Date: Mon, 3 Aug 2009 07:04:58 +0200
From: Martin Schweizer <lists_freebsd@bluewin.ch>
To: freebsd-questions@freebsd.org
Subject: Cyrus Imapd with SASL, authenticate against AD Windows 2003 with Kerberos5
Message-ID: <20090803050458.GA81711@saturn.pcs.ms>
Hello

My goal is to authenticate my Cyrus Imapd users against Windows 2003 Active Directory with Kerberos. I have the following setup:

Kerberos5 client
================

FreeBSD acsvfbsd06.domain.tld 7.2-RELEASE FreeBSD 7.2-RELEASE

/etc/krb.conf:

[libdefaults]
    default_realm = domain.tld
    default_etypes_des = des-cbc-md5

[realms]
    ACUTRONIC.CH = {
        kdc = tcp/acsv3k04.domain.tld:88
    }

[logging]
    kdc = SYSLOG:INFO:AUTH
    admin_server = SYSLOG:INFO:AUTH
    default = SYSLOG:INFO:AUTH

/etc/krb5.keytab (ktutil list output):

For the keytab file I followed: http://technet.microsoft.com/en-us/library/bb742433.aspx

FILE:/etc/krb5.keytab:

Vno  Type         Principal
  1  des-cbc-md5  host/acsvfbsd06.domain.tld@DOMAIN.TLD

I get tickets if I use kinit user:

acsvfbsd06# kinit user
martin@DOMAIN.TLD's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week

klist:
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: user@DOMAIN.TLD

  Issued           Expires          Principal
Jul 31 17:58:09  Aug  1 03:57:44  krbtgt/DOMAIN.TLD@DOMAIN.TLD

I can use ldapsearch as follows:

acsvfbsd06# ldapsearch -v -LLL -b "OU=Mitgliedsserver,OU=ACH,DC=Domain,DC=tld" -h acsv3k04.domain.tld description
ldap_initialize( ldap://acsv3k04.domain.tld)
SASL/GSSAPI authentication started
SASL username: user@DOMAIN.TLD
SASL SSF: 56
SASL data security layer installed.
filter: (objectclass=*)
requesting: description
dn: OU=Mitgliedsserver,OU=ACH,DC=Domain,DC=tld
...
[snip]

So far all looks well. For the Cyrus Imapd setup I run saslauthd -a kerberos5.

/usr/local/etc/imapd.conf:

configdirectory: /usr/imap/var/imap
partition-default: /usr/imap/var/spool/imap
virtdomains: yes
admins: root cyrus
sasl_option: 1
sasl_pwcheck_method: saslauthd
sasl_mech_list: GSSAPI PLAIN LOGIN CRAM-MD5 DIGEST-MD5
sasl_log_level: 7
lmtpsocket: /usr/imap/var/imap/socket/lmtp
allowplaintext: yes

Each time I start a test by

- testsaslauthd -u user -p password

or

- imtest -m plain -a user localhost

I get every time

saslauthd[42062]: do_auth : auth failure: [user=user] [service=imap] [realm=] [mech=kerberos5] [reason=krb5_verify_user_opt failed]

The "krb5_verify_user_opt failed" is coming from the Kerberos 5 library (libkrb5, -lkrb5) -> krb5_verify_user_opt and is located in auth_krb5.c (from SASL). I checked the Kerberos/DNS communication on both sides with tshark and Netmon (Microsoft's "tcpdump"), but the Kerberos communication seems to be ok. Additionally I also started a truss on saslauthd, but also without any luck. So I have now no more ideas where I can check. Any hints are welcome.

Regards,

-- 
Martin Schweizer <office@pc-service.ch>
PC-Service M. Schweizer GmbH; Bannholzstrasse 6; CH-8608 Bubikon
Tel. +41 55 243 30 00; Fax: +41 55 243 33 22; http://www.pc-service.ch;
public key: http://www.pc-service.ch/pgp/public_key.asc;
fingerprint: EC21 CA4D 5C78 BC2D 73B7 10F9 C1AE 1691 D30F D239;
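Added example (Python, not part of the post above and not code from Cyrus SASL or Heimdal): a small consistency check over a krb5.conf and a "ktutil list" listing of the same shape as the ones quoted in the message. A plain kinit only needs a reachable KDC for the user's realm, whereas saslauthd's kerberos5 mechanism calls krb5_verify_user_opt, which in its secure mode also fetches a service ticket for the local host principal and verifies it against the host keytab. The checker therefore flags the things that step depends on: that default_realm has a matching [realms] entry (realm names are case-sensitive), that the entry names a kdc, and that the keytab contains host/<fqdn>@<default_realm> for the machine doing the verification. All hostnames, realms and file contents in the sample are constructed for the example.

```python
import re

# Constructed samples (hypothetical values, not the poster's real configuration).
# The "bad" variant mirrors the shape of the post: lowercase default_realm,
# uppercase [realms] entry, uppercase realm in the keytab principal.
SAMPLE_KRB5_CONF_BAD = """\
[libdefaults]
    default_realm = example.org
    default_etypes_des = des-cbc-md5

[realms]
    EXAMPLE.ORG = {
        kdc = tcp/dc01.example.org:88
    }

[logging]
    kdc = SYSLOG:INFO:AUTH
"""

SAMPLE_KRB5_CONF_OK = SAMPLE_KRB5_CONF_BAD.replace(
    "default_realm = example.org", "default_realm = EXAMPLE.ORG")

SAMPLE_KTUTIL_LIST = """\
FILE:/etc/krb5.keytab:

Vno  Type         Principal
  1  des-cbc-md5  host/mailhost.example.org@EXAMPLE.ORG
"""


def parse_krb5_conf(text):
    """Parse the krb5.conf INI-with-braces format into {section: {key: value}}.
    Relation blocks such as 'REALM = { kdc = ... }' become nested dicts."""
    sections = {}
    stack = []          # dicts opened by '{' within the current section
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r'\[(\S+)\]$', line)
        if m:                                 # new [section]
            current = sections.setdefault(m.group(1), {})
            stack = [current]
            continue
        if current is None:                   # text before any section header
            continue
        if line == '}':                       # close a relation block
            if len(stack) > 1:
                stack.pop()
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if value == '{':                      # open a relation block
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return sections


def parse_ktutil_list(text):
    """Return [(vno, enctype, principal)] from Heimdal 'ktutil list' output."""
    entries = []
    for line in text.splitlines():
        m = re.match(r'\s*(\d+)\s+(\S+)\s+(\S+@\S+)\s*$', line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def check_consistency(conf, keytab, hostname):
    """Return a list of problems (empty means consistent) relevant to a
    keytab-verified password check on host `hostname`."""
    problems = []
    default_realm = conf.get('libdefaults', {}).get('default_realm')
    realms = conf.get('realms', {})
    if default_realm is None:
        return ['no default_realm in [libdefaults]']
    if default_realm not in realms:
        hint = ''
        for name in realms:
            if name.upper() == default_realm.upper():
                hint = f' (found {name!r}; realm names are case-sensitive)'
        problems.append(f'default_realm {default_realm!r} has no [realms] entry{hint}')
    elif 'kdc' not in realms[default_realm]:
        problems.append(f'[realms] entry for {default_realm!r} names no kdc')
    wanted = f'host/{hostname}@{default_realm}'
    principals = [p for _, _, p in keytab]
    if wanted not in principals:
        problems.append(f'keytab lacks {wanted!r}; it holds {principals}')
    return problems


if __name__ == '__main__':
    keytab = parse_ktutil_list(SAMPLE_KTUTIL_LIST)
    for label, text in (('bad', SAMPLE_KRB5_CONF_BAD), ('ok', SAMPLE_KRB5_CONF_OK)):
        print(label, check_consistency(parse_krb5_conf(text), keytab,
                                       'mailhost.example.org') or 'consistent')
```

Run it against the real /etc/krb5.conf and the output of "ktutil list" on the host that runs saslauthd; the checker is deliberately conservative and only reports mismatches it can see in those two files, so an empty result does not rule out KDC-side problems.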