Help needed with Cyrus, Sasl, Kerberos5

Michael Guyver michael.guyver at gmail.com
Thu Aug 14 04:22:13 EDT 2008


2008/8/13 Dan White <dwhite at olp.net>:
> Typically you would not specify a user (-a) in your GSSAPI connection.
> Specifying a -u is asking the server to do proxy authorization, requiring
> the identity in the ticket to exist in proxy_admins I believe, unless you're
> providing the same identity in your -u as exists in your ticket.

Ah, I see. I didn't realise it was trying to do proxy-authentication,
I thought that different -u and -a values would produce that effect.
I'll have another go trying it without either -u or -a. Any chance you
could elaborate on your "proxy_admins" comment, though?

> Also, it's my understanding that not all kerberos libraries support the
> ability to specify an alternate keytab location. It could be the permission
> denied error is an indication that your imap process is unable to open the
> default file - /etc/krb5.keytab - rather than the expected /etc/imap.keytab.

Yes, I was aware of that limitation but thought that the
belt-and-braces approach of specifying both KRB5_KTNAME as a variable
to the init script as well as sasl_keytab in the imapd.conf file I
might have got it to work. I'll keep that in mind when I try this
again - for various other reasons I'm reinstalling CentOS again ~x(

Thanks for your help Dan.

Regards,

Michael


More information about the Cyrus-sasl mailing list