<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Configuring GSSAPI and Cyrus SASL — Cyrus SASL 2.1.27 documentation</title>
<link rel="shortcut icon" href="../_static/favicon.ico"/>
<link rel="stylesheet" href="../_static/css/theme.css" type="text/css" />
<link rel="stylesheet" href="../_static/cyrus.css" type="text/css" />
<link rel="index" title="Index"
href="../genindex.html"/>
<link rel="search" title="Search" href="../search.html"/>
<link rel="top" title="Cyrus SASL 2.1.27 documentation" href="../index.html"/>
<link rel="up" title="Authentication Mechanisms" href="authentication_mechanisms.html"/>
<link rel="next" title="Pwcheck" href="pwcheck.html"/>
<link rel="prev" title="Authentication Mechanisms" href="authentication_mechanisms.html"/>
</head>
<body class="wy-body-for-nav" role="document">
<div class="pageheader">
<ul>
<li><a href="../index.html">Home</a></li>
<li><a href="http://www.cyrusimap.org">Cyrus IMAP</a></li>
<li><a href="../download.html">Download</a></li>
<li><a href="../contribute.html">Contribute</a></li>
</ul>
<div>
<a href="../index.html">
<img src="../_static/logo.gif" alt="CYRUS SASL" />
</a>
</div>
</div>
<div style="clear: both;"></div>
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-nav-search">
<a href="../index.html">
<img src="../_static/logo.gif" />
</a>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="../search.html" method="get">
<input type="text" name="q" placeholder="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div>
<div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
<p class="caption"><span class="caption-text">Cyrus SASL</span></p>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../download.html">Download</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../getsasl.html">Get SASL</a><ul>
<li class="toctree-l3"><a class="reference internal" href="installation.html">Installation</a><ul>
<li class="toctree-l4"><a class="reference internal" href="installation.html#quick-install-guide">Quick install guide</a></li>
<li class="toctree-l4"><a class="reference internal" href="installation.html#detailed-installation-guide">Detailed installation guide</a></li>
<li class="toctree-l4"><a class="reference internal" href="installation.html#supported-platforms">Supported platforms</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="release-notes/index.html">Release Notes</a><ul>
<li class="toctree-l3"><a class="reference internal" href="release-notes/index.html#supported-product-series">Supported Product Series</a><ul>
<li class="toctree-l4"><a class="reference internal" href="release-notes/index.html#series-2-1">Series 2.1</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="release-notes/index.html#older-versions">Older Versions</a><ul>
<li class="toctree-l4"><a class="reference internal" href="release-notes/index.html#series-2-2-0">Series 2: 2.0</a></li>
<li class="toctree-l4"><a class="reference internal" href="release-notes/index.html#series-1">Series 1</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../packager.html">Note for Packagers</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="quickstart.html">Quickstart guide</a><ul>
<li class="toctree-l2"><a class="reference internal" href="quickstart.html#features">Features</a></li>
<li class="toctree-l2"><a class="reference internal" href="quickstart.html#typical-installation">Typical Installation</a></li>
<li class="toctree-l2"><a class="reference internal" href="quickstart.html#configuration">Configuration</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="concepts.html">Concepts</a><ul>
<li class="toctree-l2"><a class="reference internal" href="concepts.html#sasl">SASL</a></li>
<li class="toctree-l2"><a class="reference internal" href="concepts.html#sasl-authentication-mechanisms">SASL Authentication Mechanisms</a></li>
<li class="toctree-l2"><a class="reference internal" href="concepts.html#security-layers">Security Layers</a></li>
<li class="toctree-l2"><a class="reference internal" href="concepts.html#channel-binding">Channel Binding</a></li>
<li class="toctree-l2"><a class="reference internal" href="concepts.html#realms">Realms</a></li>
<li class="toctree-l2"><a class="reference internal" href="concepts.html#protocols">Protocols</a></li>
<li class="toctree-l2"><a class="reference internal" href="concepts.html#cyrus-sasl">Cyrus SASL</a></li>
<li class="toctree-l2"><a class="reference internal" href="concepts.html#the-glue-library">The Glue Library</a></li>
<li class="toctree-l2"><a class="reference internal" href="concepts.html#auxiliary-properties">Auxiliary Properties</a></li>
<li class="toctree-l2"><a class="reference internal" href="concepts.html#plugins">Plugins</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../setup.html">Setup</a><ul>
<li class="toctree-l2"><a class="reference internal" href="installation.html">Installation</a><ul>
<li class="toctree-l3"><a class="reference internal" href="installation.html#quick-install-guide">Quick install guide</a><ul>
<li class="toctree-l4"><a class="reference internal" href="installation.html#tarball-installation">Tarball installation</a></li>
<li class="toctree-l4"><a class="reference internal" href="installation.html#unix-package-installation">Unix package Installation</a></li>
<li class="toctree-l4"><a class="reference internal" href="installation.html#configuration">Configuration</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="installation.html#detailed-installation-guide">Detailed installation guide</a><ul>
<li class="toctree-l4"><a class="reference internal" href="installation.html#requirements">Requirements</a></li>
<li class="toctree-l4"><a class="reference internal" href="installation.html#build-configuration">Build Configuration</a></li>
