[OpenAFS] UW IMAP + AFS + Kerberos 5

Ken Hornstein kenh@cmf.nrl.navy.mil
Wed, 19 Nov 2008 14:35:33 -0500

>The basic Kerberos/IMAP setup seems to work...as I can authenticate,
>and read mail.  But IMAP cannot write to the user's AFS based Sent 
>folder.  Nor can the user access any of their other AFS based mail 
>folders via IMAP.

My question to you is ... "how did this work before?"

Authentication to a server (such as an IMAP server) doesn't mean that server
gets the necessary Kerberos bits to do things like access AFS on behalf of
that user; it just means it's proved that users identity via Kerberos.  To
actually provide access to AFS on a server, you need to forward over a copy
of a user's TGT, and I don't think (a) any Kerberized IMAP clients will do
that and (b) I don't think any IMAP servers would know what to do with
a TGT that case.

(I am presuming that when you say "Kerberos 5", you are NOT referring to
"validating a plaintext password via a Kerberos 5 database"; if that's
what you mean, then I think Doug's suggestions will point you on the right