Kerberos and cached credentials with clients that only support LOGIN

Jeremy Rumpf jrumpf at heavyload.net
Fri Mar 7 00:14:51 EST 2003


On Thursday 06 March 2003 05:26 pm, Roland Pope wrote:
> Hi,
>
> I am running cyrus-imapd 2.1.12 on a RedHat 7.3 box and have been using
> pam_smb via saslauthd to authenticate my Outlook clients. Now that our DCs
> are running Win2k, I would like to use Kerberos under AD to do my auth.
> I can get things working by changing the pam_smb_auth library in
> /etc/pam.d/imap to pam_krb5.so which is good. The question I have is, is
> there a way of caching credentials? The pam_krb5.so library appears to
> support cached credentials, and when I log in using SSH and pam_krb5, a
> cached credentials file is created in /tmp. But when I log in to IMAP via
> saslauthd->pam->kerberos, no file is created. The end result of this is
> that I get a Kerberos TGT with every login. Is there any way around this
> that people are aware of?
> I'm just trying to reduce the auth load on my DCs.
>
> Thanks
> Roland

If you're interested, I have an experimental release of saslauthd that 
supports credential caching. It's passed preliminary testing and should fix 
you right up, if you're willing to live on the edge a little :).

I'll also have another experimental release that unifies the IPC mechanisms, 
plus the cache code, by the end of next week.

Let me know if you'd be willing to test things out.

Jeremy




