Bug#455983: libsasl2-modules-gssapi-heimdal: SASL<->SASL GSSAPI failure (likely in -mit version as well)

Dan White dwhite at olp.net
Wed Dec 12 20:13:56 UTC 2007


Richard,

The cyrus-sasl list might also be a good resource for this question.

You can try 'saslpluginviewer' to make sure that the GSSAPI 
mechanism is installed.

You can also try 'smtptest', from the cyrus-clients-2.x package, 
for a second opinion.

Also, might not be a bad idea to try the 
libsasl2-modules-gssapi-mit package to see if you get the same error.

- Dan

Richard A Nelson wrote:
> Package: libsasl2-modules-gssapi-heimdal
> Version: 2.1.22.dfsg1-16
> Severity: normal
> 
> I'm using SASL with OpenLDAP, Sendmail, and a few other packages
> For imap/pop, I use Dovecot - with its own SASL implementation
> 
> In the quest to simplify and improve my infrastructure at home and work,
> I've recently added Kerberos (Heimdal) to the mix (What was I thinking).
> 
> GSSAPI auth is working with SSH, OpenLDAP, Dovecot, apache2(mod-auth-kerb)
> just fine.
> 
> The only failing case I have is sendmail -> sendmail AUTH GSSAPI; where
> I always get this error on the client:
> 	050 >>> AUTH GSSAPI YIICjgYJKoZIhvcSAQICAQBuggJ9MIICeaADAgEFoQMCAQ6iBwMFACAAAACj
> 	050 535 5.7.0 authentication failed
> 	050 >>> AUTH DIGEST-MD5
> 	050 334 bm9uY2U9IjNRcHpBMnRIbDMzSzFqN3JCeHdsUmdUbkhyWlEwTnhoL2ZVbFFRb1BHYkk9Iixy
> 	050 >>>
> 	050 235 2.0.0 OK Authenticated
> And this on the server side:
> 	sendmail[9310]: GSSAPI Error:  An unsupported mechanism was requested (unknown mech-code 0 for mech unknown)
> 
> /usr/lib/sasl2/Sendmail.conf contains:
> 	log_level: 9999                     # doesn't seem to do much :(
> 	keytab: /etc/mail/sendmail.keytab   # Is actually accessed
> 	mech_list: EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
> 	pwcheck_method: auxprop             # Needed until GSSAPI is working
> 	auxprop_plugin: ldapdb
> 	ldapdb_uri: ldapi://
> 	...  ldap specs ...
> 
> The client is using the following to authenticate (/etc/mail/authinfo):
> 	AuthInfo:<fqdn> "U:sendmail" "I:sendmail" "P:<pwd>" "R:<REALM>" "M:GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN"
> 
> For testing, I'm running sendmail in standalone mode, and have
> initialized my cc with the smtp/fqdn principal:
> # klist -v
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: smtp/<fqdn>@<REALM>
>     Cache version: 4
> 
> Server: krbtgt/<REALM>@<REALM>
> Client: smtp/<fqdn>@<REALM>
> Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
> Ticket length: 362
> Auth time:  Dec 12 17:01:07 2007
> End time:   Dec 26 17:01:02 2007
> Renew till: Dec 26 17:01:02 2007
> Ticket flags: forwardable, renewable, initial, pre-authenticated
> Addresses: addressless
> 
> Running strace -f sendmail -bD -X smlog >log 2>&1 shows, amongst other
> things:
> 	[pid  9310] open("/etc/mail/sendmail.keytab", O_RDONLY) = 13
> 	... seek/read
> 	[pid  9310] open("/etc/krb5.conf", O_RDONLY) = 13
> 	... read
> 	[pid  9310] uname({sys="Linux", node="<fqdn>", ...}) = 0
> 	...
> 	[pid  9310] open("/tmp/krb5cc_0", O_RDONLY) = 13
> 	... seek/read
> 	[pid  9310] socket(PF_NETLINK, SOCK_RAW, 0) = 13
> 	[pid  9310] bind(13, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
> 	[pid  9310] getsockname(13, {sa_family=AF_NETLINK, pid=9310, groups=00000000}, [4114028252329148428]) = 0
> 	[pid  9310] sendto(13, "\24\0\0\0\26\0\1\3f#`G\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
> 	[pid  9310] recvmsg(13, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{...
> 	...
> 
> I have the full trace, and can re-run to gather any pertinent data
> 
> It is extremely possible that I've screwed up the sendmail authinfo
> data, but google has thus far proven extremely unhelpful
> 
> 
> -- System Information:
> Debian Release: lenny/sid
>   APT prefers testing-proposed-updates
>   APT policy: (500, 'testing-proposed-updates'), (500, 'proposed-updates'), (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 2.6.23.9 (SMP w/2 CPU cores)
> Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
> 
> Versions of packages libsasl2-modules-gssapi-heimdal depends on:
> ii  libasn1-8-heimdal        1.0.1-5         Heimdal Kerberos - ASN.1 library
> ii  libc6                    2.7-4           GNU C Library: Shared libraries
> ii  libcomerr2               1.40.3-1        common error description library
> ii  libgssapi2-heimdal       1.0.1-5         Heimdal Kerberos - GSSAPI support 
> ii  libkrb5-22-heimdal       1.0.1-5         Heimdal Kerberos - libraries
> ii  libroken18-heimdal       1.0.1-5         Heimdal Kerberos - roken support l
> ii  libsasl2-modules         2.1.22.dfsg1-16 Cyrus SASL - pluggable authenticat
> ii  libssl0.9.8              0.9.8g-3        SSL shared libraries
> 
> libsasl2-modules-gssapi-heimdal recommends no packages.
> 
> -- no debconf information
> 
> 
> 
> _______________________________________________
> Pkg-cyrus-sasl2-debian-devel mailing list
> Pkg-cyrus-sasl2-debian-devel at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-cyrus-sasl2-debian-devel
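
Added example, not part of either message above: a small Python decoder for the header of the GSS-API initial token that the client log shows after "AUTH GSSAPI", to check which mechanism OID the client actually offered when the server reports "An unsupported mechanism was requested". The function names are hypothetical; the token string is the one logged in the report, and the parser accepts a prefix because the log line holds only the start of the token.

```python
import base64

KRB5_OID = "1.2.840.113554.1.2.2"  # Kerberos 5 GSS-API mechanism OID
TOK_IDS = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x03\x00": "KRB_ERROR"}

# AUTH GSSAPI argument exactly as it appears in the client log quoted above.
LOGGED_TOKEN = "YIICjgYJKoZIhvcSAQICAQBuggJ9MIICeaADAgEFoQMCAQ6iBwMFACAAAACj"

def read_len(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def decode_oid(body):
    """Turn DER OID content bytes into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, head + arcs[1:]))

def inspect_gss_token(b64_prefix):
    """Parse the RFC 2743 initial-token header; the input may be a log-truncated prefix."""
    usable = len(b64_prefix) - len(b64_prefix) % 4  # drop a partial base64 quantum
    raw = base64.b64decode(b64_prefix[:usable])
    if len(raw) < 4 or raw[0] != 0x60:
        raise ValueError("not a GSS-API initial context token (expected tag 0x60)")
    declared, body = read_len(raw, 1)
    if body >= len(raw) or raw[body] != 0x06:
        raise ValueError("mechanism OID missing")
    oid_len, pos = read_len(raw, body + 1)
    oid = decode_oid(raw[pos:pos + oid_len])
    return {
        "mech_oid": oid,
        "is_krb5": oid == KRB5_OID,
        "inner_token": TOK_IDS.get(raw[pos + oid_len:pos + oid_len + 2], "unknown"),
        "declared_len": declared,
        "truncated_in_log": declared > len(raw) - body,
    }

if __name__ == "__main__":
    print(inspect_gss_token(LOGGED_TOKEN))
```

For the logged line this reports the Kerberos 5 mechanism OID wrapping a KRB_AP_REQ, with a declared length far larger than the bytes the log shows, so the log entry is only a prefix of what was sent.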





