[OpenAFS] UW IMAP + AFS + Kerberos 5

Douglas E. Engert deengert@anl.gov
Wed, 19 Nov 2008 13:29:22 -0600

Curt Freeland wrote:
> I am currently running UW IMAP with AFS and Kerberos 4 (actually our 
> auth setup uses a k4 to k5 shim).  
> Our site is (finally) on a path to shut down the Kerberos 4 service, 
> and move everything to Kerberos 5.  I have been trying to get my IMAP 
> to work (the same way it currently does) using Kerberos 5.  I've failed.
> Horribly.  Multiple times.
> The basic Kerberos/IMAP setup seems to work...as I can authenticate,
> and read mail.  But IMAP cannot write to the user's AFS based Sent 
> folder.  Nor can the user access any of their other AFS based mail 
> folders via IMAP.
> I am running the IMAP server on a Sparc T2000 under Solaris 10.
> I am using PAM and can authenticate using ssh, login, dtlogin, 
> and other services using the pam_krb5.so and pam_afs_session.so 
> modules from Russ Allbery (www.eyrie.org/~eagle/software/). 
> I have rules in pam.conf for imap.  The authentication portion 
> seems to work, but I suspect that the session portion is where my
> problems lie.
> I am using the imap-2007d distribution (I've tried several others too).
> I've tried many IMAP configurations:
> 	PASSWORDTYPE={pmb, pam, gss, afs}
> 	SSLTYPE={unix,nopwd,unix.nopwd}
> I've tried using a krb5.keytab file built by our Kerberos administrators.
> Nothing seems to allow me to access AFS files via the IMAP service.
> If anyone else has accomplished this, could you please contact me?
> I'm particularly interested in how you configured PAM/IMAP/Kerberos
> to make this work.

Can you try adding a /etc/pam.debug file looking something like:

#1024 max size of this file
# flags=0  turn off, or no file 
#	 8 is for pam.conf parse

Then add a debug option to all the imap entries in /etc/pam.conf.
Then restart the imap daemon.

Then send the syslog output and pam.conf file?

It might be something as simple as changing the entry for 
pam_afs_session from session to auth.

> Thanks,
> --curt
> Curt Freeland (curt@cse.nd.edu) GCIA #0223
> Associate Professional Specialist
> Computer Science and Engineering Department
> 323A Cushing Hall,  The University of Notre Dame
> Voice: (574) 631-5893 / FAX: (574) 631-9260   


 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
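
Added example, not part of the original message or of any project mentioned in it: a small Python check for the two things the reply asks about, namely whether every imap entry in pam.conf carries the debug option and whether pam_afs_session is stacked only under session. The sample pam.conf is constructed for illustration, the function names are hypothetical, and backslash line continuations are not handled.

```python
"""Added example: audit one service's entries in a Solaris-style pam.conf."""

# Constructed sample input, not the poster's real file.
SAMPLE_PAM_CONF = """\
# service  module_type  control_flag  module_path  options
imap  auth     required  pam_krb5.so         debug
imap  account  required  pam_krb5.so
imap  session  required  pam_afs_session.so  debug
other auth     required  pam_unix_auth.so.1
"""


def parse_pam_conf(text):
    """Return a list of (service, module_type, control, module, options)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed: pam.conf entries need at least four fields
        service, mtype, control, module = fields[:4]
        entries.append((service.lower(), mtype.lower(), control, module, fields[4:]))
    return entries


def audit_service(text, service, module="pam_afs_session"):
    """Report where `module` is stacked for `service` and which entries lack debug."""
    entries = [e for e in parse_pam_conf(text) if e[0] == service]
    stacks = sorted({e[1] for e in entries if module in e[3]})
    missing_debug = [(e[1], e[3]) for e in entries if "debug" not in e[4]]
    return {
        "module_stacks": stacks,                # module types that load `module`
        "session_only": stacks == ["session"],  # the case the reply suspects
        "missing_debug": missing_debug,         # entries still needing `debug`
    }


if __name__ == "__main__":
    print(audit_service(SAMPLE_PAM_CONF, "imap"))
```
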