Looking closer at the imap-2007d/src/c-client.c it calls
gss_accept_sec_context but passes in NULL for the
delegated_cred_handle parameter.
Thus it does not save the delegated credential. Even if it did,
in order to get pam_afs_session to get an AFS token, the c-client.c
would need to do a pam_start, pam_open_session and pam_end.
OpenSSH would be a good example for this with ssh_gssapi_storecreds()
and do_pam_session() both called from sshd.c.
Curt Freeland wrote:
I am currently running UW IMAP with AFS and Kerberos 4 (actually our
auth setup uses a k4 to k5 shim).
Our site is (finally) on a path to shut down the Kerberos 4 service,
and move everything to Kerberos 5. I have been trying to get my IMAP
to work (the same way it currently does) using Kerberos 5. I've failed.
Horribly. Multiple times.
The basic Kerberos/IMAP setup seems to work...as I can authenticate,
and read mail. But IMAP cannot write to the user's AFS based Sent
folder. Nor can the user access any of their other AFS based mail
folders via IMAP.
I am running the IMAP server on a Sparc T2000 under Solaris 10.
I am using PAM and can authenticate using ssh, login, dtlogin,
and other services using the pam_krb5.so and pam_afs_session.so
modules from Russ Allbery (www.eyrie.org/~eagle/software/).
I have rules in pam.conf for imap. The authentication portion
seems to work, but I suspect that the session portion is where my
problems lie.
I am using the imap-2007d distribution (I've tried several others too).
I've tried many IMAP configurations:
EXTRAAUTHENTICATORS=gss
PASSWORDTYPE={pmb, pam, gss, afs}
SSLTYPE={unix,nopwd,unix.nopwd}
I've tried using a krb5.keytab file built by our Kerberos administrators.
Nothing seems to allow me to access AFS files via the IMAP service.
If anyone else has accomplished this, could you please contact me?
I'm particularly interested in how you configured PAM/IMAP/Kerberos
to make this work.
Thanks,
--curt
Curt Freeland ([EMAIL PROTECTED]) GCIA #0223
Associate Professional Specialist
Computer Science and Engineering Department
323A Cushing Hall, The University of Notre Dame
Voice: (574) 631-5893 / FAX: (574) 631-9260
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444