2008/8/13 Dan White <dwhite@xxxxxxx>:
> Typically you would not specify a user (-a) in your GSSAPI connection.
> Specifying a -u is asking the server to do proxy authorization, requiring
> the identity in the ticket to exist in proxy_admins I believe, unless you're
> providing the same identity in your -u as exists in your ticket.

Ah, I see. I didn't realise it was trying to do proxy-authentication, I
thought that different -u and -a values would produce that effect. I'll
have another go trying it without either -u or -a. Any chance you could
elaborate on your "proxy_admins" comment, though?

> Also, it's my understanding that not all Kerberos libraries support the
> ability to specify an alternate keytab location. It could be the permission
> denied error is an indication that your imap process is unable to open the
> default file - /etc/krb5.keytab - rather than the expected /etc/imap.keytab.

Yes, I was aware of that limitation but thought that with the
belt-and-braces approach of specifying both KRB5_KTNAME as a variable to
the init script as well as sasl_keytab in the imapd.conf file, I might have
got it to work. I'll keep that in mind when I try this again - for various
other reasons I'm reinstalling CentOS again ~x(

Thanks for your help Dan.

Regards,
Michael