Authenticating (with cyradm) using an alternate Kerberos instance?
lars at oddbit.com
Sun Nov 6 23:23:27 EST 2005
I'm running Cyrus imapd in a Kerberos environment.
When using cyradm, I would like to authenticate with a /admin
instance, rather than giving my primary instance admin privileges or
always connecting as the 'cyrus' user. I haven't had much luck so
far, and I think it's because I'm not clear on how Cyrus/SASL
interacts with Kerberos and LDAP.
I've authenticated to Kerberos as lars/admin at EXAMPLE.COM:
Credentials cache: FILE:/tmp/krb5cc_20000_u20528
Principal: lars/admin at EXAMPLE.COM
Issued Expires Principal
Nov 6 22:50:33 Nov 7 08:50:33 krbtgt/EXAMPLE.COM at EXAMPLE.COM
I've added lars/admin as an admin user in /etc/imapd.conf (and set
defaultdomain to example.com), like this:
admins: cyrus lars/admin
We're running 'saslauthd -a ldap'. There is a matching record in LDAP
(uid: lars/admin) that will be matched by the filter in
If I try to connect with cyradm, I get an error:
$ cyradm mail.example.com
cyradm: cannot authenticate to server with as lars
And the IMAP server says:
badlogin: mail.example.com [192.168.1.20] GSSAPI [SASL(-13):
authentication failure: bad userid authenticated]
I get the same behavior if I try:
$ cyradm --user=lars/admin mail.example.com
I should probably mention that:
(a) authenticating as my primary instance (lars at EXAMPLE.COM) works
just fine (and if I set myself up as an admin user I get admin
(b) If I obtain the 'cyrus at EXAMPLE.COM' principal, everything works as expected.
(c) authenticating to, say, our LDAP server as lars/admin does the
right thing, although that's largely due to the magic of OpenLDAP's
What am I missing? Thanks!
More information about the Info-cyrus