On Mon, 2009-08-31 at 15:35 -0600, Jason Gunthorpe wrote:
> NP, if you have success consider making a HOWTO for the dovecot wiki :)
For sure.
> Ok.. this is not too good, you should have many other entries too, several starting with host/ and CCIMAP$.
The suggestion to remove the computer object (and the 'imapCcimap' user I bound the SPN to using ktpass) and 'net ads join' worked like a charm - I have lots more output in 'net ads keytab list' and kvno imap/ccimap.ad.laterooms.com works now.
> Check that you have
> use kerberos keytab = true
Yep, it's there.
> Possibly, it would be good to start again. Go into AD, and delete the ccimap computer account, then re-do 'net ads join'. That should clean everything out.
Bingo :)
Freakin' awesome.. the damn thing actually works!
Aug 31 23:13:02 ccimap dovecot: auth(default): client in: AUTH#0111#011GSSAPI#011service=imap#011lip=10.6.1.82#011rip=10.6.1.81#011lport=143#011rport=2807
Aug 31 23:13:02 ccimap dovecot: auth(default): gssapi(?,10.6.1.81): Obtaining credentials for imap@ccimap.ad.laterooms.com
Aug 31 23:13:02 ccimap dovecot: auth(default): client out: CONT#0111#011
Aug 31 23:13:02 ccimap dovecot: auth(default): client in: CONT#0111#011YIIExAYJKoZIhv (tons of stuff..)
Aug 31 23:13:02 ccimap dovecot: auth(default): gssapi(?,10.6.1.81): security context state completed.
Aug 31 23:13:02 ccimap dovecot: auth(default): client out: CONT#0111#011YIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWhtquLoCp5Nm03quJPTFS+yuNrBo3PWH+dP4RZPcsYxMDJHklCAQ84LGmQWUftFgKiryc9ZK0mZI07tNVyE4Oath4fCg2dxu+RPZvpbqIr7BIteHeg2MGPeHMg==
Aug 31 23:13:02 ccimap dovecot: auth(default): client in: CONT#0111#011
Aug 31 23:13:02 ccimap dovecot: auth(default): gssapi(?,10.6.1.81): Negotiated security layer
Aug 31 23:13:02 ccimap dovecot: auth(default): client out: CONT#0111#011YDAGCSqGSIb3EgECAgIBEQD/////nXVwtOl9PTyrmeUqTZZLq61UowgQVqMIAf///wE=
Aug 31 23:13:02 ccimap dovecot: auth(default): client in: CONT#0111#011YDYGCSqGSIb3EgECAgIBEQD/////4AbCCa3SFaSVtGEbd6teOPapNaUhDQFFAQAAAG1qaWdncwE=
Aug 31 23:13:02 ccimap dovecot: auth(default): client out: OK#0111#011user=mjiggs
Aug 31 23:13:02 ccimap dovecot: auth(default): master in: REQUEST#0111#0115968#0111
Aug 31 23:13:02 ccimap dovecot: auth(default): passwd(mjiggs,10.6.1.81): lookup
Aug 31 23:13:02 ccimap dovecot: auth(default): master out: USER#0111#011mjiggs#011system_user=mjiggs#011uid=10416#011gid=10000#011home=/home/AD/mjiggs
Aug 31 23:13:02 ccimap dovecot: imap-login: Login: user=<mjiggs>, method=GSSAPI, rip=10.6.1.81, lip=10.6.1.82
The 'auth_gssapi_hostname = $ALL' was confusing so I commented that out and let it do a gethostname() instead - now it works :)
Thank you! :D
Cheers Gavin.
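
An added example, not part of the original message or of Dovecot: a parser for auth debug lines in the format of the log above, which pairs each AUTH request with its OK reply and lists the logins that succeeded without GSSAPI. The sample log is constructed (the PLAIN and FAIL sessions are invented), the function names are hypothetical, and matching on the request id alone assumes a single login process.

```python
import re

# Constructed sample: the first three lines copy the log format shown above;
# the PLAIN and FAIL sessions (ids 2 and 3) are invented for contrast.
SAMPLE = """\
Aug 31 23:13:02 ccimap dovecot: auth(default): client in: AUTH#0111#011GSSAPI#011service=imap#011lip=10.6.1.82#011rip=10.6.1.81#011lport=143#011rport=2807
Aug 31 23:13:02 ccimap dovecot: auth(default): client out: CONT#0111#011
Aug 31 23:13:02 ccimap dovecot: auth(default): client out: OK#0111#011user=mjiggs
Aug 31 23:14:10 ccimap dovecot: auth(default): client in: AUTH#0112#011PLAIN#011service=imap#011lip=10.6.1.82#011rip=10.6.1.90
Aug 31 23:14:10 ccimap dovecot: auth(default): client out: OK#0112#011user=someuser
Aug 31 23:14:30 ccimap dovecot: auth(default): client in: AUTH#0113#011GSSAPI#011service=imap#011rip=10.6.1.91
Aug 31 23:14:30 ccimap dovecot: auth(default): client out: FAIL#0113
"""

# Matches only the client-facing protocol lines of the auth process.
LINE = re.compile(r"dovecot: auth\([^)]*\): client (in|out): (.*)$")

def parse_fields(payload):
    """Split one auth message; syslog wrote each TAB separator as '#011'."""
    cmd, *rest = payload.split("#011")
    return cmd, (rest[0] if rest else ""), rest[1:]

def successful_logins(log_text):
    """Pair each AUTH request with its OK reply by request id."""
    pending, logins = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        direction, payload = m.groups()
        cmd, req_id, args = parse_fields(payload)
        params = dict(a.split("=", 1) for a in args if "=" in a)
        if direction == "in" and cmd == "AUTH":
            # First argument after the id is the SASL mechanism name.
            pending[req_id] = {"mech": args[0] if args else "?",
                               "rip": params.get("rip")}
        elif direction == "out" and cmd in ("OK", "FAIL"):
            request = pending.pop(req_id, None)
            if request and cmd == "OK":
                logins.append({"user": params.get("user"), **request})
    return logins

def non_kerberos(logins):
    """Logins that succeeded with a mechanism other than GSSAPI."""
    return [entry for entry in logins if entry["mech"] != "GSSAPI"]
```

Running `non_kerberos(successful_logins(SAMPLE))` on a real debug log shows which clients still authenticate with a password mechanism after the Kerberos setup is in place.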