On 31.08.2011 18:55, Stanislav Klinkov wrote:
Thank you for sharing a very interesting experience, David.
It seemed like running ktpass multiple times invalidated the previous keytabs. OK. Let us assume. But then how can you explain the fact that the setting<<auth_gssapi_hostname = "$ALL">> in dovecot config solves all mentioned troubles at once?
As well I just have run the following experiment. I re-generated one more keytab for service "imap/test.efim.local" only. So, it became the last-generated key. Then I copied it onto my dovecot server as the only "krb.keytab" file, and nothing changed.
Also, I issued the following command on my AD domain controller: C:\Windows\system32>setspn -L dovecot
And the result was:
Registered ServicePrincipalNames for CN=dovecot,OU=Agents,DC=romashka,DC=lan: imap/efim.test.local smtp/efim.test.local pop/efim.test.local
Please note, that I have not apllied any magic to servicePrincipalName of AD user "dovecot" by setspn or other AD snap-ins.
Early versions of ktpass only allowed only 1 serviceprincipialnames, thus every time you generate new it was overwrite old one. ktpass from win2008 seems fix this.
To make sure everything should work, hop on a box where you have a valid user Kerberos ticket and do kvno imap/efim.test.local and kvno smtp/efim.test.local.
Sorry, I might have not mentioned above. I run Mozilla Thunderbird on my Windows XP workstation.
Can you do kinit -k imap/imap/efim.test.local@ROMASHKA.LAN and then klist, does it work for you?
I do recommend tcpdump kerberos traffic between your client and server, this is usually helps me much better then any logging, flow easy to read in wireshark.