Hello,

We use AFS but do not have it doing anything for IMAP. Our authentication
scheme sounds just like what you want to do however. I've only recently
got something to compile and it looks like it will work, but it hasn't
been tested extensively yet.

Are you putting the user folders in AFS? One of my coworkers has read
that may not be a good idea. The I/O throughput is limited by AFS. We have
separate RAID units for each server. Our biggest problem now is the number
of users we have allowed to accumulate on each server and backing them up.
We are looking at moving to a SAN to alleviate both problems and to make it
easier to bring a server up to replace one with problems.

You are correct in that the conflict between OpenSSL and Kerberos is a
problem. I believe CMU's current plan is to let the OpenSSL project change
their conflicting names. Until then I found some information on the list
archive from a programmer at Duke who has hacked the Kerberos stuff a little
bit to provide a compilable source tree. If you can't find his directions in
the archive let me know. I'll see if I still have them lying around.

You will need to use saslauthd to get things to work and include
kerberosIV as an authentication mechanism. You may also need to make some
changes in the source tree if CMU has not made them yet, depending upon
your target platform. I am on Solaris 2.6. I have no confirmation but
believe anything newer will be ok without any mods. As for sasl, everything
I read says I have included 5, but it does not show up when doing
saslauthd -v. We are able to authenticate using the kerberos4 mechanism.

Please let me know how things go for you. As they say, misery loves company.

Regards,
Earl Shannon
-- 
Systems Programmer, Computing Services, Information Technology
NC State University.
http://www4.ncsu.edu/~ershanno
 
Adam Thornton wrote:
> 
> Here's my situation:
> 
> I want to use Cyrus imapd to handle mail in AFS space; I'm using OpenAFS
> 1.2.2, which is roughly equivalent to Transarc 3.6.
> 
> I'd like to have Cyrus use the pts server for its ACLs, since I already
> have working ACLs and it makes my life a lot easier.  I also have no
> reason to keep my users in /etc/passwd, since I'll be spreading mail
> across a bunch of machines, so I really want to authenticate against
> Kerberos, not /etc/passwd.  The principals all look like v4 principals
> (because they're intended for use with AFS), but they really do live in
> K5 space:
> 
> I'm not really running Kerberos IV; instead I'm using MIT krb5 1.2.2,
> and using the MIT krb524d to convert tickets.  All that works fine.
> 
> I was able to convince SASL-2.1.0 to build against the KerberosIV
> libraries, but not saslauthd, largely (I think) because the des.h in K4
> gets along extremely poorly with the des.h in OpenSSL.
> 
> Once I turn to imapd itself, I can more or less bully things into
> compiling, except for ipop3d, which gets upset over the krb.h in
> /usr/local/include/kerberosIV.
> 
> My question is: is there anyone else out there using Cyrus imapd in
> conjunction with user homes and folders in AFS-space, and if so, is
> there anybody doing this with a krb5 implementation, rather than v4,
> under the covers?  Am I even on the right track with what I'm trying to
> do?
> 
> Adam
