On Fri, Feb 04, 2011 at 12:57:11PM -0700, Trever L. Adams wrote:
On 02/02/2011 04:17 PM, Timo Sirainen wrote:
It does set that, but only on first GSSAPI authentication. I guess it wouldn't hurt moving it to do it always. If that script helps you, I can do this change.
It appears that the script you recommended doesn't do the trick. Does /usr/libexec/dovecot/auth clear the environment? Even doing it manually from the command line the openldap stuff doesn't seem to pick up the KRB5_KTNAME environment variable.
Isn't it called KRB5CCNAME?
I.e. if you are using an AD type environment then I think the only way this can work is if you do these steps:
# JGGL is the name of your machine in AD. klist -k should tell
# you what it is, and you must have samba setup properly, the
# machine joined, and samba must be set to write the system keytab.
# See 'net ads keytab'
$ KRB5CCNAME="/tmp/machine" kinit -k JGGL$
$ KRB5CCNAME="/tmp/machine" klist
Ticket cache: FILE:/tmp/machine
Default principal: JGGL$@ADS.ORCORP.CA
Valid starting     Expires            Service principal
02/05/11 18:26:34  02/06/11 04:26:34  krbtgt/ADS.ORCORP.CA@ADS.ORCORP.CA
	renew until 02/12/11 18:26:34
$ KRB5CCNAME="/tmp/machine" ldapsearch uid=jgg
SASL/GSSAPI authentication started
SASL username: JGGL$@ADS.ORCORP.CA
SASL SSF: 56
SASL data security layer installed.
[..]
Presumably if dovecot has SASL setup properly for Openldap then it will work just fine if KRB5CCNAME is properly exported to it.
However! Be aware that the TGT must be refreshed periodically, that is just how kerberos works.
I can kinit on the command line and get auth to work, but the kinit doesn't hold over to the dovecot process (for good reasons I am sure).
Maybe dovecot isn't enabling SASL for openldap?
E.g. the python wrappers for openldap require this sequence:
import ldap, ldap.sasl

conn = ldap.initialize(server)
auth_tokens = ldap.sasl.gssapi()
conn.sasl_interactive_bind_s("", auth_tokens)
Before they attempt gssapi - so this will also be true for the C version.
The *ideal* world would be if dovecot supported an in-memory ticket cache that it stored a TGT for a given UPN that it initializes using a given keytab. This is what samba does internally and realistically is required to use kerberos as a client.
IMHO, doing ldap without kerb is kinda sketchy unless you completely trust your network - it is easy to spoof ldap replies, kerb fixes that and has low overhead compared to ssl.
Jason
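The keytab-based kinit and the periodic TGT refresh Jason describes, as an added example that is not part of the thread: it parses klist output in the format shown above and re-runs kinit -k into the same KRB5CCNAME cache when the krbtgt is close to expiry. It assumes MIT Kerberos klist/kinit; the cache path, principal and realm are the thread's placeholders and the klist sample is constructed.

```python
import os
import re
import subprocess
from datetime import datetime, timedelta

# Placeholders from the thread's session; replace with your host's 'klist -k' output.
CACHE = "/tmp/machine"     # FILE: cache; Dovecot's auth process needs KRB5CCNAME pointing here
PRINCIPAL = "JGGL$"        # machine account principal
REALM = "ADS.ORCORP.CA"
KLIST_DATE = "%m/%d/%y %H:%M:%S"   # default MIT klist timestamp format, as in the thread

# Constructed klist output mirroring the thread's session (not captured from a live host).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/machine
Default principal: JGGL$@ADS.ORCORP.CA

Valid starting     Expires            Service principal
02/05/11 18:26:34  02/06/11 04:26:34  krbtgt/ADS.ORCORP.CA@ADS.ORCORP.CA
\trenew until 02/12/11 18:26:34
"""
TICKET_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")

def parse_tickets(klist_output):
    """Return (service_principal, expires) pairs from klist output; header and 'renew until' lines are skipped."""
    tickets = []
    for line in klist_output.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            tickets.append((m.group(3), datetime.strptime(m.group(2), KLIST_DATE)))
    return tickets

def tgt_needs_refresh(klist_output, realm, now, margin=timedelta(minutes=30)):
    """True when the TGT for realm is absent or expires within margin of now."""
    for service, expires in parse_tickets(klist_output):
        if service == "krbtgt/%s@%s" % (realm, realm):
            return expires - now < margin
    return True  # no TGT in the cache: kinit is required before any GSSAPI bind

def kinit_argv(principal):
    """'kinit -k PRINCIPAL': obtain a TGT from the system keytab, as in the thread."""
    return ["kinit", "-k", principal]

def refresh_if_needed(cache=CACHE, principal=PRINCIPAL, realm=REALM):
    """Cron-style entry point: klist the cache and re-kinit when the TGT is close to expiry."""
    env = dict(os.environ, KRB5CCNAME=cache)  # the same cache Dovecot's LDAP bind must see
    out = subprocess.run(["klist"], env=env, capture_output=True, text=True).stdout
    if not tgt_needs_refresh(out, realm, datetime.now()):
        return False
    subprocess.run(kinit_argv(principal), env=env, check=True)
    return True
```

Run refresh_if_needed() from cron more often than the ticket lifetime minus the margin, with KRB5CCNAME exported identically to the dovecot auth process.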