Removing realm from usernames authenticated by GSSAPI (and two more unrelated questions)

Aleksandar Milivojevic amilivojevic at
Wed Jan 12 09:53:37 EST 2005

Jukka Salmi wrote:
> Aleksandar Milivojevic --> info-cyrus (2005-01-11 16:24:14 -0600):
>>I've got authentication using GSSAPI working.  However, when I use 
>>GSSAPI, imapd treats my login name as virtual domain.
> What is virtdomains set to in your imapd.conf?

It is set to "off".  Regardless of that setting, in the maillog file,
this line is logged (when using GSSAPI to authenticate):

login: mailsrv [] user at realm GSSAPI User logged in

What I really want is to be logged in only as "user".  I don't use/need
virtual domains.  Actually, I can't really use virtual domains in simple
way even if I wanted (all users are in single email domain, but in
several Kerberos realms, so there's no matching between domain and realm).

I found ptskrb5_strip_default_realm option, that should strip out
default realm (hasn't worked for me, not even for default realm).
However, I want to strip *all* realms, not just default one.  I've
attempted to use afspts_localrealms option too.  Same result, doesn't
work (realm is not stripped).

>>However, it seems it either isn't used for that, or that it doesn't 
>>work.  I had to provide KRB5_KTNAME environment variable to get imapd to 
>>use correct keytab file.
> You could set 'sasl_keytab: /path/to/keytab' in imapd.conf instead.

I've just tested it.  It hasn't worked.  Maybe there's no such option
and only way to specify alternate keytab file is by using KRB5_KTNAME
environment variable?  It would be nice it this was possible by using
config file (maybe quick&dirty fix for code, if option is found in
config file, and KRB5_KTNAME is not found in environment, define it).

>>One more question, just out of curiosity (I don't intend to implement 
>>it).  I've noticed that if GSSAPI is configured, than plain and login 
>>can be used only over TLS (I'm not really sure about this, maybe I 
>>noticed wrong ;-).  If it is not configured, plain and login are allowed 
>>in plaintext.  Is there a configuration variable to controll this?  Like 
>>force TLS even if GSSAPI is not configured, or allow plaintext in case 
>>GSSAPI is configured?  allowplaintext option doesn't seem to work!?
> Set 'allowplaintext: 0' in imapd.conf.

I've attempted to test it with values of 0 and 1.  Seems it controls
only non-SASL logins (since non-SASL unencrypted plaintext works when
allowplaintext is set to 1, but not SASL plaintext).  For SASL,
encryption is always required.  When connecting to the server, before
STARTTLS, flags AUTH=PLAIN and AUTH=LOGIN are not shown in list of
capabilities (shown only after STARTTLS).  Attempt to force use of
'plain' (imtest -m plain) results in:

PLAIN [SASL(-16): encryption needed to use mechanism: security flags do
not match required]

As I said, it seems that 'imtest -m login' doesn't use SASL, so that one
works (regardless the fact there was no AUTH=LOGIN shown in the list of

I've tried sasl_minimum_layer option (set it to 0), but couldn't get it
not to require encryption (per man imapd.conf, sasl_minimum_layer <= 1
does not require encryption -- doesn't work for me).  Am I missing some
(obvious?) sasl_* option(s)?

Aleksandar Milivojevic <amilivojevic at>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

Cyrus Home Page:
Cyrus Wiki/FAQ:
List Archives/Info:

More information about the Info-cyrus mailing list