
Bug 506709

Summary: saslauthd does not create kerberos ticket for imap
Product: Red Hat Enterprise Linux 5
Reporter: Karel Volný <kvolny>
Component: cyrus-sasl
Assignee: Petr Lautrbach <plautrba>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium
Priority: low
Version: 5.3
CC: dspurek
Target Milestone: rc
Keywords: Reopened
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clones: 860737
Last Closed: 2013-03-13 13:26:38 UTC
Bug Blocks: 860737, 1036818

Description Karel Volný 2009-06-18 12:59:39 UTC
Description of problem:
When trying to test kerberos5 authentication with cyrus-imapd, I have found that the credentials cache doesn't get initialised.

Version-Release number of selected component (if applicable):
krb5-server-1.6.1-31.el5_3.3
cyrus-sasl-2.1.22-4
cyrus-imapd-2.3.7-2.el5_3.2

How reproducible:
always

Steps to Reproduce:
1. reset kerberos configuration
kdestroy
rm -f /var/kerberos/krb5kdc/*
rm -f /etc/krb5.keytab

2. create testing kerberos configuration
echo "[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 EXAMPLE.COM = {
  kdc = `hostname -f`:88
  admin_server = `hostname -f`:749
  default_domain = redhat.com
 }

[domain_realm]
 .redhat.com = EXAMPLE.COM
 redhat.com = EXAMPLE.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }" > /etc/krb5.conf
kdb5_util create -s EXAMPLE.COM
service krb5kdc start
service kadmin start
kadmin.local -q "ank -randkey imap/`hostname -f`"
kadmin.local -q "ktadd imap/`hostname -f`"

3. make the keytab readable
chmod +r /etc/krb5.keytab

4. set saslauthd to use kerberos
# cat /etc/sysconfig/saslauthd
# Directory in which to place saslauthd's listening socket, pid file, and so
# on.  This directory must already exist.
SOCKETDIR=/var/run/saslauthd

# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
MECH=kerberos5

# Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
# for the list of accepted flags.
FLAGS=

5. set mechanism to GSSAPI
# cat /etc/imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: GSSAPI
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt

6. (re)start the services
service saslauthd start
service cyrus-imapd start

7. imtest

8. see the log

Actual results:
.qa.[root@i386-5s-m1 tps]# imtest
WARNING: no hostname supplied, assuming localhost

S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=GSSAPI SASL-IR] i386-5s-m1.lab.bos.redhat.com Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-2.el5_3.2 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=GSSAPI SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
Authentication failed. generic failure
Security strength factor: 0
C: Q01 LOGOUT
Connection closed.
.qa.[root@i386-5s-m1 tps]# tail /var/log/messages
Jun 18 08:50:35 i386-5s-m1 imap[31219]: auxpropfunc error no mechanism available
Jun 18 08:50:35 i386-5s-m1 imap[31220]: auxpropfunc error invalid parameter supplied
Jun 18 08:50:35 i386-5s-m1 pop3[31221]: sql_select option missing
Jun 18 08:50:35 i386-5s-m1 imap[31219]: auxpropfunc error invalid parameter supplied
Jun 18 08:50:35 i386-5s-m1 pop3[31221]: auxpropfunc error no mechanism available
Jun 18 08:50:35 i386-5s-m1 pop3[31221]: auxpropfunc error invalid parameter supplied
Jun 18 08:50:38 i386-5s-m1 imap[31223]: sql_select option missing
Jun 18 08:50:38 i386-5s-m1 imap[31223]: auxpropfunc error no mechanism available
Jun 18 08:50:38 i386-5s-m1 imap[31223]: auxpropfunc error invalid parameter supplied
Jun 18 08:50:38 i386-5s-m1 imtest: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No credentials cache found)


Expected results:
the operation gets authenticated, no errors

Additional info:
after initialising the ticket manually:
kadmin.local -q "cpw -pw password imap/`hostname -f`"
kinit imap/`hostname -f`

the error message changes:
Jun 18 08:55:58 i386-5s-m1 imtest: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)

while the record is there:
.qa.[root@i386-5s-m1 tps]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: imap/i386-5s-m1.lab.bos.redhat.com

Valid starting     Expires            Service principal
06/18/09 08:55:21  06/19/09 08:55:21  krbtgt/EXAMPLE.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

and there are some messages in krb5kdc.log:
Jun 18 08:55:58 i386-5s-m1.lab.bos.redhat.com krb5kdc[30832](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.16.40.49: UNKNOWN_SERVER: authtime 1245329721,  imap/i386-5s-m1.lab.bos.redhat.com for imap/localhost.localdomain, Server not found in Kerberos database
Jun 18 08:55:58 i386-5s-m1.lab.bos.redhat.com krb5kdc[30832](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.16.40.49: UNKNOWN_SERVER: authtime 1245329721,  imap/i386-5s-m1.lab.bos.redhat.com for krbtgt/LOCALDOMAIN, Server not found in Kerberos database
Jun 18 08:55:58 i386-5s-m1.lab.bos.redhat.com krb5kdc[30832](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.16.40.49: UNKNOWN_SERVER: authtime 1245329721,  imap/i386-5s-m1.lab.bos.redhat.com for krbtgt/COM, Server not found in Kerberos database
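
As an added diagnostic example (not code from the bug report, from Red Hat or from the cyrus-sasl project): a small parser for krb5kdc.log request records like the three quoted above, which classifies each UNKNOWN_SERVER rejection by comparing the service principal the client asked for against the principals the server's keytab holds. The realm and the keytab list are assumptions taken from the report's krb5.conf and its `ktadd imap/\`hostname -f\`` step, the single ISSUE line is constructed, and the `kind` labels, hint strings and function names are this example's own.

```python
import re

REALM = "EXAMPLE.COM"  # assumed: default_realm from the report's krb5.conf

# Assumed keytab contents, based on the report's "ktadd imap/`hostname -f`" step.
KEYTAB_PRINCIPALS = ["imap/i386-5s-m1.lab.bos.redhat.com@EXAMPLE.COM"]

# Sample input: one constructed AS_REQ ISSUE line (the TGT the reporter obtained
# with kinit) followed by the three krb5kdc.log lines quoted in the report.
SAMPLE_KDC_LOG = """\
Jun 18 08:55:21 i386-5s-m1.lab.bos.redhat.com krb5kdc[30832](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.16.40.49: ISSUE: authtime 1245329721, etypes {rep=18 tkt=18 ses=18}, imap/i386-5s-m1.lab.bos.redhat.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jun 18 08:55:58 i386-5s-m1.lab.bos.redhat.com krb5kdc[30832](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.16.40.49: UNKNOWN_SERVER: authtime 1245329721,  imap/i386-5s-m1.lab.bos.redhat.com for imap/localhost.localdomain, Server not found in Kerberos database
Jun 18 08:55:58 i386-5s-m1.lab.bos.redhat.com krb5kdc[30832](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.16.40.49: UNKNOWN_SERVER: authtime 1245329721,  imap/i386-5s-m1.lab.bos.redhat.com for krbtgt/LOCALDOMAIN, Server not found in Kerberos database
Jun 18 08:55:58 i386-5s-m1.lab.bos.redhat.com krb5kdc[30832](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.16.40.49: UNKNOWN_SERVER: authtime 1245329721,  imap/i386-5s-m1.lab.bos.redhat.com for krbtgt/COM, Server not found in Kerberos database
"""

# One krb5kdc request record: request type, client address, KDC verdict,
# optional reply etypes (ISSUE lines only), client principal, requested
# service principal, and an optional free-text reason after the last comma.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \([^)]*\) "
    r"(?P<ip>[0-9a-fA-F.:]+): (?P<status>[A-Z_]+): authtime \d+,\s+"
    r"(?:etypes \{[^}]*\},\s+)?(?P<client>\S+) for (?P<service>[^,]+)"
    r"(?:, (?P<detail>.*))?$"
)


def parse_kdc_log(text):
    """Return one dict per request record; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def unknown_server_requests(events):
    """(client, requested service) pairs the KDC rejected with UNKNOWN_SERVER."""
    return [(e["client"], e["service"]) for e in events if e["status"] == "UNKNOWN_SERVER"]


def strip_realm(principal):
    return principal.split("@", 1)[0]


def diagnose(events, keytab_principals, realm):
    """Classify each UNKNOWN_SERVER rejection. Returns (kind, client, requested, hint)."""
    keytab = {strip_realm(p) for p in keytab_principals}
    findings = []
    for client, requested in unknown_server_requests(events):
        requested = strip_realm(requested)
        service, _, host = requested.partition("/")
        if service == "krbtgt":
            if host == realm:
                kind = "kdc_database"
                hint = "the KDC cannot find its own TGS principal; check the realm database"
            else:
                # The client walked the target hostname's domain components looking
                # for a realm to be referred to, because no [domain_realm] entry
                # covered that hostname.
                kind = "realm_lookup"
                hint = f"client looked for a realm named {host!r}; add a [domain_realm] mapping for the target host"
        elif requested in keytab:
            kind = "kdc_missing_principal"
            hint = "the keytab holds the principal but the KDC database does not; re-create it with kadmin"
        else:
            same_service = sorted(p for p in keytab if p.partition("/")[0] == service)
            if same_service:
                kind = "host_mismatch"
                hint = (f"client asked for host {host!r} but the keytab holds {same_service}; "
                        "check the hostname given to the client and how it canonicalizes")
            else:
                kind = "no_keytab_entry"
                hint = f"no {service}/ principal in the keytab; ktadd one for the server's canonical hostname"
        findings.append((kind, strip_realm(client), requested, hint))
    return findings


if __name__ == "__main__":
    for kind, client, requested, hint in diagnose(parse_kdc_log(SAMPLE_KDC_LOG), KEYTAB_PRINCIPALS, REALM):
        print(f"{kind:22} {client} -> {requested}: {hint}")
```

Run over the report's own lines, the first rejection comes out as a host mismatch (the client asked for `imap/localhost.localdomain`, which is what imtest's "assuming localhost" warning implies, while the keytab was created for `imap/<fqdn>`), and the two `krbtgt/` rejections as realm lookups for domains no `[domain_realm]` entry covers. Separately, step 3 of the reproducer makes /etc/krb5.keytab world-readable; the keytab holds the service's long-term key, so on anything other than a throwaway test box it should be readable only by the account the IMAP service runs as.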

Comment 1 Jan F. Chadima 2011-05-24 15:18:38 UTC
Is the same issue with rhel6 also?
and with the last fedora?

Comment 2 Karel Volný 2011-06-28 19:01:46 UTC
(In reply to comment #1)
> Is the same issue with rhel6 also?

the error is different:

Jun 28 14:46:30 i386-6s-m1 imtest: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_0' not found)

> and with the last fedora?

hm, krb5kdc does not start ...

Comment 3 Jan F. Chadima 2011-06-28 19:15:00 UTC
can you supply your kerberos and sasl configurations?

Comment 5 David Spurek 2012-09-26 15:25:21 UTC
This problem still exists and I wrote the reproducer for this test (link to tcms is in external tracker).

Comment 6 Petr Lautrbach 2013-03-13 13:26:38 UTC
I am sorry, but it is now too late in the RHEL-5 release cycle.
RHEL-5.10 (the next RHEL-5 minor release) is going to be the first
production phase 2 [1] release of RHEL-5. Since phase 2 we'll be
addressing only security and critical issues.