On Mon, Aug 31, 2009 at 10:21:47PM +0100, Gavin Hamill wrote:
On Mon, 2009-08-31 at 13:24 -0600, Jason Gunthorpe wrote:
Ouch, can you go a little more slowly, please? I think I've joined the domain OK:
Sure..
Many thanks for taking the time on this - it is appreciated.
NP, if you have success consider making a HOWTO for the dovecot wiki :)
Also verify that 'hostname -f' returns what you want. Very important.
Yep, 'ccimap.ad.laterooms.com' - forward + reverse DNS are correct in AD
Good
ccimap:~# net ads keytab add imap
Then: ccimap:~ klist -k
And verify you have imap/ entries
Then verify kerberos is working with:
ccimap:~# kvno imap/ccimap.ad.laterooms.com
imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM: kvno = 2
I get
ccimap:/etc# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap@AD.LATEROOMS.COM
   7 imap/ccimap@AD.LATEROOMS.COM
   7 imap/ccimap@AD.LATEROOMS.COM
Ok.. this is not too good, you should have many other entries too, several starting with host/ and CCIMAP$.
What version of samba is this? does 'net ads keytab create' fix it up?
Check that you have
use kerberos keytab = true
In smb.conf
ccimap:/etc# kvno imap/ccimap.ad.laterooms.com
kvno: Server not found in Kerberos database while getting credentials for imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
This is fatal. If ldapsearch indicates that SPN exists then you are probably right that something has become damaged in AD. Otherwise you are just having wacky samba problems.
However, before I received your message I had been following the 'old-school' ktpass.exe method and I think I have poisoned the 'imap' name as a result:
Possibly, it would be good to start again. Go into AD, and delete the ccimap computer account, then re-do 'net ads join'. That should clean everything out.
The ktpass.exe method has so many problems, don't use it. Samba can generate all the keys directly itself now, there is no need for ktpass.
Is 'imap' a magic hardcoded name that Thunderbird will use? If so, should creating 'pop3' using 'net ads keytab add' also do the business? I'd rather try that and get a basic working auth than try to unpick my AD problems just yet.
The SPN service name is hardwired based on the protocol, imap, smtp and something for pop. I'm not sure what. :)
I ask because if I do a random name 'net ads keytab add purmle' and then 'kvno purmle/ccimap.ad.laterooms.com' then I get sensible output:
purmle/ccimap.ad.laterooms.com@AD.LATEROOMS.COM: kvno = 7
Hmm. You do need the '-U Administrator' or similarly privileged account for the keytab add. Otherwise I noticed that samba silently fails to update LDAP when it gets permission denied from ADS. The true test that it worked is the ldapsearch command I gave, or adsi edit.
Jason
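As an added example (not code from either poster), a small POSIX sh check that reads a 'klist -k' listing and reports which of the principals Jason expects after a clean join plus 'net ads keytab add imap' (the imap/ SPN, the host/ entries and the CCIMAP$ machine account) are absent. The host name, realm and the sample listings are constructed from the values quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: inspect a 'klist -k' listing for the
# entries a healthy 'net ads join' + 'net ads keytab add imap' should leave.
# Usage: keytab_missing FQDN REALM < klist-output
# Prints one missing principal per line; prints nothing when all are present.
keytab_missing() {
    fqdn=$1
    realm=$2
    short=${fqdn%%.*}                                                  # ccimap
    machine=$(printf '%s' "$short" | tr '[:lower:]' '[:upper:]')'$'    # CCIMAP$
    listing=$(cat)
    for want in "imap/$fqdn@$realm" "imap/$short@$realm" \
                "host/$fqdn@$realm" "host/$short@$realm" \
                "$machine@$realm"; do
        # Column 2 of each 'klist -k' entry line is the principal; the
        # "Keytab name:" and "KVNO Principal" header lines never match.
        if ! printf '%s\n' "$listing" |
             awk -v p="$want" '$2 == p { f = 1 } END { exit !f }'; then
            printf '%s\n' "$want"
        fi
    done
}

# Exit 0 only when nothing is missing (usable as a post-join sanity check).
keytab_ok() {
    [ -z "$(keytab_missing "$@")" ]
}

# Constructed sample in the shape of the listing Gavin posted: imap/ keys only.
SAMPLE_BAD='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap@AD.LATEROOMS.COM'

# Constructed sample of what a keytab from a clean join would contain.
SAMPLE_GOOD="$SAMPLE_BAD
   7 host/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 host/ccimap@AD.LATEROOMS.COM
   7 CCIMAP\$@AD.LATEROOMS.COM"

# Stand-alone run: lists the three principals missing from the bad sample.
printf '%s\n' "$SAMPLE_BAD" | keytab_missing ccimap.ad.laterooms.com AD.LATEROOMS.COM
```

On a live box replace the sample with `klist -k | keytab_missing "$(hostname -f)" AD.LATEROOMS.COM`; a non-empty result is the cue to re-check 'use kerberos keytab = true' and 'net ads keytab create' before touching ldapsearch.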