SASL error Decrypt integrity check failed with sample-server test for GSSAPI

Robert Fitzpatrick robert at webtent.com
Tue Jul 27 08:44:52 PDT 2004


Trying to get SASL to work with Heimdal 0.6 on FreeBSD 5.2.1. When doing
the sample-server test, it finds my ticket OK and presents a response
that the sample-client accepts and gives its response. The problem is
when sending that client response back to the server, this is what
happens:

esmtp# ./sample-server -s imap -p ../plugins/.libs
Generating client mechanism list...
Sending list of 8 mechanism(s)
S: <server response>
Waiting for client mechanism...
C: <client response from below>
got 'GSSAPI'
lt-sample-server: SASL Other: GSSAPI Error:  Miscellaneous failure (see text) (Decrypt integrity check failed)
lt-sample-server: Starting SASL negotiation: authentication failure (authentication failure)
esmtp# ./sample-client -s imap -n esmtp.webtent.net -u spam -p ../plugins/.libs
service=imap
Waiting for mechanism list from server...
S: <server response from above>
recieved 57 byte message
Choosing best mechanism from: NTLM LOGIN ANONYMOUS PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5
returning OK: spam
Using mechanism GSSAPI
Preparing initial.
Sending initial response...
C: <client response>

Both the SASL and saslauthd ports are version 2.1.19 on the system. Anyone know
what 'Decrypt integrity check failed' means? I found references to the
password being wrong when Googling it, but the password has been reset
and I get this same error with any user. I am starting the sample-server
and sample-client as follows; it seems to find the service keytab OK, and I am
using what I think is set up correctly. I extracted the Kerberos keytab
for imap/esmtp.webtent.net and have it placed correctly in
/etc/krb5.keytab with 600 owned by the 'cyrus' user. The realm is
WEBTENT.NET.

./sample-server -s imap -p ../plugins/.libs
./sample-client -s imap -n esmtp.webtent.net -u spam -p ../plugins/.libs
kadmin> list spam
  spam at WEBTENT.NET
esmtp# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: spam at WEBTENT.NET

  Issued           Expires          Principal
Jul 27 10:18:04  Jul 27 20:18:04  krbtgt/WEBTENT.NET at WEBTENT.NET
Jul 27 10:18:09  Jul 27 20:18:04  imap/esmtp.webtent.net at WEBTENT.NET
esmtp# ls -la /etc/krb5.keytab
-rw-------  1 cyrus  mail  586 Jul 26 19:49 /etc/krb5.keytab

-- 
Robert
