[OpenAFS] UW IMAP + AFS + Kerberos 5

Douglas E. Engert deengert@anl.gov
Wed, 19 Nov 2008 13:54:23 -0600


Looking closer at imap-2007d/src/c-client.c, it calls gss_accept_sec_context
but passes in NULL for the delegated_cred_handle parameter.

Thus it does not save the delegated credential. Even if it did,
in order to get pam_afs_session to get an AFS token, the c-client.c
would need to do a pam_start, pam_open_session and pam_end.

OpenSSH would be a good example for this with ssh_gssapi_storecreds()
and do_pam_session() both called from sshd.c.


Curt Freeland wrote:
> I am currently running UW IMAP with AFS and Kerberos 4 (actually our 
> auth setup uses a k4 to k5 shim).  
>
> Our site is (finally) on a path to shut down the Kerberos 4 service, 
> and move everything to Kerberos 5.  I have been trying to get my IMAP 
> to work (the same way it currently does) using Kerberos 5.  I've failed.
> Horribly.  Multiple times.
>
> The basic Kerberos/IMAP setup seems to work...as I can authenticate,
> and read mail.  But IMAP cannot write to the user's AFS based Sent 
> folder.  Nor can the user access any of their other AFS based mail 
> folders via IMAP.
>
> I am running the IMAP server on a Sparc T2000 under Solaris 10.
> I am using PAM and can authenticate using ssh, login, dtlogin, 
> and other services using the pam_krb5.so and pam_afs_session.so 
> modules from Russ Allbery (www.eyrie.org/~eagle/software/). 
>
> I have rules in pam.conf for imap.  The authentication portion 
> seems to work, but I suspect that the session portion is where my
> problems lie.
>
> I am using the imap-2007d distribution (I've tried several others too).
> I've tried many IMAP configurations:
> 	EXTRAAUTHENTICATORS=gss
> 	PASSWORDTYPE={pmb, pam, gss, afs}
> 	SSLTYPE={unix,nopwd,unix.nopwd}
>
> I've tried using a krb5.keytab file built by our Kerberos administrators.
>
> Nothing seems to allow me to access AFS files via the IMAP service.
>
> If anyone else has accomplished this, could you please contact me?
> I'm particularly interested in how you configured PAM/IMAP/Kerberos
> to make this work.
>
> Thanks,
> --curt
>
> Curt Freeland (curt@cse.nd.edu) GCIA #0223
> Associate Professional Specialist
> Computer Science and Engineering Department
> 323A Cushing Hall,  The University of Notre Dame
> Voice: (574) 631-5893 / FAX: (574) 631-9260   
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444