GSSAPI/Kerberos authentication in Pidgin

I’ve been working on creating an ejabberd package with mikma/badlop’s XMPP GSSAPI support patch applied. I wanted to use Pidgin as a client to test it. Pidgin claims to support Kerberos authentication, but I was unable to find documentation on how to set it up.

After digging through the source of the Jabber authentication module in libpurple, I figured out what was going on: there is no explicit “use Kerberos” option in the settings for an account. If a server lists GSSAPI as one of its supported mechanisms, the logged-in user has valid Kerberos credentials in their cache, and the appropriate SASL GSSAPI libraries are installed on the client machine, then Pidgin will use Kerberos for authentication.

The installation of the SASL GSSAPI libraries was what initially tripped me up. At the time of writing, the documentation does not appear to mention this. Since Pidgin does not know that you want Kerberos authentication for an account, no error is generated if they are not installed; it simply tries to use one of the other authentication mechanisms available.

On Debian and its derivatives (e.g., Ubuntu), this can be resolved by installing the libsasl2-modules-gssapi-heimdal or libsasl2-modules-gssapi-mit package, as appropriate for the Kerberos implementation on your machine.
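Because Pidgin falls back silently, it helps to check the three conditions above by hand before blaming the server. The script below is an added example, not code from Pidgin or ejabberd; the function names and the sample stanza are constructed, and the plugin file name (libgssapiv2.so under a sasl2 directory) is an assumption about the Cyrus SASL layout on Debian.

```shell
#!/bin/sh
# Preflight for the three conditions under which Pidgin selects GSSAPI.

# Constructed <stream:features/> excerpt, as sent by a server before auth.
SAMPLE_FEATURES='<stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism></mechanisms></stream:features>'

# Print the advertised SASL mechanisms, one per line.
list_mechanisms() {
    printf '%s\n' "$1" | tr '<' '\n' | sed -n 's/^mechanism>\(.*\)$/\1/p'
}

# 1. Server lists GSSAPI (exact match, so GSS-SPNEGO does not count).
offers_gssapi() {
    list_mechanisms "$1" | grep -qx 'GSSAPI'
}

# 2. Valid credentials in the cache. klist -s prints nothing and only
#    sets the exit status.
has_valid_ticket() {
    command -v klist >/dev/null 2>&1 && klist -s 2>/dev/null
}

# 3. SASL GSSAPI plugin present. Searches the given directories, or the
#    usual library roots when none are given.
has_gssapi_plugin() {
    [ "$#" -gt 0 ] || set -- /usr/lib /usr/lib64
    find "$@" -path '*/sasl2/libgssapiv2.so*' 2>/dev/null | grep -q .
}

# Report every failed condition; return 0 only if all three hold.
preflight() {
    rc=0
    offers_gssapi "$1" || { echo "server does not list GSSAPI"; rc=1; }
    has_valid_ticket   || { echo "no valid Kerberos ticket in the cache"; rc=1; }
    has_gssapi_plugin  || { echo "SASL GSSAPI plugin not installed"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "all three conditions met"; fi
    return "$rc"
}

# Demo run against the constructed stanza; replace it with the features
# your server actually sends (visible in Pidgin's debug window).
preflight "$SAMPLE_FEATURES" || true
```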
