Problem with testsaslauthd and kerberos5 ("saslauthd internal error")

by danorton   Last Updated August 01, 2020 14:00 PM

The error message “saslauthd internal error” seems like a catch-all for saslauthd, so I’m not sure if it’s a red herring, but here’s the brief description of my problem:

This Kerberos command works fine:

$ echo getprivs | kadmin -p username -w password
Authenticating as principal username with password.
kadmin:  getprivs
current privileges: GET ADD MODIFY DELETE

But this SASL test command fails:

$ testsaslauthd -u username -p password
0: NO "authentication failed"

saslauthd works fine with "-a sasldb", but the above is with "-a kerberos5".

This is the most detail I seem to be able to get from saslauthd:

saslauthd[]: auth_krb5: krb5_get_init_creds_password: -1765328353
saslauthd[]: do_auth : auth failure: [user=username] [service=imap]
                 [realm=] [mech=kerberos5] [reason=saslauthd internal error]

Kerberos seems happy:

krb5kdc[](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1:
                 ISSUE: authtime 1298779891, etypes {rep=18 tkt=18 ses=18},
                 username at REALM for krbtgt/DOMAIN at REALM

I’m running Ubuntu 10.04 (lucid) with the latest updates, namely:

  • Kerberos 5 release 1.8.1
  • saslauthd 2.1.23

Thanks for any clues.



Answers 2


Try:

  • specifying [email protected]
  • obtaining TGT with kinit: Kerberos should work without supplying passwords anywhere else.
yrk
January 17, 2012 22:23 PM

auth_krb5: krb5_get_init_creds_password: -1765328353

This is the only useful bit. You do have the error code; the tricky part is turning that error into a useful message. Some Google-fu yields:

https://andromeda.rutgers.edu/~sysmail/krb5_error.html (which has since gone offline, but is available on the Internet Archive)

Decrypt Integrity check failed.

Anybody can get a tgt from the kdc, but not everybody can decrypt it to make it useful. It really looks like you don't have the right password.

http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html#badpass (→ Internet Archive)

Do you have a keytab for saslauthd to validate logins?

Fred the Magic Wonder Dog
October 23, 2013 00:11 AM
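
Added example, not part of either answer and not code from saslauthd or MIT Kerberos: the number in the auth_krb5 log line is a com_err code, which packs a four-character table name and an offset into one signed 32-bit integer, so it can be decoded offline without a lookup page. The function names and the short offset table (a hand-picked subset of RFC 4120 error numbers) are assumptions made for this illustration.

```python
import re

# Character set com_err uses to pack a table name, 6 bits per character.
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

# Hand-picked subset of RFC 4120 error numbers (offsets in the "krb5" table).
KRB5_OFFSETS = {
    6: "client not found in Kerberos database",
    24: "preauthentication failed",
    31: "decrypt integrity check failed",
    32: "ticket expired",
    37: "clock skew too great",
}

def table_base(name):
    """Pack a table name (at most 4 chars) into its signed 32-bit base code."""
    num = 0
    for ch in name[:4]:
        num = (num << 6) + CHARSET.index(ch) + 1
    num = (num << 8) & 0xFFFFFFFF          # low 8 bits hold the offset
    return num - (1 << 32) if num & 0x80000000 else num

def decode(code):
    """Split a com_err code into (table name, offset within that table)."""
    u = code & 0xFFFFFFFF                   # view the signed value as unsigned
    offset, packed = u & 0xFF, u >> 8
    name = ""
    for shift in (18, 12, 6, 0):            # four 6-bit characters, high first
        idx = (packed >> shift) & 0x3F
        if idx:
            name += CHARSET[idx - 1]
    return name, offset

def explain(log_line):
    """Extract the numeric code from an auth_krb5 log line and describe it."""
    m = re.search(r"auth_krb5: \w+: (-?\d+)", log_line)
    if not m:
        return None
    table, offset = decode(int(m.group(1)))
    if table != "krb5":
        return f"{table}+{offset}: not a krb5 table code"
    return f"{table}+{offset}: {KRB5_OFFSETS.get(offset, 'offset not in subset')}"

if __name__ == "__main__":
    # Log line as quoted in the question above.
    print(explain("saslauthd[]: auth_krb5: krb5_get_init_creds_password: -1765328353"))
```

Offset 31 in the krb5 table is the same "decrypt integrity check failed" result the second answer found by searching.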
