From: Robert Fitzpatrick
To: FreeBSD
Organization: WebTent Networking, Inc.
Date: Tue, 27 Jul 2004 11:44:43 -0400
Message-Id: <1090943083.8898.65.camel@columbus.webtent.org>
Subject: SASL error Decrypt integrity check failed with sample-server test for GSSAPI

Trying to get SASL to work with Heimdal 0.6 on FreeBSD 5.2.1. When doing the sample-server test, it finds my ticket OK and presents a response that the sample-client accepts and gives its response. The problem is when sending that client response back to the server, this is what happens:

    esmtp# ./sample-server -s imap -p ../plugins/.libs
    Generating client mechanism list...
    Sending list of 8 mechanism(s)
    S:
    Waiting for client mechanism...
    C:
    got 'GSSAPI'
    lt-sample-server: SASL Other: GSSAPI Error: Miscellaneous failure (see text) (Decrypt integrity check failed)
    lt-sample-server: Starting SASL negotiation: authentication failure (authentication failure)

    esmtp# ./sample-client -s imap -n esmtp.webtent.net -u spam -p ../plugins/.libs
    service=imap
    Waiting for mechanism list from server...
    S:
    recieved 57 byte message
    Choosing best mechanism from: NTLM LOGIN ANONYMOUS PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5
    returning OK: spam
    Using mechanism GSSAPI
    Preparing initial.
    Sending initial response...
    C:

Both the SASL and saslauthd ports are version 2.1.19 on the system. Anyone know what 'Decrypt integrity check failed' means? I found references to the password being wrong when Googling it, but the password has been reset and I get this same error with any user.

I am starting the sample-server and sample-client as follows, seems to find the service keytab OK, I am using what I think is set up correctly. I extracted the Kerberos keytab for imap/esmtp.webtent.net and have it placed correctly in /etc/krb5.keytab with 600 owned by the 'cyrus' user. The realm is WEBTENT.NET.

    ./sample-server -s imap -p ../plugins/.libs
    ./sample-client -s imap -n esmtp.webtent.net -u spam -p ../plugins/.libs

    kadmin> list spam
    spam@WEBTENT.NET

    esmtp# klist
    Credentials cache: FILE:/tmp/krb5cc_0
            Principal: spam@WEBTENT.NET

      Issued           Expires          Principal
    Jul 27 10:18:04  Jul 27 20:18:04  krbtgt/WEBTENT.NET@WEBTENT.NET
    Jul 27 10:18:09  Jul 27 20:18:04  imap/esmtp.webtent.net@WEBTENT.NET

    esmtp# ls -la /etc/krb5.keytab
    -rw-------  1 cyrus  mail  586 Jul 26 19:49 /etc/krb5.keytab

-- 
Robert