Bug 147170

Summary: Config option "sasl_keytab" ignored
Product: [Fedora] Fedora
Component: cyrus-imapd
Version: 3
Hardware: All
OS: Linux
Status: CLOSED INSUFFICIENT_DATA
Severity: medium
Priority: medium
Reporter: Dax Kelson <dkelson>
Assignee: Petr Rockai <prockai>
QA Contact: Brian Brock <bbrock>
CC: mattdm, zing
Doc Type: Bug Fix
Last Closed: 2008-02-05 16:49:51 UTC

Description Dax Kelson 2005-02-04 17:09:28 UTC
Description of problem:
When deploying GSSAPI/Kerberos authentication with Cyrus IMAP, a Kerberos
principal must be created and stored in a keytab on the Cyrus IMAP host.

The keytab file must be readable by user "cyrus", so it is good security
practice to have Cyrus IMAP use its own keytab.

To use its own keytab, you are supposed to be able to add a line such as the
following to the /etc/imapd.conf file:

sasl_keytab: /etc/krb5.keytab-cyrusimap

According to Google this works for many people; however, it is being ignored on
FC3 and Cyrus IMAP still tries to open /etc/krb5.keytab (verified with strace).

My temporary workaround is to modify /etc/init.d/cyrus-imapd and near the top
insert the lines:

KRB5_KTNAME=/etc/krb5.keytab-cyrusimap
export KRB5_KTNAME

As noted below, I tried the original FC3 packages and the errata packages and they
are both affected.

Version-Release number of selected component (if applicable):
cyrus-imapd-2.2.6-2.FC3.6 (original FC3 package)
cyrus-imapd-2.2.10-3.fc3 (more current errata as of Feb 4, 2005)

How reproducible:
Every time

Steps to Reproduce:
1. Build a Kerberos realm
2. Try to kerberize Cyrus IMAP
3. Note the failure
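
Added example, not part of the original report or of Cyrus IMAP: a shell audit for the setup described above. It reads sasl_keytab from imapd.conf and KRB5_KTNAME from the init script, flags a mismatch, and checks that the keytab is a dedicated file with no group/other access. The function names are this example's own, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes GNU stat (Linux).

# Value of sasl_keytab in an imapd.conf-style file (last occurrence reported).
conf_keytab() {
    sed -n 's/^[[:space:]]*sasl_keytab[[:space:]]*:[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Value assigned to KRB5_KTNAME in an init script, quotes stripped.
init_keytab() {
    sed -n -e 's/^[[:space:]]*export[[:space:]]*KRB5_KTNAME=//p' \
           -e 's/^[[:space:]]*KRB5_KTNAME=//p' "$1" |
        tr -d "\"'" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Print one finding and return 1 if the keytab is unset, is the shared system
# keytab, is missing, has the wrong owner, or grants group/other access.
audit_keytab() {
    kt=$1 owner=$2
    [ -n "$kt" ] || { echo "no keytab configured"; return 1; }
    [ "$kt" != /etc/krb5.keytab ] || { echo "uses shared system keytab"; return 1; }
    [ -f "$kt" ] || { echo "missing: $kt"; return 1; }
    if [ -n "$owner" ] && [ "$(stat -c %U "$kt")" != "$owner" ]; then
        echo "owner is not $owner"; return 1
    fi
    mode=$(stat -c %a "$kt")
    case $mode in
        0|*00) echo "ok: $kt mode $mode" ;;
        *) echo "mode $mode grants group/other access"; return 1 ;;
    esac
}

# Compare the keytab named in imapd.conf with the one the init script exports,
# then audit it. Usage: check_cyrus_keytab <imapd.conf> <init script> [owner]
check_cyrus_keytab() {
    conf=$(conf_keytab "$1"); ktname=$(init_keytab "$2")
    if [ -n "$ktname" ] && [ "$conf" != "$ktname" ]; then
        echo "mismatch: sasl_keytab='$conf' KRB5_KTNAME='$ktname'"; return 1
    fi
    audit_keytab "${ktname:-$conf}" "$3"
}

# Run the check when called with arguments, e.g. the two paths and "cyrus".
if [ $# -ge 2 ]; then check_cyrus_keytab "$@"; fi
```

Called with /etc/imapd.conf, /etc/init.d/cyrus-imapd and cyrus, it prints a single finding and returns non-zero on any failed check.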

Comment 1 Matthew Miller 2006-07-10 22:10:12 UTC
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!


Comment 2 petrosyan 2008-02-05 16:49:51 UTC
Fedora Core 3 is not maintained anymore.

Setting status to "INSUFFICIENT_DATA". If you can reproduce this bug in the
current Fedora release, please reopen this bug and assign it to the corresponding
Fedora version.