Re: [exim] exim-4.92: GSSAPI authenticator doesn't work

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] exim-4.92: GSSAPI authenticator doesn't work
On Thu, Jun 20, 2019 at 04:05:52PM +0200, Frank Richter via Exim-users wrote:

> 4.91:
> …
> 17651 Initialised Cyrus SASL server connection; service="smtp"
> fqdn="servername.tu-chemnitz.de" realm="NULL"


What user is exim 4.91 running as when reading the keytab file?
And which keytab file has the keys for "smtp/servername.tu-chemnitz.de"?
What are the permissions on that file?

> 17651 Calling sasl_server_start(GSSAPI,"YIICeAYJKo…")


> 4.92:
> …
> 17950 Initialised Cyrus SASL server connection; service="smtp"
> fqdn="servername.tu-chemnitz.de" realm="NULL"


Same questions. Are both tests on the same host? With the same
krb5.conf and keytab files? You'll probably want to "strace" the
Exim process to see which files it is trying to open when doing SASL
GSSAPI init. Is Exim 4.92 linked directly (ldd) against some
Kerberos library, perhaps one that is different from the one
used by the SASL GSSAPI module?

> Still got no enlightenment … no other log entries found, nothing on Kerberos
> server …


GSS acceptors don't communicate with the KDC, only GSS clients talk
to the KDC, the servers just consume tokens supplied by clients and
their own keytab file.

-- 
    Viktor.
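
The "ldd" comparison asked about above can be scripted. The following is an added example, not part of the original message or of Exim: it lists Kerberos/GSS libraries that the Exim binary links directly but that the Cyrus SASL GSSAPI plugin (libgssapiv2.so) does not use. The function names, file names and the sample ldd output are constructed for illustration, and the binary paths in the comments are assumptions to adjust per host.

```shell
#!/bin/sh
# On a real host, capture the input first (paths are assumptions):
#   ldd /usr/sbin/exim                 > exim.ldd
#   ldd /usr/lib/sasl2/libgssapiv2.so  > plugin.ldd

# krb_libs: read ldd output on stdin and print the resolved paths of
# Kerberos/GSS-API libraries, sorted and de-duplicated.
krb_libs() {
    awk '$1 ~ /^lib(gssapi|krb5|k5crypto)/ && $2 == "=>" && $3 ~ /^\// { print $3 }' | sort -u
}

# krb_conflict EXIM_LDD PLUGIN_LDD: print every Kerberos library the first
# dump resolves that the second does not. Empty output means Exim links no
# Kerberos library directly, or links the same ones as the plugin.
krb_conflict() {
    plugin=$(krb_libs < "$2")
    krb_libs < "$1" | while read -r lib; do
        printf '%s\n' "$plugin" | grep -Fxq -- "$lib" || echo "$lib"
    done
}

# Constructed sample ldd output (not taken from the thread).
sample_dir=$(mktemp -d)
cat > "$sample_dir/exim.ldd" <<'EOF'
    linux-vdso.so.1 (0x00007ffd3a5f2000)
    libsasl2.so.3 => /usr/lib64/libsasl2.so.3 (0x00007f1c2a400000)
    libgssapi.so.3 => /opt/heimdal/lib/libgssapi.so.3 (0x00007f1c2a100000)
    libkrb5.so.26 => /opt/heimdal/lib/libkrb5.so.26 (0x00007f1c29e00000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1c29a00000)
EOF
cat > "$sample_dir/plugin.ldd" <<'EOF'
    libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00007f8e11200000)
    libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00007f8e10f00000)
    libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00007f8e10c00000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f8e10800000)
EOF

conflicts=$(krb_conflict "$sample_dir/exim.ldd" "$sample_dir/plugin.ldd")
if [ -n "$conflicts" ]; then
    echo "Exim links Kerberos libraries the SASL GSSAPI plugin does not use:"
    echo "$conflicts"
else
    echo "No conflicting Kerberos libraries found"
fi
```

Two different Kerberos implementations loaded into one process can disagree on the default keytab and krb5.conf locations, which is what the strace of file opens would then show.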