[Dovecot] Kerberos GSSAPI - proper item name in keytab

Stanislav Klinkov klinkov at yandex.ru
Wed Aug 31 17:55:04 EEST 2011


Thank you for sharing a very interesting experience, David.

> It seemed like running ktpass multiple times invalidated the previous keytabs.
OK. Let us assume. But then how can you explain the fact that the
setting <<auth_gssapi_hostname = "$ALL">> in dovecot config solves all
mentioned troubles at once?

As well I just have run the following experiment. I re-generated one
more keytab for service "imap/test.efim.local" only. So, it became the
last-generated key. Then I copied it onto my dovecot server as the only
"krb.keytab" file, and nothing changed.

Also, I issued the following command on my AD domain controller:
C:\Windows\system32>setspn -L dovecot

And the result was:
*****************
Registered ServicePrincipalNames for
CN=dovecot,OU=Agents,DC=romashka,DC=lan:
        imap/efim.test.local
        smtp/efim.test.local
        pop/efim.test.local
*****************

Please note, that I have not apllied any magic to servicePrincipalName
of AD user "dovecot" by setspn or other AD snap-ins.

> To make sure everything should work, hop on a box where you have a valid user Kerberos ticket and do kvno imap/efim.test.local and kvno smtp/efim.test.local.

Sorry, I might have not mentioned above. I run Mozilla Thunderbird on my
Windows XP workstation.



More information about the dovecot mailing list