Bug 506709 - saslauthd does not create kerberos ticket for imap
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: cyrus-sasl
Version: 5.3
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Petr Lautrbach
QA Contact: BaseOS QE
Keywords: Reopened
Depends On:
Blocks: 860737 1036818

Reported: 2009-06-18 08:59 EDT by Karel Volný
Modified: 2013-12-02 11:51 EST

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Clones: 860737
Environment:
Last Closed: 2013-03-13 09:26:38 EDT

Attachments: None
Description Karel Volný 2009-06-18 08:59:39 EDT
Description of problem:
When trying to test kerberos5 authentication with cyrus-imapd, I have found that the credentials cache doesn't get initialised.

Version-Release number of selected component (if applicable):
krb5-server-1.6.1-31.el5_3.3
cyrus-sasl-2.1.22-4
cyrus-imapd-2.3.7-2.el5_3.2

How reproducible:
always

Steps to Reproduce:
1. reset kerberos configuration
kdestroy
rm -f /var/kerberos/krb5kdc/*
rm -f /etc/krb5.keytab

2. create testing kerberos configuration
echo "[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 EXAMPLE.COM = {
  kdc = `hostname -f`:88
  admin_server = `hostname -f`:749
  default_domain = redhat.com
 }

[domain_realm]
 .redhat.com = EXAMPLE.COM
 redhat.com = EXAMPLE.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }" > /etc/krb5.conf
kdb5_util create -s EXAMPLE.COM
service krb5kdc start
service kadmin start
kadmin.local -q "ank -randkey imap/`hostname -f`"
kadmin.local -q "ktadd imap/`hostname -f`"

3. make the keytab readable
chmod +r /etc/krb5.keytab

4. set saslauthd to use kerberos
# cat /etc/sysconfig/saslauthd
# Directory in which to place saslauthd's listening socket, pid file, and so
# on.  This directory must already exist.
SOCKETDIR=/var/run/saslauthd

# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ability to use.
MECH=kerberos5

# Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
# for the list of accepted flags.
FLAGS=

5. set mechanism to GSSAPI
# cat /etc/imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: GSSAPI
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt

6. (re)start the services
service saslauthd start
service cyrus-imapd start

7. imtest

8. see the log

Actual results:
.qa.[root@i386-5s-m1 tps]# imtest
WARNING: no hostname supplied, assuming localhost

S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=GSSAPI SASL-IR] i386-5s-m1.lab.bos.redhat.com Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-2.el5_3.2 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=GSSAPI SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
Authentication failed. generic failure
Security strength factor: 0
C: Q01 LOGOUT
Connection closed.
.qa.[root@i386-5s-m1 tps]# tail /var/log/messages
Jun 18 08:50:35 i386-5s-m1 imap[31219]: auxpropfunc error no mechanism available
Jun 18 08:50:35 i386-5s-m1 imap[31220]: auxpropfunc error invalid parameter supplied
Jun 18 08:50:35 i386-5s-m1 pop3[31221]: sql_select option missing
Jun 18 08:50:35 i386-5s-m1 imap[31219]: auxpropfunc error invalid parameter supplied
Jun 18 08:50:35 i386-5s-m1 pop3[31221]: auxpropfunc error no mechanism available
Jun 18 08:50:35 i386-5s-m1 pop3[31221]: auxpropfunc error invalid parameter supplied
Jun 18 08:50:38 i386-5s-m1 imap[31223]: sql_select option missing
Jun 18 08:50:38 i386-5s-m1 imap[31223]: auxpropfunc error no mechanism available
Jun 18 08:50:38 i386-5s-m1 imap[31223]: auxpropfunc error invalid parameter supplied
Jun 18 08:50:38 i386-5s-m1 imtest: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No credentials cache found)


Expected results:
the operation gets authenticated, no errors

Additional info:
after initialising the ticket manually:
kadmin.local -q "cpw -pw password imap/`hostname -f`"
kinit imap/`hostname -f`

the error message changes:
Jun 18 08:55:58 i386-5s-m1 imtest: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)

while the record is there:
.qa.[root@i386-5s-m1 tps]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: imap/i386-5s-m1.lab.bos.redhat.com@EXAMPLE.COM

Valid starting     Expires            Service principal
06/18/09 08:55:21  06/19/09 08:55:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

and there are some messages in krb5kdc.log:
Jun 18 08:55:58 i386-5s-m1.lab.bos.redhat.com krb5kdc[30832](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.16.40.49: UNKNOWN_SERVER: authtime 1245329721,  imap/i386-5s-m1.lab.bos.redhat.com@EXAMPLE.COM for imap/localhost.localdomain@EXAMPLE.COM, Server not found in Kerberos database
Jun 18 08:55:58 i386-5s-m1.lab.bos.redhat.com krb5kdc[30832](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.16.40.49: UNKNOWN_SERVER: authtime 1245329721,  imap/i386-5s-m1.lab.bos.redhat.com@EXAMPLE.COM for krbtgt/LOCALDOMAIN@EXAMPLE.COM, Server not found in Kerberos database
Jun 18 08:55:58 i386-5s-m1.lab.bos.redhat.com krb5kdc[30832](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.16.40.49: UNKNOWN_SERVER: authtime 1245329721,  imap/i386-5s-m1.lab.bos.redhat.com@EXAMPLE.COM for krbtgt/COM@EXAMPLE.COM, Server not found in Kerberos database
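Added note and example, not part of the bug report and not code from cyrus-sasl or cyrus-imapd; the hostnames, the realm and the KRB5_USER principal in it are assumptions. Two things in the description account for the two errors. saslauthd's kerberos5 mechanism only verifies a plaintext username/password handed to it through sasl_pwcheck_method, i.e. for PLAIN and LOGIN; with sasl_mech_list: GSSAPI the SASL GSSAPI plugin inside imapd accepts the security context itself from the keytab and never contacts saslauthd, and saslauthd obtains no ticket for anyone. The "No credentials cache found" message is logged by imtest, the client, which needs its own TGT (normally for a user principal) before it can ask the KDC for a service ticket. After kinit, the remaining failure is the hostname: imtest was run with no host and printed "assuming localhost", so the krb5kdc.log lines show it asking for imap/localhost.localdomain@EXAMPLE.COM, a principal that was never created, while the keytab holds imap/`hostname -f`. A practitioner caveat on step 3: chmod +r /etc/krb5.keytab exposes the service key to every local user; a keytab containing only the imap/ principal, owned and readable by the cyrus user, is the safer setup. The script below wraps those checks: it computes the principal the client will request and refuses localhost, checks the keytab mode, extracts the client/server pairs from UNKNOWN_SERVER lines in krb5kdc.log, and only runs kinit and imtest when RUN_GSSAPI_TEST=1 is set.

```shell
#!/bin/sh
# Added example, not code from the bug report. Hostnames, realm and the
# KRB5_USER principal are assumptions for illustration.

# Principal a GSSAPI client requests from the KDC when pointed at HOST.
# imtest assumes "localhost" when no host is given; the KDC then sees
# imap/localhost.localdomain@REALM, which no keytab entry was made for,
# so refuse that up front.
service_principal() {            # usage: service_principal SERVICE HOST REALM
    case $2 in
        ""|localhost|localhost.*|127.*) return 1 ;;
    esac
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Print "client server" for every request the KDC rejected with
# UNKNOWN_SERVER (krb5kdc.log on stdin). It shows which name the client
# actually asked for, the quickest way to spot a hostname mismatch.
unknown_servers() {
    sed -n 's/.*UNKNOWN_SERVER: authtime [0-9]*, *\([^ ]*\) for \([^,]*\),.*/\1 \2/p'
}

# A keytab readable by "other" lets any local user forge the service's
# identity. Succeeds only when the file has no permission bits for others.
keytab_is_private() {            # usage: keytab_is_private FILE
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# The live test is guarded so the functions above can be sourced or checked
# without touching a KDC. Run: RUN_GSSAPI_TEST=1 KRB5_USER=alice sh gssapi-check.sh
if [ "${RUN_GSSAPI_TEST:-0}" = 1 ]; then
    host=$(hostname -f)
    keytab=/etc/krb5.keytab
    princ=$(service_principal imap "$host" EXAMPLE.COM) \
        || { echo "refusing to test against '$host'; pass an FQDN" >&2; exit 1; }
    keytab_is_private "$keytab" \
        || echo "warning: $keytab is readable by other users" >&2
    # GSSAPI never consults saslauthd: the client must hold its own TGT.
    klist -s || kinit "${KRB5_USER:-alice}"
    echo "client will request a service ticket for $princ"
    imtest -m GSSAPI "$host"
    echo "requests the KDC rejected with UNKNOWN_SERVER:"
    unknown_servers < /var/log/krb5kdc.log
fi
```

With the description's own KDC line fed to unknown_servers the output is the pair imap/i386-5s-m1.lab.bos.redhat.com@EXAMPLE.COM (client) and imap/localhost.localdomain@EXAMPLE.COM (requested server), which makes the mismatch with the ktadd'ed principal visible at a glance.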
Comment 1 Jan F. Chadima 2011-05-24 11:18:38 EDT
Is the same issue with rhel6 also?
and with the last fedora?
Comment 2 Karel Volný 2011-06-28 15:01:46 EDT
(In reply to comment #1)
> Is the same issue with rhel6 also?

the error is different:

Jun 28 14:46:30 i386-6s-m1 imtest: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_0' not found)

> and with the last fedora?

hm, krb5kdc does not start ...
Comment 3 Jan F. Chadima 2011-06-28 15:15:00 EDT
can you supply your kerberos and sasl configurations?
Comment 5 David Spurek 2012-09-26 11:25:21 EDT
This problem still exists and I wrote the reproducer for this test (link to tcms is in external tracker).
Comment 6 Petr Lautrbach 2013-03-13 09:26:38 EDT
I am sorry, but it is now too late in the RHEL-5 release cycle.
RHEL-5.10 (the next RHEL-5 minor release) is going to be the first
production phase 2 [1] release of RHEL-5. Since phase 2 we'll be
addressing only security and critical issues.
