Problem with SASL authentication against Kerberos5 (Windows Active Directory)

Martin Schweizer office at
Tue Sep 28 08:26:07 UTC 2010


My system:
FreeBSD  8.1-RELEASE FreeBSD 8.1-RELEASE #2: Tue Aug 31 17:07:54 CEST
2010    :/usr/obj/usr/src/sys/GENERIC  i386

Relevant part of the installed software:
# pkg_info|grep cyrus
cyrus-imapd-2.3.16_2 The cyrus mail server, supporting POP3 and IMAP4 protocols
cyrus-sasl-2.1.23   RFC 2222 SASL (Simple Authentication and Security Layer)
cyrus-sasl-saslauthd-2.1.23 SASL authentication server for cyrus-sasl2

Kerberos5 settings:
They are all ok, because I can these cross check by using kinit (and
such tools), ldapsearch and of course the security event protocol of
the domain controllers. So I can say all this is ok.

saslauthd_flags="-a kerberos5"

I use three of the above servers and with two of them I have no such
problems. Here what is going wrong:
After I update all my ports I can no longer authenticate against
Kerberos5. The test with testsaslauthd -u usernamex -p passwordx ends
always in
0: NO "authentication failed". In /var/log/auth.log I can see Sep 24
08:07:28  saslauthd[83827]: do_auth  : auth failure: [user=martin]
[service=imap] [realm=] [mech=kerberos5] [reason=krb5_verify_user_opt
failed]. What's intressting if I use saslauthd_flags="-a pam" then all
is working as expected. And again before the update all worked without
any problems. Any ideas?


Martin Schweizer
<office at>

PC-Service M. Schweizer GmbH; Bannholzstrasse 6; CH-8608 Bubikon
Tel. +41 55 243 30 00; Fax: +41 55 243 33 22

More information about the freebsd-questions mailing list