[exim-dev] [Bug 1498] AUTH GSSAPI does not work with cross-r…

Author: Phil Pennock
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1498] AUTH GSSAPI does not work with cross-realm
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1498
--- Comment #3 from Phil Pennock <pdp@???> 2014-07-01 22:50:31 ---
Okay, the KRB5_KTNAME problem is a deficiency in the APIs; neither the SASL nor
the GSSAPI specifications provide a way to specify the location of the server
keytab.

We documented this environment variable for Exim in the preamble for the
cyrus_sasl authenticator chapter of the docs. It used to work reliably. I
wrote the heimdal_gssapi authenticator after Heimdal stopped honouring that
environment variable in setuid programs, even when the original caller was
root, and that is the one potentially non-portable call used in the library
which makes it Heimdal specific -- the environment variable hack to bypass the
deficient APIs is convenient but, like all hacks, not guaranteed. I feel your
pain though -- I'm the one who found the environment variable path, which led
to it being documented.

When using cyrus-sasl, Exim's code is not handling anything to do with talking
to the KDC -- that's all part of the service provided by the authentication
library.

I cannot find any documentation on anything specific which needs to be done,
per-app, to support multiple realms; the debug traces you provide show that
Exim is passing the auth data to cyrus-sasl, which is just erroring out
immediately, as a permanent error; according to the header file <sasl/sasl.h>
the numeric error -13 is "SASL_BADAUTH" -- so the library is telling Exim
outright that authentication has failed. If this were something wrong with
cross-realm trust setup, I'd optimistically expect SASL_NOAUTHZ telling us that
the user can't be authorized, not that authentication itself failed.

The first other avenue I know of to investigate is that we initialise Cyrus
SASL with an application name of "exim", so a file named "exim.conf" in the
sasl2 library directory should be picked up by Cyrus and parsed; my
recollection is that setting "keytab" in that did not work for me, using Cyrus
SASL with Heimdal, so I've not explored that much.

The other option is that the SASL library is expecting to be able to call the
"sasl_authorize_t" callback to handle cross-realm trust issues (very unclear if
this is so), and because Exim does not register a callback for that,
authorization fails and Cyrus is doing something horrendously funky to turn
that into an authentication failure.

Investigation and patches very welcome.


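As an added illustration (not Exim's or Cyrus SASL's own code) of the decision a sasl_authorize_t callback registered under SASL_CB_PROXY_POLICY would have to make in the cross-realm case discussed above: the requested authorization identity must name the same user as the authenticated principal, and a principal from a foreign realm is only accepted when that realm is explicitly trusted. The realm names and the trusted-realm list are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Foreign realms whose "user@REALM" may act as "user" in the local realm
 * (constructed sample list; a real deployment would load this from config). */
static const char *TRUSTED_REALMS[] = { "OTHER.ORG", NULL };

/* Split "user@REALM" into user and realm. An identity without a realm is
 * taken to be in def_realm, which is what SASL passes the callback. */
static void split_principal(const char *id, const char *def_realm,
                            char *user, size_t ulen, const char **realm)
{
    const char *at = strrchr(id, '@');
    size_t n = at ? (size_t)(at - id) : strlen(id);
    if (n >= ulen) n = ulen - 1;          /* truncate over-long names safely */
    memcpy(user, id, n);
    user[n] = '\0';
    *realm = at ? at + 1 : def_realm;
}

/* Returns 1 if the authenticated identity auth_id may act as requested_id,
 * 0 otherwise (a real callback would map this to SASL_OK / SASL_NOAUTHZ). */
int authorize_identity(const char *auth_id, const char *requested_id,
                       const char *def_realm, const char **trusted_realms)
{
    char auser[256], ruser[256];
    const char *arealm, *rrealm;

    split_principal(auth_id, def_realm, auser, sizeof auser, &arealm);
    split_principal(requested_id, def_realm, ruser, sizeof ruser, &rrealm);

    if (strcmp(auser, ruser) != 0)
        return 0;                         /* never a different user name */
    if (strcmp(arealm, rrealm) == 0)
        return 1;                         /* same principal: default policy */
    if (strcmp(rrealm, def_realm) != 0)
        return 0;                         /* only map into the local realm */
    for (; trusted_realms && *trusted_realms; trusted_realms++)
        if (strcmp(arealm, *trusted_realms) == 0)
            return 1;                     /* explicitly trusted foreign realm */
    return 0;                             /* unknown realm: refuse */
}

int main(void)
{
    const char *cases[][2] = { { "alice@EXAMPLE.COM", "alice" },
                               { "alice@OTHER.ORG",   "alice" },
                               { "alice@EVIL.NET",    "alice" } };
    for (size_t i = 0; i < 3; i++)
        printf("%s -> %s: %s\n", cases[i][0], cases[i][1],
               authorize_identity(cases[i][0], cases[i][1],
                                  "EXAMPLE.COM", TRUSTED_REALMS) ? "allow" : "deny");
    return 0;
}
```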