Date: Tue, 27 Jul 2004 11:44:43 -0400
From: Robert Fitzpatrick <robert@webtent.com>
To: FreeBSD <freebsd-questions@freebsd.org>
Subject: SASL error Decrypt integrity check failed with sample-server test for GSSAPI
Message-ID: <1090943083.8898.65.camel@columbus.webtent.org>
Trying to get SASL to work with Heimdal 0.6 on FreeBSD 5.2.1. When doing the sample-server test, it finds my ticket OK and presents a response that the sample-client accepts and gives its response. The problem is when sending that client response back to the server, this is what happens:

esmtp# ./sample-server -s imap -p ../plugins/.libs
Generating client mechanism list...
Sending list of 8 mechanism(s)
S: <server response>
Waiting for client mechanism...
C: <client response from below>
got 'GSSAPI'
lt-sample-server: SASL Other: GSSAPI Error: Miscellaneous failure (see text) (Decrypt integrity check failed)
lt-sample-server: Starting SASL negotiation: authentication failure (authentication failure)

esmtp# ./sample-client -s imap -n esmtp.webtent.net -u spam -p ../plugins/.libs
service=imap
Waiting for mechanism list from server...
S: <server response from above>
recieved 57 byte message
Choosing best mechanism from: NTLM LOGIN ANONYMOUS PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5
returning OK: spam
Using mechanism GSSAPI
Preparing initial.
Sending initial response...
C: <client response>

Both the SASL and saslauthd ports are version 2.1.19 on the system. Anyone know what 'Decrypt integrity check failed' means? I found references to the password being wrong when Googling it, but the password has been reset and I get this same error with any user.

I am starting the sample-server and sample-client as follows, seems to find the service keytab OK, I am using what I think is set up correctly. I extracted the Kerberos keytab for imap/esmtp.webtent.net and have it placed correctly in /etc/krb5.keytab with 600 owned by the 'cyrus' user. The realm is WEBTENT.NET.

./sample-server -s imap -p ../plugins/.libs
./sample-client -s imap -n esmtp.webtent.net -u spam -p ../plugins/.libs

kadmin> list spam
spam@WEBTENT.NET

esmtp# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: spam@WEBTENT.NET

  Issued           Expires          Principal
Jul 27 10:18:04  Jul 27 20:18:04  krbtgt/WEBTENT.NET@WEBTENT.NET
Jul 27 10:18:09  Jul 27 20:18:04  imap/esmtp.webtent.net@WEBTENT.NET

esmtp# ls -la /etc/krb5.keytab
-rw-------  1 cyrus  mail  586 Jul 26 19:49 /etc/krb5.keytab

--
Robert