cyrus and gssapi

Jukka Salmi j+asg at
Sat Aug 14 11:57:55 EDT 2004

(This discussion should be continued on the SASL list IMHO.)

Stephen --> info-cyrus (2004-08-15 02:32:00 +1200):
> Also, I tried exporting the keytab to a file /etc/krb5-cyrus.keytab, and 
> added the line below to /etc/imapd.conf, but the imap server wouldn't 
> respond to a keytab in /etc/krb5-cyrus.keytab (it did have cyrus 
> ownership). I had to comment out the line and put the keytab in the 
> standard place for the gentoo setup, /etc/krb5.keytab.
> ----> line below added to /etc/imapd.conf but didn't work for me.
>    sasl_keytab:         /etc/krb5-cyrus.keytab
> Jukka: How have you implemented sasl_keytab??

As you did: added the principals to /etc/pkg/krb5.keytabs/cyrus, and
set 'sasl_keytab: /usr/pkg/etc/krb5.keytabs/cyrus' in imapd.conf. BTW,
I'm using SASL 2.1.18, IMAPd 2.2.6 and Heimdal 0.6.1 (each installed
from pkgsrc[1] on a NetBSD 1.6.2 system).

However, I'm not sure what's the right way to do it. The SASL documentation
seems to be contradictory: first of all, "keytab" is listed as an option[2]
for the GSSAPI mechanism. But on sysadmin.html[3] it states

	"Currently, the keytab file location is not configurable and
	 defaults to the system default (probably /etc/krb5.keytab)."

On gssapi.html[4] it tells about environment variables used by the
Kerberos libraries to determine the keytab file, i.e. KRB5_KTNAME for
Heimdal (which I can confirm to be correct).

AFAICT the statement on sysadmin.html is not correct.

Regards, Jukka
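
One way to see which keytab the Kerberos library will open and whether its ownership and mode suit a dedicated Cyrus keytab, as an added example that is not part of the original message. The function names are hypothetical, and the "FILE:" prefix handling and the owner-only permission policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: report which keytab the Kerberos library will open and
# whether its ownership and mode fit a dedicated service keytab.

# KRB5_KTNAME overrides the system default; a "FILE:" type prefix is stripped.
effective_keytab() {
    kt="${KRB5_KTNAME:-/etc/krb5.keytab}"
    case "$kt" in
        FILE:*) kt="${kt#FILE:}" ;;
    esac
    printf '%s\n' "$kt"
}

# check_keytab PATH OWNER  (OWNER is a user name or numeric uid)
# Prints one line per problem; returns 0 only when none is found.
check_keytab() {
    path="$1"; owner="$2"; rc=0
    if [ ! -f "$path" ]; then
        echo "FAIL: $path is missing or not a regular file"
        return 1
    fi
    case "$owner" in
        ''|*[!0-9]*)
            want_uid=$(id -u "$owner" 2>/dev/null) ||
                { echo "FAIL: unknown user $owner"; return 1; } ;;
        *)  want_uid="$owner" ;;
    esac
    meta=$(ls -lnd -- "$path" | awk '{print $1 " " $3}')
    mode="${meta% *}"; have_uid="${meta#* }"
    if [ "$have_uid" != "$want_uid" ]; then
        echo "FAIL: $path is owned by uid $have_uid, expected $want_uid"
        rc=1
    fi
    # Assumed policy: no group/other permission bits on a service keytab.
    case "$mode" in
        -???------*) ;;
        *) echo "FAIL: $path has mode $mode, expected owner-only access"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $path (uid $have_uid, $mode)"
    return "$rc"
}

# Typical call for the setup in the thread:
#   check_keytab "$(effective_keytab)" cyrus
```

Run it in the same environment the IMAP server starts from, so that KRB5_KTNAME has the value the server process will actually see.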


