Re: GSSAPI authentication ceased working
Lars Hanke wrote:
> BTW: It's still not working. I put it to PRI2, since the important ldapdb
> stuff is running. Kerberized imap is rarely used here, so people can do
> without. But still I'd like to understand what is happening.

Is the keytab readable by the cyrus user (the Unix uid)?

Thanks,

Dave
-- 
Dave McMurtrie, SPE
Email Systems Team Leader
Carnegie Mellon University, Computing Services

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: GSSAPI authentication ceased working
On 02 Jan 2009, at 11:19, Lars Hanke wrote:
> hermod: /var/log/auth.log
>
>     Jan 2 17:07:54 hermod imtest: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)
>
> hel: /var/log/syslog
>
>     Jan 2 16:07:54 hel krb5kdc[1652]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.6.5: PROCESS_TGS: authtime 0, unknown client for imap/hermod@mgr, Decrypt integrity check failed

As I read this, hel is saying that the TGT is bad. You're trying to obtain a service ticket for imap/hermod, but the TGT you're attempting to use is not accepted by the KDC. If you klist after running imtest, you have no imap/hermod ticket.

I've never seen an error like that. It suggests that your KDC is really broken :) Something like the key used to encrypt your TGT isn't valid for obtaining service tickets.

:wes
Re: GSSAPI authentication ceased working
Shot in the dark here, but are you using AFS? If so, you can run into some nasty things if it tries to grab libraries out of AFS that you have access to when you have AFS tokens, but which become unavailable when they expire. You start up the process with the tokens, but when you log back in, you obtain tokens for yourself, but not the PAG that the process started in.

If you want to know what you're linked against, use ldd on your binaries and on your SASL plugins. If you see paths in AFS, that's likely your problem.

-Michael

--On Friday, January 02, 2009 5:19 PM +0100 Lars Hanke l...@lhanke.de wrote:

> I'm currently setting up a new imap server to replace my old one. Yesterday I had GSSAPI authentication running, today it ceased working. I did quite some configuration in the meantime, mostly on the LDAP server, but nothing I'd readily associate with cyrus-imap authentication. I appreciate any ideas for more systematic troubleshooting.
>
> Regards,
>  - lars.
>
> The setup:
>
> KDC and LDAP is a server called hel. The KDC uses LDAP as backend. Cyrus-Imap (v2.2.13-Debian-2.2.13-14+b3) runs on hermod.
>
> What worked yesterday:
>
>     kinit cyrus
>     imtest -v -u cyrus -a cyrus -p imap -r MGR hermod.mgr
>     cyradm --user cyrus --auth GSSAPI --server hermod.mgr
>
> What still works today:
>
>     kinit cyrus
>
> Diagnostics:
>
>     # kinit cyrus
>     hermod:~# klist
>     Ticket cache: FILE:/tmp/krb5cc_0
>     Default principal: cy...@mgr
>
>     Valid starting     Expires            Service principal
>     01/02/09 16:41:41  01/03/09 02:41:41  krbtgt/m...@mgr
>             renew until 01/03/09 16:41:41
>
>     Kerberos 4 ticket cache: /tmp/tkt0
>     klist: You have no tickets cached
>     hermod:~# imtest -v -u cyrus -a cyrus -p imap -r MGR hermod.mgr
>     S: * OK hermod.mgr Cyrus IMAP4 v2.2.13-Debian-2.2.13-14+b3 server ready
>     C: C01 CAPABILITY
>     S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=GSSAPI AUTH=NTLM AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
>     S: C01 OK Completed
>     Authentication failed. generic failure
>     Security strength factor: 0
>     C: Q01 LOGOUT
>     * BYE LOGOUT received
>     Q01 OK Completed
>     Connection closed.
>
> hermod: /var/log/auth.log
>
>     Jan 2 17:07:54 hermod imtest: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)
>
> hel: /var/log/syslog
>
>     Jan 2 16:07:54 hel krb5kdc[1652]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.6.5: PROCESS_TGS: authtime 0, unknown client for imap/hermod@mgr, Decrypt integrity check failed
>     Jan 2 16:07:54 hel last message repeated 3 times
>
> What I tried:
>
> Since "Decrypt integrity check failed" means wrong password, I recreated the principal imap/hermod.mgr and replaced the keytab file with the new key. I also removed the ldapdb auxprop, which I had installed in the meantime, but nothing helped.
>
> If I remove the ticket for cyrus, I receive:
>
>     Jan 2 17:13:36 hermod imtest: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)
>
> as I would expect.
Re: GSSAPI authentication ceased working
Hi Michael,

> Shot in the dark here, but are you using AFS? If so, you can run into some nasty things if it tries to grab libraries out of AFS that you have access to when you have AFS tokens, but which become unavailable when they expire. You start up the process with the tokens, but when you log back in, you obtain tokens for yourself, but not the PAG that the process started in.

There are strange things out there. Thanks for the idea, but I definitely have never used AFS, and nothing is installed which I would associate with AFS.

BTW: It's still not working. I put it to PRI2, since the important ldapdb stuff is running. Kerberized imap is rarely used here, so people can do without. But still I'd like to understand what is happening.

Regards,
 - lars.
GSSAPI authentication ceased working
I'm currently setting up a new imap server to replace my old one. Yesterday I had GSSAPI authentication running, today it ceased working. I did quite some configuration in the meantime, mostly on the LDAP server, but nothing I'd readily associate with cyrus-imap authentication. I appreciate any ideas for more systematic troubleshooting.

Regards,
 - lars.

The setup:

KDC and LDAP is a server called hel. The KDC uses LDAP as backend. Cyrus-Imap (v2.2.13-Debian-2.2.13-14+b3) runs on hermod.

What worked yesterday:

    kinit cyrus
    imtest -v -u cyrus -a cyrus -p imap -r MGR hermod.mgr
    cyradm --user cyrus --auth GSSAPI --server hermod.mgr

What still works today:

    kinit cyrus

Diagnostics:

    # kinit cyrus
    hermod:~# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: cy...@mgr

    Valid starting     Expires            Service principal
    01/02/09 16:41:41  01/03/09 02:41:41  krbtgt/m...@mgr
            renew until 01/03/09 16:41:41

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached
    hermod:~# imtest -v -u cyrus -a cyrus -p imap -r MGR hermod.mgr
    S: * OK hermod.mgr Cyrus IMAP4 v2.2.13-Debian-2.2.13-14+b3 server ready
    C: C01 CAPABILITY
    S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=GSSAPI AUTH=NTLM AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
    S: C01 OK Completed
    Authentication failed. generic failure
    Security strength factor: 0
    C: Q01 LOGOUT
    * BYE LOGOUT received
    Q01 OK Completed
    Connection closed.

hermod: /var/log/auth.log

    Jan 2 17:07:54 hermod imtest: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)

hel: /var/log/syslog

    Jan 2 16:07:54 hel krb5kdc[1652]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.6.5: PROCESS_TGS: authtime 0, unknown client for imap/hermod@mgr, Decrypt integrity check failed
    Jan 2 16:07:54 hel last message repeated 3 times

What I tried:

Since "Decrypt integrity check failed" means wrong password, I recreated the principal imap/hermod.mgr and replaced the keytab file with the new key. I also removed the ldapdb auxprop, which I had installed in the meantime, but nothing helped.

If I remove the ticket for cyrus, I receive:

    Jan 2 17:13:36 hermod imtest: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)

as I would expect.
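Two checks raised in this thread, whether the keytab is readable by the Unix uid Cyrus runs as (Dave's question) and whether the key version in the keytab still matches what the KDC issues after the imap/hermod.mgr principal was recreated, can be scripted; the script below is an added example, not code from the thread or from the Cyrus project. It assumes MIT krb5 client tools (klist, kvno), GNU su, /etc/krb5.keytab as the keytab path and cyrus as the Unix user; the service principal imap/hermod.mgr@MGR is the one from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the two things the thread turns on:
# can the Unix uid Cyrus runs as read the keytab, and does the key version (kvno)
# in the keytab match the one the KDC now issues service tickets with (recreating
# a principal bumps its kvno). Assumes MIT krb5 client tools (klist, kvno).
KEYTAB=${KEYTAB:-/etc/krb5.keytab}            # assumed default keytab path
SERVICE=${SERVICE:-imap/hermod.mgr@MGR}       # service principal from the thread
CYRUS_USER=${CYRUS_USER:-cyrus}               # Unix uid Cyrus runs as (assumed)

# Highest kvno listed for principal $1. Reads `klist -k` output on stdin,
# whose entry lines look like "   3 imap/hermod.mgr@MGR".
keytab_kvno() {
    awk -v p="$1" '$2 == p && $1 ~ /^[0-9]+$/ { if ($1+0 > m) m = $1+0 } END { print m+0 }'
}

# kvno the KDC put in the service ticket for principal $1. Reads `kvno`
# output on stdin, a line like "imap/hermod.mgr@MGR: kvno = 4".
ticket_kvno() {
    awk -v p="$1" '$1 == (p ":") && $2 == "kvno" { print $NF+0 }'
}

# Classify keytab kvno ($1) against KDC kvno ($2, empty if no ticket came back).
kvno_status() {
    if [ "${1:-0}" -eq 0 ]; then echo "not-in-keytab"
    elif [ -z "$2" ]; then echo "no-ticket"        # TGS_REQ failed, as in the thread
    elif [ "$1" -eq "$2" ]; then echo "match"
    else echo "stale-keytab"                       # keytab holds an older key
    fi
}

main() {
    # 1. Dave's question: is the keytab readable by the cyrus uid? (needs root)
    if su -s /bin/sh "$CYRUS_USER" -c "test -r '$KEYTAB'" 2>/dev/null; then
        echo "keytab readable by $CYRUS_USER: yes"
    else
        echo "keytab readable by $CYRUS_USER: NO (check owner and mode of $KEYTAB)"
    fi
    # 2. Key version in the keytab vs. the key the KDC currently uses.
    kt=$(klist -k "$KEYTAB" | keytab_kvno "$SERVICE")
    tk=$(kvno "$SERVICE" 2>/dev/null | ticket_kvno "$SERVICE")
    echo "keytab kvno=$kt kdc kvno=${tk:-none}: $(kvno_status "$kt" "$tk")"
}

# Run the checks only when invoked directly as a script named keytab-check.sh.
if [ "$(basename -- "$0")" = "keytab-check.sh" ]; then main "$@"; fi
```

A "no-ticket" result with a valid TGT in the cache reproduces the situation in the thread (the TGS_REQ itself is rejected), whereas "stale-keytab" points at the keytab on the IMAP host rather than at the KDC.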