<li class="toctree-l4"><a class="reference internal" href="installation.html#building-and-installation">Building and Installation</a></li>
<li class="toctree-l4"><a class="reference internal" href="installation.html#compilation-hints">Compilation Hints</a></li>
<li class="toctree-l4"><a class="reference internal" href="installation.html#application-configuration">Application Configuration</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="installation.html#supported-platforms">Supported platforms</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="upgrading.html">Upgrading from v1 to v2</a><ul>
<li class="toctree-l3"><a class="reference internal" href="upgrading.html#backwards-compatibility">Backwards Compatibility</a></li>
<li class="toctree-l3"><a class="reference internal" href="upgrading.html#coexistence-with-saslv1">Coexistence with SASLv1</a></li>
<li class="toctree-l3"><a class="reference internal" href="upgrading.html#database-upgrades">Database Upgrades</a></li>
<li class="toctree-l3"><a class="reference internal" href="upgrading.html#errors-on-migration">Errors on migration</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="components.html">Components</a><ul>
<li class="toctree-l3"><a class="reference internal" href="components.html#the-application">The Application</a></li>
<li class="toctree-l3"><a class="reference internal" href="components.html#the-sasl-glue-layer">The SASL Glue Layer</a></li>
<li class="toctree-l3"><a class="reference internal" href="components.html#plugins">Plugins</a><ul>
<li class="toctree-l4"><a class="reference internal" href="components.html#plugins-general">Plugins: General</a></li>
<li class="toctree-l4"><a class="reference internal" href="components.html#plugins-sasl-mechanisms">Plugins: SASL Mechanisms</a></li>
<li class="toctree-l4"><a class="reference internal" href="components.html#plugins-auxiliary-property">Plugins: Auxiliary Property</a></li>
<li class="toctree-l4"><a class="reference internal" href="components.html#plugins-username-canonicalization">Plugins: Username Canonicalization</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="components.html#password-verification-services">Password Verification Services</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="options.html">Options</a><ul>
<li class="toctree-l3"><a class="reference internal" href="options.html#sasl-library">SASL Library</a></li>
<li class="toctree-l3"><a class="reference internal" href="options.html#auxiliary-property-plugin">Auxiliary Property Plugin</a></li>
<li class="toctree-l3"><a class="reference internal" href="options.html#gssapi">GSSAPI</a></li>
<li class="toctree-l3"><a class="reference internal" href="options.html#ldapdb">LDAPDB</a><ul>
<li class="toctree-l4"><a class="reference internal" href="options.html#notes-on-ldapdb">Notes on LDAPDB</a></li>
<li class="toctree-l4"><a class="reference internal" href="options.html#examples">Examples</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="options.html#ntlm">NTLM</a></li>
<li class="toctree-l3"><a class="reference internal" href="options.html#otp">OTP</a></li>
<li class="toctree-l3"><a class="reference internal" href="options.html#digest-md5">Digest-md5</a></li>
<li class="toctree-l3"><a class="reference internal" href="options.html#sasldb">SASLDB</a><ul>
<li class="toctree-l4"><a class="reference internal" href="options.html#notes-on-sasldb-with-lmdb">Notes on sasldb with LMDB</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="options.html#sql-plugin">SQL Plugin</a><ul>
<li class="toctree-l4"><a class="reference internal" href="options.html#notes-on-sql">Notes on SQL</a></li>
<li class="toctree-l4"><a class="reference internal" href="options.html#id2">Examples</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="options.html#srp">SRP</a></li>
<li class="toctree-l3"><a class="reference internal" href="options.html#kerberos-v4">Kerberos V4</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="advanced.html">Advanced Usage</a><ul>
<li class="toctree-l3"><a class="reference internal" href="advanced.html#notes-for-advanced-usage-of-libsasl">Notes for Advanced Usage of libsasl</a><ul>
<li class="toctree-l4"><a class="reference internal" href="advanced.html#using-cyrus-sasl-as-a-static-library">Using Cyrus SASL as a static library</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../operations.html">Operations</a><ul>
<li class="toctree-l2"><a class="reference internal" href="sysadmin.html">System Administrators</a><ul>
<li class="toctree-l3"><a class="reference internal" href="sysadmin.html#what-sasl-is">What SASL is</a><ul>
<li class="toctree-l4"><a class="reference internal" href="sysadmin.html#authentication-and-authorization-identifiers">Authentication and authorization identifiers</a></li>
<li class="toctree-l4"><a class="reference internal" href="sysadmin.html#realms">Realms</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="sysadmin.html#how-sasl-works">How SASL works</a><ul>
<li class="toctree-l4"><a class="reference internal" href="sysadmin.html#the-plain-mechanism-sasl-checkpass-and-plaintext-passwords">The PLAIN mechanism, <code class="docutils literal"><span class="pre">sasl_checkpass()</span></code>, and plaintext passwords</a></li>
<li class="toctree-l4"><a class="reference internal" href="sysadmin.html#shared-secrets-mechanisms">Shared secrets mechanisms</a></li>
<li class="toctree-l4"><a class="reference internal" href="sysadmin.html#kerberos-mechanisms">Kerberos mechanisms</a></li>
<li class="toctree-l4"><a class="reference internal" href="sysadmin.html#the-otp-mechanism">The OTP mechanism</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="sysadmin.html#auxiliary-properties">Auxiliary Properties</a></li>
<li class="toctree-l3"><a class="reference internal" href="sysadmin.html#how-to-set-configuration-options">How to set configuration options</a><ul>
