How do I tell cyrus-imapd to *not* strip default realm from
kerberos principals?
Lars Kellogg-Stedman
lars at oddbit.com
Tue Nov 1 23:44:46 EST 2005
Hello again,

I'm using virtual domains on our Cyrus IMAP server, which means that
the user "lars" is distinct from "lars@example.com". I've just
started setting up kerberos (5) in this environment, and I've
discovered that the Cyrus IMAP server will strip the default realm
from a connecting principal before treating it as a username -- which
means that nobody can actually use kerberos. If I'm authenticated as
"lars@EXAMPLE.COM", Cyrus imapd will authenticate me as the user
"lars", and if I try to SELECT INBOX, for example, I get a "no such
mailbox".

If I connect *without* kerberos and authenticate as lars@example.com,
everything works just grand.

More details:

Given a kerberos environment like this:

  $ klist
  Credentials cache: FILE:/tmp/krb5cc_20000
          Principal: lars@EXAMPLE.COM

Connecting to the IMAP server like this:

  $ imtest mail.example.com
  [...elided...]
  C: A01 AUTHENTICATE GSSAPI ...
  [...elided...]
  S: A01 OK Success (privacy protection)
  Authenticated.
  Security strength factor: 56

The server says:

  mail.notice: Nov 1 23:34:53 imap[23997]: login:
  mail.example.com [192.168.1.20] lars GSSAPI User logged in

-- Lars
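
The symptom described in the post can be spotted in the server log: a GSSAPI login recorded under a userid with no domain part on a virtual-domain server. The following is an added example, not part of the original post and not Cyrus code; the function names are hypothetical, the regular expression assumes the log line layout quoted above, and every sample line except the first is constructed.

```python
import re

# Layout assumed from the log line quoted in the post:
#   imap[PID]: login: HOST [IP] USERID MECH User logged in
LOGIN_RE = re.compile(
    r"(?P<service>\w+)\[(?P<pid>\d+)\]: login: "
    r"(?P<host>\S+) \[(?P<ip>[^\]]+)\] "
    r"(?P<userid>\S+) (?P<mech>\S+) User logged in"
)


def parse_login(line):
    """Return the fields of a login line as a dict, or None if it is not one."""
    m = LOGIN_RE.search(line)
    return m.groupdict() if m else None


def unqualified_gssapi_logins(lines):
    """Return GSSAPI logins whose userid carries no @domain part.

    With virtual domains, "lars" and "lars@example.com" are different
    accounts, so these are the logins where the realm was dropped.
    """
    hits = []
    for line in lines:
        rec = parse_login(line)
        if rec is None:
            continue
        # Compare only the mechanism name, ignoring any "+suffix" after it.
        mech = rec["mech"].split("+", 1)[0].upper()
        if mech == "GSSAPI" and "@" not in rec["userid"]:
            hits.append(rec)
    return hits


SAMPLE_LOG = [
    # From the post (the wrapped line joined back together).
    "Nov 1 23:34:53 imap[23997]: login: mail.example.com [192.168.1.20] lars GSSAPI User logged in",
    # Constructed lines for contrast.
    "Nov 1 23:40:02 imap[24011]: login: client.example.com [192.168.1.21] lars@example.com PLAIN User logged in",
    "Nov 1 23:41:10 imap[24012]: login: client.example.com [192.168.1.21] bob PLAIN User logged in",
    "Nov 1 23:42:00 imap[24013]: accepted connection",
]

if __name__ == "__main__":
    for rec in unqualified_gssapi_logins(SAMPLE_LOG):
        print(f"{rec['userid']} via {rec['mech']} from {rec['ip']} (pid {rec['pid']})")
```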