On 02/05/2011 06:35 PM, Jason Gunthorpe wrote:
> On Fri, Feb 04, 2011 at 12:57:11PM -0700, Trever L. Adams wrote:
>> On 02/02/2011 04:17 PM, Timo Sirainen wrote:
>>> It does set that, but only on first GSSAPI authentication. I guess it
>>> wouldn't hurt moving it to do it always. If that script helps you, I
>>> can do this change.
>>
>> It appears that the script you recommended doesn't do the trick. Does
>> /usr/libexec/dovecot/auth clear the environment? Even doing it manually
>> from the command line, the OpenLDAP stuff doesn't seem to pick up the
>> KRB5_KTNAME environment variable.
>
> Isn't it called KRB5CCNAME?

Yes. Some things (Amanda, at least from the directions, I haven't done it yet) actually still use service principals, which are KRB5_KTNAME. For credentials in most clients, yes, KRB5CCNAME, and that does work.

> Presumably if dovecot has SASL set up properly for OpenLDAP then it will
> work just fine if KRB5CCNAME is properly exported to it.
>
> However! Be aware that the TGT must be refreshed periodically, that is
> just how kerberos works.

Yes, this refresh is EXACTLY what I have been trying to avoid with service principals. I am starting to wish that Samba 4 supported SASL CRAM-MD5 or something so that I could just use that; no refresh.

>> I can kinit on the command line and get auth to work, but the kinit
>> doesn't hold over to the dovecot process (for good reasons I am sure).
>
> The *ideal* world would be if dovecot supported an in-memory ticket
> cache that it stored a TGT for a given UPN that it initializes using a
> given keytab. This is what samba does internally and realistically is
> required to use kerberos as a client.

I would prefer an SPN if it were at all possible. On reading that again, I think we are saying about the same thing. This would be fantastic. Heck, if I knew how to do that manually I could just script it, but, being new to Kerberos and LDAP, I am missing a lot as I read the documentation, I am sure.

> IMHO, doing ldap without kerb is kinda sketchy unless you completely
> trust your network - it is easy to spoof ldap replies, kerb fixes that
> and has low overhead compared to ssl.
>
> Jason

Yes, this is exactly the reason I am trying to get there. The problem is the refresh. Somehow I need to get around having to refresh the CC or use a keytab with SPNs.
Thank you for all your input. I am afraid this is the same problem I am going to hit with Postfix (it does a similar setup to Dovecot, I am just not running the recent version yet that supports it).
Timo, is it possible for you to add that "import_environment = KRB5_KTNAME=/etc/dovecot/krb5.keytab KRB5CCNAME=/etc/dovecot/krb5.cc" (does this really need to be set over and over, or can the master process set it and have the environment inherited... it has been a long time since I did any coding related to environment variables across forks, etc.)? This will solve all the problems (whether keytab or credential cache) other than the fact that OpenLDAP as a client won't work with a keytab (SPN) and that Kerberos will require a refresh of the credential cache.
Thank you, Jason and Timo, for helping me find a good solution,

Trever
"All that is necessary for the triumph of evil is that enough good men do nothing." -- Edmund Burke
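As an added example (not part of the thread above and not Dovecot's own code), here is the "if I knew how to do that manually I could just script it" approach the thread keeps circling: obtain a TGT for a principal held in a keytab with `kinit -k -t KEYTAB -c CCACHE PRINCIPAL`, writing it into a credential cache reserved for Dovecot, and re-run kinit shortly before the ticket expires, since a TGT cannot be made permanent. The keytab and cache paths are the ones proposed in the thread, the principal name is an assumption, and the `klist` listing used for the dry run is constructed to follow MIT klist's default layout (the parser accepts both two- and four-digit years). This is the job the `k5start` tool from the kstart package does in practice; the script is a minimal stand-in whose decision logic can be exercised offline without a KDC.

```python
"""Keep a Kerberos TGT for a keytab-held principal fresh in a dedicated
credential cache so a client (here, Dovecot's LDAP lookups) can use it via
KRB5CCNAME. Added example for the thread above, not Dovecot's own code."""
import os
import re
import subprocess
from datetime import datetime, timedelta

# Assumed paths (the ones proposed in the thread) and an assumed principal.
KEYTAB = "/etc/dovecot/krb5.keytab"
CCACHE = "/etc/dovecot/krb5.cc"
PRINCIPAL = "imap/mail.example.com@EXAMPLE.COM"

# Constructed sample of `klist -c /etc/dovecot/krb5.cc` output, laid out
# like MIT klist's default listing; used only for the dry run.
SAMPLE_KLIST = """Ticket cache: FILE:/etc/dovecot/krb5.cc
Default principal: imap/mail.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
02/05/2011 18:35:00  02/06/2011 04:35:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 02/12/2011 18:35:00
"""

# klist prints "MM/DD/YY HH:MM:SS"; newer builds print a four-digit year.
TIMESTAMP = r"(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})"
TGT_LINE = re.compile(TIMESTAMP + r"\s+" + TIMESTAMP + r"\s+krbtgt/")


def parse_timestamp(text):
    """Parse a klist timestamp with either a four- or two-digit year."""
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError("unrecognised klist timestamp: %r" % text)


def tgt_expiry(klist_output):
    """Expiry of the krbtgt ticket in klist output, or None if there is none."""
    for line in klist_output.splitlines():
        match = TGT_LINE.search(line)
        if match:
            return parse_timestamp(match.group(2))
    return None


def needs_refresh(expiry, now, margin=timedelta(minutes=30)):
    """True when there is no TGT, or it expires within `margin` of `now`."""
    return expiry is None or expiry - now <= margin


def kinit_argv(principal=PRINCIPAL, keytab=KEYTAB, ccache=CCACHE):
    """kinit invocation that authenticates with the keytab (no password
    prompt) and writes the TGT into our own cache, not the default one."""
    return ["kinit", "-k", "-t", keytab, "-c", ccache, principal]


def client_environment(ccache=CCACHE, base=None):
    """Environment for a Kerberos client that should read that cache; the
    same KRB5CCNAME value import_environment would pass on to Dovecot."""
    env = dict(os.environ if base is None else base)
    env["KRB5CCNAME"] = "FILE:" + ccache
    return env


def refresh_if_needed(now=None, run=subprocess.run):
    """Run kinit when the cached TGT is missing or about to expire.
    Returns True if kinit was run. `run` defaults to subprocess.run and can
    be swapped for a recorder in dry runs."""
    now = now or datetime.now()
    try:
        listing = run(["klist", "-c", CCACHE], capture_output=True,
                      text=True, check=False).stdout
    except FileNotFoundError:  # no klist binary: treat as no usable cache
        listing = ""
    if not needs_refresh(tgt_expiry(listing), now):
        return False
    run(kinit_argv(), check=True)  # raises if the keytab or KDC rejects us
    return True


class RecordingRunner:
    """subprocess.run stand-in: records argv and answers klist with canned
    output, so the refresh logic can be exercised without a KDC."""

    def __init__(self, klist_output):
        self.klist_output = klist_output
        self.calls = []

    def __call__(self, argv, **kwargs):
        self.calls.append(list(argv))
        out = self.klist_output if argv[0] == "klist" else ""
        return subprocess.CompletedProcess(argv, 0, stdout=out, stderr="")


def dry_run(klist_output, when):
    """Drive refresh_if_needed against canned klist output at time `when`;
    returns (refreshed, commands_issued)."""
    runner = RecordingRunner(klist_output)
    refreshed = refresh_if_needed(now=parse_timestamp(when), run=runner)
    return refreshed, runner.calls


if __name__ == "__main__":
    for when in ("02/05/2011 20:00:00", "02/06/2011 04:10:00"):
        refreshed, commands = dry_run(SAMPLE_KLIST, when)
        print(when, "-> refreshed" if refreshed else "-> still valid", commands)
```

Run it from cron every few minutes, or wrap `refresh_if_needed` in a sleep loop, as the user that owns the cache. The cache file must be readable only by the process that needs it (mode 0600, owned by the Dovecot user), and the keytab likewise, because whoever can read the keytab can impersonate the principal without any refresh at all. The deliberate refresh margin means the client never presents a ticket that is seconds from expiry.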