On Aug 31, 2011, at 4:39 PM, Jason Gunthorpe wrote:
On Wed, Aug 31, 2011 at 09:28:50AM -0600, Trever L. Adams wrote:
I have only followed part of this. If the original poster's problem is that the LDAP database cannot be accessed with an SPN ticket, this is because SPNs are not allowed to log in in AD. You need to use a user account (including MACHINE$ accounts). It took me forever to figure this out. To use this, you need a cron job that creates/renews tickets from time to time for the user/machine account. Then you use Dovecot's environment setup configuration to set the KRB5_CC (or whatever it is called, my head is elsewhere) env variable to that Kerberos ticket cache that was created in the cron job. This cache needs to be readable by Dovecot and should be owned by its user.
This all works a 1000% better if you use Samba to join the domain and create your keytab with the right SPNs. See my prior posts to this list for a formula. Using the MS Kerberos compatibility tools is painful, complicated and tends to make a mess.
Samba will create a machine UPN and populate the system keytab appropriately. From a cron job you can use 'kinit -k' to maintain an active ticket for the machine UPN which dovecot can use for LDAP operations.
I would agree that is easier unless/until you are load balancing connections on a single hostname to multiple physical machines. In that scenario you can't add SPNs for the shared hostname to the machine accounts (since SPNs must be unique) and you're still looking at futzing with ktpass.
Jason
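The cron-driven renewal that Trever and Jason describe (kinit -k from the Samba-populated keytab, a ticket cache owned by the Dovecot user, KRB5CCNAME pointed at it) looks like the script below. This is an added example written for this thread, not code from either poster or from the Dovecot or Samba projects. The realm EXAMPLE.COM, the keytab and cache paths, the `dovecot` user name, and the convention that the machine account principal is the upper-cased short hostname followed by `$` are all assumptions you would adjust for your domain.

```shell
#!/bin/sh
# Added example (not from the thread): keep a Kerberos ticket cache for the
# AD machine account fresh so Dovecot's LDAP lookups can bind with GSSAPI.
# Run from root's crontab, e.g. every 4 hours (tickets usually last 10h).
# Assumed placeholders: realm, keytab path, cache path, Dovecot user name.

REALM="${REALM:-EXAMPLE.COM}"                       # assumption
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"                # written by 'net ads join'
CACHE="${CACHE:-/var/lib/dovecot/krb5cc_dovecot}"   # assumption
DOVECOT_USER="${DOVECOT_USER:-dovecot}"             # assumption

# Build the machine account principal from the short hostname:
#   mail01 + EXAMPLE.COM -> MAIL01$@EXAMPLE.COM
# AD machine accounts (sAMAccountName HOST$) may obtain TGTs; bare SPNs may not.
machine_principal() {
    host="$1"
    realm="$2"
    printf '%s$@%s\n' "$(printf '%s' "$host" | tr '[:lower:]' '[:upper:]')" "$realm"
}

# Check that a cache file is a regular file, owned by the given user, mode 0600.
# Dovecot must be able to read it; nobody else should.
cache_ok() {
    f="$1"
    u="$2"
    [ -f "$f" ] || return 1
    [ -n "$(find "$f" -maxdepth 0 -user "$u" -perm 600 2>/dev/null)" ]
}

# Obtain a fresh TGT into a temporary cache, fix ownership and mode, then
# atomically rename it over the live cache so Dovecot never reads a partial file.
renew_cache() {
    tmp="$CACHE.tmp.$$"
    princ="$(machine_principal "$(hostname -s)" "$REALM")"
    KRB5CCNAME="FILE:$tmp" kinit -k -t "$KEYTAB" "$princ" || { rm -f "$tmp"; return 1; }
    chown "$DOVECOT_USER" "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$CACHE"
}

# Entry point for cron: renew, then verify the result is usable by Dovecot.
main() {
    renew_cache || { echo "kinit failed for machine account" >&2; return 1; }
    cache_ok "$CACHE" "$DOVECOT_USER" || { echo "cache $CACHE has wrong owner/mode" >&2; return 1; }
}

# Only run the renewal when executed directly, not when sourced for testing.
[ "${KRB5_RENEW_RUN:-0}" = "1" ] && main
```

Install it as `KRB5_RENEW_RUN=1 /usr/local/sbin/krb5-renew-dovecot` in root's crontab. Dovecot then needs the cache exported into its own environment, which is what Trever's "environment setup configuration" refers to: in Dovecot 2.x that is `import_environment = $import_environment KRB5CCNAME=FILE:/var/lib/dovecot/krb5cc_dovecot` in dovecot.conf, with `sasl_bind = yes` and `sasl_mech = GSSAPI` in dovecot-ldap.conf.ext (the cache path here is the same assumed placeholder). Check the result from the Dovecot user's side with `KRB5CCNAME=FILE:/var/lib/dovecot/krb5cc_dovecot klist`; an empty or expired cache there means the cron job is not running, or the mode/ownership check above is failing.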