<li class="toctree-l4"><a class="reference internal" href="sysadmin.html#the-default-configuration-file">The default configuration file</a></li>
<li class="toctree-l4"><a class="reference internal" href="sysadmin.html#application-configuration">Application configuration</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="sysadmin.html#troubleshooting">Troubleshooting</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="manpages.html">Man pages</a><ul>
<li class="toctree-l3"><a class="reference internal" href="manpages.html#library-files">(3) Library Files</a><ul>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl.html"><strong>SASL</strong> - SASL Authentication Library</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_authorize_t.html"><strong>sasl_authorize_t</strong> - The SASL authorization callback</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_auxprop.html"><strong>sasl_auxprop</strong> - How to work with SASL auxiliary properties</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_auxprop_add_plugin.html"><strong>sasl_auxprop_add_plugin</strong> - add a SASL auxiliary property plugin</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_auxprop_getctx.html"><strong>sasl_auxprop_getctx</strong> - Acquire an auxiliary property context</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_auxprop_request.html"><strong>sasl_auxprop_request</strong> - Request auxiliary properties from SASL</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_callbacks.html"><strong>sasl_callbacks</strong> - How to work with SASL callbacks</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_canon_user_t.html"><strong>sasl_canon_user_t</strong> - Application-supplied user canonicalization function</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_canonuser_add_plugin.html"><strong>sasl_canonuser_add_plugin</strong> - add a SASL user canonicalization plugin</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_chalprompt_t.html"><strong>sasl_chalprompt_t</strong> - Realm acquisition callback</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_checkapop.html"><strong>sasl_checkapop</strong> - Check an APOP challenge/response</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_checkpass.html"><strong>sasl_checkpass</strong> - Check a plaintext password</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_client_add_plugin.html"><strong>sasl_client_add_plugin</strong> - add a SASL client plugin</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_client_done.html"><strong>sasl_client_done</strong> - Cleanup function</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_client_init.html"><strong>sasl_client_init</strong> - SASL client authentication initialization</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_client_new.html"><strong>sasl_client_new</strong> - Create a new client authentication object</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_client_plug_init_t.html"><strong>sasl_client_plug_init_t</strong> - client plug‐in entry point</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_client_start.html"><strong>sasl_client_start</strong> - Begin an authentication negotiation</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_client_step.html"><strong>sasl_client_step</strong> - Perform a step in the authentication negotiation</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_decode.html"><strong>sasl_decode</strong> - Decode data received</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_decode64.html"><strong>sasl_decode64</strong> - Decode base64 string</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_dispose.html"><strong>sasl_dispose</strong> - Dispose of a SASL connection object</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_done.html"><strong>sasl_done</strong> - Dispose of a SASL connection object</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_encode.html"><strong>sasl_encode</strong> - Encode data for transport to authenticated host</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_encode64.html"><strong>sasl_encode64</strong> - Encode base64 string</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_encodev.html"><strong>sasl_encodev</strong> - Encode data for transport to authenticated host</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_erasebuffer.html"><strong>sasl_erasebuffer</strong> - erase buffer</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_errdetail.html"><strong>sasl_errdetail</strong> - Retrieve detailed information about an error</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_errors.html"><strong>sasl_errors</strong> - SASL error codes</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_errstring.html"><strong>sasl_errstring</strong> - Translate a SASL return code to a human-readable form</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_getcallback_t.html"><strong>sasl_getcallback_t</strong> - callback function to lookup a sasl_callback_t for a connection</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_getconfpath_t.html"><strong>sasl_getconfpath_t</strong> - The SASL callback to indicate location of the config files</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_getopt_t.html"><strong>sasl_getopt_t</strong> - The SASL get option callback</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_getpath_t.html"><strong>sasl_getpath_t</strong> - The SASL callback to indicate location of the mechanism drivers</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_getprop.html"><strong>sasl_getprop</strong> - Get a SASL property</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_getrealm_t.html"><strong>sasl_getrealm_t</strong> - Realm Acquisition Callback</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_getsecret_t.html"><strong>sasl_getsecret_t</strong> - The