The error message “saslauthd internal error” seems like a catch-all for saslauthd, so I’m not sure if it’s a red herring, but here’s the brief description of my problem:
This Kerberos command works fine:
$ echo getprivs | kadmin -p username -w password
Authenticating as principal username with password.
kadmin: getprivs
current privileges: GET ADD MODIFY DELETE
But this SASL test command fails:
$ testsaslauthd -u username -p password
0: NO "authentication failed"
saslauthd works fine with "-a sasldb", but the above is with "-a kerberos5".
This is the most detail I seem to be able to get from saslauthd:
saslauthd[]: auth_krb5: krb5_get_init_creds_password: -1765328353
saslauthd[]: do_auth : auth failure: [user=username] [service=imap]
[realm=] [mech=kerberos5] [reason=saslauthd internal error]
Kerberos seems happy:
krb5kdc[](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1:
ISSUE: authtime 1298779891, etypes {rep=18 tkt=18 ses=18},
username at REALM for krbtgt/DOMAIN at REALM
I’m running Ubuntu 10.04 (lucid) with the latest updates, namely:
- Kerberos 5 release 1.8.1
- saslauthd 2.1.23
Thanks for any clues.
This is the only useful bit. You do have the error code; the tricky part is turning that error into a useful message. Some Google-fu yields
https://andromeda.rutgers.edu/~sysmail/krb5_error.html (which has since gone offline, but is available on the Internet Archive)
Decrypt Integrity check failed.
Anybody can get a tgt from the kdc, but not everybody can decrypt it to make it useful. It really looks like you don't have the right password.
http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html#badpass (→ Internet Archive)
Do you have a keytab for saslauthd to validate logins?
Try:
kinit
: Kerberos should work without supplying passwords anywhere else.
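The lookup described in the first answer (numeric code to error name) can be done offline. The following is an added example, not part of the original posts: the table is a small subset of MIT Kerberos' krb5 error table with paraphrased meanings, the function names are hypothetical, and the third sample log line is constructed.

```python
import re

# Base of the krb5 com_err table in MIT Kerberos: code = base + offset.
KRB5_TABLE_BASE = -1765328384

# Small subset of that table. Meanings are paraphrased, except offset 31,
# which is the message quoted in the answer above.
KRB5_ERRORS = {
    6: ("KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", "client principal not found in the KDC database"),
    18: ("KRB5KDC_ERR_CLIENT_REVOKED", "client credentials revoked or locked"),
    23: ("KRB5KDC_ERR_KEY_EXP", "password has expired"),
    24: ("KRB5KDC_ERR_PREAUTH_FAILED", "pre-authentication failed"),
    31: ("KRB5KRB_AP_ERR_BAD_INTEGRITY", "Decrypt integrity check failed"),
    32: ("KRB5KRB_AP_ERR_TKT_EXPIRED", "ticket expired"),
    37: ("KRB5KRB_AP_ERR_SKEW", "clock skew too great"),
}

# Matches the auth_krb5 line format shown in the question.
LOG_RE = re.compile(r"auth_krb5: (?P<func>\w+): (?P<code>-?\d+)")


def decode_krb5_error(code):
    """Return (name, meaning) for a krb5 error code, or None if the code
    falls outside the 256-entry krb5 table."""
    offset = code - KRB5_TABLE_BASE
    if not 0 <= offset <= 255:
        return None
    return KRB5_ERRORS.get(offset, (f"krb5 table offset {offset}", "not in this subset"))


def explain_log(lines):
    """Return a list of (function, code, name, meaning), one per auth_krb5 line."""
    out = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # e.g. the do_auth summary line, which carries no code
        code = int(m.group("code"))
        name, meaning = decode_krb5_error(code) or ("unknown", "not a krb5 table code")
        out.append((m.group("func"), code, name, meaning))
    return out


# First two lines are from the question; the third is a constructed sample.
SAMPLE = [
    "saslauthd[]: auth_krb5: krb5_get_init_creds_password: -1765328353",
    "saslauthd[]: do_auth : auth failure: [user=username] [service=imap]",
    "saslauthd[]: auth_krb5: krb5_get_init_creds_password: -1765328347",
]

if __name__ == "__main__":
    for func, code, name, meaning in explain_log(SAMPLE):
        print(f"{func} returned {code}: {name} ({meaning})")
```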