[OpenAFS] UW IMAP + AFS + Kerberos 5

Douglas E. Engert deengert@anl.gov
Wed, 19 Nov 2008 13:58:56 -0600


And an alternate approach would be to run the imap server
under its own AFS id, like nd_imap_server and add this to the
ACLs of the user's mail directories. Thus no delegated credentials
or user tokens are needed.

As Ken points out, the client may not even delegate.


Curt Freeland wrote:
> I am currently running UW IMAP with AFS and Kerberos 4 (actually our 
> auth setup uses a k4 to k5 shim).  
>
> Our site is (finally) on a path to shut down the Kerberos 4 service, 
> and move everything to Kerberos 5.  I have been trying to get my IMAP 
> to work (the same way it currently does) using Kerberos 5.  I've failed.
> Horribly.  Multiple times.
>
> The basic Kerberos/IMAP setup seems to work...as I can authenticate,
> and read mail.  But IMAP cannot write to the user's AFS based Sent 
> folder.  Nor can the user access any of their other AFS based mail 
> folders via IMAP.
>
> I am running the IMAP server on a Sparc T2000 under Solaris 10.
> I am using PAM and can authenticate using ssh, login, dtlogin, 
> and other services using the pam_krb5.so and pam_afs_session.so 
> modules from Russ Allbery (www.eyrie.org/~eagle/software/). 
>
> I have rules in pam.conf for imap.  The authentication portion 
> seems to work, but I suspect that the session portion is where my
> problems lie.
>
> I am using the imap-2007d distribution (I've tried several others too).
> I've tried many IMAP configurations:
> 	EXTRAAUTHENTICATORS=gss
> 	PASSWORDTYPE={pmb, pam, gss, afs}
> 	SSLTYPE={unix,nopwd,unix.nopwd}
>
> I've tried using a krb5.keytab file built by our Kerberos administrators.
>
> Nothing seems to allow me to access AFS files via the IMAP service.
>
> If anyone else has accomplished this, could you please contact me?
> I'm particularly interested in how you configured PAM/IMAP/Kerberos
> to make this work.
>
> Thanks,
> --curt
>
> Curt Freeland (curt@cse.nd.edu) GCIA #0223
> Associate Professional Specialist
> Computer Science and Engineering Department
> 323A Cushing Hall,  The University of Notre Dame
> Voice: (574) 631-5893 / FAX: (574) 631-9260   
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
>
>   

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
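The "own AFS id for the IMAP server" approach described at the top of this message, as an added shell example (this is not code from the thread or from the UW IMAP or OpenAFS projects). The identity name nd_imap_server is the one used in the reply; the keytab path, the mail-tree location and the DRY_RUN switch are assumptions for the example. `fs setacl` is not recursive, so every folder under the mail root is visited; the server identity gets rlidwk (no `a`, so it cannot rewrite ACLs), and the server's own token comes from `kinit -k` plus `aklog` rather than from anything the client delegates.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: give a dedicated IMAP
# server identity (nd_imap_server, as in the reply above) access to a
# user's AFS mail folders, and obtain that identity's own AFS token.
#
# Assumptions (not stated on the page):
#   - the server principal's keytab lives at /etc/imap.keytab (hypothetical)
#   - the user's mail tree is a directory hierarchy, e.g. ~/Mail (hypothetical)
#   - DRY_RUN=1 prints the commands to stderr instead of executing them,
#     which is how the example can be exercised on a host without AFS.

IMAP_ID="${IMAP_ID:-nd_imap_server}"
# r=read l=lookup i=insert d=delete w=write k=lock; deliberately no 'a'
# (administer), so a compromised imapd cannot widen the ACL itself.
IMAP_RIGHTS="${IMAP_RIGHTS:-rlidwk}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or just show it when DRY_RUN=1 (diagnostics go to stderr
# so function results on stdout stay clean).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'would run: %s\n' "$*" >&2
    else
        "$@"
    fi
}

# What the imapd startup (or a renewal cron job) does: get a Kerberos 5
# ticket for the server identity from its keytab, then turn it into an
# AFS token. No user credentials or delegation involved.
get_server_token() {
    keytab="$1"
    run kinit -k -t "$keytab" "$IMAP_ID" || return 1
    run aklog
}

# Grant IMAP_ID the configured rights on every directory under the mail
# root. Echoes the number of directories processed on stdout so a caller
# can sanity-check the run against the expected folder count.
grant_mail_acl() {
    mailroot="$1"
    [ -d "$mailroot" ] || return 1
    find "$mailroot" -type d | sort | while IFS= read -r d; do
        run fs setacl -dir "$d" -acl "$IMAP_ID" "$IMAP_RIGHTS" || exit 1
    done || return 1
    find "$mailroot" -type d | wc -l | tr -d ' '
}

# Usage (real run, on an AFS client):
#   get_server_token /etc/imap.keytab && grant_mail_acl /afs/.../user/curt/Mail
# Usage (dry run, anywhere):
#   DRY_RUN=1 grant_mail_acl ~/Mail
```

After a real run, `fs listacl` on a mail folder should show the nd_imap_server entry alongside the user's own; new folders created by the user later will inherit the directory ACL from their parent, but folders created before the ACL change need the script re-run over them.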