Red Hat Bugzilla – Bug 147170
Config option "sasl_keytab" ignored
Last modified: 2008-02-05 11:49:51 EST
Description of problem: When deploying GSSAPI/Kerberos authentication with Cyrus IMAP a Kerberos principal must be created and stored in a keytab on the Cyrus IMAP host. The keytab file must be readable by user "cyrus", so it is good security practice to have Cyrus IMAP use it's own keytab. To use it's own keytab, you are supposed to be able to add a line such as the following to the /etc/imapd.conf file: sasl_keytab: /etc/krb5.keytab-cyrusimap According to Google this works for many people, however it is being ignored on FC3 and Cyrus IMAP still tries to open /etc/krb5.keytab (verified with strace). My temporary workaround is to modify /etc/init.d/cyrus-imapd and near the top insert the lines: KRB5_KTNAME=/etc/krb5.keytab-cyrusimap export KRB5_KTNAME As noted below I tried the orginal FC3 packages and the errata packages and they are both effected. Version-Release number of selected component (if applicable): cyrus-imapd-2.2.6-2.FC3.6 (orginal FC3 package) cyrus-imapd-2.2.10-3.fc3 (more current errata as of Feb 4, 2005) How reproducible: Everytime Steps to Reproduce: 1. Build a Kerberos realm 2. Try to kerberize Cyrus IMAP 3. Note the failure
Fedora Core 3 is now maintained by the Fedora Legacy project for security updates only. If this problem is a security issue, please reopen and reassign to the Fedora Legacy product. If it is not a security issue and hasn't been resolved in the current FC5 updates or in the FC6 test release, reopen and change the version to match. Thank you!
Fedora Core 3 is not maintained anymore. Setting status to "INSUFFICIENT_DATA". If you can reproduce this bug in the current Fedora release please reopen this bug and assign it to the corresponding Fedora version.