Description of problem:
While using GSSAPI mechanism, the server_start() method ALWAYS fails when cyrus-sasl uses GSSAPI with krb5-workstation v1.6.1 36.el5_5.6. Installing krb5-workstation v1.8.2 3.7 (RHEL 6 version) solves the problem. The problem is in the linkage between libgssapi of cyrus-sasl and libgssapi of krb5. This problem doesn't exist on RHEL 4 nor RHEL 6, RHEL 5 is the only version impacted.

Version-Release number of selected component (if applicable):
cyrus-sasl 2.1.22 5.el5_4.3 (both i386 and x86_64)
krb5-workstation 1.6.1 36.el5_5.6

How reproducible:
Just use the sasl2-sample-client and sasl2-sample-server to discover the bug: no GSSAPI authentication is possible on a sasl2-sample-server running under RHEL 5.

Steps to Reproduce:
1. Install a Kerberos keytab for principal host/test.redhat.com for instance, and create a client principal test.
2. On server, launch "sasl2-sample-server -p 12345 -s host"
3. On client, identify yourself to Kerberos server with kinit test
4. On client, launch "sasl2-sample-client -p 12345 -s host -m GSSAPI test.redhat.com"
5. Enter "test" when client requests an authorization id.

Actual results:
Authentication failed. No GSSAPI authentication is possible with this version of krb5-workstation.

Expected results:
Successful Authentication.

Additional info:
This bug will also be submitted under cyrus-sasl software.

Cheers
R.
This is the same as bug #498554, which is fixed in 5.6. I expect that setting an explicit mapping from the server's host name to its realm in the [domain_realm] section of the server's /etc/krb5.conf would work around it.
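Added example, not part of the original bug comments: a small check for whether a server's krb5.conf carries the explicit [domain_realm] mapping suggested above. The host name test.redhat.com comes from the report; the realm EXAMPLE.COM, the sample configs and the function names are constructed for illustration, and the lookup order (host name, then each parent domain with and without a leading dot) is the order MIT krb5 is assumed to use here.

```python
import re

# Constructed sample configs; EXAMPLE.COM is a placeholder realm, not from the report.
BEFORE = """
[libdefaults]
    default_realm = EXAMPLE.COM
"""
AFTER = BEFORE + """
[domain_realm]
    test.redhat.com = EXAMPLE.COM
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] relations of a krb5.conf as {name: realm}."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping.setdefault(key.lower(), value)   # first relation wins
    return mapping

def realm_for_host(hostname, mapping):
    """Return (matching key, realm) for hostname, or None if nothing maps it."""
    candidate = hostname.lower().rstrip(".")
    while candidate:
        if candidate in mapping:
            return candidate, mapping[candidate]
        if candidate.startswith("."):
            candidate = candidate[1:]                # ".redhat.com" -> "redhat.com"
        else:
            dot = candidate.find(".")                # "test.redhat.com" -> ".redhat.com"
            candidate = candidate[dot:] if dot != -1 else ""
    return None

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        hit = realm_for_host("test.redhat.com", parse_domain_realm(conf))
        print(label, "->", hit or "no explicit mapping; realm must be guessed")
```

Pointing `parse_domain_realm` at the contents of the server's /etc/krb5.conf shows which entry, if any, decides the realm for the host name used in the service principal.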
You were right... just adding this section fixes the problem. In Heimdal Kerberos, the default_realm is used when Kerberos libraries don't know which REALM they should use, I guessed MIT had the same behavior. Thanks a lot :)

Cheers
R.
No worries. Closing with resolution ERRATA.