Problem with 2003 KRB and MIT KRB integration with Mozilla Thunderbird on a multiple realm scenario



Hi all,

I'm trying to log in on cyrus imap running on a Linux box, using SSPI 
from a Windows XP Pro workstation logged on a Windows 2003 DC using a 
principal from MIT Kerberos.

So far, I've managed to:
    - Set up the trust between the Windows 2003 KRB and MIT KRB
    - Log on Windows 2003 DC using my MIT Kerberos.

My Windows 2003 DC domain: CORP.MTI.COM.BR.
My MIT KDC server has multiple REALMS, where the default is MTI.COM.BR 
(an internal domain of my company).
I'm testing using a principal tquadra@xxxxxxxxxxxxxxxxx on a MIT REALM.

1st test - Good: From a Linux box,
        using kinit to authenticate with tquadra@xxxxxxxxxxxxxxxxx
        and imtest to log on Cyrus IMAP, I can login with GSSAPI.

2nd test - Good: From a Windows XP Pro SP2 workstation,
        using MIT Kerberos client to authenticate with tquadra@xxxxxxxxxxxxxxxxx
        and Mozilla Thunderbird to log on Cyrus IMAP, I can login with GSSAPI.

3rd test - Bad: From a Windows XP Pro SP2 workstation,
        using the credentials got from Windows logon
        and Mozilla Thunderbird to log on Cyrus IMAP, I cannot login with GSSAPI.

On the 1st and 2nd tests I got a TGS ticket imap/cyrusimap.mti.com.br@xxxxxxxxxx.
On the 3rd test I got a TGS ticket imap/cyrusimap.mti.com.br@xxxxxxxxxxxxxxxxx.

My cyrusimap syslog shows the following error message:
Jan 31 15:46:30 cyrusimap imap[/PID/]: GSSAPI Error: Miscellaneous 
failure (Wrong principal in request)
Jan 31 15:46:30 cyrusimap imap[/PID/]: badlogin: [/IP/] GSSAPI 
[SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context]

I have both imap/cyrusimap.mti.com.br@xxxxxxxxxx AND 
imap/cyrusimap.mti.com.br@xxxxxxxxxxxxxxxxx
on my /etc/krb5.keytab.

I have krbtgt principals for trust between MTI.COM.BR and LABEXAMPLE.COM.BR.

Any suggestions?

Best regards,
Tiago Quadra.

Server with MIT Kerberos, host mitkdc.mti.com.br:
/etc/krb5.conf
[libdefaults]
    default_realm = MTI.COM.BR

 CORP.MTI.COM.BR = {
  kdc = winkdc.mti.com.br:88
  admin_server = winkdc.mti.com.br:749
  kpasswd_server = winkdc.mti.com.br:464
  default_domain = corp.mti.com.br
 }

 MTI.COM.BR = {
  kdc = mitkdc.mti.com.br:88
  admin_server = mitkdc.mti.com.br:900
  kpasswd_server = mitkdc.mti.com.br:464
  default_domain = mti.com.br
 }

 LABEXAMPLE.COM.BR = {
  kdc = mitkdc.mti.com.br:88
  admin_server = mitkdc.mti.com.br:901
  kpasswd_server = mitkdc.mti.com.br:465
  default_domain = labexample.com.br
 }


Server with Cyrus IMAP, host cyrusimap.mti.com.br:
/etc/krb5.conf
[libdefaults]
    default_realm = MTI.COM.BR

 CORP.MTI.COM.BR = {
  kdc = winkdc.mti.com.br:88
  admin_server = winkdc.mti.com.br:749
  kpasswd_server = winkdc.mti.com.br:464
  default_domain = corp.mti.com.br
 }

 MTI.COM.BR = {
  kdc = mitkdc.mti.com.br:88
  admin_server = mitkdc.mti.com.br:900
  kpasswd_server = mitkdc.mti.com.br:464
  default_domain = mti.com.br
 }

 LABEXAMPLE.COM.BR = {
  kdc = mitkdc.mti.com.br:88
  admin_server = mitkdc.mti.com.br:901
  kpasswd_server = mitkdc.mti.com.br:465
  default_domain = labexample.com.br
 }

root@cyrusimap:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tquadra@xxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
01/31/06 17:44:24  02/01/06 03:44:24  krbtgt/LABEXAMPLE.COM.BR@xxxxxxxxxxxxxxxxx
        renew until 02/01/06 17:44:24


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
root@cyrusimap:~#

root@cyrusimap:~# imtest cyrusimap
S: * OK srv05 Cyrus IMAP4 v2.2.10 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND 
BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE 
STARTTLS AUTH=GSSAPI SASL-IR
S: C01 OK Completed
C: A01 AUTHENTICATE GSSAPI ...
S: + ...
C:
S: + ...
C: ...
S: A01 OK Success (privacy protection)
Authenticated.
Security strength factor: 56

root@cyrusimap:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tquadra@LABEXAMPLE.COM.BR

Valid starting     Expires            Service principal
01/31/06 17:44:24  02/01/06 03:44:24  krbtgt/LABEXAMPLE.COM.BR@LABEXAMPLE.COM.BR
        renew until 02/01/06 17:44:24
01/31/06 17:44:36  02/01/06 03:44:24  krbtgt/MTI.COM.BR@LABEXAMPLE.COM.BR
        renew until 02/01/06 17:44:24
01/31/06 17:44:36  02/01/06 03:44:24  imap/cyrusimap.mti.com.br@xxxxxxxxxx
        renew until 02/01/06 17:44:24

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Tickets from SSPI on my Windows XP Pro SP2 workstation

-- 
Tiago Quadra
Informática - Grupo Multiplan/Renasce
com.: +55 21 3433-5258
cel.: +55 21 7824-7461
fax.: +55 21 3150-2650
rad.: +55 21 55*439303*20 (nextel)



This message, including its attachments, may contain privileged and/or confidential information and may not be forwarded without the sender's authorization.

Therefore, if you received this message in error, please inform us by replying immediately to this e-mail and then delete it.

The companies of GRUPO MULTIPLAN are not responsible for conclusions, opinions, or other information in this message that are not related to their line of business.

________________________________________________
Kerberos mailing list           Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
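A check for the situation described in this thread, added here as an example and not part of Tiago's post or of any project's code: given a client-side krb5.conf and a listing of the IMAP server's keytab, it works out which realm the client will put in the imap/cyrusimap.mti.com.br service principal and whether the keytab, and the name the acceptor uses, agree with it. The krb5.conf texts and the klist -k listing are constructed for the example, the [realms] and [domain_realm] sections are assumed (the configs quoted above show no [realms] header), DNS-based realm lookup is not modelled, and the check assumes the acceptor accepts only service/host@its own default realm, which is one way to end up with the "Wrong principal in request" error the syslog shows. The mapping rule implemented is the general MIT one: a ".domain" entry covers the domain and its subdomains, a plain "host" entry matches exactly, the longest match wins, and with no match the client falls back to default_realm.

```python
"""Which realm will a client name in the IMAP service principal, and does the
server's keytab hold that key?  Added example, not code from the original post.
All krb5.conf texts and the keytab listing below are constructed."""
import re
from collections import defaultdict


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}}.  'NAME = { ... }'
    blocks inside a section (realm blocks) become nested dicts keyed by NAME."""
    sections = defaultdict(dict)
    current = block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current, block = m.group(1), None
            continue
        if current is None:
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            block = m.group(1)
            sections[current][block] = {}
            continue
        if line == "}":
            block = None
            continue
        if "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            target = sections[current][block] if block else sections[current]
            target[key] = value
    return sections


def realm_for_host(conf, hostname):
    """Realm the client puts in service/hostname@REALM, per [domain_realm]:
    '.domain' matches domain and subdomains, 'host' matches exactly, longest
    match wins, otherwise default_realm (DNS realm lookup ignored)."""
    host = hostname.lower().rstrip(".")
    best_realm, best_len = None, -1
    for pattern, realm in conf.get("domain_realm", {}).items():
        p = pattern.lower()
        if p.startswith("."):
            matched = host == p[1:] or host.endswith(p)
        else:
            matched = host == p
        if matched and len(p) > best_len:
            best_realm, best_len = realm, len(p)
    return best_realm or conf["libdefaults"]["default_realm"]


def parse_keytab_listing(text):
    """Principals from 'klist -k' style output: '<kvno> <principal>' lines."""
    principals = set()
    for line in text.splitlines():
        m = re.match(r"^\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals


def check_service_ticket(conf_text, service, hostname, keytab_text, acceptor_realm):
    """Compare the principal the client will request with the keytab contents
    and with the name the acceptor uses (assumed: service/host@acceptor_realm)."""
    conf = parse_krb5_conf(conf_text)
    requested = f"{service}/{hostname}@{realm_for_host(conf, hostname)}"
    expected = f"{service}/{hostname}@{acceptor_realm}"
    return {"requested": requested,
            "in_keytab": requested in parse_keytab_listing(keytab_text),
            "matches_acceptor": requested == expected}


# Constructed: a client whose default realm is the Windows domain and which
# has no [domain_realm] entry for the IMAP host.
CLIENT_CONF_NO_MAPPING = """
[libdefaults]
    default_realm = CORP.MTI.COM.BR
[realms]
 CORP.MTI.COM.BR = {
  kdc = winkdc.mti.com.br:88
 }
 MTI.COM.BR = {
  kdc = mitkdc.mti.com.br:88
 }
"""

# Constructed: the same client with an explicit host-to-realm mapping.
CLIENT_CONF_WITH_MAPPING = CLIENT_CONF_NO_MAPPING + """
[domain_realm]
    .corp.mti.com.br = CORP.MTI.COM.BR
    .mti.com.br = MTI.COM.BR
"""

# Constructed 'klist -k' listing for the IMAP server's /etc/krb5.keytab.
KEYTAB_LISTING = """
KVNO Principal
---- ----------------------------------------------------------
   3 imap/cyrusimap.mti.com.br@MTI.COM.BR
   3 imap/cyrusimap.mti.com.br@LABEXAMPLE.COM.BR
"""


def run_checks():
    host = "cyrusimap.mti.com.br"
    return {
        "no_mapping": check_service_ticket(CLIENT_CONF_NO_MAPPING, "imap", host,
                                           KEYTAB_LISTING, "MTI.COM.BR"),
        "with_mapping": check_service_ticket(CLIENT_CONF_WITH_MAPPING, "imap", host,
                                             KEYTAB_LISTING, "MTI.COM.BR"),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

Run as a script it prints both cases: without a mapping the client asks for imap/cyrusimap.mti.com.br@CORP.MTI.COM.BR, which is neither in the keytab nor the name the acceptor expects; with the ".mti.com.br" entry it asks for the MTI.COM.BR principal and both checks pass. A Windows SSPI client does not read krb5.conf; the equivalent host-to-realm mapping there is set with ksetup /addhosttorealmmap.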