SASL callback for secrets (passwords)</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_getsimple_t.html"><strong>sasl_getsimple_t</strong> - The SASL callback for username/authname/realm</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_global_listmech.html"><strong>sasl_global_listmech</strong> - Retrieve a list of the supported SASL mechanisms</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_idle.html"><strong>sasl_idle</strong> - Perform precalculations during an idle period</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_listmech.html"><strong>sasl_listmech</strong> - Retrieve a list of the supported SASL mechanisms</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_log_t.html"><strong>sasl_log_t</strong> - The SASL logging callback</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_server_add_plugin.html"><strong>sasl_server_add_plugin</strong> - add a SASL server plugin</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_server_done.html"><strong>sasl_server_done</strong> - Cleanup function</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_server_init.html"><strong>sasl_server_init</strong> - SASL server authentication initialization</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_server_new.html"><strong>sasl_server_new</strong> - Create a new server authentication object</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_server_plug_init_t.html"><strong>sasl_server_plug_init_t</strong> - server plug‐in entry point</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_server_start.html"><strong>sasl_server_start</strong> - Begin an authentication negotiation</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_server_step.html"><strong>sasl_server_step</strong> - Perform a step in the authentication negotiation</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_server_userdb_checkpass_t.html"><strong>sasl_server_userdb_checkpass_t</strong> - Plaintext Password Verification Callback</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_server_userdb_setpass_t.html"><strong>sasl_server_userdb_setpass_t</strong> - UserDB Plaintext Password Setting Callback</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_set_alloc.html"><strong>sasl_set_alloc</strong> - set the memory allocation functions used by the SASL library</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_set_mutex.html"><strong>sasl_set_mutex</strong> - set the mutex lock functions used by the SASL library</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_seterror.html"><strong>sasl_seterror</strong> - set the error string</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_setpass.html"><strong>sasl_setpass</strong> - Check a plaintext password</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_setprop.html"><strong>sasl_setprop</strong> - Set a SASL property</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_user_exists.html"><strong>sasl_user_exists</strong> - Check if a user exists on server</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_usererr.html"><strong>sasl_usererr</strong> - Remove information leak about accounts from sasl error codes</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_utf8verify.html"><strong>sasl_utf8verify</strong> - Verify a string is valid utf8</a></li>
<li class="toctree-l4"><a class="reference internal" href="reference/manpages/library/sasl_verifyfile_t.html"><strong>sasl_verifyfile_t</strong> - The SASL file verification</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="auxiliary_properties.html">Auxiliary Properties</a><ul>
<li class="toctree-l3"><a class="reference internal" href="auxiliary_properties.html#auxiliary-properties-and-the-glue-layer">Auxiliary Properties and the Glue Layer</a></li>
<li class="toctree-l3"><a class="reference internal" href="auxiliary_properties.html#passwords-and-other-data">Passwords and other Data</a></li>
<li class="toctree-l3"><a class="reference internal" href="auxiliary_properties.html#sasldb">sasldb</a></li>
<li class="toctree-l3"><a class="reference internal" href="auxiliary_properties.html#ldapdb">ldapdb</a></li>
<li class="toctree-l3"><a class="reference internal" href="auxiliary_properties.html#sql">sql</a></li>
<li class="toctree-l3"><a class="reference internal" href="auxiliary_properties.html#user-canonicalization">User Canonicalization</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="authentication_mechanisms.html">Authentication Mechanisms</a><ul>
<li class="toctree-l3"><a class="reference internal" href="authentication_mechanisms.html#mechanisms">Mechanisms</a><ul>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#anonymous">ANONYMOUS</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#cram-md5">CRAM-MD5</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#digest-md5">DIGEST-MD5</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#external">EXTERNAL</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#g2">G2</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#gssapi">GSSAPI</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#gss-spegno">GSS-SPEGNO</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#kerberos-v4">KERBEROS_V4</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#login">LOGIN</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#ntlm">NTLM</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#otp">OTP</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#passdss">PASSDSS</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#plain">PLAIN</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#scram">SCRAM</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#srp">SRP</a></li>
