Author Topic: Kerberos authentication and GSSAPI  (Read 5791 times)

Offline Curious George

Kerberos authentication and GSSAPI
« on: October 11, 2016, 03:24:41 PM »
I am new to Kerberos authentication so I have been poking things to see how they react.

I have a local test network of VMs with cyrus imap, postgres and a webserver running roundcube 1.2.  I can log into roundcube and authenticate through the imap server.

I then point roundcube to an already established IMAP server on another test network that uses Kerberos authentication.  I have the krb5 extension installed.

When I try to authenticate with imap_auth_type='LOGIN' it fails as expected as LOGIN is turned off on the IMAP server.  Twitch achieved.

If I set imap_auth_type as the default null I get complaints about gssapi_cn and gssapi_context not set.  Looking at the php code I am not sure if these config items are something I am supposed to set somewhere and, if so, what format. Googled around and there is not much there.

Any suggestions?

Offline alec

Re: Kerberos authentication and GSSAPI
« Reply #1 on: October 12, 2016, 02:18:25 AM »
You need the krb_authentication plugin.

Offline Curious George

Re: Kerberos authentication and GSSAPI
« Reply #2 on: October 26, 2016, 03:18:06 PM »

So I authenticate with Kerberos and get past the roundcube login screen to the main screen.  Any commands past login such as getting that INBOX fail.
Looking at the logs on the IMAP server I see something like "encoded packet size too big 1093677104 > 4096"
Looking in the SASL code it looks like it is expecting the first 4 bytes to be the length of the command so it looks like maybe roundcube is not sending a correct command? Looking in cube_imap_generic.php it looks like the authentication stuff is getting wrapped and encoded but the stuff in execute() is not.  Maybe this is an issue?  Hopefully there is a simple one character magic answer :)

Using Cyrus SASL 2.1.25 and roundcube 1.2.1.  Running roundcube on CentOS7 and using Safari from Mac OS X. I can use Cyrus imtest and can authenticate and fiddle with the mailboxes just fine.
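
Added example (not part of the original thread, and not Roundcube or Cyrus SASL code): a minimal reader for SASL security-layer framing as RFC 4422 describes it, showing that the length in the quoted log line, 1093677104, is what a receiver gets when it reads the ASCII bytes "A000" as a 4-octet length. The command tag "A0001", the sample command and the placeholder protected buffer are constructed assumptions.

```python
import struct

MAX_BUF = 4096  # limit shown in the server log line quoted in the thread


class FrameError(ValueError):
    """Raised when a stream does not parse as length-prefixed buffers."""


def length_as_bytes(n: int) -> bytes:
    """Return the 4 octets a receiver must have read to obtain length n."""
    return struct.pack("!I", n)


def frame(protected: bytes) -> bytes:
    """Prefix an already-protected buffer with its 4-octet length."""
    return struct.pack("!I", len(protected)) + protected


def read_frames(stream: bytes, max_buf: int = MAX_BUF) -> list[bytes]:
    """Split a stream into security-layer buffers: each one is preceded by
    its length as 4 octets in network byte order (RFC 4422)."""
    frames, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 4:
            raise FrameError("truncated length prefix")
        (size,) = struct.unpack_from("!I", stream, pos)
        if size > max_buf:
            raise FrameError(f"encoded packet size too big {size} > {max_buf}")
        pos += 4
        if len(stream) - pos < size:
            raise FrameError("truncated buffer")
        frames.append(stream[pos:pos + size])
        pos += size
    return frames


# Constructed inputs. The tag format "A0001" is an assumption, and PROTECTED
# stands in for the output of the mechanism's wrap call (gss_wrap for GSSAPI),
# which is not reproduced here.
PLAINTEXT_CMD = b"A0001 SELECT INBOX\r\n"
PROTECTED = b"\x00" * 60

if __name__ == "__main__":
    print(length_as_bytes(1093677104))   # the bytes behind the logged length
    try:
        read_frames(PLAINTEXT_CMD)       # unwrapped command sent after auth
    except FrameError as exc:
        print(exc)
    print(len(read_frames(frame(PROTECTED))[0]))  # framed buffer parses
```

A server that negotiated a security layer rejects the plaintext command with the same message as in the log, while the length-prefixed buffer is accepted.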