On Thu, Jun 14, 2012 at 7:05 AM, Dan White <dwhite@xxxxxxx> wrote:
> On 06/13/12 21:02 -0700, Stephen Ingram wrote:
>>
>> On Wed, Jun 13, 2012 at 1:23 PM, Dan White <dwhite@xxxxxxx> wrote:
>>>
>>> The other issue is that where your systems are acting as clients (such as
>>> when a frontend server is connecting to an mupdate server), your client
>>> will need to initialize a kerberos ticket cache, and in my experience
>>> cannot use the kerberos credentials used to accept connections. Or in
>>> other words, your frontends might have an imap/mail.example.net service
>>> ticket for accepting client imap connections, but then may need a separate
>>> ticket, such as cyrus/mail.example.net, for backend/mupdate connections.
>>> I use cronjobs, running as the cyrus user, to initialize those credential
>>> caches.
>>
>> This is exactly the part I'm really confused about. For murder, I see
>> connections from the frontends and backends to the mupdate server. I
>> also see connections from the frontends to the backends. The
>> connections to the mupdate server are, in a very simplistic sense, to
>> spread information about the mailboxes. I was thinking these should be
>> machine to machine connections using Kerberos service accounts.
>> However, I'm not really sure, should only the mupdate server have an
>> mupdate service principal and then the frontend clients and backend
>> clients connect to mupdate using "user" kerberos principals, or if all
>> servers involved have service principals. Also when proxying a mail
>> connection from frontend to backend, how should this be done? And then
>> there is replication....
>
> Every service listed within your SERVICES section in cyrus.conf will
> potentially need its own service principal, particularly on your backends
> and mupdate master. Your frontends may not need service principals if your
> users are not performing GSSAPI authentication.
>
> libsasl2 will search for service principals starting with:
>
> imap/
> lmtp/
> mupdate/
> csync/
> pop/
> nntp/
> sieve/

Wouldn't the front ends need these connections worse than the backends
(assuming I'm not supporting referrals)? I'm guessing the lmtp is for
Postfix connecting to the frontend/proxy to backend to deliver the
message? The csync is for replication?

> when initialized during service startup. Within your imapd.conf, you can
> restrict authentication only to gssapi with:
>
> imap_sasl_mech_list: gssapi
> etc.
>
> The *test utilities (lmtptest, imtest, mupdatetest, etc.) are invaluable
> for validating the server side of your setup.
>
> Every server in your murder, except perhaps your replica server, will
> likely need an additional client/user principal.

Why wouldn't the replica server need a service principal since the
backend connects to it to sync?

> When proxying from the frontend to the backend, the frontend will make a
> gssapi connection to the backend regardless of the authentication method
> the client used when connecting to the frontend. If the client supports
> referrals, then the client will then make its own connection to the
> backend using whichever authentication method it's configured to use.

But only if the backend is configured for that authentication method, no?

Steve

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
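Dan's point that every SASL-capable daemon in the SERVICES section needs its own <service>/<fqdn>@<REALM> key on the accepting side is the kind of thing that is easy to get half right (imap/ present, lmtp/ or csync/ forgotten) and only shows up as a GSSAPI failure from imtest or a sync_client later. The script below, which is an added example and not code from this thread or from the Cyrus project, reads a host's cyrus.conf, derives the service principals libsasl2 will look up for each daemon (using the same service-name prefixes Dan lists: imapd -> imap, pop3d -> pop, lmtpd -> lmtp, mupdate -> mupdate, sync_server -> csync, nntpd -> nntp, timsieved -> sieve), and compares them against the output of `klist -k`. The hostname mail.example.net, the realm EXAMPLE.NET, and both sample files are constructed for the demonstration; on a real host you would feed it /etc/cyrus.conf and `klist -k` of the keytab the cyrus user reads.

```shell
#!/bin/sh
# Added example (not from the info-cyrus thread or the Cyrus project):
# audit a murder host's keytab against the service principals libsasl2
# will look up, <service>/<fqdn>@<REALM>, for each daemon in cyrus.conf.

# Map the daemon named in cmd="..." to the SASL service name it authenticates as.
sasl_service() {
    case "$1" in
        imapd)       echo imap ;;
        pop3d)       echo pop ;;
        lmtpd)       echo lmtp ;;
        mupdate)     echo mupdate ;;
        sync_server) echo csync ;;
        nntpd)       echo nntp ;;
        timsieved)   echo sieve ;;
        *)           return 1 ;;   # idled, notifyd etc. accept no SASL logins
    esac
}

# required_principals HOST REALM < cyrus.conf
# One principal per SASL-capable daemon found in cmd="...", sorted, de-duplicated.
required_principals() {
    host=$1 realm=$2
    sed -n 's/.*cmd="\([^" ]*\).*/\1/p' |
    while read -r bin; do
        bin=${bin##*/}                      # strip any path prefix
        svc=$(sasl_service "$bin") || continue
        printf '%s/%s@%s\n' "$svc" "$host" "$realm"
    done | sort -u
}

# keytab_principals < output-of-klist-k
# Keeps the principal column of rows that start with a KVNO.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# missing_principals HOST REALM CYRUS_CONF KLIST_OUTPUT
# Prints required principals absent from the keytab; exit status 1 if any.
missing_principals() {
    req=$(required_principals "$1" "$2" < "$3")
    have=$(keytab_principals < "$4")
    rc=0
    for p in $req; do
        if ! printf '%s\n' "$have" | grep -qxF -- "$p"; then
            echo "$p"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input: a backend that also runs a sync_server, and a
# keytab that was only populated for imap, mupdate and sieve.
tmp=$(mktemp -d)
cat > "$tmp/cyrus.conf" <<'EOF'
SERVICES {
  imap     cmd="imapd -U 30" listen="imap" prefork=5
  lmtp     cmd="lmtpd" listen="lmtp" prefork=1
  mupdate  cmd="mupdate" listen=3905 prefork=1
  sieve    cmd="timsieved" listen="sieve" prefork=0
  csync    cmd="/usr/lib/cyrus/bin/sync_server" listen="csync" prefork=0
  notify   cmd="notifyd" listen="/var/run/cyrus/socket/notify" proto="udp"
}
EOF
cat > "$tmp/klist.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/mail.example.net@EXAMPLE.NET
   2 imap/mail.example.net@EXAMPLE.NET
   2 mupdate/mail.example.net@EXAMPLE.NET
   2 sieve/mail.example.net@EXAMPLE.NET
EOF

if missing=$(missing_principals mail.example.net EXAMPLE.NET \
                 "$tmp/cyrus.conf" "$tmp/klist.txt"); then
    echo "keytab covers every SASL-capable service"
else
    echo "missing from keytab:"
    echo "$missing"
fi
```

With the constructed input the script reports lmtp/ and csync/ as missing, which is exactly the pair Steve asks about (LMTP delivery into the backend, and the sync connection to a replica). The check covers only the accepting side; the separate client credential cache that Dan refreshes from cron (a principal such as cyrus/mail.example.net that the frontend uses towards mupdate and the backends) is not in a service keytab audit and has to be verified on its own, for instance by running mupdatetest or imtest as the cyrus user after the cache is initialised.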