<li class="toctree-l4"><a class="reference internal" href="authentication_mechanisms.html#non-sasl-authentication">Non-SASL Authentication</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="authentication_mechanisms.html#summary">Summary</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="pwcheck.html">Pwcheck</a><ul>
<li class="toctree-l3"><a class="reference internal" href="pwcheck.html#auxprop">Auxprop</a></li>
<li class="toctree-l3"><a class="reference internal" href="pwcheck.html#auxprop-hashed">Auxprop-hashed</a></li>
<li class="toctree-l3"><a class="reference internal" href="pwcheck.html#saslauthd">Saslauthd</a></li>
<li class="toctree-l3"><a class="reference internal" href="pwcheck.html#authdaemon">Authdaemon</a></li>
<li class="toctree-l3"><a class="reference internal" href="pwcheck.html#alwaystrue">Alwaystrue</a></li>
<li class="toctree-l3"><a class="reference internal" href="pwcheck.html#auto-transition">Auto Transition</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="faq.html">Frequently Asked Questions</a><ul>
<li class="toctree-l3"><a class="reference internal" href="faqs/authorize-vs-authenticate.html">What is the difference between an Authorization ID and a Authentication ID?</a></li>
<li class="toctree-l3"><a class="reference internal" href="faqs/crammd5-digestmd5.html">Why do CRAM-MD5 and DIGEST-MD5 not work with CyrusSaslauthd?</a></li>
<li class="toctree-l3"><a class="reference internal" href="faqs/openldap-sasl-gssapi.html">How do I configure OpenLDAP +SASL+GSSAPI?</a></li>
<li class="toctree-l3"><a class="reference internal" href="faqs/plaintextpasswords.html">Why does CyrusSasl store plaintext passwords in its databases?</a></li>
<li class="toctree-l3"><a class="reference internal" href="faqs/rfcs.html">RFCs and drafts</a></li>
<li class="toctree-l3"><a class="reference internal" href="faqs/upgrade-saslv2.html">Why am I having a problem running dbconverter-2 to upgrade from SASLv1 to SASLv2?</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="resources.html">Other Documentation & Resources</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../developer.html">Developers</a><ul>
<li class="toctree-l2"><a class="reference internal" href="appconvert.html">Converting Applications from v1 to v2</a><ul>
<li class="toctree-l3"><a class="reference internal" href="appconvert.html#tips-for-both-clients-and-servers">Tips for both clients and servers</a></li>
<li class="toctree-l3"><a class="reference internal" href="appconvert.html#tips-for-clients">Tips for clients</a></li>
<li class="toctree-l3"><a class="reference internal" href="appconvert.html#tips-for-servers">Tips for Servers</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="developer/programming.html">Application Programmer’s Guide</a><ul>
<li class="toctree-l3"><a class="reference internal" href="developer/programming.html#introduction">Introduction</a><ul>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#about-this-guide">About this Guide</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#what-is-sasl">What is SASL?</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="developer/programming.html#background">Background</a><ul>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#how-did-the-world-work-before-sasl">How did the world work before SASL?</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#sasl-to-the-rescue">SASL to the rescue!</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="developer/programming.html#briefly">Briefly</a><ul>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#what-is-the-cyrus-sasl-library-good-for">What is the Cyrus SASL library good for?</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#what-does-the-cyrus-sasl-library-do">What does the Cyrus SASL library do?</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#what-doesn-t-the-cyrus-sasl-library-do">What doesn’t the Cyrus SASL library do?</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="developer/programming.html#client-only-section">Client-only Section</a><ul>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#a-typical-interaction-from-the-client-s-perspective">A typical interaction from the client’s perspective</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#how-does-this-look-in-code">How does this look in code</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="developer/programming.html#server-only-section">Server-only Section</a><ul>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#a-typical-interaction-from-the-server-s-perspective">A typical interaction from the server’s perspective</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#id1">How does this look in code?</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="developer/programming.html#common-section">Common Section</a><ul>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#callbacks-and-interactions">Callbacks and Interactions</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#security-layers">Security layers</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="developer/programming.html#example-applications-that-come-with-the-cyrus-sasl-library">Example applications that come with the Cyrus SASL library</a><ul>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#sample-client-and-sample-server"><cite>sample-client</cite> and <cite>sample-server</cite></a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#cyrus-imapd-v2-1-0-or-later">Cyrus imapd v2.1.0 or later</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#imtest-from-cyrus-2-1-0-or-later"><cite>imtest</cite>, from Cyrus 2.1.0 or later</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="developer/programming.html#miscellaneous-information">Miscellaneous Information</a><ul>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#empty-exchanges">Empty exchanges</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/programming.html#idle">Idle</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="developer/plugprog.html">Plugin Programmer’s Guide</a><ul>
