Re: Cyrus Imapd with SASL, authenticate against AD Windows 2003 with Kerberos5

2009-08-16 Thread Martin Schweizer
Hello Volodymyr

On Sat, Aug 08, 2009 at 09:42:22AM +0300, Volodymyr Kostyrko wrote:
> Martin Schweizer wrote:
>
> > So I have now no more ideas where I can check. Any hints are welcome.
>
> I have done almost the same thing, only with pam:
>
>  grep sasl /etc/rc.conf
> saslauthd_enable='yes'
> saslauthd_flags='-apam -n1'
>
>  cat /etc/pam.d/imap
> auth required pam_krb5.so no_warn try_first_pass

Sorry for the delay but I was out of town. I did the same as you suggested and
now it works. Thank you.

Regards,

-- 

Martin Schweizer
off...@pc-service.ch

PC-Service M. Schweizer GmbH; Bannholzstrasse 6; CH-8608 Bubikon
Tel. +41 55 243 30 00; Fax: +41 55 243 33 22; http://www.pc-service.ch;
public key : http://www.pc-service.ch/pgp/public_key.asc; 
fingerprint: EC21 CA4D 5C78 BC2D 73B7  10F9 C1AE 1691 D30F D239;

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Cyrus Imapd with SASL, authenticate against AD Windows 2003 with Kerberos5

2009-08-08 Thread Volodymyr Kostyrko

Martin Schweizer wrote:


So I have now no more ideas where I can check. Any hints are welcome.


I have done almost the same thing, only with pam:

 grep sasl /etc/rc.conf
saslauthd_enable='yes'
saslauthd_flags='-apam -n1'

 cat /etc/pam.d/imap
auth required pam_krb5.so no_warn try_first_pass

--
Sphinx of black quartz judge my vow.



Cyrus Imapd with SASL, authenticate against AD Windows 2003 with Kerberos5

2009-08-02 Thread Martin Schweizer
Hello

My goal is to authenticate my Cyrus Imapd users against Windows 2003
Active Directory with Kerberos. I have the following setup:

Kerberos5 client
===
FreeBSD acsvfbsd06.domain.tld 7.2-RELEASE FreeBSD 7.2-RELEASE

/etc/krb.conf:
[libdefaults]

   default_realm = domain.tld

   default_etypes_des = des-cbc-md5

[realms]
   ACUTRONIC.CH = {
   kdc = tcp/acsv3k04.domain.tld:88
   }

[logging]
   kdc = SYSLOG:INFO:AUTH
   admin_server = SYSLOG:INFO:AUTH
   default = SYSLOG:INFO:AUTH

/etc/krb5.keytab (ktutil list output):
For the keytab file I followed:
http://technet.microsoft.com/en-us/library/bb742433.aspx

FILE:/etc/krb5.keytab:

Vno  Type Principal
 1  des-cbc-md5  host/acsvfbsd06.domain@domain.tld

I get tickets if I use kinit user:
acsvfbsd06# kinit user
mar...@domain.tld's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week

klist:
Credentials cache: FILE:/tmp/krb5cc_0
   Principal: u...@domain.tld

 Issued   Expires  Principal
Jul 31 17:58:09  Aug  1 03:57:44  krbtgt/domain@domain.tld

I can use ldapsearch as follows:

acsvfbsd06# ldapsearch -v -LLL -b
OU=Mitgliedsserver,OU=ACH,DC=Domain,DC=tld -h acsv3k04.domain.tld
description
ldap_initialize( ldap://acsv3k04.domain.tld)
SASL/GSSAPI authentication started
SASL username: u...@domain.tld
SASL SSF: 56
SASL data security layer installed.
filter: (objectclass=*)
requesting: description
dn: OU=Mitgliedsserver,OU=ACH,DC=Domain,DC=tld
...
[snip]

So far all looks well.

For the Cyrus Imapd setup I run saslauthd -a kerberos5.

/usr/local/etc/imapd.conf:

configdirectory: /usr/imap/var/imap
partition-default: /usr/imap/var/spool/imap
virtdomains: yes
admins:root cyrus
sasl_option: 1
sasl_pwcheck_method: saslauthd
sasl_mech_list: GSSAPI PLAIN LOGIN CRAM-MD5 DIGEST-MD5
sasl_log_level: 7
lmtpsocket: /usr/imap/var/imap/socket/lmtp
allowplaintext: yes


Each time I start a test by

- testsaslauthd -u user -p password
or
- imtest -m plain -a user localhost

I get every time

saslauthd[42062]: do_auth : auth failure: [user=user]
[service=imap] [realm=] [mech=kerberos5] [reason=krb5_verify_user_opt
failed]

The krb5_verify_user_opt failed is coming from the Kerberos 5 Library
(libkrb5, -lkrb5) - krb5_verify_user_opt and is located in the
auth_krb5.c (from SASL).

I checked the Kerberos/DNS communication on both sides with tshark and
Netmon (Microsoft's tcpdump) but the Kerberos communication seems
to be ok. Additionally I started also a truss on saslauthd but also
without any luck.

So I have now no more ideas where I can check. Any hints are welcome.

Regards,
-- 

Martin Schweizer
off...@pc-service.ch

PC-Service M. Schweizer GmbH; Bannholzstrasse 6; CH-8608 Bubikon
Tel. +41 55 243 30 00; Fax: +41 55 243 33 22; http://www.pc-service.ch;
public key : http://www.pc-service.ch/pgp/public_key.asc; 
fingerprint: EC21 CA4D 5C78 BC2D 73B7  10F9 C1AE 1691 D30F D239;
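
Added example, not part of the thread: a small audit of the imapd.conf posted above. saslauthd can only check a plaintext password that the server hands to it, so the shared-secret mechanisms in sasl_mech_list cannot be verified through it, and allowplaintext: yes lets PLAIN/LOGIN passwords through without TLS. The finding labels and function names are hypothetical, and the sample input is constructed from the posted options.

```python
# Added example: audit the imapd.conf options posted in this thread.
# Constructed input: option lines copied from the original message.
SAMPLE_IMAPD_CONF = """\
configdirectory: /usr/imap/var/imap
partition-default: /usr/imap/var/spool/imap
virtdomains: yes
admins:root cyrus
sasl_option: 1
sasl_pwcheck_method: saslauthd
sasl_mech_list: GSSAPI PLAIN LOGIN CRAM-MD5 DIGEST-MD5
sasl_log_level: 7
lmtpsocket: /usr/imap/var/imap/socket/lmtp
allowplaintext: yes
"""

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
# These need the stored secret (auxprop/sasldb), which saslauthd cannot supply.
SHARED_SECRET_MECHS = {"CRAM-MD5", "DIGEST-MD5"}

def parse_imapd_conf(text):
    """Return {option: value}, skipping blank lines and '#' comments."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            options[key.strip().lower()] = value.strip()
    return options

def audit(options):
    """Return a list of (hypothetical label, mechanisms) findings."""
    findings = []
    mechs = options.get("sasl_mech_list", "").upper().split()
    if "saslauthd" in options.get("sasl_pwcheck_method", "").split():
        dead = [m for m in mechs if m in SHARED_SECRET_MECHS]
        if dead:
            findings.append(("unverifiable-mech", dead))
    plaintext = [m for m in mechs if m in PLAINTEXT_MECHS]
    # Assumption: true spellings start with 1/y/on/t; a missing option is not flagged.
    allow = options.get("allowplaintext", "").lower().startswith(("1", "y", "on", "t"))
    if plaintext and allow:
        findings.append(("cleartext-password", plaintext))
    return findings

if __name__ == "__main__":
    for label, mechs in audit(parse_imapd_conf(SAMPLE_IMAPD_CONF)):
        print(label, " ".join(mechs))
```
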
