Red Hat Bugzilla – Bug 147170
Config option "sasl_keytab" ignored
Last modified: 2008-02-05 11:49:51 EST
Description of problem:
When deploying GSSAPI/Kerberos authentication with Cyrus IMAP, a Kerberos
principal must be created and stored in a keytab on the Cyrus IMAP host.
The keytab file must be readable by user "cyrus", so it is good security
practice to have Cyrus IMAP use its own keytab.
To use its own keytab, you are supposed to be able to add a line such as the
following to the /etc/imapd.conf file:
According to Google, this works for many people; however, it is being ignored on
FC3 and Cyrus IMAP still tries to open /etc/krb5.keytab (verified with strace).
My temporary workaround is to modify /etc/init.d/cyrus-imapd and near the top
insert the lines:
As noted below, I tried the original FC3 packages and the errata packages, and they
are both affected.
Version-Release number of selected component (if applicable):
cyrus-imapd-2.2.6-2.FC3.6 (original FC3 package)
cyrus-imapd-2.2.10-3.fc3 (more current errata as of Feb 4, 2005)
Steps to Reproduce:
1. Build a Kerberos realm
2. Try to kerberize Cyrus IMAP
3. Note the failure
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.
Fedora Core 3 is not maintained anymore.
Setting status to "INSUFFICIENT_DATA". If you can reproduce this bug in the
current Fedora release please reopen this bug and assign it to the corresponding