<li class="toctree-l3"><a class="reference internal" href="developer/plugprog.html#introduction">Introduction</a><ul>
<li class="toctree-l4"><a class="reference internal" href="developer/plugprog.html#about-this-guide">About this Guide</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/plugprog.html#what-is-sasl">What is SASL?</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="developer/plugprog.html#common-section">Common Section</a><ul>
<li class="toctree-l4"><a class="reference internal" href="developer/plugprog.html#overview-of-plugin-programming">Overview of Plugin Programming</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/plugprog.html#use-of-sasl-utils-t">Use of sasl_utils_t</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/plugprog.html#error-reporting">Error Reporting</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/plugprog.html#memory-allocation">Memory Allocation</a></li>
<li class="toctree-l4"><a class="reference internal" href="developer/plugprog.html#client-send-first-server-send-last">Client Send First / Server Send Last</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="developer/plugprog.html#client-plugins">Client Plugins</a></li>
<li class="toctree-l3"><a class="reference internal" href="developer/plugprog.html#server-plugins">Server Plugins</a></li>
<li class="toctree-l3"><a class="reference internal" href="developer/plugprog.html#user-canonicalization-canon-user-plugins">User Canonicalization (canon_user) Plugins</a></li>
<li class="toctree-l3"><a class="reference internal" href="developer/plugprog.html#auxiliary-property-auxprop-plugins">Auxiliary Property (auxprop) Plugins</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="developer/testing.html">Testing</a><ul>
<li class="toctree-l3"><a class="reference internal" href="developer/testing.html#testing-the-cmu-sasl-library-with-the-included-sample-applications">Testing the CMU SASL Library with the included sample applications</a><ul>
<li class="toctree-l4"><a class="reference internal" href="developer/testing.html#example">Example</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="developer/testing.html#running-the-testsuite-application">Running the Testsuite application</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../support.html">Support/Community</a></li>
</ul>
<p class="caption"><span class="caption-text">IMAP</span></p>
<ul>
<li class="toctree-l1"><a class="reference external" href="http://www.cyrusimap.org">Cyrus IMAP</a></li>
</ul>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
<nav class="wy-nav-top" role="navigation" aria-label="top navigation">
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="../index.html">Cyrus SASL</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="breadcrumbs navigation">
<ul class="wy-breadcrumbs">
<li><a href="../index.html">Docs v2.1.27</a> »</li>
<li><a href="../operations.html">Operations</a> »</li>
<li><a href="authentication_mechanisms.html">Authentication Mechanisms</a> »</li>
<li>Configuring GSSAPI and Cyrus SASL</li>
<li class="wy-breadcrumbs-aside">
<a href="https://github.com/cyrusimap/cyrus-sasl/blob/master/docsrc/sasl/gssapi.rst" class="fa fa-github"> Edit on GitHub</a>
</li>
</ul>
<hr/>
</div>
<div role="main" class="document">
<div class="section" id="configuring-gssapi-and-cyrus-sasl">
<span id="gssapi"></span><h1>Configuring GSSAPI and Cyrus SASL<a class="headerlink" href="#configuring-gssapi-and-cyrus-sasl" title="Permalink to this headline">¶</a></h1>
<p>This document was contributed by <a class="reference external" href="mailto:kenh%40cmf.nrl.navy.mil">Ken Hornstein</a> and updated
by <a class="reference external" href="mailto:Alexey.Melnikov%40isode.com">Alexey Melnikov</a>.</p>
<p>A couple of people have asked me privately, “Hey, how did you get the
GSSAPI mechanism to work? I tried, but the sample apps kept failing”.
(The short answer: I’m a tenacious bastard).</p>
<p>I figured that it couldn’t hurt to give a quick explanation as to
how you get GSSAPI working with the sample apps, since it wasn’t
obvious to me, and I consider myself not completely ignorant of GSSAPI
and Kerberos.</p>
<div class="section" id="compile-cyrus-sasl-with-gssapi">
<h2>Compile Cyrus SASL with GSSAPI<a class="headerlink" href="#compile-cyrus-sasl-with-gssapi" title="Permalink to this headline">¶</a></h2>
<p>Compile the Cyrus-SASL distribution with the GSSAPI plugin
for your favorite GSS-API mechanism. I personally use the GSSAPI
libraries included with the <a class="reference external" href="http://web.mit.edu/kerberos/www/">MIT Kerberos 5 distribution</a>;
<a class="reference external" href="http://www.pdc.kth.se/heimdal/">Heimdal</a>
and <a class="reference external" href="http://www.cybersafe.com">CyberSafe</a> work as well.</p>
</div>
<div class="section" id="start-sample-server">
<h2>Start sample server<a class="headerlink" href="#start-sample-server" title="Permalink to this headline">¶</a></h2>
<p>The command-line used for
sample-server needs to specify the GSSAPI service name and the
location of the plug-ins.</p>
<ul class="simple">
<li>On Unix: <code class="docutils literal"><span class="pre">./sample-server</span> <span class="pre">-s</span> <span class="pre">host</span> <span class="pre">-p</span> <span class="pre">../plugins/.libs</span></code></li>
<li>On Windows: <code class="docutils literal"><span class="pre">sample-server</span> <span class="pre">-s</span> <span class="pre">host</span> <span class="pre">-p</span> <span class="pre">..\plugins</span></code></li>
</ul>
<p>In this example, I am using “host”, which already exists on my
machine, but only root can read it, so I an running this as root.
