cyrus and gssapi
Stephen
sdw2 at shineonline.co.nz
Thu Aug 12 18:09:32 EDT 2004
I guess it'll help a lot if I add some config files. I'm running gentoo.
Domain names and realms changed to protect the innocent.
I've added imap/kerberos.acme.co.nz to the keytab file and changed
ownership to cyrus.
I'm wondering if sasl_pwcheck_method in /etc/imapd.conf should be
changed if one requires gssapi authentication. I tried setting it to
"gssapi" but it didn't help. What should the value be?
Thanks
Results of a console session...
--------------------------------------------------------
silver imap # ls -l /etc/krb5.keytab
-rw------- 1 cyrus root 330 Aug 12 10:45 /etc/krb5.keytab
silver root # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: cyrus at ACME.CO.NZ
Valid starting Expires Service principal
08/13/04 09:34:22 08/13/04 19:34:22 krbtgt/ACME.CO.NZ at ACME.CO.NZ
renew until 08/13/04 09:34:22
silver root # imtest -a cyrus -m login -p imap2 localhost
S: * OK silver Cyrus IMAP4 v2.1.15 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=GSSAPI
AUTH=NTLM AUTH=CRAM-MD5 AUTH=DIGEST-MD5 LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN cyrus {10}
S: + go ahead
C: <omitted>
S: L01 OK User logged in
Authenticated.
Security strength factor: 0
----------------------------------------------------------------------------------
Here is my imapd.conf file
----------------------------------------------------
configdirectory: /var/imap
partition-default: /var/spool/imap
sievedir: /var/imap/sieve
tls_cert_file: /etc/cyrusimapd/server.crt
tls_key_file: /etc/cyrusimapd/server.key
admins: cyrus
hashimapspool: yes
allowanonymouslogin: no
#allowplaintext: no
allowplaintext: yes
# Use this if sieve-scripts could be in ~user/.sieve.
#sieveusehomedir: yes
# Use saslauthd if you want to use pam for imap.
# But be warned: login with DIGEST-MD5 or CRAM-MD5
# is not possible using pam.
#sasl_pwcheck_method: saslauthd
-------------------------------------------------------------------------
/etc/krb5.conf
---------------------------------------
[libdefaults]
ticket_lifetime = 600
default_realm = ACME.CO.NZ
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
ACME.CO.NZ = {
kdc = kerberos.acme.co.nz:88
kdc = kerberos2.acme.co.nz:88
admin_server = kerberos.acme.co.nz:749
}
[domain_realm]
.acme.co.nz = ACME.CO.NZ
acme.co.nz = ACME.CO.NZ
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
--------------------------------------------------------------------------
Andreas wrote:
>On Thu, Aug 12, 2004 at 01:10:05PM +1200, Stephen wrote:
>
>> 3. The missing piece is how to link cyrus-imap and GSSAPI. Kerberos
>> is operational and I have tried
>> "addprinc -randkey host/kerberos.ourdomain" and then "ktadd
>> host/kerberos.ourdomain", but still can't authenticate.
>
>You need a principal in the form of "imap/fqdn-of-imap-server". Then add
>it to the default keytab (/etc/krb5.keytab) and make sure the cyrus-master
>daemon can read it.
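A diagnostic script for the steps Andreas describes and for the imtest run in the console session above, added here and not part of the thread or of the Cyrus project: it checks that the keytab holds the imap/<fqdn> principal, that the cyrus user owns it with private permissions, that a ticket is held in the current cache, and then exercises the GSSAPI mechanism with imtest -m GSSAPI (the session above used -m login, which never touches GSSAPI). The host, realm and user names are placeholders taken from the thread, and the script assumes MIT klist and GNU stat.

```shell
#!/bin/sh
# Added diagnostic for the setup discussed in the thread; not code from the
# original post or from Cyrus. Assumes MIT Kerberos tools (klist -k/-s),
# GNU stat and Cyrus imtest. Host, realm and user below are placeholders
# taken from the thread; override them via the environment.
IMAP_HOST="${IMAP_HOST:-kerberos.acme.co.nz}"
REALM="${REALM:-ACME.CO.NZ}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
CYRUS_USER="${CYRUS_USER:-cyrus}"

# keytab_has_principal LISTING PRINCIPAL: succeeds if the MIT `klist -k`
# listing has PRINCIPAL as the last field of some line (exact match, so a
# host/... entry does not satisfy a check for imap/...).
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# mode_is_private MODESTR: succeeds if an `ls -l` mode string grants nothing
# to group or other; the keytab should look like -rw------- owned by cyrus.
mode_is_private() {
    case "$1" in
        ?rw-------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# owner_is FILE USER: succeeds if FILE is owned by USER (GNU stat).
owner_is() {
    [ "$(stat -c %U "$1" 2>/dev/null)" = "$2" ]
}

run_checks() {
    princ="imap/$IMAP_HOST@$REALM"
    listing=$(klist -k "$KEYTAB" 2>/dev/null) || { echo "FAIL: cannot read $KEYTAB"; return 1; }
    keytab_has_principal "$listing" "$princ" || { echo "FAIL: $princ not in $KEYTAB"; return 1; }
    owner_is "$KEYTAB" "$CYRUS_USER" || { echo "FAIL: $KEYTAB not owned by $CYRUS_USER"; return 1; }
    mode_is_private "$(ls -l "$KEYTAB")" || { echo "FAIL: $KEYTAB readable by group/other"; return 1; }
    # imtest authenticates with the caller's ticket cache, so whoever runs
    # this must hold a ticket for the -a user (klist -s is the silent check).
    klist -s || { echo "FAIL: no valid ticket in the current cache"; return 1; }
    echo "keytab and ticket look right; exercising the GSSAPI mechanism"
    # The session in the post used -m login, which never touches GSSAPI.
    imtest -m GSSAPI -a "$CYRUS_USER" "$IMAP_HOST"
}

# Run the checks only when invoked as `sh gssapi-check.sh run`, so the
# functions can also be sourced on their own.
case "${1-}" in run) run_checks ;; esac
```

sasl_pwcheck_method only governs how plaintext passwords (LOGIN/PLAIN) are verified, so it has no bearing on whether the GSSAPI mechanism works.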
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html