Cyrus IMAPd, SASL, GSSAPI, Proxy Authorization
Earl R Shannon
ershanno at unity.ncsu.edu
Mon Mar 15 08:54:12 EST 2004
Hello,
It would help to see the imapd.conf file for the server in
question. That said, is the user jablko listed in the
imapd.conf file on the proxyservers list? ie:
proxyservers: jablko
Regards,
Earl Shannon
ms419 at freezone.co.uk wrote:
> I'm attempting to connect to the Cyrus IMAPd mailbox "admin" on
> "wum.lat" as the Kerberos principal "jablko at LAT", using proxy
> authorization. The principal "imap/wum.lat" is in the realm "RUZ" -
> cross realm authentication is working - I can connect to the mailbox
> "admin" as "admin at LAT". Account information is currently being
> successfully retrieved from an OpenLDAP server, using nss_ldap. I can
> currently ssh to "admin at wum.lat" as "jablko at LAT", using a ".k5login"
> file in admin's home. I should also be able to proxy authorize to the
> OpenLDAP server using saslAuthzTo / From. Cyrus, however, isn't letting
> me in. I am unclear on what I must do to configure proxy authorization
> for Cyrus IMAPd, and why it is calling nss_ldap (and why nss_ldap can't,
> in this case, contact the LDAP server).
>
> Can anyone help?
>
> Thanks!
>
> Jack
>
> ==> auth.log <==
> Mar 13 15:41:10 wum krb5kdc[17432]: AS_REQ (6 etypes {18 16 23 1 3 2})
> 192.168.179.43: NEEDED_PREAUTH: jablko at LAT for krbtgt/LAT at LAT,
> Additional pre-authentication required
> Mar 13 15:41:10 wum krb5kdc[17432]: AS_REQ (6 etypes {18 16 23 1 3 2})
> 192.168.179.43: ISSUE: authtime 1079221270, etypes {rep=16 tkt=16
> ses=16}, jablko at LAT for krbtgt/LAT at LAT
> Mar 13 15:41:53 wum krb5kdc[17432]: TGS_REQ (6 etypes {18 16 23 1 3 2})
> 192.168.179.43: ISSUE: authtime 1079221270, etypes {rep=16 tkt=16
> ses=16}, jablko at LAT for krbtgt/RUZ at LAT
> Mar 13 15:41:53 wum krb5kdc[17432]: TGS_REQ (5 etypes {16 23 1 3 2})
> 192.168.179.43: ISSUE: authtime 1079221270, etypes {rep=16 tkt=16
> ses=16}, jablko at LAT for imap/wum.lat at RUZ
>
> ==> mail.log <==
> Mar 13 15:41:53 wum cyrus/imapd[18603]: accepted connection
>
> ==> auth.log <==
> Mar 13 15:41:54 wum cyrus/imapd[18603]: user jablko is not allowed to proxy
>
> ==> mail.log <==
> Mar 13 15:41:54 wum cyrus/imapd[18603]: nss_ldap: could not connect to
> any LDAP server as (null) - Can't contact LDAP server
> Mar 13 15:41:54 wum cyrus/imapd[18603]: badlogin:
> fis.lat[192.168.179.43] GSSAPI [SASL(-13): authentication failure: user
> jablko is not allowed to proxy]
>
> ---
> Home Page: http://asg.web.cmu.edu/cyrus
> Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
---
Home Page: http://asg.web.cmu.edu/cyrus
Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
More information about the Info-cyrus
mailing list