Bug 147170 - Config option "sasl_keytab" ignored
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: cyrus-imapd
Version: 3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Petr Rockai
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-02-04 17:09 UTC by Dax Kelson
Modified: 2008-02-05 16:49 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-02-05 16:49:51 UTC
Type: ---
Embargoed:


Description Dax Kelson 2005-02-04 17:09:28 UTC
Description of problem:
When deploying GSSAPI/Kerberos authentication with Cyrus IMAP a Kerberos
principal must be created and stored in a keytab on the Cyrus IMAP host.

The keytab file must be readable by user "cyrus", so it is good security
practice to have Cyrus IMAP use its own keytab.

To use its own keytab, you are supposed to be able to add a line such as the
following to the /etc/imapd.conf file:

sasl_keytab: /etc/krb5.keytab-cyrusimap

According to Google this works for many people, however it is being ignored on
FC3 and Cyrus IMAP still tries to open /etc/krb5.keytab (verified with strace).

My temporary workaround is to modify /etc/init.d/cyrus-imapd and near the top
insert the lines:

KRB5_KTNAME=/etc/krb5.keytab-cyrusimap
export KRB5_KTNAME

As noted below I tried the original FC3 packages and the errata packages and they
are both affected.

Version-Release number of selected component (if applicable):
cyrus-imapd-2.2.6-2.FC3.6 (original FC3 package)
cyrus-imapd-2.2.10-3.fc3 (more current errata as of Feb 4, 2005)

How reproducible:
Every time

Steps to Reproduce:
1. Build a Kerberos realm
2. Try to kerberize Cyrus IMAP
3. Note the failure
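
The following audit script is an added example, not part of the original report or of the Cyrus IMAP packages. It models the behaviour reported above (sasl_keytab is ignored, so the keytab actually opened is KRB5_KTNAME from the init script or else /etc/krb5.keytab) and flags a mismatch or a keytab readable by group or other. The function names conf_keytab, init_keytab and audit_keytab are hypothetical.

```shell
#!/bin/sh
# Added example: audit which keytab a Cyrus IMAP host will really use.
# Assumption (from the report): sasl_keytab in imapd.conf has no effect;
# only KRB5_KTNAME exported by the init script changes the keytab path.

# Print the sasl_keytab value from an imapd.conf-style file (last one wins).
conf_keytab() {
    sed -n 's/^[[:space:]]*sasl_keytab[[:space:]]*:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Print the KRB5_KTNAME value assigned in an init script, if any.
init_keytab() {
    sed -n -e 's/^[[:space:]]*export[[:space:]][[:space:]]*KRB5_KTNAME=//p' \
           -e 's/^[[:space:]]*KRB5_KTNAME=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# usage: audit_keytab IMAPD_CONF INIT_SCRIPT ; returns 0 only if all checks pass
audit_keytab() {
    want=$(conf_keytab "$1")
    env_kt=$(init_keytab "$2")
    eff=${env_kt:-/etc/krb5.keytab}      # default keytab when KRB5_KTNAME is unset
    rc=0
    if [ -n "$want" ] && [ "$want" != "$eff" ]; then
        echo "MISMATCH: sasl_keytab=$want but effective keytab is $eff"
        rc=1
    fi
    if [ "$eff" = /etc/krb5.keytab ]; then
        echo "SHARED: service uses the host-wide keytab, not a dedicated one"
        rc=1
    fi
    if [ ! -e "$eff" ]; then
        echo "MISSING: $eff does not exist"
        rc=1
    elif [ -n "$(find "$eff" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "PERMS: $eff is readable by group or other"
        rc=1
    fi
    return $rc
}

# Run against real files when two paths are given on the command line.
if [ $# -eq 2 ]; then
    audit_keytab "$1" "$2"
fi
```

Run it as root with /etc/imapd.conf and /etc/init.d/cyrus-imapd as arguments; ownership by user "cyrus" is not checked and should be confirmed separately.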

Comment 1 Matthew Miller 2006-07-10 22:10:12 UTC
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!


Comment 2 petrosyan 2008-02-05 16:49:51 UTC
Fedora Core 3 is not maintained anymore.

Setting status to "INSUFFICIENT_DATA". If you can reproduce this bug in the
current Fedora release please reopen this bug and assign it to the corresponding
Fedora version.

