[6115] in Kerberos
Re: AFS-aware IMAP daemon?
daemon@ATHENA.MIT.EDU (John Hascall)
Thu Nov 2 18:24:10 1995
To: kerberos@MIT.EDU
Date: 2 Nov 1995 21:42:05 GMT
From: john@iastate.edu (John Hascall)
Trey Harris <harris@email.unc.edu> wrote:
}I administer an email system with approximately 26,000 users, of which
}several thousand are using IMAP.
} ... At this time, we will be migrating our users to AFS.
}At this time we anticipate using MIT Kerberos v4 for both AFS and SP
}authentication (since both AFS and the SP are compatible with Kerberos v4
}but not with each other's proprietary Kerberos). However, we may end up
}using the AFS kaserver for reasons of expediency. I don't think this
}changes the answer to my question, though. ...
}However, when an IMAP client makes a request for an archived mail folder
}(such as the sent or saved messages), the daemon must get this information
}from the user's home directory--which resides in AFS.
}Now, if we use the Cyrus imapd, a plaintext login (such as Pine,
}MailDrop, Siren Mail or Simeon Email use) will cause the imap daemon to
}get a Kerberos ticket.
}
}This is where I get fuzzy, however. I believe that a Kerberos ticket is
}necessary but not sufficient to grant a process access to the AFS
}filespace. An AFS token is also required for a process to be able to
}read and write to an AFS filesystem. Am I correct?
Yes, but all you need to turn a ticket into a token is
to get a copy of 'aklog' from MIT (at least, this works
for us using the MIT Kerberos IV server, I can't speak to
it working with AFS's kaserver).
John
--
John Hascall ``An ill-chosen word is the fool's messenger.''
Moderator, comp.unix.wizards
Systems Software Engineer, ISU Comp Center + Ames, IA 50011 + 515/294-9551
My Homepage: http://www.cc.iastate.edu/staff/systems/john/