This looks to be a Mail.app bug, but I thought it worth mentioning here
since it's Kerberos-related.
I am using Kerberos with a Debian server on which is running the MIT KDC,
Cyrus, imapd, and sendmail. I have been using Kerberos authentication
with Mail.app in this environment for some time, under Tiger. I just
upgraded to Leopard, and it no longer works. The problem is simple: the
Mail.app IMAP conversation goes like this:
OK sequoia Cyrus IMAP4 v2.1.18-IPv6-Debian-2.1.18-5.1 server ready
1.11 CAPABILITY
* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE
UIDP LUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=GSSAPI AUTH=CRAM-MD5
AUTH=DIGEST-MD5 AUTH=NTLM ANNOTATEMORE
1.11 OK Completed
2.11 AUTHENTICATE GSSAPI
+
2.11 NO authentication failure
Mail.app simply sends an empty gssapi message. This problem does not
appear to be in the Kerberos libraries or endemic to Apple's apps in
general, since Kerberos authentication still works in both SSH and
WebDAV. This appears to be a Mail.app bug.
I have also noticed that both klist and Kerberos.app omit realm names from
service ticket principals, e.g.:
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: [EMAIL PROTECTED]
Valid Starting Expires Service Principal
01/13/08 16:35:37 01/14/08 02:35:37 krbtgt/[EMAIL PROTECTED]
renew until 01/20/08 16:35:37
01/13/08 16:36:15 01/14/08 02:35:37 imap/sequoia.oankali.net@
renew until 01/20/08 16:35:37
01/13/08 16:45:38 01/14/08 02:35:37 host/sequoia.oankali.net@
renew until 01/20/08 16:35:37
01/13/08 16:52:37 01/14/08 02:35:37 HTTP/sequoia.oankali.net@
renew until 01/20/08 16:35:37
Seem unrelated, but I thought I'd mention it anyway.
- Richard Silverman
[EMAIL PROTECTED]
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
