[6052] in Kerberos

Re: AFS-aware IMAP daemon?

daemon@ATHENA.MIT.EDU (Michael Grubb)
Wed Oct 25 19:50:03 1995

To: kerberos@MIT.EDU
Date: 25 Oct 1995 19:21:57 -0400
From: mg@ac.duke.edu (Michael Grubb)

In article <46mbop$nm8@bigblue.oit.unc.edu>,
Trey Harris <harris@email.unc.edu> wrote:
 
>My question has to do with my IMAP users.  Mail spools will continue to
>reside in the Unix filesystem, not AFS.  Thus, as I understand it, there
>is no need for an 'AFS-ized' IMAP daemon just to get at the inboxes of
>users.  AFS does not come into this scenario.  A Kerberized daemon is
>required so that the plaintext login can be authenticated to Kerberos. 
 
>However, when an IMAP client makes a request for an archived mail folder
>(such as the sent or saved messages), the daemon must get this information
>from the user's home directory--which resides in AFS. 

There's no reason for folders to be in AFS unless the user puts them there.
(The user can define folder locations in the client, as with pine's 
folder collections definitions in the .pinerc.) You can configure the IMAP 
server so that folders and inboxes alike are located on local filesystems.  
How to do that depends on which imapd you are running.

>Now, if we use the Cyrus imapd, a plaintext login (such as Pine, 
>MailDrop, Siren Mail or Simeon Email use) will cause the imap daemon to 
>get a Kerberos ticket.

If you use the Cyrus imapd, your users should not be logging in to the IMAP
server, and your users' login sessions on other machines should have no 
effect on authentication of the imapd processes.  A fortiori, the Cyrus 
imapd handles all folders on local disk.  Trying to wedge that into AFS 
would be a supremely bad idea.

>This is where I get fuzzy, however.  I believe that a Kerberos ticket is
>necessary but not sufficient to grant a process access to the AFS
>filespace.  An AFS token is also required for a process to be able to 
>read and write to an AFS filesystem.  Am I correct?

That's right, but it shouldn't enter into your IMAP server configuration 
at all.

If you need some boilerplate code to serve as an example of how a process 
can get a Kerberos ticket and an AFS token, let me know and I'll be glad to 
send you a sample or two.  Getting such code to build is highly dependent 
on your particular platform, Kerberos libraries, and AFS version.

     -- Mike


--
Michael Grubb <mg@ac.duke.edu>
Duke University Office of Information Technology
phone +1 919 660 6903 / 417 North Building, Durham NC 27708-0132 USA
