[OpenAFS] UW IMAP + AFS + Kerberos 5

Douglas E. Engert deengert@anl.gov
Wed, 19 Nov 2008 13:29:22 -0600


Curt Freeland wrote:
> I am currently running UW IMAP with AFS and Kerberos 4 (actually our 
> auth setup uses a k4 to k5 shim).  
>
> Our site is (finally) on a path to shut down the Kerberos 4 service, 
> and move everything to Kerberos 5.  I have been trying to get my IMAP 
> to work (the same was it currently does) using Kerberos 5.  I've failed.
> Horribly.  Multiple times.
>
> The basic Kerberos/IMAP setup seems to work...as I can authenticate,
> and read mail.  But IMAP cannot write to the user's AFS based Sent 
> folder.  Nor can the user access any of their other AFS based mail 
> folders via IMAP.
>
> I am running the IMAP server on a Sparc T2000 under Solaris 10.
> I am using PAM and can authenticate using ssh, login, dtlogin, 
> and other services using the pam_krb5.so and pam_afs_session.so 
> modules from Russ Allbery (www.eyrie.org/~eagle/software/). 
>
> I have rules in pam.conf for imap.  The authentication portion 
> seems to work, but I suspect that the session portion is where my
> problems lie.
>
> I am using the imap-2007d distribution (I've tried several others too).
> I've tried many IMAP configurations:
> 	EXTRAAUTHENTICATORS=gss
> 	PASSWORDTYPE={pmb, pam, gss, afs}
> 	SSLTYPE={unix,nopwd,unix.nopwd}
>
> I've tried using a krb5.keytab file built by our Kerberos administrators.
>
> Nothing seems to allow me to access AFS files via the IMAP service.
>
> If anyone else has accomplished this, could you please contact me?
> I'm particularly interested in how you configured PAM/IMAP/Kerberos
> to make this work.
>   

Can you try adding a /etc/pam.debug file looking something like:

debug_flags=0x37
log_priority=7
log_facility=1
#1024 max size of this file
#http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libpam/pam_framework.c
# flags=0  turn off, or no file 
#	 8 is for pam.conf parse


Then add a debug option to all the imap entries in /etc/pam.conf.
Then restart the imap daemon.

Then send the syslog output and pam.conf file?

It might be something as simple as changing the entry for 
pam_afs_session from session to auth.


> Thanks,
> --curt
>
> Curt Freeland (curt@cse.nd.edu) GCIA #0223
> Associate Professional Specialist
> Computer Science and Engineering Department
> 323A Cushing Hall,  The University of Notre Dame
> Voice: (574) 631-5893 / FAX: (574) 631-9260   
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
>
>   

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
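Added example, not from the original message or from Curt's configuration: a Solaris /etc/pam.conf fragment for the imap service that applies the two suggestions above, a debug option on every imap entry (so the pam.debug file produces output) and pam_afs_session on the auth stack as well as the session stack. Module names and paths (pam_krb5.so, pam_afs_session.so, the Solaris pam_unix_*.so.1 modules) are assumptions about how the modules are installed on this host.

```conf
# Added example (not from the original thread): Solaris /etc/pam.conf entries
# for the "imap" service. Module names/paths below are assumptions; check them
# against what is actually in /usr/lib/security on the IMAP host.
# "debug" is given to every imap entry so that the /etc/pam.debug settings
# shown earlier in the thread produce syslog output for this service.
#
# service  type     control     module                 options
imap       auth     requisite   pam_authtok_get.so.1   debug
imap       auth     required    pam_dhkeys.so.1        debug
imap       auth     required    pam_unix_cred.so.1     debug
imap       auth     sufficient  pam_krb5.so            debug
imap       auth     required    pam_unix_auth.so.1     debug
# pam_afs_session on the auth stack runs when the daemon calls pam_setcred(),
# so a service that authenticates but never opens a PAM session still obtains
# an AFS token from the Kerberos 5 ticket pam_krb5 just acquired.
imap       auth     optional    pam_afs_session.so     debug
imap       account  required    pam_unix_account.so.1  debug
imap       account  optional    pam_krb5.so            debug
# The session entry stays in place for clients that do open a PAM session.
imap       session  optional    pam_afs_session.so     debug
```

With this in place, restarting imapd and authenticating once should show, in the syslog facility and priority configured in /etc/pam.debug, which imap stacks are actually invoked; if the session lines never appear but the auth lines do, that confirms the daemon is not calling pam_open_session(), which is why the auth-stack pam_afs_session entry is the one that matters for getting a token.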