On Mon, Aug 31, 2009 at 11:20:18PM +0100, Gavin Hamill wrote:
Ok.. this is not too good, you should have many other entries too, several starting with host/ and CCIMAP$.
The suggestion to remove the computer object (and the 'imapCcimap' user I bound the SPN to using ktpass) and 'net ads join' worked like a charm
- I have lots more output in 'net ads keytab list' and kvno imap/ccimap.ad.laterooms.com works now.
Snazzy
Aug 31 23:13:02 ccimap dovecot: imap-login: Login: user=<mjiggs>, method=GSSAPI, rip=10.6.1.81, lip=10.6.1.82
Yap, that is it
The 'auth_gssapi_hostname = $ALL' was confusing so I commented that out and let it do a gethostname() instead - now it works :)
I thought Timo included this patch?? You need the $ALL for various cases, including, I think, exim.. All it says is: match any entry in the keytab, not just imap/gethostbyname()@REALM.
If you have AD and Linux servers it is worth kerberizing everything (ssh, logins, imap, pop, smtp, apache, etc.); the method you just used is basically how to do it for anything. I.e. you can now turn on ssh kerberos via its config file, and with kerberized putty on windows you get SSO ssh logins, etc.
Jason
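Added example (not from the thread or from Dovecot/Samba): a small Python check of the two things that went wrong above, a keytab missing the host/, MACHINE$ and imap/ entries after join, and a kvno that no longer matches the KDC. It parses `klist -k` / `net ads keytab list` style output and `kvno` output; the sample listings and the realm AD.EXAMPLE.COM are constructed, only the hostname comes from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in `klist -k` format (realm is a placeholder, not the poster's).
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ccimap.ad.laterooms.com@AD.EXAMPLE.COM
   3 host/CCIMAP@AD.EXAMPLE.COM
   3 CCIMAP$@AD.EXAMPLE.COM
   2 imap/ccimap.ad.laterooms.com@AD.EXAMPLE.COM
"""
# Constructed sample of what `kvno <principal>` prints; the host/ kvno is deliberately stale.
SAMPLE_KVNO_OUTPUT = """\
imap/ccimap.ad.laterooms.com@AD.EXAMPLE.COM: kvno = 2
host/ccimap.ad.laterooms.com@AD.EXAMPLE.COM: kvno = 4
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)$")
KVNO_RE = re.compile(r"^(\S+): kvno = (\d+)$")

def parse_keytab_listing(text):
    """Return {principal: set(kvnos)} from klist -k style output; header lines do not match."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(2)].add(int(m.group(1)))
    return dict(entries)

def expected_principals(fqdn, realm):
    """SPNs a domain-joined Linux IMAP host should carry: the join entries plus the imap/ SPN."""
    short = fqdn.split(".")[0].upper()
    return {f"host/{fqdn}@{realm}", f"host/{short}@{realm}", f"{short}$@{realm}", f"imap/{fqdn}@{realm}"}

def check_keytab(text, fqdn, realm):
    """Missing SPNs, plus what Dovecot can accept with and without auth_gssapi_hostname = $ALL."""
    entries = parse_keytab_listing(text)
    missing = sorted(expected_principals(fqdn, realm) - set(entries))
    any_entry = sorted(entries)                       # $ALL: any entry in the keytab qualifies
    own_host = [p for p in any_entry if p == f"imap/{fqdn}@{realm}"]  # default: imap/gethostname()@REALM only
    return {"missing": missing, "gssapi_all": any_entry, "gssapi_hostname": own_host}

def kvno_mismatches(keytab_text, kvno_text):
    """{principal: kdc_kvno} for principals whose KDC kvno is not in the keytab (stale keytab)."""
    entries = parse_keytab_listing(keytab_text)
    bad = {}
    for line in kvno_text.splitlines():
        m = KVNO_RE.match(line.strip())
        if m and int(m.group(2)) not in entries.get(m.group(1), set()):
            bad[m.group(1)] = int(m.group(2))
    return bad
```

A non-empty `missing` list is the "you should have many other entries" symptom; a non-empty mismatch dict is why `kvno` fails until the host is re-joined.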