If you want to use an alternate service name, you will need to
create that service in Kerberos, place it in a keytab readable by
you, and point your Kerberos library at it.</p>
<ul class="simple">
<li>On Unix: Unix: both MIT Kerberos and Heimdal, use <code class="docutils literal"><span class="pre">/etc/krb5.keytab</span></code> on Unix by default, but this can be changed
by setting the <code class="docutils literal"><span class="pre">KRB5_KTNAME</span></code> environment variable; the default
for CyberSafe Kerberos is <code class="docutils literal"><span class="pre">/krb5/v5srvtab</span></code> for UNIX systems and can be
changed by setting the <code class="docutils literal"><span class="pre">CSFC5KTNAME</span></code> environment variable.</li>
<li>On Windows: the default service key table location for CyberSafe is
<code class="docutils literal"><span class="pre">C:\Program</span> <span class="pre">Files\CyberSafe\v5srvtab</span></code>, unless the
CyberSafe registry setting for the KeyTab key is set to an
alternate path. MIT Kerberos on Windows uses the keytab filename
krb5kt.</li>
</ul>
<p>You should get a response similar to:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">Generating</span> <span class="n">client</span> <span class="n">mechanism</span> <span class="nb">list</span><span class="o">...</span>
<span class="n">Sending</span> <span class="nb">list</span> <span class="n">of</span> <span class="mi">3</span> <span class="n">mechanism</span><span class="p">(</span><span class="n">s</span><span class="p">)</span>
<span class="n">S</span><span class="p">:</span> <span class="n">R1NTQVBJIFBMQUlOIEFOT05ZTU9VUw</span><span class="o">==</span>
</pre></div>
</div>
<p>Note that later on (assuming everything works) you might need to paste
in lines that are longer than canonical input processing buffer on your
system. You can get around that by messing around with stty; while
the details vary from system to system, on Solaris you can do something
like:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">(</span> <span class="n">stty</span> <span class="o">-</span><span class="n">icanon</span> <span class="nb">min</span> <span class="mi">1</span> <span class="n">time</span> <span class="mi">0</span> <span class="p">;</span> <span class="o">./</span><span class="n">sample</span><span class="o">-</span><span class="n">server</span> <span class="o">-</span><span class="n">s</span> <span class="n">host</span> <span class="o">-</span><span class="n">p</span> <span class="o">../</span><span class="n">plugins</span><span class="o">/.</span><span class="n">libs</span> <span class="p">)</span>
</pre></div>
</div>
</div>
<div class="section" id="obtain-kerberos-ticket">
<h2>Obtain Kerberos ticket<a class="headerlink" href="#obtain-kerberos-ticket" title="Permalink to this headline">¶</a></h2>
<p>Obtain a Kerberos ticket for the user you want to authenticate as.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kinit</span> <span class="n">kenh</span>
</pre></div>
</div>
</div>
<div class="section" id="start-up-sample-client">
<h2>Start up sample client<a class="headerlink" href="#start-up-sample-client" title="Permalink to this headline">¶</a></h2>
<p>You need to specify the service
name, the hostname, and the userid. An example might be</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">./</span><span class="n">sample</span><span class="o">-</span><span class="n">client</span> <span class="o">-</span><span class="n">s</span> <span class="n">host</span> <span class="o">-</span><span class="n">n</span> <span class="n">your</span><span class="o">.</span><span class="n">fqdn</span><span class="o">.</span><span class="n">here</span> <span class="o">-</span><span class="n">u</span> <span class="n">kenh</span> <span class="o">-</span><span class="n">p</span> <span class="o">../</span><span class="n">plugins</span><span class="o">/.</span><span class="n">libs</span>
</pre></div>
</div>
<p>You should get a response similar to this:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">Waiting</span> <span class="k">for</span> <span class="n">mechanism</span> <span class="nb">list</span> <span class="kn">from</span> <span class="nn">server...</span>
</pre></div>
</div>
</div>
<div class="section" id="connect-server-to-client">
<h2>Connect Server to Client<a class="headerlink" href="#connect-server-to-client" title="Permalink to this headline">¶</a></h2>
<p>Cut-and-paste the initial mechanism line from the server process
(this includes the `` S: `` ) into the client process. You
should get something similar to:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">S</span><span class="p">:</span> <span class="n">R1NTQVBJIFBMQUlOIEFOT05ZTU9VUw</span><span class="o">==</span>
<span class="n">Choosing</span> <span class="n">best</span> <span class="n">mechanism</span> <span class="n">from</span><span class="p">:</span> <span class="n">GSSAPI</span> <span class="n">PLAIN</span> <span class="n">ANONYMOUS</span>
<span class="n">Using</span> <span class="n">mechanism</span> <span class="n">GSSAPI</span>
<span class="n">Preparing</span> <span class="n">initial</span><span class="o">.</span>
<span class="n">Sending</span> <span class="n">initial</span> <span class="n">response</span><span class="o">...</span>
<span class="n">C</span><span class="p">:</span> <span class="o"><....</span> <span class="n">lots</span> <span class="n">of</span> <span class="n">base</span> <span class="mi">64</span> <span class="n">data</span> <span class="o">...></span>
<span class="n">Waiting</span> <span class="k">for</span> <span class="n">server</span> <span class="n">reply</span><span class="o">...</span>
</pre></div>
</div>
<p>If GSSAPI isn’t selected as the mechanism, there is a few things that
might have gone wrong:</p>
<ul>
<li><p class="first">The mechanism might not have been offered by the server. The decoded
mechanism list offered by the server appears in the “<code class="docutils literal"><span class="pre">Choosing</span> <span class="pre">best</span>
<span class="pre">mechanism</span></code>” line. If GSSAPI didn’t appear in that list, then
something is wrong on the server. Make sure that you specified the
correct plugins directory. If the plugin directory is correct, but
the library fails to load, you might be running across a bug
in libtool on some platforms. If you have your Kerberos/gssapi
libraries not installed in the system library path, those libraries
are likely not able to be found when the SASL GSSAPI plugin loads.</p>
<p>The solution varies from system to system; what I did was take
the linker line generated by libtool and run it by hand, adding
a <code class="docutils literal"><span class="pre">-R/path/to/kerberos/libraries</span></code> switch (this was on Solaris).
