While constructing a reply to your message, I believe I have found the error. I had the wrong hostname for the kdc in the [realms] section of /etc/krb5.conf. I'm a bit confused about why I was able to get tickets at all with kinit, but now both the kerberos clients and sasl-sample-{client,server} authentication are working properly.
My thanks and apologies to all those who helped me with this. When I get GSSAPI authentication fully functional with imapd on my system, I will attempt to write it up as an example so that others might benefit from these tribulations.

--Mike

My original reply, with the error messages that I saw before I corrected the kdc's hostname in /etc/krb5.conf:

On Tue, Dec 19, 2006 at 10:52:13AM -0500, Sam Hartman wrote:
> OK, so we basically know it is a client side problem.
>
> * check the domain_realm mappings in krb5.conf

I don't have any that apply to my domain/realm. As I understand it, the domain "nutwerk.org" should get mapped to the realm "NUTWERK.ORG" without an entry there.

> * confirm that you can get krb5-rsh-server and the rlogin -x hostname
>   from krb5-clients working. They tend to produce better error
>   reporting.

In fact, I cannot, though I can get it to work on another machine (with a different domain & realm, but very nearly identical config files). The error messages in this case are less than enlightening, however:

[EMAIL PROTECTED]:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
12/23/06 16:25:21  12/24/06 02:25:21  krbtgt/[EMAIL PROTECTED]
        renew until 12/30/06 16:25:17

Kerberos 4 ticket cache: /tmp/tkt1001
klist: You have no tickets cached
[EMAIL PROTECTED]:~$ rlogin -x geomancer.nutwerk.org
error getting credentials: Generic error (see e-text)
Trying krb4 rlogin...
krb_sendauth failed: You have no tickets cached
[EMAIL PROTECTED]:~$ krb5-rsh geomancer.nutwerk.org ls
error getting credentials: Generic error (see e-text)
Trying krb4 rsh...
krb_sendauth failed: You have no tickets cached
trying normal rsh (/usr/bin/netkit-rsh)
exec: No such file or directory

> * Run kvno host/[EMAIL PROTECTED] after using kinit.

[EMAIL PROTECTED]:~$ kvno host/[EMAIL PROTECTED]
host/[EMAIL PROTECTED]: Generic error (see e-text) while getting credentials
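Added example, not part of the original message or of any Kerberos distribution: a small check for the misconfiguration reported above, which lists every kdc entry in the [realms] section of a krb5.conf and flags names that do not resolve. The realm name comes from the post; both KDC hostnames in the sample are constructed placeholders, and the function names are hypothetical. A name that resolves to a host that is not a KDC is outside what this check detects.

```python
import re
import socket

# Constructed sample: realm name is from the post; both KDC hostnames are
# made-up placeholders, the second one deliberately misspelled.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = NUTWERK.ORG

[realms]
    NUTWERK.ORG = {
        kdc = kdc.nutwerk.org:88
        kdc = kcd.nutwerk.org
        admin_server = kdc.nutwerk.org
    }
"""

def realm_kdcs(conf_text):
    """Return {realm: [kdc_host, ...]} from the [realms] section."""
    kdcs, section, realm = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
        elif section == "realms":
            if line == "}":
                realm = None
            elif line.endswith("{"):
                realm = line.split("=", 1)[0].strip()
                kdcs[realm] = []
            elif realm and re.match(r"kdc\s*=", line):
                host = line.split("=", 1)[1].strip()
                # Drop an optional :port suffix (bracketed IPv6 not handled).
                kdcs[realm].append(host.rsplit(":", 1)[0])
    return kdcs

def unresolvable_kdcs(conf_text, resolve=socket.gethostbyname):
    """List (realm, host) pairs whose kdc name fails name resolution."""
    bad = []
    for realm, hosts in realm_kdcs(conf_text).items():
        for host in hosts:
            try:
                resolve(host)
            except OSError:  # socket.gaierror is a subclass of OSError
                bad.append((realm, host))
    return bad
```

Pass the contents of /etc/krb5.conf to `unresolvable_kdcs` on the client; the `resolve` parameter exists so the lookup can be replaced in tests.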