[OpenAFS] UW IMAP + AFS + Kerberos 5

Curt Freeland curt@cse.nd.edu
Wed, 19 Nov 2008 14:11:10 -0500


I am currently running UW IMAP with AFS and Kerberos 4 (actually our 
auth setup uses a k4 to k5 shim).  

Our site is (finally) on a path to shut down the Kerberos 4 service, 
and move everything to Kerberos 5.  I have been trying to get my IMAP 
to work (the same way it currently does) using Kerberos 5.  I've failed.
Horribly.  Multiple times.

The basic Kerberos/IMAP setup seems to work... as I can authenticate,
and read mail.  But IMAP cannot write to the user's AFS-based Sent 
folder.  Nor can the user access any of their other AFS-based mail 
folders via IMAP.

I am running the IMAP server on a Sparc T2000 under Solaris 10.
I am using PAM and can authenticate using ssh, login, dtlogin, 
and other services using the pam_krb5.so and pam_afs_session.so 
modules from Russ Allbery (www.eyrie.org/~eagle/software/). 

I have rules in pam.conf for imap.  The authentication portion 
seems to work, but I suspect that the session portion is where my
problems lie.

I am using the imap-2007d distribution (I've tried several others too).
I've tried many IMAP configurations:
	EXTRAAUTHENTICATORS=gss
	PASSWORDTYPE={pmb, pam, gss, afs}
	SSLTYPE={unix,nopwd,unix.nopwd}

I've tried using a krb5.keytab file built by our Kerberos administrators.

Nothing seems to allow me to access AFS files via the IMAP service.

If anyone else has accomplished this, could you please contact me?
I'm particularly interested in how you configured PAM/IMAP/Kerberos
to make this work.

Thanks,
--curt

Curt Freeland (curt@cse.nd.edu) GCIA #0223
Associate Professional Specialist
Computer Science and Engineering Department
323A Cushing Hall,  The University of Notre Dame
Voice: (574) 631-5893 / FAX: (574) 631-9260
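The post above suspects the PAM session phase for the imap service. The following is an added example (not part of the original message, not the UW IMAP or pam_afs_session projects' own code) that audits a Solaris-style pam.conf and reports services that load pam_krb5 in the auth phase but have no pam_afs_session line in the session phase, which is the phase that obtains the AFS token after a Kerberos login. The pam.conf text is a constructed sample; the module file names and /usr/lib/security paths are assumptions.

```shell
#!/bin/sh
# Added example: audit pam.conf for Kerberos auth without an AFS session module.
# Constructed sample pam.conf (not a real site's file): sshd has both phases,
# imap has Kerberos auth but no session line, pop has no Kerberos auth at all.
PAM_CONF_TEXT='# service  type     control     module                                 options
sshd  auth     sufficient  /usr/lib/security/pam_krb5.so.1
sshd  session  optional    /usr/lib/security/pam_afs_session.so.1
imap  auth     sufficient  /usr/lib/security/pam_krb5.so.1
imap  account  required    /usr/lib/security/pam_unix_account.so.1
pop   auth     required    /usr/lib/security/pam_unix_auth.so.1'
# To audit a live system instead: PAM_CONF_TEXT=$(cat /etc/pam.conf)

# has_module SERVICE TYPE MODULE: succeeds when pam.conf (read from stdin) has
# an uncommented line for SERVICE in phase TYPE whose module path ends in
# MODULE, optionally followed by a Solaris ".1"-style version suffix.
has_module() {
    awk -v svc="$1" -v typ="$2" -v mod="$3" '
        /^[ \t]*#/ || NF < 4 { next }
        $1 == svc && $2 == typ && $4 ~ ("(^|/)" mod "(\\.[0-9]+)?$") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# audit_service SERVICE: prints a verdict and returns
#   0  auth uses pam_krb5 and session uses pam_afs_session
#   1  Kerberos auth present but no AFS session module (no token for the service)
#   2  auth phase does not use pam_krb5 at all
audit_service() {
    svc=$1
    if ! printf '%s\n' "$PAM_CONF_TEXT" | has_module "$svc" auth pam_krb5.so; then
        echo "$svc: auth phase does not load pam_krb5.so"
        return 2
    fi
    if ! printf '%s\n' "$PAM_CONF_TEXT" | has_module "$svc" session pam_afs_session.so; then
        echo "$svc: Kerberos auth configured but no pam_afs_session.so in session phase"
        return 1
    fi
    echo "$svc: auth and session phases both configured"
    return 0
}

for s in sshd imap pop; do audit_service "$s"; done
```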