kerberos/imap trouble
Dennis Davis
ccsdhd at bath.ac.uk
Fri Dec 10 09:01:52 EST 2004
>From: Mark Hannessen <mark at nperfection.com>
>To: kerberos at mit.edu
>Date: Fri, 10 Dec 2004 14:27:30 +0100
>
>I am trying to set up a kerberos v5 only cyrus imap server.
>that is: I would like all authorisation to be done by gssapi/kerberos.
...
>does anybody have a suggestion where I should look next?

Is the keytab file in the right place?  Depending on your
version/implementation of kerberos it could be in any of:

    /etc/krb5.keytab
    /etc/krb5/krb5.keytab
    /etc/kerberosV/krb5.keytab

Do the logs on the Kerberos server give any more detail?

Note that a Cyrus IMAP server using Kerberos5 should need the
principals:

    pop/server-name@K5-DOMAIN
    imap/server-name@K5-DOMAIN
    sieve/server-name@K5-DOMAIN

The imap and sieve principals are definitely needed.  It's worth
adding the pop principal even if you initially don't intend running
the pop daemon.

It is advisable to extract these to a separate keytab file --
/var/imap/krb5.keytab -- and give that to the Cyrus user.  You can
then start the master daemon with a command line of the form:

    KRB5_KTNAME=/var/imap/krb5.keytab /usr/local/cyrus/bin/master &

The above makes it unnecessary to add all the cyrus principals to
/etc/krb5.keytab (or similar) and make this owned by, or at least
readable by, the cyrus user.
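
Added example, not part of the original message: a small shell check for the dedicated keytab described above, reporting which of the imap, sieve and pop principals are missing and whether the file is closed to group and other. It assumes the MIT "klist -k" output layout; the host mail.example.org, the realm EXAMPLE.ORG and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a dedicated Cyrus keytab (assumes MIT "klist -k" layout).

# Print each service (imap, sieve, pop) whose principal is absent from the
# "klist -k" output read on stdin. Args: server host name, Kerberos realm.
missing_principals() {
    host=$1 realm=$2
    listing=$(cat)
    for svc in imap sieve pop; do
        # On entry lines the principal is the second whitespace-separated field.
        printf '%s\n' "$listing" |
            awk -v p="$svc/$host@$realm" '$2 == p { found = 1 } END { exit !found }' ||
            printf '%s\n' "$svc"
    done
}

# Succeed only if the file has no group or other permission bits set,
# i.e. the mode string from "ls -ld" looks like "-rw-------".
keytab_private() {
    mode=$(ls -ld -- "$1" | cut -c1-10)
    case $mode in
        -???------) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of "klist -k /var/imap/krb5.keytab" output (not real data).
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/var/imap/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 imap/mail.example.org@EXAMPLE.ORG
   3 sieve/mail.example.org@EXAMPLE.ORG
EOF
}

# Demo on the sample; on a real server pipe in: klist -k "$KRB5_KTNAME"
sample_listing | missing_principals mail.example.org EXAMPLE.ORG   # prints: pop
```

On a live server, run the two checks as the Cyrus user against the file named in KRB5_KTNAME, so that a keytab the daemon cannot read fails in the same way it would for the master process.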