Re: GSSAPI authentication ceased working

2009-01-08 Thread Dave McMurtrie
Lars Hanke wrote:

 BTW: It's still not working. I put it to PRI2, since the important 
 ldapdb stuff is running. Kerberized imap is rarely used here, so people 
 can do without. But still I'd like to understand what is happening.

Is the keytab readable by the cyrus user (the Unix uid)?

Thanks,

Dave
-- 
Dave McMurtrie, SPE
Email Systems Team Leader
Carnegie Mellon University,
Computing Services

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
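Two checks that follow from Dave's question, as an added example (not code from the list, from Cyrus or from MIT krb5): whether the keytab is readable by the uid imapd runs as (and not by anyone else), and whether the key version number in the keytab still matches the KDC, since the principal was re-created in the meantime. The keytab path /etc/cyrus.keytab, the principal name imap/hermod.mgr@MGR and the `klist -ke` / `kvno` output embedded below are constructed for illustration. Note that `kvno` obtains a service ticket the same way imtest does, so in the state described in this thread it would be expected to fail at the KDC with the same error; that in itself says the keytab on hermod has not been reached yet.

```python
"""Keytab sanity checks: readable by the cyrus uid, not readable by others,
and key version in step with the KDC.

Added example for this thread; not code from Cyrus, MIT krb5 or the list.
The keytab path, the principal imap/hermod.mgr@MGR and the sample
`klist -ke` / `kvno` output below are constructed.
"""
import os
import re
import stat

# One entry line of MIT `klist -ke`, e.g.
#    4 imap/hermod.mgr@MGR (aes256-cts-hmac-sha1-96)
KLIST_ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<princ>\S+)\s+\((?P<etype>[^)]+)\)\s*$")
# Output of MIT `kvno PRINCIPAL`, e.g.  imap/hermod.mgr@MGR: kvno = 4
KVNO_RE = re.compile(r"^(?P<princ>\S+): kvno = (?P<kvno>\d+)\s*$")


def readable_by(st_mode, st_uid, st_gid, uid, gid, groups=()):
    """POSIX owner/group/other check: can (uid, gid, groups) read a file with
    these stat fields?  Also reports whether group or world can read it,
    which a keytab should never allow.  Returns (ok, too_open)."""
    if st_uid == uid:
        ok = bool(st_mode & stat.S_IRUSR)
    elif st_gid == gid or st_gid in groups:
        ok = bool(st_mode & stat.S_IRGRP)
    else:
        ok = bool(st_mode & stat.S_IROTH)
    too_open = bool(st_mode & (stat.S_IRGRP | stat.S_IROTH))
    return ok, too_open


def keytab_readable(path, uid, gid, groups=()):
    """Stat a keytab on disk and apply readable_by() to it."""
    st = os.stat(path)
    return readable_by(st.st_mode, st.st_uid, st.st_gid, uid, gid, groups)


def keytab_kvnos(klist_ke_output):
    """Map principal -> set of key version numbers present in the keytab."""
    found = {}
    for line in klist_ke_output.splitlines():
        m = KLIST_ENTRY_RE.match(line)
        if m:
            found.setdefault(m["princ"], set()).add(int(m["kvno"]))
    return found


def kdc_kvno(kvno_output):
    """Parse `kvno` output into (principal, kvno); (None, None) if unparsable."""
    m = KVNO_RE.match(kvno_output.strip())
    return (m["princ"], int(m["kvno"])) if m else (None, None)


def kvno_report(klist_ke_output, kvno_output, principal):
    """Compare the keytab's kvno(s) for `principal` with the KDC's current one.
    A keytab whose kvno is behind the KDC is the usual result of re-creating
    a principal, or of running ktadd without replacing the old file."""
    in_keytab = keytab_kvnos(klist_ke_output).get(principal, set())
    princ, on_kdc = kdc_kvno(kvno_output)
    if princ != principal:
        status = "kvno reported %r, not %r" % (princ, principal)
    elif not in_keytab:
        status = "principal missing from keytab"
    elif on_kdc in in_keytab:
        status = "ok"
    else:
        status = "mismatch: keytab has kvno %s, KDC has kvno %s" % (
            sorted(in_keytab), on_kdc)
    return {"principal": principal, "keytab_kvnos": sorted(in_keytab),
            "kdc_kvno": on_kdc, "status": status}


# Constructed sample output: the keytab still holds kvno 3 after the
# principal was re-created on the KDC (now kvno 4).
SAMPLE_KLIST_KE = """\
Keytab name: FILE:/etc/cyrus.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 imap/hermod.mgr@MGR (aes256-cts-hmac-sha1-96)
   3 imap/hermod.mgr@MGR (des-cbc-crc)
"""
SAMPLE_KVNO = "imap/hermod.mgr@MGR: kvno = 4\n"

if __name__ == "__main__":
    print(kvno_report(SAMPLE_KLIST_KE, SAMPLE_KVNO, "imap/hermod.mgr@MGR"))
    try:  # live check; the cyrus user or the keytab may not exist on this box
        import pwd
        cyrus = pwd.getpwnam("cyrus")
        print(keytab_readable("/etc/cyrus.keytab", cyrus.pw_uid, cyrus.pw_gid))
    except (KeyError, OSError) as exc:
        print("live keytab check skipped:", exc)
```

On a real box, feed the functions the output of `klist -ke /etc/cyrus.keytab` and `kvno imap/hermod.mgr@MGR` (assumed paths and names); a mismatch means the keytab was written before the principal's key was last changed, and a too_open result means the keytab is readable by more than the cyrus uid.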


Re: GSSAPI authentication ceased working

2009-01-08 Thread Wesley Craig
On 02 Jan 2009, at 11:19, Lars Hanke wrote:
 hermod: /var/log/auth.log
 Jan  2 17:07:54 hermod imtest: GSSAPI Error: Unspecified GSS  
 failure.  Minor code may provide more information (Decrypt  
 integrity check failed)

 hel: /var/log/syslog
 Jan  2 16:07:54 hel krb5kdc[1652]: TGS_REQ (7 etypes {18 17 16 23 1  
 3 2}) 172.16.6.5: PROCESS_TGS: authtime 0,  unknown client for  
 imap/hermod@mgr, Decrypt integrity check failed

As I read this, hel is saying that the TGT is bad.  You're trying to  
obtain a service ticket for imap/hermod, but the TGT you're  
attempting to use is not accepted by the KDC.  If you klist after  
running imtest, you have no imap/hermod ticket.  I've never seen an  
error like that.  It suggests that your KDC is really broken :)   
Something like the key used to encrypt your TGT isn't valid for  
obtaining service tickets.

:wes
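To make Wes's reading of the two log lines mechanical, here is an added example (not code from the list, Cyrus or MIT krb5) that parses krb5kdc request lines and classifies which key failed. The first sample line is the one quoted from hel's syslog, re-joined onto one line; the AS_REQ lines are constructed to show the contrasting cases and only approximate the MIT krb5kdc log format. The classification of the TGS_REQ line follows Wes's interpretation: "unknown client" together with "Decrypt integrity check failed" means the KDC could not decrypt the TGT presented in the TGS-REQ, so the service key (the keytab on hermod) was not consulted at that point. The encryption-type table and the weak-etype flag go beyond the thread; enctype numbers 1, 2, 3 (single DES) and 23 (RC4-HMAC) are the ones you would not want a 2009 client offering today.

```python
"""Triage krb5kdc AS_REQ/TGS_REQ log lines.

Added example for this thread; not code from MIT krb5, Cyrus or the list.
The first sample line is the one from hel's syslog; the others are
constructed and only approximate the MIT krb5kdc log format.
"""
import re

# Kerberos encryption type numbers as they appear in the KDC's "etypes {...}".
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
WEAK_ETYPES = {1, 2, 3, 23}   # single DES and RC4-HMAC

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]: "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$")
REST_RE = re.compile(
    r"^(?:authtime (?P<authtime>\d+),\s*)?"
    r"(?:etypes \{(?P<rep_etypes>[^}]*)\},\s*)?"
    r"(?P<client>.+?) for (?P<service>[^,\s]+)(?:,\s*(?P<error>.+))?$")


def parse_kdc_line(line):
    """Split one krb5kdc line into fields; None if it is not a request line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    rec["weak_etypes"] = sorted(e for e in rec["etypes"] if e in WEAK_ETYPES)
    rec["weak_etype_names"] = [ETYPE_NAMES.get(e, str(e)) for e in rec["weak_etypes"]]
    rest = REST_RE.match(rec.pop("rest").strip())
    for k in ("authtime", "rep_etypes", "client", "service", "error"):
        v = rest.group(k) if rest else None
        rec[k] = v.strip() if v else None
    # The KDC prints "<unknown client>"; HTML-ised archives drop the brackets.
    if rec["client"]:
        rec["client"] = rec["client"].strip("<>")
    return rec


def triage(rec):
    """Return (kind, verdict): which key in the exchange failed, if any."""
    err = rec["error"] or ""
    if rec["status"] == "ISSUE":
        return "issued", "ticket issued"
    if (rec["req"] == "AS_REQ" and rec["status"] == "PREAUTH_FAILED"
            and "Decrypt integrity" in err):
        return "client-key", "client long-term key mismatch: wrong password or stale key"
    if (rec["req"] == "TGS_REQ" and rec["status"] == "PROCESS_TGS"
            and rec["client"] == "unknown client" and "Decrypt integrity" in err):
        return "tgt", ("KDC could not decrypt the TGT in the TGS-REQ for %s; "
                       "the service keytab was not consulted" % rec["service"])
    return "other", "%s %s: %s" % (rec["req"], rec["status"], err or "no error text")


def triage_log(lines):
    """Parse and classify every request line; non-request lines are skipped."""
    out = []
    for line in lines:
        rec = parse_kdc_line(line)
        if rec:
            kind, verdict = triage(rec)
            out.append({"ts": rec["ts"], "req": rec["req"], "client": rec["client"],
                        "service": rec["service"], "kind": kind, "verdict": verdict,
                        "weak_etypes": rec["weak_etype_names"]})
    return out


SAMPLE_LINES = [
    # Quoted from hel's syslog in the thread (wrapped there, one line here).
    "Jan  2 16:07:54 hel krb5kdc[1652]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) "
    "172.16.6.5: PROCESS_TGS: authtime 0,  unknown client for imap/hermod@mgr, "
    "Decrypt integrity check failed",
    # Constructed: wrong password at kinit time (pre-authentication fails).
    "Jan  2 16:41:30 hel krb5kdc[1652]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) "
    "172.16.6.5: PREAUTH_FAILED: cyrus@MGR for krbtgt/MGR@MGR, "
    "Decrypt integrity check failed",
    # Constructed: the successful kinit that produced the TGT shown by klist.
    "Jan  2 16:41:41 hel krb5kdc[1652]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) "
    "172.16.6.5: ISSUE: authtime 1230910901, etypes {rep=18 tkt=18 ses=18}, "
    "cyrus@MGR for krbtgt/MGR@MGR",
    "Jan  2 16:07:54 hel last message repeated 3 times",   # not a request line
]

if __name__ == "__main__":
    for entry in triage_log(SAMPLE_LINES):
        print(entry)
```

The same "Decrypt integrity check failed" text shows up on hermod as the GSSAPI minor code, because imtest is just reporting the KDC's error back; it is the KDC line, with "unknown client" on a TGS_REQ, that tells you the TGT rather than the imap/hermod key is what could not be decrypted.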



Re: GSSAPI authentication ceased working

2009-01-07 Thread Michael Bacon
Shot in the dark here, but are you using AFS?  If so, you can run into some 
nasty things if it tries to grab libraries out of AFS that you have access 
to when you have AFS tokens, but which become unavailable when they expire. 
You start up the process with the tokens, but when you log back in, you 
obtain tokens for yourself, but not the PAG that the process started in.

If you want to know what you're linked against, use ldd on your binaries 
and on your SASL plugins.  If you see paths in AFS, that's likely your 
problem.

-Michael

--On Friday, January 02, 2009 5:19 PM +0100 Lars Hanke l...@lhanke.de 
wrote:

 I'm currently setting up a new imap server to replace my old one.
 Yesterday I had GSSAPI authentication running, today it ceased working.
 I did quite some configuration in the meantime mostly on the LDAP
 server, but nothing I'd readily associate with cyrus-imap authentication.

 I appreciate any ideas for more systematic troubleshooting.

 Regards,
  - lars.

 The setup:
 KDC and LDAP run on a server called hel. The KDC uses LDAP as backend.
 Cyrus-Imap (v2.2.13-Debian-2.2.13-14+b3) runs on hermod.

 What worked yesterday:

 kinit cyrus
 imtest -v -u cyrus -a cyrus -p imap -r MGR hermod.mgr
 cyradm --user cyrus --auth GSSAPI --server hermod.mgr

 What still works today:
 kinit cyrus

 Diagnostics:
 # kinit cyrus
 hermod:~# klist
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: cy...@mgr

 Valid starting     Expires            Service principal
 01/02/09 16:41:41  01/03/09 02:41:41  krbtgt/m...@mgr
 renew until 01/03/09 16:41:41


 Kerberos 4 ticket cache: /tmp/tkt0
 klist: You have no tickets cached
 hermod:~# imtest -v -u cyrus -a cyrus -p imap -r MGR hermod.mgr
 S: * OK hermod.mgr Cyrus IMAP4 v2.2.13-Debian-2.2.13-14+b3 server ready
 C: C01 CAPABILITY
 S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
 NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT
 THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS
 AUTH=GSSAPI AUTH=NTLM AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
 S: C01 OK Completed
 Authentication failed. generic failure
 Security strength factor: 0
 C: Q01 LOGOUT
 * BYE LOGOUT received
 Q01 OK Completed
 Connection closed.

 hermod: /var/log/auth.log
 Jan  2 17:07:54 hermod imtest: GSSAPI Error: Unspecified GSS failure.
 Minor code may provide more information (Decrypt integrity check failed)

 hel: /var/log/syslog
 Jan  2 16:07:54 hel krb5kdc[1652]: TGS_REQ (7 etypes {18 17 16 23 1 3 2})
 172.16.6.5: PROCESS_TGS: authtime 0,  unknown client for
 imap/hermod@mgr, Decrypt integrity check failed
 Jan  2 16:07:54 hel last message repeated 3 times


 What I tried:

 Since Decrypt integrity check failed means wrong password I recreated
 the principal imap/hermod.mgr and replaced the keytab file with the new
 key. I also removed the ldapdb auxprop, which I had installed in the
 meantime, but nothing helped. If I remove the ticket for cyrus, I receive:
 Jan  2 17:13:36 hermod imtest: GSSAPI Error: Unspecified GSS failure.
 Minor code may provide more information (No credentials cache found) as I
 would expect.


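Michael's ldd check, as an added example (not code from the list or from Cyrus): it parses `ldd` output for the Cyrus binaries and SASL plugins and flags every library that resolves from under /afs/ or cannot be resolved at all, which is what you would see once the AFS tokens of the starting shell have expired. The binary paths and the ldd output below are constructed; the /afs/example.org/... library path in particular is invented to show the case he describes.

```python
"""Flag shared libraries that a binary resolves from AFS or cannot resolve.

Added example for this thread, not Cyrus code.  Parses `ldd` output lines
of the form "soname => path (0xaddr)"; the sample output for imtest and
the GSSAPI SASL plugin is constructed, including the /afs/... path.
"""
import re

# "soname => path (0xaddr)", "soname => not found", or the vdso with an
# empty path.  The dynamic loader line has no "=>" and is skipped.
LDD_RE = re.compile(
    r"^\s*(?P<so>\S+)\s*=>\s*(?P<path>not found|[^\s(]*)\s*(?:\(0x[0-9a-f]+\))?\s*$")


def parse_ldd(output):
    """Return [(soname, path_or_None, found)] for one binary's ldd output."""
    deps = []
    for line in output.splitlines():
        m = LDD_RE.match(line)
        if not m:
            continue
        path = m["path"]
        if path == "not found":
            deps.append((m["so"], None, False))
        else:
            deps.append((m["so"], path or None, True))  # vdso has no file path
    return deps


def afs_findings(ldd_by_binary):
    """List (binary, soname, reason) for libraries that live in AFS or are
    missing; an empty list means the loader never touches /afs/."""
    out = []
    for binary in sorted(ldd_by_binary):
        for so, path, found in parse_ldd(ldd_by_binary[binary]):
            if not found:
                out.append((binary, so, "not found"))
            elif path and path.startswith("/afs/"):
                out.append((binary, so, "resolved from AFS: " + path))
    return out


# Constructed ldd output; real input would come from
#   ldd /usr/bin/imtest /usr/lib/cyrus/bin/imapd /usr/lib/sasl2/*.so
SAMPLE_LDD = {
    "/usr/bin/imtest": """\
\tlinux-vdso.so.1 =>  (0x00007fff5d1ff000)
\tlibsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00007f0e8a2b0000)
\tlibc.so.6 => /lib/libc.so.6 (0x00007f0e89f40000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f0e8a4d0000)
""",
    "/usr/lib/sasl2/libgssapiv2.so": """\
\tlibgssapi_krb5.so.2 => /afs/example.org/sw/krb5/lib/libgssapi_krb5.so.2 (0x00007f3a10a00000)
\tlibkrb5.so.3 => not found
\tlibc.so.6 => /lib/libc.so.6 (0x00007f3a10600000)
""",
}

if __name__ == "__main__":
    for finding in afs_findings(SAMPLE_LDD):
        print("%s: %s %s" % finding)
```

Run it against real ldd output of imapd, imtest and everything in the SASL plugin directory; a clean result (no /afs/ paths, nothing "not found") rules out the library-in-AFS case without needing to reason about PAGs and token lifetimes.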

Re: GSSAPI authentication ceased working

2009-01-07 Thread Lars Hanke
Hi Michael,
 Shot in the dark here, but are you using AFS? If so, you can run into 
 some nasty things if it tries to grab libraries out of AFS that you 
 have access to when you have AFS tokens, but which become unavailable 
 when they expire. You start up the process with the tokens, but when 
 you log back in, you obtain tokens for yourself, but not the PAG that 
 the process started in.
There are strange things out there. Thanks for the idea, but I 
definitely have never used AFS, and nothing is installed that I would 
associate with AFS.

BTW: It's still not working. I put it to PRI2, since the important 
ldapdb stuff is running. Kerberized imap is rarely used here, so people 
can do without. But still I'd like to understand what is happening.

Regards,
- lars.



GSSAPI authentication ceased working

2009-01-02 Thread Lars Hanke
I'm currently setting up a new imap server to replace my old one.  
Yesterday I had GSSAPI authentication running, today it ceased working. 
I did quite some configuration in the meantime mostly on the LDAP 
server, but nothing I'd readily associate with cyrus-imap authentication.

I appreciate any ideas for more systematic troubleshooting.

Regards,
 - lars.

The setup:
KDC and LDAP run on a server called hel. The KDC uses LDAP as backend.
Cyrus-Imap (v2.2.13-Debian-2.2.13-14+b3) runs on hermod.

What worked yesterday:

kinit cyrus
imtest -v -u cyrus -a cyrus -p imap -r MGR hermod.mgr
cyradm --user cyrus --auth GSSAPI --server hermod.mgr

What still works today:
kinit cyrus

Diagnostics:
# kinit cyrus
hermod:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: cy...@mgr

Valid starting     Expires            Service principal
01/02/09 16:41:41  01/03/09 02:41:41  krbtgt/m...@mgr
renew until 01/03/09 16:41:41


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
hermod:~# imtest -v -u cyrus -a cyrus -p imap -r MGR hermod.mgr
S: * OK hermod.mgr Cyrus IMAP4 v2.2.13-Debian-2.2.13-14+b3 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID 
NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT 
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=GSSAPI 
AUTH=NTLM AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
S: C01 OK Completed
Authentication failed. generic failure
Security strength factor: 0
C: Q01 LOGOUT
* BYE LOGOUT received
Q01 OK Completed
Connection closed.

hermod: /var/log/auth.log
Jan  2 17:07:54 hermod imtest: GSSAPI Error: Unspecified GSS failure.  Minor 
code may provide more information (Decrypt integrity check failed)

hel: /var/log/syslog
Jan  2 16:07:54 hel krb5kdc[1652]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 
172.16.6.5: PROCESS_TGS: authtime 0,  unknown client for imap/hermod@mgr, 
Decrypt integrity check failed
Jan  2 16:07:54 hel last message repeated 3 times


What I tried:

Since Decrypt integrity check failed means wrong password I recreated the 
principal imap/hermod.mgr and replaced the keytab file with the new key. I 
also removed the ldapdb auxprop, which I had installed in the meantime, but 
nothing helped.
If I remove the ticket for cyrus, I receive:
Jan  2 17:13:36 hermod imtest: GSSAPI Error: Unspecified GSS failure.  Minor 
code may provide more information (No credentials cache found)
as I would expect.