Authenticate to IMAP server via Active Directory

Cristian Mitrana cmitrana at xnet.ro
Fri Mar 19 02:09:23 EST 2004 

Wong, G. MR EECS wrote:
> We are trying to setup a Cyrus IMAP server(version 2.2.3) on a Redhat
> Enterprise LINUX AS 3.0 box. For ease of  management we would like to
> authenticate users against a Microsoft Active Directory Domain
> controller since
> all users who would use the IMAP server are already there.
> 
> We have attempted to use Cyrus saslauthd( version 2.1.17) with kerberos5
> to do this:
> 
> 1.  Cyrus sasl has been built with gssapi(kerberos5) support
> 2.  cyrus imap has been built --with-auth=krb5
> 3.  In /etc/imapd.conf sasl-pwcheck-method=saslauthd
> 4.  We followed the instructions in
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbstep
> s.asp
>     to interoperate with the AD KDC:  We generated both the host and
> service-instance(imap) keytab files and
>     integrated them into the /etc/krb5.keytab file on the LINUX host.
> Finally, we modified /etc/krb5.conf
>     according to the instructions.  We tested kerberos with kinit and it
> seems to be working.
> 
> 5.  We started saslauthd with:  saslauthd -n0 -a kerberos5

You should run testsaslauthd now and see if you can authenticate after
you get the principal's ticket.
If not, than you cannot authenticate to AD.

> 6.  Finally, we started imap with master -d
> 
> We have not had success with AD authentication.  When a valid AD user
> tries to login via the imap client( we are  using microsoft outlook) we
> get a cryptic "size read failed".  When we use imtest we get a "No
> credentials cache  found" error.  We are indeed clueless would
> appreciate any help with this.

When testing with imtest you 'klist' you tickets and see if you got a
imap/host@**** ticket. Who is giving "no credentials cache found" error ?
imtest or cyrus ? I was under the impression that cyrus-imapd supports
directly authentication via GSSAPI (kerberos 5) so you wouldn't need any
saslauthd working (just a principal for cyrus-imapd accessible to the 
server).

  Alternatively you could use pam to integrate with AD, but this is 
not what
you need.

hth,
mitu
---
Home Page: http://asg.web.cmu.edu/cyrus
Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

More information about the Info-cyrus mailing list