Removing realm from usernames authenticated by GSSAPI (and two
more unrelated questions)
amilivojevic at pbl.ca
Wed Jan 12 09:53:37 EST 2005
Jukka Salmi wrote:
> Aleksandar Milivojevic --> info-cyrus (2005-01-11 16:24:14 -0600):
>>I've got authentication using GSSAPI working. However, when I use
>>GSSAPI, imapd treats my login name as virtual domain.
> What is virtdomains set to in your imapd.conf?
It is set to "off". Regardless of that setting, in the maillog file,
this line is logged (when using GSSAPI to authenticate):
login: mailsrv [22.214.171.124] user at realm GSSAPI User logged in
What I really want is to be logged in only as "user". I don't use/need
virtual domains. Actually, I can't really use virtual domains in simple
way even if I wanted (all users are in single email domain, but in
several Kerberos realms, so there's no matching between domain and realm).
I found ptskrb5_strip_default_realm option, that should strip out
default realm (hasn't worked for me, not even for default realm).
However, I want to strip *all* realms, not just default one. I've
attempted to use afspts_localrealms option too. Same result, doesn't
work (realm is not stripped).
>>However, it seems it either isn't used for that, or that it doesn't
>>work. I had to provide KRB5_KTNAME environment variable to get imapd to
>>use correct keytab file.
> You could set 'sasl_keytab: /path/to/keytab' in imapd.conf instead.
I've just tested it. It hasn't worked. Maybe there's no such option
and only way to specify alternate keytab file is by using KRB5_KTNAME
environment variable? It would be nice it this was possible by using
config file (maybe quick&dirty fix for code, if option is found in
config file, and KRB5_KTNAME is not found in environment, define it).
>>One more question, just out of curiosity (I don't intend to implement
>>it). I've noticed that if GSSAPI is configured, than plain and login
>>can be used only over TLS (I'm not really sure about this, maybe I
>>noticed wrong ;-). If it is not configured, plain and login are allowed
>>in plaintext. Is there a configuration variable to controll this? Like
>>force TLS even if GSSAPI is not configured, or allow plaintext in case
>>GSSAPI is configured? allowplaintext option doesn't seem to work!?
> Set 'allowplaintext: 0' in imapd.conf.
I've attempted to test it with values of 0 and 1. Seems it controls
only non-SASL logins (since non-SASL unencrypted plaintext works when
allowplaintext is set to 1, but not SASL plaintext). For SASL,
encryption is always required. When connecting to the server, before
STARTTLS, flags AUTH=PLAIN and AUTH=LOGIN are not shown in list of
capabilities (shown only after STARTTLS). Attempt to force use of
'plain' (imtest -m plain) results in:
PLAIN [SASL(-16): encryption needed to use mechanism: security flags do
not match required]
As I said, it seems that 'imtest -m login' doesn't use SASL, so that one
works (regardless the fact there was no AUTH=LOGIN shown in the list of
I've tried sasl_minimum_layer option (set it to 0), but couldn't get it
not to require encryption (per man imapd.conf, sasl_minimum_layer <= 1
does not require encryption -- doesn't work for me). Am I missing some
(obvious?) sasl_* option(s)?
Aleksandar Milivojevic <amilivojevic at pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
More information about the Info-cyrus