Auth Cyrus against Win2K-ADS

lst_hoe01 at kwsoft.de
Tue Mar 30 05:28:42 EST 2004


Zitat von Nikola Milutinovic <Nikola.Milutinovic at ev.co.yu>:

> 
> Why are you running "imtest" on the domain controller? Shouldn't you go against
> the IMAP server?
> 

Sorry: typo, it was the name of the Cyrus server ...

> > imapd.conf :
> > 
> > configdirectory: /var/lib/imap
> > partition-default: /var/spool/imap
> > sievedir: /var/lib/sieve
> > admins: cyrus
> > allowanonymouslogin: no
> > allowplaintext: yes
> > autocreatequota: 10000
> > reject8bit: no
> > quotawarn: 90
> > timeout: 30
> > poptimeout: 10
> > dracinterval: 0
> > drachost: localhost
> > sasl_pwcheck_method: saslauthd
> > keytab: /etc/imap.keytab <---- Not sure if this will work??
> 
> I think this is hardwired for Kerberos5 library, but not sure.



> > klist output :
> > 
> > Credentials cache: FILE:/tmp/krb5cc_0
> >         Principal: kw3075 at HQ.TEST.DE
> > 
> >   Issued           Expires          Principal                         
> > Mar 30 10:29:49  Mar 30 20:29:49  krbtgt/HQ.TEST.DE at HQ.TEST.DE        
> > Mar 30 10:30:06  Mar 30 20:29:49  imap/linux-tst.hq.test.de at HQ.TEST.DE
> 
> OK, client has obtained a ticket for IMAP service.

Yes. This is after I tried "imtest". Before, the list contained only the
krbtgt entry.

> > ktutil list output :
> > 
> > FILE:/etc/krb5.keytab:
> > 
> > Vno  Type         Principal                           
> >   1  des-cbc-crc  host/linux-tst.hq.test.de at HQ.TEST.DE
> 
> You need in here not "host/...", but "imap/..." principal. That is why
> "imtest" is failing. You need to create a service principal on your ADS for 
> "imap/linux-tst.hq.test.de at HQ.TEST.DE" and export the key to your Linux
> keytab "/etc/krb5.keytab".

That's why I try to convince Cyrus to use /etc/imap.keytab. As far as I
understand, the krb5.keytab should be used for the host itself and protected as
read-only by root?
The /etc/imap.keytab is indeed from ADS and readable by cyrus. If I do "ktutil
-k /etc/imap.keytab" I get:

/etc/imap.keytab:

Vno  Type         Principal                           
  1  des-cbc-crc  imap/linux-tst.hq.test.de at HQ.TEST.DE

> BTW, "host/..." principal is for Kerberized "telnet", "r*" and I believe
> "SSH".

I will try to move the imap.keytab to krb5.keytab (readable by cyrus) and see if
I get further on.

> 
> Nix.

Thanks for the reply

Andreas
---
Home Page: http://asg.web.cmu.edu/cyrus
Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
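An added check, not part of the thread, for the two points raised above: the keytab the IMAP daemon reads must contain the imap/<host>@REALM principal (a host/ entry alone is what made imtest fail), and the file must be owned by the account Cyrus runs as and not be readable by other local accounts. It assumes Heimdal's `ktutil -k FILE list` output format as quoted in the thread; the sample listings, the `cyrus` account and the script name are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for the keytab Cyrus reads.
# Assumes Heimdal's "ktutil -k FILE list" output (Vno / Type / Principal
# columns, as quoted in the thread); the sample listings below are constructed.

SAMPLE_HOST_LISTING="FILE:/etc/krb5.keytab:

Vno  Type         Principal
  1  des-cbc-crc  host/linux-tst.hq.test.de@HQ.TEST.DE"

SAMPLE_IMAP_LISTING="/etc/imap.keytab:

Vno  Type         Principal
  1  des-cbc-crc  imap/linux-tst.hq.test.de@HQ.TEST.DE"

# check_keytab_principal LISTING PRINCIPAL
# Succeeds only if LISTING has an entry whose principal equals PRINCIPAL
# exactly; a host/ entry alone (the thread's failing case) does not count.
check_keytab_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ && $3 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_keytab_perms FILE UID
# Succeeds only if FILE is owned by numeric UID (the account the IMAP daemon
# runs as) and has no group/other read bit, so the service key stays private.
check_keytab_perms() {
    [ -f "$1" ] || return 1
    set -- "$2" $(ls -ldn "$1")        # $1=wanted uid, $2=mode, $4=owner uid
    [ "$4" = "$1" ] || return 1
    case "$2" in
        ????r*|???????r*) return 1 ;;  # group- or world-readable
    esac
    return 0
}

# check_cyrus_keytab FILE ACCOUNT PRINCIPAL: run both checks on a real keytab.
check_cyrus_keytab() {
    check_keytab_perms "$1" "$(id -u "$2")" || { echo "bad owner/mode: $1"; return 1; }
    check_keytab_principal "$(ktutil -k "$1" list)" "$3" \
        || { echo "no $3 entry in $1"; return 1; }
    echo "$1 ok"
}

# Usage: sh check-keytab.sh /etc/imap.keytab cyrus imap/linux-tst.hq.test.de@HQ.TEST.DE
if [ $# -eq 3 ]; then check_cyrus_keytab "$1" "$2" "$3"; fi
```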