We are trying to set up a Cyrus IMAP server (version 2.2.3) on a Red Hat Enterprise Linux AS 3.0 box. For ease of management we would like to authenticate users against a Microsoft Active Directory Domain controller since all users who would use the IMAP server are already there.
We have attempted to use Cyrus saslauthd (version 2.1.17) with kerberos5 to do this:
1. Cyrus sasl has been built with gssapi (kerberos5) support
2. cyrus imap has been built --with-auth=krb5
3. In /etc/imapd.conf sasl-pwcheck-method=saslauthd
4. We followed the instructions in http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp to interoperate with the AD KDC: We generated both the host and service-instance (imap) keytab files and integrated them into the /etc/krb5.keytab file on the LINUX host. Finally, we modified /etc/krb5.conf according to the instructions. We tested kerberos with kinit and it seems to be working.
5. We started saslauthd with: saslauthd -n0 -a kerberos5
You should run testsaslauthd now and see if you can authenticate after you get the principal's ticket. If not, then you cannot authenticate to AD.
6. Finally, we started imap with master -d
We have not had success with AD authentication. When a valid AD user tries to log in via the IMAP client (we are using Microsoft Outlook) we get a cryptic "size read failed". When we use imtest we get a "No credentials cache found" error. We are indeed clueless and would appreciate any help with this.
When testing with imtest, 'klist' your tickets and see if you got an
imap/[EMAIL PROTECTED] ticket. Who is giving the "no credentials cache found" error?
imtest or cyrus? I was under the impression that cyrus-imapd directly supports
authentication via GSSAPI (kerberos 5), so you wouldn't need any
saslauthd working (just a principal for cyrus-imapd accessible to the server).
Alternatively you could use PAM to integrate with AD, but this is not what
you need.
hth, mitu
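The klist check suggested in the reply above, as an added example that is not part of the original thread: a small shell function that classifies `klist` output into "no cache", "TGT only" or "imap service ticket present". The sample outputs, the `classify_klist` name, and the host and realm names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `klist` output for the check suggested in the reply.
# All sample text below is constructed; EXAMPLE.COM and mail.example.com are placeholders.

classify_klist() {
    # $1 = text printed by `klist` (stdout and stderr combined)
    out=$1
    case $out in
        # The client has no ticket cache at all: kinit was not run in this session.
        *"No credentials cache found"*) echo no-cache; return ;;
    esac
    # In the ticket listing the service principal is the last field of each line.
    tgt=$(printf '%s\n' "$out" | awk '$NF ~ /^krbtgt\// {n++} END {print n+0}')
    svc=$(printf '%s\n' "$out" | awk '$NF ~ /^imap\// {n++} END {print n+0}')
    if [ "$svc" -gt 0 ]; then
        echo imap-ticket    # GSSAPI obtained a service ticket for the IMAP server
    elif [ "$tgt" -gt 0 ]; then
        echo tgt-only       # logged in to the KDC, but no imap/ ticket was issued
    else
        echo no-tickets
    fi
}

# Constructed sample outputs.
SAMPLE_NO_CACHE='klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)'
SAMPLE_TGT_ONLY='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
01/01/04 10:00:00  01/01/04 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'
SAMPLE_IMAP="$SAMPLE_TGT_ONLY
01/01/04 10:05:00  01/01/04 20:00:00  imap/mail.example.com@EXAMPLE.COM"

# Pass --live to classify the real cache of the current user after running imtest.
if [ "${1:-}" = "--live" ]; then
    classify_klist "$(klist 2>&1)"
fi
```

A result of `no-cache` on the client side points at the imtest session rather than the server; `tgt-only` means the KDC login worked but no ticket for the imap service principal was obtained.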