saslauthd GSSAPI not working

Matthew B. Brookover mbrookov at mines.edu
Mon Sep 12 17:02:30 UTC 2005


I have Red Hat Enterprise 3, release 5.  I have Kerberos running and I
can login.  The ldap servers use sasl/gssapi and also work fine.

These sasl and kerberos RPMs are installed:
cyrus-sasl-2.1.15-10
cyrus-sasl-devel-2.1.15-10
cyrus-sasl-plain-2.1.15-10
cyrus-sasl-md5-2.1.15-10
cyrus-sasl-gssapi-2.1.15-10
pam_krb5-1.75-1
krb5-devel-1.2.7-47
krb5-server-1.2.7-47
krb5-workstation-1.2.7-47
krb5-libs-1.2.7-47

I tried to install uw-imap with Kerberos support and could not
authenticate.  After some digging I tried to run the test tools that are
part of the development package.

Step 1, start up saslauthd:

[root at imagine mbrookov]# saslauthd -a kerberos5
[root at imagine mbrookov]# ps auxww | grep saslauthd
root     20542  0.0  0.0  2380  708 ?        S    10:47   0:00 saslauthd -a kerberos5
root     20543  0.0  0.0  2380  708 ?        S    10:47   0:00 saslauthd -a kerberos5
root     20544  0.0  0.0  2380  708 ?        S    10:47   0:00 saslauthd -a kerberos5
root     20545  0.0  0.0  2380  708 ?        S    10:47   0:00 saslauthd -a kerberos5
root     20546  0.0  0.0  2380  708 ?        S    10:47   0:00 saslauthd -a kerberos5
root     20548  0.0  0.0  3684  664 pts/3    S    10:47   0:00 grep saslauthd
[root at imagine mbrookov]#


By default, sasl2-sample-server uses a service principal named rcmd.  So
I created it and put it in a keytab and set $KRB5_KTNAME to point to it.

[mbrookov at imagine mbrookov]$ klist -k $KRB5_KTNAME -e -t
Keytab name: FILE:/u/mx/ch/mbrookov/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 09/12/05 09:57:20 rcmd/imagine.mines.edu at MINES.EDU (ArcFour with HMAC/md5)
   3 09/12/05 09:57:20 rcmd/imagine.mines.edu at MINES.EDU (DES cbc mode with RSA-MD5)
   3 09/12/05 09:57:20 rcmd/imagine.mines.edu at MINES.EDU (Triple DES cbc mode with HMAC/sha1)
   3 09/12/05 09:57:20 rcmd/imagine.mines.edu at MINES.EDU (etype 18)
[mbrookov at imagine mbrookov]$


I then ran kinit and started up sasl2-sample-server:

[mbrookov at imagine mbrookov]$ sasl2-sample-server
trying 10, 1, 6
socket: Address family not supported by protocol
trying 2, 1, 6
accepted new connection
send: {48}
PLAIN LOGIN GSSAPI DIGEST-MD5 CRAM-MD5 ANONYMOUS
recv: {6}
GSSAPI
recv: {1}
Y
recv: {562}
`[82][2].[6][9]*[86]H[86][F7][12][1][2][2][1][0]n[82][2][1D]0[82][2][19][A0][3][2][1][5]
[A1][3][2][1][E][A2][7][3][5][0] [0][0][0][A3][82][1]=a[82][1]90[82][1]5[A0][3][2][1][5]
[A1][B][1B][9]MINES.EDU[A2]$0"[A0][3][2][1][3][A1][1B]0[19][1B][4]rcmd[1B][11]imagine.mines.edu
[A3][81][FA]0[81][F7][A0][3][2][1][17][A1][3][2][1][3][A2][81][EA][4][81][E7][15][A9][7]
[CC][B0][CE][D4][98][16][9B]2[AE][A1][D5][DB][13][A7][B0]:[D6][FD][C8]k[FF]hR[98][17][86]
[CA]C[C4]j)[15][8A]c[18][91][F5]4[E5][1F][BB][99]I[E9][C5]w[FA][3]'[F5]_[1B][DE]N0[CE]
[FC][CD][1D][9E][F1][1][1B]][C8][E7][80][D5][D9][BE][E8][A][CF][B4]dd[A7][FA][E3]K[5][9F]
[DF][83][8A][8C]=[10]Z [EB]g[E8]k[90][D3]A[E][9A]x[A6][CD]_&[C9][8E][A8]:[C6][BD][B0][82]
[7F]u[8C][3]BQ[B1][BF][FC][B1][B8][FC]C[EA][FA]P6r_[BC][83][EF][1C]k[92]q[99][B7].[8A]uW[B9]
s[83][8D]tl[E2][9D]O}q[F3][A2][88]_[C7]C[C5][D5][7][94][E0][BF]u[AA]7D[3][AF][CA];[8D]j^
[19][7]`[84][19][92][u[CA],[6][E5][5]`[A][B]x[C4]}N[D0][D6][2][9E][16]5[E4][C]K[DB][96]
 u'E}[B1][90][1E][90][86][1B][BD]r[CD],[F8][12][E6][6][A4][81][C2]0[81][BF][A0][3][2][1]
[10][A2][81][B7][4][81][B4]KFy[2]/_[84][B2][BD][D7][ED][B6][AE]|"yx[97][D2][F1][E1]N[F9]
[2][BE]#[9A]s+(Y[3][CC]~[82][5][8]r[AB][E8][E5][83]D[AC][E0][C9][A9]W[8D][BF]e[F8][CF]#
[D2]o[D5]=[A][B9][8C][B9][FC][x[8D][E1][A0][9B][EB][F4][EE][DE]"k[F3]BVS4d#[D][94]1[85]
[8D]d[5][90];[C2][FE]\g[16][8F]][C1]Ni|r[B0][A][87][ED][C6][1D][C3][8A][E][8B]([E5][EF]
[E9]ns[1A][FF]E\n[9D][A6][1D]mGW[3][EB]%[EB]:[92][F3][9A][A8][BE][9A][FF][87][A8][DA][90]
[5][D][1][F9][A1]wP[DD][91][DD][AD]w[91]w[C4][A6][A2]Q[D6]jY[E7][1F][90][CF][E2][81][A3]
[BE][17][1D]L[DF][E6]
starting SASL negotiation: authentication failureclosing connection

The sasl2-sample-client output:

[mbrookov at imagine mbrookov]$ sasl2-sample-client imagine.mines.edu
receiving capability list... recv: {48}
PLAIN LOGIN GSSAPI DIGEST-MD5 CRAM-MD5 ANONYMOUS
PLAIN LOGIN GSSAPI DIGEST-MD5 CRAM-MD5 ANONYMOUS
please enter an authorization id: mbrookov
send: {6}
GSSAPI
send: {1}
Y
send: {562}
`[82][2].[6][9]*[86]H[86][F7][12][1][2][2][1][0]n[82][2][1D]0[82][2][19][A0][3][2][1][5]
[A1][3][2][1][E][A2][7][3][5][0] [0][0][0][A3][82][1]=a[82][1]90[82][1]5[A0][3][2][1][5]
[A1][B][1B][9]MINES.EDU[A2]$0"[A0][3][2][1][3][A1][1B]0[19][1B][4]rcmd[1B][11]imagine.mines.edu
[A3][81][FA]0[81][F7][A0][3][2][1][17][A1][3][2][1][3][A2][81][EA][4][81][E7][15][A9][7]
[CC][B0][CE][D4][98][16][9B]2[AE][A1][D5][DB][13][A7][B0]:[D6][FD][C8]k[FF]hR[98][17][86]
[CA]C[C4]j)[15][8A]c[18][91][F5]4[E5][1F][BB][99]I[E9][C5]w[FA][3]'[F5]_[1B][DE]N0[CE]
[FC][CD][1D][9E][F1][1][1B]][C8][E7][80][D5][D9][BE][E8][A][CF][B4]dd[A7][FA][E3]K[5][9F]
[DF][83][8A][8C]=[10]Z [EB]g[E8]k[90][D3]A[E][9A]x[A6][CD]_&[C9][8E][A8]:[C6][BD][B0][82]
[7F]u[8C][3]BQ[B1][BF][FC][B1][B8][FC]C[EA][FA]P6r_[BC][83][EF][1C]k[92]q[99][B7].[8A]uW[B9]
s[83][8D]tl[E2][9D]O}q[F3][A2][88]_[C7]C[C5][D5][7][94][E0][BF]u[AA]7D[3][AF][CA];[8D]j^[19]
[7]`[84][19][92][u[CA],[6][E5][5]`[A][B]x[C4]}N[D0][D6][2][9E][16]5[E4][C]K[DB][96] u'E}[B1]
[90][1E][90][86][1B][BD]r[CD],[F8][12][E6][6][A4][81][C2]0[81][BF][A0][3][2][1][10][A2][81]
[B7][4][81][B4]KFy[2]/_[84][B2][BD][D7][ED][B6][AE]|"yx[97][D2][F1][E1]N[F9][2][BE]#[9A]
s+(Y[3][CC]~[82][5][8]r[AB][E8][E5][83]D[AC][E0][C9][A9]W[8D][BF]e[F8][CF]#[D2]o[D5]=[A]
[B9][8C][B9][FC][x[8D][E1][A0][9B][EB][F4][EE][DE]"k[F3]BVS4d#[D][94]1[85][8D]d[5][90];[C2]
[FE]\g[16][8F]][C1]Ni|r[B0][A][87][ED][C6][1D][C3][8A][E][8B]([E5][EF][E9]ns[1A][FF]E\n[9D]
[A6][1D]mGW[3][EB]%[EB]:[92][F3][9A][A8][BE][9A][FF][87][A8][DA][90][5][D][1][F9][A1]wP[DD]
[91][DD][AD]w[91]w[C4][A6][A2]Q[D6]jY[E7][1F][90][CF][E2][81][A3][BE][17][1D]L[DF][E6]
authentication failed
closing connection
[mbrookov at imagine mbrookov]$ klist
Ticket cache: FILE:/tmp/krb5cc_5467_PafttD
Default principal: mbrookov at MINES.EDU

Valid starting     Expires            Service principal
09/12/05 10:52:18  09/12/05 20:52:33  krbtgt/MINES.EDU at MINES.EDU
09/12/05 10:52:31  09/12/05 20:52:33  rcmd/imagine.mines.edu at MINES.EDU


Kerberos 4 ticket cache: /tmp/tkt5467
klist: You have no tickets cached
[mbrookov at imagine mbrookov]$


From the klist output, sasl is finding the rcmd service principal and
loading it into the cache, then reporting the authentication failure.

Does anybody have any idea why?

Thank you for your assistance.

Matt Brookover
mbrookov at mines.edu
303-273-3436
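An added diagnostic, not part of the post above or of cyrus-sasl: the GSSAPI mechanism is negotiated inside libsasl2 against the Kerberos keytab, and saslauthd only serves plaintext mechanisms such as PLAIN and LOGIN, so when GSSAPI fails the keytab and the credential cache are the things to inspect, not the saslauthd processes. The script below parses the two klist listings from the post (copied here as constructed sample text, with the "@" the list archive rendered as " at " restored) and reports whether the expected service principal is in the keytab with which KVNOs, whether any key has an enctype the local krb5 library cannot even name (klist prints those as "etype N", as it does for etype 18 here), and whether the client already holds a service ticket, which the post's cache does. The principal name and file paths are taken from the post; the function names are this example's own. For reference, the dumped AP-REQ token in the post names rcmd/imagine.mines.edu and its ticket EncryptedData carries etype 0x17 (23, ArcFour with HMAC/md5), a key the keytab does hold.

```shell
#!/bin/sh
# Added example: pre-flight checks for a SASL/GSSAPI service keytab.
# Parses `klist -k -e -t` and `klist` output; the samples are constructed
# from the post so the script runs offline.

KEYTAB_LIST='Keytab name: FILE:/u/mx/ch/mbrookov/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 09/12/05 09:57:20 rcmd/imagine.mines.edu@MINES.EDU (ArcFour with HMAC/md5)
   3 09/12/05 09:57:20 rcmd/imagine.mines.edu@MINES.EDU (DES cbc mode with RSA-MD5)
   3 09/12/05 09:57:20 rcmd/imagine.mines.edu@MINES.EDU (Triple DES cbc mode with HMAC/sha1)
   3 09/12/05 09:57:20 rcmd/imagine.mines.edu@MINES.EDU (etype 18)'

CCACHE_LIST='Ticket cache: FILE:/tmp/krb5cc_5467_PafttD
Default principal: mbrookov@MINES.EDU

Valid starting     Expires            Service principal
09/12/05 10:52:18  09/12/05 20:52:33  krbtgt/MINES.EDU@MINES.EDU
09/12/05 10:52:31  09/12/05 20:52:33  rcmd/imagine.mines.edu@MINES.EDU'

# keytab_has_principal <klist -k -e -t output> <principal>
# Entry lines are "KVNO date time principal (enctype)", so the name is $4.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p { found = 1 } END { exit !found }'
}

# keytab_kvnos <output> <principal>: distinct KVNOs held for the principal,
# space separated. These must match the KVNO the KDC put in the ticket.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p { print $1 }' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# keytab_unknown_etypes <output>: number of keys whose enctype the local
# krb5 library could not name; klist shows those as "(etype N)".
keytab_unknown_etypes() {
    printf '%s\n' "$1" | grep -c '(etype [0-9]*)$' || true
}

# ccache_has_service_ticket <klist output> <principal>
# Ticket lines are "date time date time principal", so the name is $5.
ccache_has_service_ticket() {
    printf '%s\n' "$1" | awk -v p="$2" 'NF >= 5 && $5 == p { found = 1 } END { exit !found }'
}

# keytab_file_check <path or FILE:path>: exists and readable by this user?
# Only meaningful on the live host; the sample data above never calls it.
keytab_file_check() {
    path=${1#FILE:}
    if [ ! -f "$path" ]; then echo "keytab missing: $path"; return 1; fi
    if [ ! -r "$path" ]; then echo "keytab unreadable by $(id -un): $path"; return 1; fi
    ls -l "$path"
}

# check_service_principal <principal>: full report; returns 0 only when the
# principal is in the keytab and every key has a usable enctype.
check_service_principal() {
    princ=$1
    rc=0
    if keytab_has_principal "$KEYTAB_LIST" "$princ"; then
        echo "keytab: $princ present, kvno $(keytab_kvnos "$KEYTAB_LIST" "$princ")"
    else
        echo "keytab: $princ MISSING"
        rc=1
    fi
    n=$(keytab_unknown_etypes "$KEYTAB_LIST")
    if [ "$n" -gt 0 ]; then
        echo "keytab: $n key(s) with an enctype this krb5 library cannot name ('etype N')"
        rc=1
    fi
    if ccache_has_service_ticket "$CCACHE_LIST" "$princ"; then
        echo "ccache: client already holds a ticket for $princ (KDC side is fine)"
    else
        echo "ccache: no service ticket for $princ yet"
    fi
    return $rc
}

if [ -n "${KRB5_KTNAME:-}" ]; then keytab_file_check "$KRB5_KTNAME" || true; fi
check_service_principal "rcmd/imagine.mines.edu@MINES.EDU" \
    || echo "result: fix the keytab before retrying GSSAPI"
```

On a live host replace the two sample strings with `"$(klist -k -e -t "$KRB5_KTNAME")"` and `"$(klist)"`; the KVNO printed for the keytab should equal the KVNO in the service ticket, and the server process (here sasl2-sample-server, later the real imapd) must have KRB5_KTNAME in its environment and read access to the file, which is why the file check is run as the same user that starts the server.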
