Date: Tue, 28 Sep 2010 10:07:44 +0200
From: Martin Schweizer
To: freebsd-questions@freebsd.org
Message-ID: <20100928080744.GA80050@saturn.pcs.ms>
Subject: Problem with SASL authentication against Kerberos5 (Windows Active Directory)

Hello

My system:

    FreeBSD 8.1-RELEASE FreeBSD 8.1-RELEASE #2: Tue Aug 31 17:07:54 CEST 2010 :/usr/obj/usr/src/sys/GENERIC i386

Relevant part of the installed software:

    # pkg_info|grep cyrus
    cyrus-imapd-2.3.16_2         The cyrus mail server, supporting POP3 and IMAP4 protocols
    cyrus-sasl-2.1.23            RFC 2222 SASL (Simple Authentication and Security Layer)
    cyrus-sasl-saslauthd-2.1.23  SASL authentication server for cyrus-sasl2

Kerberos5 settings: They are all OK, because I can cross-check these by using kinit (and such tools), ldapsearch and of course the security event protocol of the domain controllers. So I can say all this is OK.

/etc/rc.conf:

    [snip]
    saslauthd_enable="YES"
    saslauthd_flags="-a kerberos5"

I use three of the above servers and with two of them I have no such problems.

Here is what is going wrong: After I updated all my ports I can no longer authenticate against Kerberos5. The test with

    testsaslauthd -u usernamex -p passwordx

always ends in

    0: NO "authentication failed"

In /var/log/auth.log I can see:

    Sep 24 08:07:28 saslauthd[83827]: do_auth : auth failure: [user=martin] [service=imap] [realm=] [mech=kerberos5] [reason=krb5_verify_user_opt failed]

What's interesting is that if I use saslauthd_flags="-a pam" then all is working as expected. And again, before the update all worked without any problems.

Any ideas?

Regards,

-- 
Martin Schweizer
PC-Service M. Schweizer GmbH; Bannholzstrasse 6; CH-8608 Bubikon
Tel. +41 55 243 30 00; Fax: +41 55 243 33 22
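
To check whether failures like the one quoted above are confined to one mechanism or one set of users, the saslauthd `do_auth` records in auth.log can be grouped by mechanism and reason. This is an added example, not part of the original message: the function names are hypothetical, and every sample log line except the first (which is the one quoted in the message) is constructed.

```python
import re
from collections import defaultdict

# Sample input. The first line is the auth.log entry quoted in the message;
# the other three are constructed for this example.
SAMPLE_LOG = """\
Sep 24 08:07:28 saslauthd[83827]: do_auth : auth failure: [user=martin] [service=imap] [realm=] [mech=kerberos5] [reason=krb5_verify_user_opt failed]
Sep 24 08:07:41 saslauthd[83827]: do_auth : auth failure: [user=alice] [service=imap] [realm=EXAMPLE.TEST] [mech=kerberos5] [reason=krb5_verify_user_opt failed]
Sep 24 08:09:02 saslauthd[83830]: do_auth : auth failure: [user=martin] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
Sep 24 08:09:30 sshd[901]: Accepted publickey for martin from 192.0.2.10 port 50022 ssh2
"""

# Matches saslauthd's "auth failure" record wherever it sits in a syslog line.
FAILURE = re.compile(r"saslauthd\[(\d+)\]:\s*do_auth\s*:\s*auth failure:\s*(.*)$")
# One "[key=value]" field; the value may be empty, as in "[realm=]".
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")

def parse_failure(line):
    """Return the fields of one failure line as a dict, or None for other lines."""
    m = FAILURE.search(line)
    if m is None:
        return None
    record = dict(FIELD.findall(m.group(2)))
    record["pid"] = int(m.group(1))
    return record

def summarize(log_text):
    """Group failures by (mech, reason) and list the affected users for each."""
    groups = defaultdict(lambda: {"count": 0, "users": set()})
    for line in log_text.splitlines():
        record = parse_failure(line)
        if record is None:
            continue
        key = (record.get("mech", "?"), record.get("reason", "?"))
        groups[key]["count"] += 1
        groups[key]["users"].add(record.get("user", "?"))
    return {k: {"count": v["count"], "users": sorted(v["users"])}
            for k, v in groups.items()}

if __name__ == "__main__":
    for (mech, reason), info in summarize(SAMPLE_LOG).items():
        print(f"{mech:10} {info['count']:3}  {reason}  users={','.join(info['users'])}")
```

Run against the real /var/log/auth.log on each of the three servers, the same grouping shows at a glance whether the `krb5_verify_user_opt failed` reason appears only on the updated host.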