Jukka Salmi wrote:
> Aleksandar Milivojevic --> info-cyrus (2005-01-11 16:24:14 -0600):
>> I've got authentication using GSSAPI working. However, when I use
>> GSSAPI, imapd treats my login name as virtual domain.
>
> What is virtdomains set to in your imapd.conf?

It is set to "off". Regardless of that setting, in the maillog file,
this line is logged (when using GSSAPI to authenticate):
login: mailsrv [1.2.3.4] [EMAIL PROTECTED] GSSAPI User logged in
What I really want is to be logged in only as "user". I don't use/need
virtual domains. Actually, I can't really use virtual domains in a simple
way even if I wanted to (all users are in a single email domain, but in
several Kerberos realms, so there's no matching between domain and realm).
I found the ptskrb5_strip_default_realm option, which should strip out the
default realm (it hasn't worked for me, not even for the default realm).
However, I want to strip *all* realms, not just the default one. I've
attempted to use the afspts_localrealms option too. Same result, doesn't
work (the realm is not stripped).

>> However, it seems it either isn't used for that, or that it doesn't
>> work. I had to provide the KRB5_KTNAME environment variable to get imapd
>> to use the correct keytab file.
>
> You could set 'sasl_keytab: /path/to/keytab' in imapd.conf instead.

I've just tested it. It hasn't worked. Maybe there's no such option
and the only way to specify an alternate keytab file is by using the
KRB5_KTNAME environment variable? It would be nice if this was possible by
using the config file (maybe a quick&dirty fix for the code: if the option
is found in the config file, and KRB5_KTNAME is not found in the
environment, define it).

>> One more question, just out of curiosity (I don't intend to implement
>> it). I've noticed that if GSSAPI is configured, then plain and login
>> can be used only over TLS (I'm not really sure about this, maybe I
>> noticed wrong ;-). If it is not configured, plain and login are allowed
>> in plaintext. Is there a configuration variable to control this? Like
>> force TLS even if GSSAPI is not configured, or allow plaintext in case
>> GSSAPI is configured? The allowplaintext option doesn't seem to work!?
>
> Set 'allowplaintext: 0' in imapd.conf.

I've attempted to test it with values of 0 and 1. It seems it controls
only non-SASL logins (since non-SASL unencrypted plaintext works when
allowplaintext is set to 1, but SASL plaintext does not). For SASL,
encryption is always required. When connecting to the server, before
STARTTLS, the flags AUTH=PLAIN and AUTH=LOGIN are not shown in the list of
capabilities (they are shown only after STARTTLS). An attempt to force use
of 'plain' (imtest -m plain) results in:

  PLAIN [SASL(-16): encryption needed to use mechanism: security flags do
  not match required]

As I said, it seems that 'imtest -m login' doesn't use SASL, so that one
works (regardless of the fact that there was no AUTH=LOGIN shown in the
list of capabilities).

I've tried the sasl_minimum_layer option (set it to 0), but couldn't get
it not to require encryption (per man imapd.conf, sasl_minimum_layer <= 1
does not require encryption -- doesn't work for me). Am I missing some
(obvious?) sasl_* option(s)?

--
Aleksandar Milivojevic <[EMAIL PROTECTED]>    Pollard Banknote Limited
Systems Administrator                         1499 Buffalo Place
Tel: (204) 474-2323 ext 276                   Winnipeg, MB R3T 1L7
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
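The capability behaviour discussed in the message above (AUTH=PLAIN and AUTH=LOGIN advertised only after STARTTLS, and the separate question of whether the non-SASL LOGIN command is blocked in the clear) can be verified from the client side rather than inferred from imtest errors. The following Python script is an added example, not code from this thread or from Cyrus; the host argument is a placeholder for a server you administer, and the two sample CAPABILITY lines are constructed to mirror what the message reports. It only reads capabilities and never sends credentials.

```python
"""Compare the authentication mechanisms an IMAP server advertises before
and after STARTTLS.  Added example for the info-cyrus thread above; the
sample CAPABILITY lines below are constructed, not captured from a server."""
import imaplib
import ssl

# Mechanisms that send the password in the clear unless TLS (or a SASL
# security layer) protects the connection.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_capabilities(cap_line):
    """Return the set of capability tokens from an untagged CAPABILITY line."""
    tokens = cap_line.strip().upper().split()
    return {t for t in tokens if t not in ("*", "CAPABILITY")}


def auth_mechs(caps):
    """Extract the SASL mechanism names from AUTH=<mech> capability tokens."""
    return {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}


def assess(caps_before, caps_after):
    """Compare capability sets taken before and after STARTTLS.

    plaintext_before_tls: cleartext SASL mechanisms offered on the
        unencrypted connection (a defender wants this list empty).
    plaintext_after_tls_only: cleartext mechanisms that appear only once
        TLS is up (the behaviour reported in the thread).
    login_cmd_blocked_before_tls: whether LOGINDISABLED (RFC 2595) is
        advertised pre-TLS, which tells conforming clients not to issue
        the non-SASL LOGIN command in the clear.
    """
    before, after = auth_mechs(caps_before), auth_mechs(caps_after)
    return {
        "plaintext_before_tls": sorted(before & PLAINTEXT_MECHS),
        "plaintext_after_tls_only": sorted((after - before) & PLAINTEXT_MECHS),
        "login_cmd_blocked_before_tls": "LOGINDISABLED" in caps_before,
        "starttls_offered": "STARTTLS" in caps_before,
    }


def probe(host, port=143, timeout=10):
    """Connect in the clear, record capabilities, STARTTLS, record again."""
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        caps_before = set(conn.capabilities)  # imaplib reads them at connect
        conn.starttls(ssl.create_default_context())
        caps_after = set(conn.capabilities)   # refreshed by starttls()
    finally:
        try:
            conn.logout()
        except (imaplib.IMAP4.error, OSError):
            pass
    return assess(caps_before, caps_after)


# Constructed sample lines modelled on the thread: PLAIN/LOGIN absent
# before STARTTLS, present afterwards, LOGIN command disabled in the clear.
SAMPLE_BEFORE = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=GSSAPI"
SAMPLE_AFTER = "* CAPABILITY IMAP4rev1 AUTH=GSSAPI AUTH=PLAIN AUTH=LOGIN"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        report = probe(sys.argv[1])  # live check against a host you operate
    else:
        report = assess(parse_capabilities(SAMPLE_BEFORE),
                        parse_capabilities(SAMPLE_AFTER))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run with no arguments it evaluates the constructed sample; with a hostname it performs the live two-phase capability read. An empty `plaintext_before_tls` together with `login_cmd_blocked_before_tls: True` is the state the message is trying to confirm: cleartext password mechanisms, SASL and non-SASL alike, are unavailable until TLS is established.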