Cyrus IMAP GSSAPI for multiple AD domains

Dan White dwhite at olp.net
Thu Oct 22 11:58:18 EDT 2009


On 22/10/09 22:38 +0800, John Mok wrote:
>Oct 22 15:35:02 imapsv01 cyrus/imap[19466]: badlogin: 
>John.sml.citizen.co.jp [10.144.1.192] GSSAPI [SASL(-13): authentication 
>failure: user komatsuj at go.citizen.co.jp is not allowed to proxy]
>
>I checked with imtest and it passed successfully :-
>
> >imtest -m GSSAPI imapsv01.grt.citizen.co.jp
>
>The IMAP config. /etc/imapd.conf follows :-
>
>....
>virtdomains: yes
>defaultdomain: grt.citizen.co.jp
>sasl_pwcheck_method: saslauthd

The "...not allowed to proxy" would seem to indicate that the client is
sending an authorization identity, and that it does not match the
authentication identity derived from GSSAPI.

What does your 'loginrealms:' entry look like in imapd.conf? Are you
specifying a(n authorization) username within the email client? If so, try
including go.citizen.co.jp in your loginrealms config, and configuring
'komatsuj at go.citizen.co.jp' as your authorization identity in your client,
or perhaps not specifying it at all.

-- 
Dan White
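
A triage aid for the diagnosis above, as an added example that is not part of the original post or of Cyrus itself: it pulls the realm out of each "not allowed to proxy" badlogin line and checks it against `loginrealms` (a space-separated realm list) and `defaultdomain` from imapd.conf. The function names are hypothetical, the sample config holds only the lines visible in the quoted message (the rest is elided there), and the log line is the quoted one joined onto a single line.

```python
import re

# "not allowed to proxy" badlogin line. The list archive rewrites "@" as " at ",
# so both forms are accepted. Identities without a realm are not matched.
BADLOGIN = re.compile(
    r"badlogin: (?P<host>\S+) \[(?P<ip>[^\]]+)\] (?P<mech>\S+) "
    r"\[SASL\(-13\): authentication failure: "
    r"user (?P<user>\S+?)(?:@| at )(?P<realm>\S+) is not allowed to proxy\]"
)

def parse_imapd_conf(text):
    """Return imapd.conf options as a dict ('key: value' lines, '#' comments skipped)."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip()] = value.strip()
    return opts

def triage(log_text, conf_text):
    """List each proxy failure with whether its realm appears in the config."""
    opts = parse_imapd_conf(conf_text)
    known = set(opts.get("loginrealms", "").lower().split())
    default = opts.get("defaultdomain", "").lower()
    findings = []
    for m in BADLOGIN.finditer(log_text):
        realm = m["realm"].lower()
        findings.append({
            "user": m["user"], "realm": realm,
            "client": m["ip"], "mech": m["mech"],
            "realm_in_loginrealms": realm in known,
            "realm_is_defaultdomain": realm == default,
        })
    return findings

# Sample input: the log line quoted above, and only the config lines shown there.
SAMPLE_LOG = (
    "Oct 22 15:35:02 imapsv01 cyrus/imap[19466]: badlogin: "
    "John.sml.citizen.co.jp [10.144.1.192] GSSAPI [SASL(-13): authentication "
    "failure: user komatsuj at go.citizen.co.jp is not allowed to proxy]"
)
SAMPLE_CONF = "virtdomains: yes\ndefaultdomain: grt.citizen.co.jp\nsasl_pwcheck_method: saslauthd\n"

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, SAMPLE_CONF):
        print(finding)
```

A finding with both flags false means the authenticating realm is neither the default domain nor listed in `loginrealms` in the config text that was checked.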

