Note on SASL Kerberos5 authentication mechanism


The Cyrus IMAP server comes with a SASL library and daemon that let the administrator set up authentication against Kerberos, among other alternatives. Lately I cancelled my domain name vornos.com because Yahoo increased the renewal fee from 9$ to 34$ for no reason. To adapt my system to the change, I kept VORNOS.COM as my Kerberos realm name and changed the sendmail and IMAP settings to use codealias.info as the domain name.


SASL requires Kerberos realms that correspond to DNS names

Theoretically, I can use a realm name that is different from the domain name as long as Kerberized applications can figure out the IP address of the KDC for the realm VORNOS.COM. This is normally possible by adding an entry for the realm VORNOS.COM to the file /etc/krb5.conf.

However, I noticed that, when saslauthd is used to verify user passwords against a Kerberos KDC, the SASL library does not look up the KDC addresses of Kerberos realms in the local /etc/krb5.conf. Instead it tries to obtain the address by querying the Kerberos SRV records in DNS for the realm VORNOS.COM. I think the standards do not specify whether a Kerberos client should consult the local configuration file first or DNS first. However, an option for forcing the use of the local configuration file (/etc/krb5.conf) should be added to all Kerberos clients, for the case where the realm name does not correspond to an actual DNS domain.

In my current configuration, the DNS domain vornos.com does not exist, but I am still using VORNOS.COM as the realm name. The local /etc/krb5.conf contains an entry that specifies the KDC for the realm VORNOS.COM. With this setup, SASL authentication against Kerberos does not work. The only solution I can think of is to use another Kerberos realm name that corresponds to an existing DNS domain name (e.g. CODEALIAS.INFO).
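To make the two lookup paths described above concrete (the realm-to-KDC mapping in /etc/krb5.conf versus the DNS SRV query a client falls back to), here is an added shell example; it is not code from the original post. The krb5.conf content is constructed for the example: the realm VORNOS.COM is taken from the post, while the KDC host kdc.codealias.info and the helper names `srv_name`, `kdc_from_conf` and `check_realm` are assumptions made for illustration. The `dns_lookup_kdc` setting is a real MIT Kerberos [libdefaults] option that disables the DNS fallback for the krb5 library itself; whether a given saslauthd build honours it is exactly the question the post raises.

```shell
#!/bin/sh
# Added example, not from the original post. Shows, for a realm name,
# (1) the DNS SRV record a Kerberos client queries when it resolves the KDC
#     through DNS, and
# (2) whether a krb5.conf-style file maps that realm to a KDC in [realms].

# Constructed sample configuration mirroring the post's situation: the realm
# VORNOS.COM is mapped to a KDC host even though no vornos.com DNS zone exists.
# kdc.codealias.info is a placeholder host name assumed for this example.
SAMPLE_KRB5_CONF='[libdefaults]
    default_realm = VORNOS.COM
    dns_lookup_kdc = false

[realms]
    VORNOS.COM = {
        kdc = kdc.codealias.info
        admin_server = kdc.codealias.info
    }
'

# srv_name REALM
# Prints the SRV record name a Kerberos client queries for the realm's KDC.
# A realm that is not also a DNS zone has no such record, so this lookup fails.
srv_name() {
    printf '_kerberos._udp.%s\n' "$1"
}

# kdc_from_conf REALM
# Prints the kdc host configured for REALM in the [realms] section of
# $SAMPLE_KRB5_CONF, or nothing if the realm is not configured there.
kdc_from_conf() {
    printf '%s\n' "$SAMPLE_KRB5_CONF" | awk -v realm="$1" '
        /^\[/ { section = $0; next }                 # remember current section
        section == "[realms]" && $1 == realm && $2 == "=" { inside = 1; next }
        inside && $1 == "}" { inside = 0 }           # end of the realm block
        inside && $1 == "kdc" { print $3; exit }     # first kdc line wins
    '
}

# check_realm REALM
# Reports both resolution paths so an administrator can see which one a
# failing client would have needed.
check_realm() {
    realm=$1
    kdc=$(kdc_from_conf "$realm")
    echo "realm:            $realm"
    echo "DNS SRV lookup:   $(srv_name "$realm")"
    if [ -n "$kdc" ]; then
        echo "krb5.conf KDC:    $kdc"
    else
        echo "krb5.conf KDC:    (none configured; only DNS could resolve it)"
    fi
}

check_realm "${1:-VORNOS.COM}"
```

On a real host the DNS side can be checked with `dig +short SRV _kerberos._udp.VORNOS.COM`; an empty answer for a realm that is present in /etc/krb5.conf reproduces the mismatch the post describes, where the configuration file knows the KDC but a DNS-only client does not.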


