
Re: Kerberos support for Cyrus: I need help



On Mon, 2002-09-23, Henrique de Moraes Holschuh wrote:
> On Sun, 22 Sep 2002, Balazs GAL wrote:
> > PLEASE, don't compile it with kerberos support. We have a symbol
> > problem with mit krb5,krb4 vs. heimdal kth-krb4. If you compile it
> > with any libs it can break the other with sasl2 plugin.
> 
> This just means we need versioned symbols in these libs.  Just like in
> libsasl, libldap, and everything ever linked to a nss plugin.

This is not as simple as we think. Please read the threads:

http://mailman.boxedpenguin.com/pipermail/debian-kerberos/2002-August/000432.html
http://mailman.boxedpenguin.com/pipermail/debian-kerberos/2002-August/000436.html
 
> No. I can simply have two binaries (services) for everything that needs it,
> one compiled against auth_unix and the other against auth_krb.  That means
> two configure-and-compile passes to build, but what the heck...

Great. :) Then we have a symbol problem only with the pop3 daemon.
 
> > I can compile cyrus21/sasl/sasl2 with heimdal and kth-krb4 support, but
> > as I wrote PLEASE don't do it.
> 
> How usable is Cyrus with the auth_unix module in a full kerberos
> environment?

Very usable. :))
Kerberos itself doesn't provide an authorization system; every daemon
should implement it for itself. So often the krb based daemons use
the standard unix authz system (e.g. unix groups), like auth_unix in
cyrus.
The auth_krb authorization in cyrus is not very useful, because it
doesn't implement groups, only aliases from one user to another, and it
_breaks some imap clients_ which don't use a krb based sasl plugin for authc
(e.g. a webmail client with login or plain authc).

The afs pts naturally implements groups and it can be really useful.

balsa
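
Added example, not part of the original message or of any Debian or Cyrus tooling: a check for the symbol problem discussed in this thread, listing dynamic symbols that two Kerberos libraries both define and that symbol versioning does not keep apart. The `nm -D` listings are constructed samples; the addresses, the version tags and the sample_* names are assumptions made for illustration.

```python
# Constructed sample `nm -D` output; addresses, version tags and the
# sample_* names are made up for this example.
NM_MIT = """\
0000000000012340 T krb5_init_context
0000000000012400 T krb5_free_context
0000000000012500 T krb5_cc_default@@SAMPLE_MIT_1
0000000000012600 T sample_mit_only_helper
0000000000031000 D sample_mit_only_data
                 U malloc
"""
NM_HEIMDAL = """\
000000000000a100 T krb5_init_context@@SAMPLE_HEIMDAL_1
000000000000a200 T krb5_free_context
000000000000a300 T krb5_cc_default@@SAMPLE_HEIMDAL_1
000000000000a400 W sample_heimdal_only_helper
                 U free
"""

DEFINED_GLOBAL = set("TDBRWVi")  # nm type letters for defined, exported symbols


def exported(nm_text):
    """Return {symbol: version tag or None} for every defined global symbol."""
    syms = {}
    for line in nm_text.splitlines():
        parts = line.split()
        if len(parts) != 3:  # undefined symbols have no address column
            continue
        _addr, kind, name = parts
        if kind in DEFINED_GLOBAL:
            base, _, version = name.partition("@")
            syms[base] = version.lstrip("@") or None
    return syms


def clashes(nm_a, nm_b):
    """Symbols defined by both libraries that versioning does not keep apart."""
    a, b = exported(nm_a), exported(nm_b)
    found = []
    for name in sorted(a.keys() & b.keys()):
        # Conservative rule: only two *different* version tags count as separated.
        if not (a[name] and b[name] and a[name] != b[name]):
            found.append((name, a[name], b[name]))
    return found


if __name__ == "__main__":
    for name, ver_a, ver_b in clashes(NM_MIT, NM_HEIMDAL):
        print(f"{name}: {ver_a or 'unversioned'} vs {ver_b or 'unversioned'}")
```

On the sample data this reports krb5_free_context and krb5_init_context, while krb5_cc_default is skipped because both sides carry different version tags.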


