I've added imap/kerberos.acme.co.nz to the keytab file and changed ownership to cyrus.
I'm wondering if sasl_pwcheck_method in /etc/imapd.conf should be changed if one requires gssapi authentication. I tried setting it to "gssapi" but it didn't help. What should the value be?
Thanks
Results of a console session...
--------------------------------------------------------
silver imap # ls -l /etc/krb5.keytab
-rw------- 1 cyrus root 330 Aug 12 10:45 /etc/krb5.keytab

silver root # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
08/13/04 09:34:22  08/13/04 19:34:22  krbtgt/[EMAIL PROTECTED]
        renew until 08/13/04 09:34:22
silver root # imtest -a cyrus -m login -p imap2 localhost
S: * OK silver Cyrus IMAP4 v2.1.15 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=GSSAPI AUTH=NTLM AUTH=CRAM-MD5 AUTH=DIGEST-MD5 LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN cyrus {10}
S: + go ahead
C: <omitted>
S: L01 OK User logged in
Authenticated.
Security strength factor: 0
----------------------------------------------------------------------------------
Here is my imapd.conf file
----------------------------------------------------
configdirectory: /var/imap
partition-default: /var/spool/imap
sievedir: /var/imap/sieve
tls_cert_file: /etc/cyrusimapd/server.crt
tls_key_file: /etc/cyrusimapd/server.key
admins: cyrus
hashimapspool: yes
allowanonymouslogin: no
#allowplaintext: no
allowplaintext: yes
# Use this if sieve-scripts could be in ~user/.sieve.
#sieveusehomedir: yes
# Use saslauthd if you want to use pam for imap.
# But be warned: login with DIGEST-MD5 or CRAM-MD5
# is not possible using pam.
#sasl_pwcheck_method: saslauthd
-------------------------------------------------------------------------
/etc/krb5.conf
---------------------------------------
[libdefaults]
        ticket_lifetime = 600
        default_realm = ACME.CO.NZ
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
        ACME.CO.NZ = {
                kdc = kerberos.acme.co.nz:88
                kdc = kerberos2.acme.co.nz:88
                admin_server = kerberos.acme.co.nz:749
        }

[domain_realm]
        .acme.co.nz = ACME.CO.NZ
        acme.co.nz = ACME.CO.NZ

[kdc]
        profile = /etc/krb5kdc/kdc.conf

[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log
--------------------------------------------------------------------------
Andreas wrote:
On Thu, Aug 12, 2004 at 01:10:05PM +1200, Stephen wrote:
3. The missing piece is how to link cyrus-imap and GSSAPI. Kerberos is operational and I have tried "addprinc -randkey host/kerberos.ourdomain" and then "ktadd host/kerberos.ourdomain", but still can't authenticate.
You need a principal in the form of "imap/fqdn-of-imap-server". Then add it to the default keytab (/etc/krb5.keytab) and make sure the cyrus-master daemon can read it.
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
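As an added check (example code, not from the thread or from Cyrus), the script below audits the points Andreas's reply and the console session turn on: whether /etc/krb5.keytab holds imap/<fqdn-of-the-IMAP-server>@REALM, whether it is owned by the cyrus user and unreadable by anyone else, and whether imapd.conf still allows plaintext LOGIN, which is why imtest reports a security strength factor of 0. The klist -k listing, ls -l line and imapd.conf extract are constructed from the values in the thread; the IMAP host's FQDN silver.acme.co.nz is an assumption, since the page only shows the short hostname silver.

```python
import re

# Constructed sample inputs modelled on the thread (not captured from a real host).
KLIST_K = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/kerberos.acme.co.nz@ACME.CO.NZ
   2 imap/kerberos.acme.co.nz@ACME.CO.NZ
"""
LS_L = "-rw------- 1 cyrus root 330 Aug 12 10:45 /etc/krb5.keytab"
IMAPD_CONF = """admins: cyrus
allowanonymouslogin: no
allowplaintext: yes
#sasl_pwcheck_method: saslauthd
"""

def keytab_principals(klist_output):
    """Return the set of principals listed by `klist -k` (KVNO column dropped)."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+@\S+)\s*$", klist_output, re.M)}

def audit_gssapi(klist_output, ls_line, imapd_conf, imap_fqdn, realm, cyrus_user="cyrus"):
    """Return a list of findings; an empty list means the checked items look right."""
    findings = []
    # 1. The service principal must name the IMAP server itself, not the KDC.
    wanted = f"imap/{imap_fqdn}@{realm}"
    princs = keytab_principals(klist_output)
    if wanted not in princs:
        others = sorted(p for p in princs if p.startswith("imap/"))
        findings.append(f"keytab lacks {wanted}; imap/ principals present: {others or 'none'}")
    # 2. The cyrus user must be able to read the keytab, and nobody else should.
    mode, _links, owner, _group = ls_line.split()[:4]
    if owner != cyrus_user:
        findings.append(f"keytab owned by {owner}, not {cyrus_user}")
    if mode[4:] != "------":
        findings.append(f"keytab mode {mode} is readable by group/other")
    # 3. Plaintext LOGIN/PLAIN stays available while allowplaintext is yes.
    conf = {}
    for line in imapd_conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    if conf.get("allowplaintext", "no") == "yes":
        findings.append("allowplaintext: yes lets LOGIN/PLAIN run without a protecting layer (SSF 0)")
    return findings

if __name__ == "__main__":
    for finding in audit_gssapi(KLIST_K, LS_L, IMAPD_CONF, "silver.acme.co.nz", "ACME.CO.NZ"):
        print("FINDING:", finding)
```

sasl_pwcheck_method only selects how plaintext passwords are verified; the GSSAPI mechanism authenticates against the keytab, so the principal name and the keytab's ownership are what to verify first.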