[Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)
Gavin Hamill
gdh at acentral.co.uk
Tue Sep 1 00:21:47 EEST 2009
On Mon, 2009-08-31 at 13:24 -0600, Jason Gunthorpe wrote:
> > Ouch, can you go a little more slowly, please? I think I've joined the
> > domain OK:
> Sure..
Many thanks for taking the time on this - it is appreciated.
> Also verify that 'hostname -f' returns what you want. Very important.
Yep, 'ccimap.ad.laterooms.com' - forward + reverse DNS are correct in AD
> Just do this:
>
> ccimap:~# net ads keytab add imap
>
> Then:
> ccimap:~ klist -k
>
> And verify you have imap/ entries
>
> Then verify kerberos is working with:
>
> ccimap:~# kvno imap/ccimap.ad.laterooms.com
> imap/ccimap.ad.laterooms.com at AD.LATEROOMS.COM: kvno = 2
I get
ccimap:/etc# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
7 imap/ccimap.ad.laterooms.com at AD.LATEROOMS.COM
7 imap/ccimap.ad.laterooms.com at AD.LATEROOMS.COM
7 imap/ccimap.ad.laterooms.com at AD.LATEROOMS.COM
7 imap/ccimap at AD.LATEROOMS.COM
7 imap/ccimap at AD.LATEROOMS.COM
7 imap/ccimap at AD.LATEROOMS.COM
ccimap:/etc# kvno imap/ccimap.ad.laterooms.com
kvno: Server not found in Kerberos database while getting credentials
for imap/ccimap.ad.laterooms.com at AD.LATEROOMS.COM
However, before I received your message I had been following the
'old-school' ktpass.exe method and I think I have poisoned the 'imap'
name as a result:
http://nfsworld.blogspot.com/2005/06/using-active-directory-as-your-kdc-for.html
Is 'imap' a magic hardcoded name that Thunderbird will use? If so,
should creating 'pop3' using 'net ads keytab add' also do the business?
I'd rather try that and get a basic working auth than try to unpick my
AD problems just yet.
I ask because if I do a random name 'net ads keytab add purmle' and then
'kvno purmle/ccimap.ad.laterooms.com' then I get sensible output:
purmle/ccimap.ad.laterooms.com at AD.LATEROOMS.COM: kvno = 7
I just don't want to type anything else in case I poison 'pop3' too :)
Cheers,
Gavin
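An added check in the spirit of the klist/kvno steps discussed above (my own example, not code from the thread, Dovecot or Samba): it walks every principal in the keytab and compares its KVNO with what the KDC reports, so a service principal that AD does not know about and a keytab that was never refreshed after the account's key changed show up as different failures. It assumes MIT Kerberos 'klist -k' and 'kvno' output in the format quoted in the thread; the embedded sample is constructed, not a real keytab.

```shell
#!/bin/sh
# Added example (not from the thread, not Dovecot/Samba code): cross-check every
# principal in the keytab against the KDC, so that "Server not found" (the SPN is
# absent from AD) and a KVNO mismatch (keytab not refreshed after the key changed)
# are reported separately. Assumes MIT Kerberos 'klist -k' / 'kvno' output formats.

# Constructed sample of 'klist -k' output in the thread's format (not real keytab data).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap@AD.LATEROOMS.COM'

# Print unique "KVNO principal" pairs from 'klist -k' text read on stdin.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ && NF == 2 { print $1, $2 }' | sort -u
}

# From the text printed by 'kvno <principal>', print the KDC's KVNO, or MISSING
# when the KDC has no such principal (the error Gavin quotes).
kdc_kvno() {
    case "$1" in
        *"kvno = "*) printf '%s\n' "${1##*kvno = }" ;;
        *)           echo MISSING ;;
    esac
}

# Classify one keytab entry: OK, STALE (KVNOs differ) or MISSING.
classify_entry() {    # $1 = KVNO from keytab, $2 = raw 'kvno' output
    kdc=$(kdc_kvno "$2")
    if   [ "$kdc" = MISSING ]; then echo MISSING
    elif [ "$kdc" = "$1" ];    then echo OK
    else                            echo STALE
    fi
}

# Live run on this host: needs a TGT (kinit) and read access to the keytab file.
check_keytab() {
    klist -k "${1:-/etc/krb5.keytab}" | keytab_entries | while read -r ver princ; do
        out=$(kvno "$princ" 2>&1) || true
        printf '%-8s %s (keytab KVNO %s)\n' "$(classify_entry "$ver" "$out")" "$princ" "$ver"
    done
}

if [ "${1:-}" = --run ]; then check_keytab "${2:-}"; fi
```

Run it as `sh check_keytab.sh --run /etc/krb5.keytab` after `kinit`; a MISSING line is the "Server not found in Kerberos database" case, a STALE line means the keytab must be regenerated.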