Bug 147170 - Config option "sasl_keytab" ignored
Config option "sasl_keytab" ignored
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: cyrus-imapd (Show other bugs)
3
All Linux
medium Severity medium
: ---
: ---
Assigned To: Petr Rockai
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-02-04 12:09 EST by Dax Kelson
Modified: 2008-02-05 11:49 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-05 11:49:51 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Dax Kelson 2005-02-04 12:09:28 EST
Description of problem:
When deploying GSSAPI/Kerberos authentication with Cyrus IMAP a Kerberos
principal must be created and stored in a keytab on the Cyrus IMAP host.

The keytab file must be readable by user "cyrus", so it is good security
practice to have Cyrus IMAP use it's own keytab.

To use it's own keytab, you are supposed to be able to add a line such as the
following to the /etc/imapd.conf file:

sasl_keytab: /etc/krb5.keytab-cyrusimap

According to Google this works for many people, however it is being ignored on
FC3 and Cyrus IMAP still tries to open /etc/krb5.keytab (verified with strace).

My temporary workaround is to modify /etc/init.d/cyrus-imapd and near the top
insert the lines:

KRB5_KTNAME=/etc/krb5.keytab-cyrusimap
export KRB5_KTNAME

As noted below I tried the orginal FC3 packages and the errata packages and they
are both effected.

Version-Release number of selected component (if applicable):
cyrus-imapd-2.2.6-2.FC3.6 (orginal FC3 package)
cyrus-imapd-2.2.10-3.fc3 (more current errata as of Feb 4, 2005)

How reproducible:
Everytime

Steps to Reproduce:
1. Build a Kerberos realm
2. Try to kerberize Cyrus IMAP
3. Note the failure
Comment 1 Matthew Miller 2006-07-10 18:10:12 EDT
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!
Comment 2 petrosyan 2008-02-05 11:49:51 EST
Fedora Core 3 is not maintained anymore.

Setting status to "INSUFFICIENT_DATA". If you can reproduce this bug in the
current Fedora release please reopen this bug and assign it to the corresponding
Fedora version.

Note You need to log in before you can comment on or make changes to this bug.