GSSAPI for various murder component setups

Dan White dwhite at olp.net
Thu Jun 14 10:05:00 EDT 2012


On 06/13/12 21:02 -0700, Stephen Ingram wrote:
>On Wed, Jun 13, 2012 at 1:23 PM, Dan White <dwhite at olp.net> wrote:
>> The other issue is that where your systems are acting as clients (such as
>> when a frontend server is connecting to an mupdate server), your client
>> will need to initialize a kerberos ticket cache, and in my experience
>> cannot use the kerberos credentials used to accept connections. Or in other
>> words, your frontends might have an imap/mail.example.net service ticket
>> for accepting client imap connections, but then may need a separate ticket,
>> such as cyrus/mail.example.net, for backend/mupdate connections. I use
>> cronjobs, running as the cyrus user, to initialize those credential
>> caches.
>
>This is exactly the part I'm really confused about. For murder, I see
>connections from the frontends and backends to the mupdate server. I
>also see connections from the frontends to the backends. The
>connections to the mupdate server are, in a very simplistic sense, to
>spread information about the mailboxes. I was thinking these should be
>machine to machine connections using Kerberos service accounts.
>However, I'm not really sure, should only the mupdate server have an
>mupdate service principal and then the frontend clients and backend
>clients connect to mupdate using "user" kerberos principals, or if all
>servers involved have service principals. Also when proxying a mail
>connection from frontend to backend, how should this be done? And then
>there is replication....

Every service listed within your SERVICES section in cyrus.conf will
potentially need its own service principal, particularly on your backends
and mupdate master. Your frontends may not need service principals if your
users are not performing GSSAPI authentication.

libsasl2 will search for service principals starting with:

imap/
lmtp/
mupdate/
csync/
pop/
nntp/
sieve/

when initialized during service startup. Within your imapd.conf, you can
restrict authentication only to gssapi with:

imap_sasl_mech_list: gssapi
etc.

The *test utilities (lmtptest, imtest, mupdatetest, etc.) are invaluable
for validating the server side of your setup.

Every server in your murder, except perhaps your replica server, will
likely need an additional client/user principal.

When proxying from the frontend to the backend, the frontend will make a
gssapi connection to the backend regardless of the authentication method
the client used when connecting to the frontend. If the client supports
referrals, then the client will then make its own connection to the
backend using whichever authentication method it's configured to use.

-- 
Dan White
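An added example, not code from this thread or from the Cyrus project: a small audit script that reads the SERVICES section of a cyrus.conf, maps each daemon to the SASL service name libsasl2 will look for in the keytab (the daemon-to-service mapping, the host name and the realm are assumptions), and reports which service principals are missing from a `klist -k` listing; it also builds the `kinit` invocation for the cron-job style client credential refresh described above. The cyrus.conf fragment and the keytab listing are constructed samples.

```python
import re
import subprocess

# Constructed sample cyrus.conf fragment (not from the thread).
SAMPLE_CYRUS_CONF = """\
START {
  recover       cmd="ctl_cyrusdb -r"
}
SERVICES {
  imap          cmd="imapd" listen="imap" prefork=5
  imaps         cmd="imapd -s" listen="imaps" prefork=1
  lmtpunix      cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=1
  mupdate       cmd="mupdate -m" listen=3905 prefork=1
  sieve         cmd="timsieved" listen="sieve" prefork=0
}
EVENTS {
  checkpoint    cmd="ctl_cyrusdb -c" period=30
}
"""

# Constructed `klist -k` output for the host keytab; sieve/ is deliberately absent.
SAMPLE_KLIST_K = """\
Keytab name: FILE:/etc/cyrus.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 imap/mail.example.net@EXAMPLE.NET
   3 lmtp/mail.example.net@EXAMPLE.NET
   3 mupdate/mail.example.net@EXAMPLE.NET
   2 cyrus/mail.example.net@EXAMPLE.NET
"""

# Assumed mapping from the daemon binary (first word of cmd="...") to the
# SASL service name the daemon registers with libsasl2.
DAEMON_TO_SASL_SERVICE = {
    "imapd": "imap",
    "pop3d": "pop",
    "lmtpd": "lmtp",
    "mupdate": "mupdate",
    "timsieved": "sieve",
    "nntpd": "nntp",
    "sync_server": "csync",
}


def required_services(cyrus_conf):
    """Return the set of SASL service names implied by the SERVICES section."""
    block = re.search(r"SERVICES\s*\{(.*?)\}", cyrus_conf, re.S)
    if not block:
        return set()
    services = set()
    for line in block.group(1).splitlines():
        cmd = re.search(r'cmd="([^"\s]+)', line)  # first word of the cmd= value
        if cmd and cmd.group(1) in DAEMON_TO_SASL_SERVICE:
            services.add(DAEMON_TO_SASL_SERVICE[cmd.group(1)])
    return services


def keytab_principals(klist_output):
    """Parse `klist -k` output into a set of principal names (KVNO dropped)."""
    principals = set()
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)$", line)
        if m:
            principals.add(m.group(1))
    return principals


def missing_service_principals(cyrus_conf, klist_output, host, realm):
    """Service principals cyrus.conf needs that the keytab does not hold."""
    needed = {"%s/%s@%s" % (svc, host, realm) for svc in required_services(cyrus_conf)}
    return sorted(needed - keytab_principals(klist_output))


def kinit_argv(client_principal, keytab, ccache):
    """argv for the cron job that refreshes the client credential cache from a keytab."""
    return ["kinit", "-k", "-t", keytab, "-c", ccache, client_principal]


def refresh_client_ccache(client_principal, keytab, ccache):
    """Run kinit as the cyrus user would from cron; returns the exit status."""
    return subprocess.call(kinit_argv(client_principal, keytab, ccache))


if __name__ == "__main__":
    # Hypothetical host/realm; on a real box feed in `klist -k` output and cyrus.conf.
    missing = missing_service_principals(SAMPLE_CYRUS_CONF, SAMPLE_KLIST_K,
                                         "mail.example.net", "EXAMPLE.NET")
    print("missing service principals:", missing or "none")
    print("client refresh command:",
          " ".join(kinit_argv("cyrus/mail.example.net@EXAMPLE.NET",
                              "/etc/cyrus.keytab", "/var/lib/imap/krb5cc_cyrus")))
```

Run the audit on each backend and on the mupdate master, since those are the hosts whose listed services accept GSSAPI; the `-c` cache path given to `kinit` has to match what the Cyrus processes see as their credential cache, otherwise the frontend will still fail to authenticate to mupdate even though the cron job succeeds.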
