On Thu, Jun 14, 2012 at 9:14 PM, Dan White <dwhite@xxxxxxx> wrote:

...snip...

> You can control whether clients will get referrals via the
> proxyd_disable_mailbox_referrals option.
>
> When proxying, you would configure the 'cyrus-<hostname>' user within
> the proxyservers option on the backend. When the frontend authenticates to
> the backend, it will send an authorization identity of the previously
> authenticated frontend user. Like:
>
> authcid: none (derived from your kerberos identity)
> authzid: jsmith
>
> Then, from the backend's perspective, jsmith performed the authentication,
> and gets all the proper ACL permissions applied. The frontend *might* have
> all the appropriate service principals in place to support client gssapi
> authentication, however that's not necessary. The client authentication to
> the frontend, and the frontend's proxy authentication to the backend are
> distinct authentications. The frontend *will* need to have a non-service
> principal ticket initialized when performing gssapi authentication to the
> backend.

If I'm reading this correctly, you are saying that you really don't need any of the services (imap, sieve, nntp, pop) in the keytab on the frontend, but only the backend. The frontend authenticates to the backend using its own credentials (in my case the credential cache from imap/imap.example.com) and proxies the user ticket to the backend services (even with proxyd_disable_mailbox_referrals turned on).

It looks like Dave is authenticating on the frontend instead. Is this just a different way of doing things or does each come with advantages/disadvantages? I would think that you *would* need to make the authcid to authzid determination on the backend, so I wonder how this is working for him?

Steve

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
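As an added illustration of the authcid-to-authzid decision Steve asks about (this is not code from the thread or from Cyrus; it is a simplified sketch of the backend-side policy), the frontend's Kerberos principal becomes the authcid, and the backend only honours a different authzid when that authcid is listed in proxyservers or admins. The principal `cyrus-imap.example.com@EXAMPLE.COM`, the realm `EXAMPLE.COM` and the admin rule are assumptions, not values from the thread.

```python
"""Backend-side proxy authorization check in the style of a Cyrus backend.

Added example, not Cyrus's own code.  Option names (proxyservers, admins)
follow imapd.conf; the policy itself is a simplified reconstruction.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackendConfig:
    proxyservers: frozenset          # imapd.conf 'proxyservers'
    admins: frozenset = frozenset()  # imapd.conf 'admins'
    local_realm: str = "EXAMPLE.COM"  # assumed default Kerberos realm


def canonicalize(principal: str, local_realm: str) -> str:
    """Map a GSSAPI principal to the authcid the backend sees.

    The realm is dropped only when it is the local one, so a principal from
    a foreign realm cannot collide with a local user name.
    """
    name, sep, realm = principal.partition("@")
    if sep and realm.upper() != local_realm.upper():
        return principal
    return name


def proxy_policy(cfg: BackendConfig, authcid: str, authzid: str):
    """Decide who the backend treats as the acting user.

    Returns (allowed, effective_user, reason).  A proxy server (the
    'cyrus-<hostname>' identity) may assert any authzid; the ACLs are then
    applied to that authzid, exactly as in Dan's description.
    """
    if not authzid or authzid == authcid:
        return True, authcid, "self"
    if authcid in cfg.proxyservers:
        return True, authzid, "proxyserver"
    if authcid in cfg.admins:
        return True, authzid, "admin"
    return False, None, "denied"


def frontend_login(cfg: BackendConfig, principal: str, authzid: str):
    """Full backend view of one frontend->backend GSSAPI proxy login."""
    return proxy_policy(cfg, canonicalize(principal, cfg.local_realm), authzid)


if __name__ == "__main__":
    cfg = BackendConfig(proxyservers=frozenset({"cyrus-imap.example.com"}))
    # Frontend authenticates as its own principal, asserts jsmith as authzid.
    print(frontend_login(cfg, "cyrus-imap.example.com@EXAMPLE.COM", "jsmith"))
    # An ordinary user trying to assert someone else's authzid is refused.
    print(frontend_login(cfg, "bob@EXAMPLE.COM", "jsmith"))
```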