You can check with a system call tracer to see exactly what it is
trying to do.</p>
</li>
<li><p class="first">The client doesn’t know about the mechanism. The reasons for this
happening are the same as the server: check the -p switch, check
to make sure the correct libraries are being loaded with the GSSAPI
plugin.</p>
<p>You can turn on a healthy amount of debugging information by changing
the definition in config.h of the VL macro to (and recompiling libsasl):</p>
</li>
</ul>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="c1">#define VL(foo) printf foo;</span>
</pre></div>
</div>
<p>There is a possibility
you might get an error that looks like this:</p>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">sample</span><span class="o">-</span><span class="n">client</span><span class="p">:</span> <span class="n">Starting</span> <span class="n">SASL</span> <span class="n">negotiation</span><span class="p">:</span> <span class="n">generic</span> <span class="n">failure</span>
</pre></div>
</div>
</div></blockquote>
<p>This can mean that you didn’t provide all of the required information
to the sample-client (did you provide a service name with -s, the
hostname of the service with -n, and a username with -u ?), or that
GSSAPI has failed (unfortunately, on the client you cannot find out
the internal GSSAPI error; you will need to break out the debugger
for that).</p>
</div>
<div class="section" id="connect-client-to-server">
<h2>Connect Client to Server<a class="headerlink" href="#connect-client-to-server" title="Permalink to this headline">¶</a></h2>
<p>Cut and paste the client response (The <em>entire</em> line that begins
with C:, including the initial <code class="docutils literal"><span class="pre">C:</span></code> ) to the server
process. You should get a response back that starts with <code class="docutils literal"><span class="pre">S:</span></code> .
Cut and paste that to the client, and continue this
exchange until you either get <code class="docutils literal"><span class="pre">Negotiation</span> <span class="pre">complete</span></code>, or an error.</p>
<p>If you get an error on the server you should get a complete error
message (including the GSSAPI error string); on the client you
unfortunately will only probably get <code class="docutils literal"><span class="pre">generic</span> <span class="pre">failure</span></code>, which will
again require the use of a debugger (but the VL macro should help
with this).</p>
<p>One common thing that happens is that on your server you might see
the error:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">sample</span><span class="o">-</span><span class="n">server</span><span class="p">:</span> <span class="n">Performing</span> <span class="n">SASL</span> <span class="n">negotiation</span><span class="p">:</span> <span class="n">authentication</span> <span class="n">failure</span>
<span class="p">(</span><span class="n">Requested</span> <span class="n">identity</span> <span class="ow">not</span> <span class="n">authenticated</span> <span class="n">identity</span><span class="p">)</span>
</pre></div>
</div>
<p>This comes from not having a requested identity (the -u option) that
matches the identity that you were authenticated to via the GSSAPI.
This is of course mechanism specific, but if for example you’re using
Kerberos, the Cyrus SASL library strips out the @REALM from your
identity if you are in the same realm as the server. So if your
Kerberos identity is user@SOME.REALM and the server is in SOME.REALM,
you need to specify “user” to the -u flag of the client. If you’re
accessing a server in a foreign realm, you need to pass the full
principal name via the -u option to make this work correctly.</p>
<p>If you complete the negotiation successfully, you should see something
that looks like (on both the client and server):</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">Negotiation</span> <span class="n">complete</span>
<span class="n">Username</span><span class="p">:</span> <span class="n">kenh</span>
<span class="n">sample</span><span class="o">-</span><span class="n">server</span><span class="p">:</span> <span class="n">realm</span><span class="p">:</span> <span class="n">can</span><span class="s1">'t request info until later in exchange</span>
<span class="n">SSF</span><span class="p">:</span> <span class="mi">56</span>
</pre></div>
</div>
<p>If you get to that, then you’ve done it, and GSSAPI works successfully!</p>
</div>
</div>
</div>
<footer>
<div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
<a href="pwcheck.html" class="btn btn-neutral float-right" title="Pwcheck" accesskey="n">Next <span class="fa fa-arrow-circle-right"></span></a>
<a href="authentication_mechanisms.html" class="btn btn-neutral" title="Authentication Mechanisms" accesskey="p"><span class="fa fa-arrow-circle-left"></span> Previous</a>
</div>
<hr/>
<div role="contentinfo">
<p>
© Copyright 1993-2016, The Cyrus Team.
</p>
</div>
Built with <a href="http://sphinx-doc.org/">Sphinx</a> 1.6.6 using a modified <a href="https://readthedocs.org">Read the Docs</a> <a href="https://github.com/snide/sphinx_rtd_theme">theme</a>.
</footer>
</div>
</div>
</section>
</div>
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT:'../',
VERSION:'2.1.27',
COLLAPSE_INDEX:false,
FILE_SUFFIX:'.html',
HAS_SOURCE: true
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<script type="text/javascript" src="https://cdn.mathjax.org/mathjax/latest/MathJax.js"></script>
<script type="text/javascript" src="../_static/js/theme.js"></script>
<script type="text/javascript">
<!-- jQuery(function () {
SphinxRtdTheme.StickyNav.enable();
}); -->
</script>
</body>
</html>
