authentication using kerberos

Rob Siemborski rjs3 at andrew.cmu.edu
Wed Dec 22 19:52:04 EST 2004


On Wed, 22 Dec 2004, Aleksandar Milivojevic wrote:

> Rob Siemborski wrote:
>> On Tue, 21 Dec 2004, Aleksandar Milivojevic wrote:
>> 
>>> saslauthd: auth_krb5: krb5_get_init_creds_password
>>> saslauthd: do_auth : auth failure: [user=username] [service=imap] 
>>> [realm=] [mech=kerberos5] [reason=saslauthd internal error]
>> 
>> 
>> Do you have a host/(hostname) key in the database?
>
> OK, so I added host/hostname key.  And the authentication against AD now 
> works.  I guess this step can't be skipped...

It can be if you use Heimdal for your unix side kerberos library.  It's 
been a while since I've looked at this and the reason for the difference 
escapes me at the moment.

> However, I have several AD domains.  Is it possible to define a list of users 
> and to which domain (realm) they belong, so that they just type the username 
> (which is guaranteed to be unique across all realms in my case), and cyrus 
> imapd/saslauthd authenticates against the correct AD server?

I suspect that you could do this with a code modification, but I don't 
believe there is support for deriving the correct domain internally.

> If the only way is for the user to specify the realm (as in user@domain) when 
> logging in (which I'd rather avoid, if possible), I have another problem ;-)
>
> When I type user@domain in MUA, authentication goes well, but IMAPD responds 
> with "invalid mailbox" message.  Do I need to create (in this case) all 
> mailboxes as user@domain?  Or?

Virtual domains.

-Rob

---------------------------------------------------------------------
Rob Siemborski

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html




More information about the Info-cyrus mailing list