On Mon, 2009-08-31 at 13:24 -0600, Jason Gunthorpe wrote:
Ouch, can you go a little more slowly, please? I think I've joined the domain OK:
Sure..
Many thanks for taking the time on this - it is appreciated.
Also verify that 'hostname -f' returns what you want. Very important.
Yep, 'ccimap.ad.laterooms.com' - forward + reverse DNS are correct in AD
Just do this:
ccimap:~# net ads keytab add imap
Then: ccimap:~# klist -k
And verify you have imap/ entries
Then verify kerberos is working with:
ccimap:~# kvno imap/ccimap.ad.laterooms.com
imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM: kvno = 2
I get
ccimap:/etc# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap@AD.LATEROOMS.COM
   7 imap/ccimap@AD.LATEROOMS.COM
   7 imap/ccimap@AD.LATEROOMS.COM
ccimap:/etc# kvno imap/ccimap.ad.laterooms.com
kvno: Server not found in Kerberos database while getting credentials for imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
However, before I received your message I had been following the 'old-school' ktpass.exe method and I think I have poisoned the 'imap' name as a result:
http://nfsworld.blogspot.com/2005/06/using-active-directory-as-your-kdc-for....
Is 'imap' a magic hardcoded name that Thunderbird will use? If so, should creating 'pop3' using 'net ads keytab add' also do the business? I'd rather try that and get a basic working auth than try to unpick my AD problems just yet.
I ask because if I do a random name 'net ads keytab add purmle' and then 'kvno purmle/ccimap.ad.laterooms.com' then I get sensible output:
purmle/ccimap.ad.laterooms.com@AD.LATEROOMS.COM: kvno = 7
I just don't want to type anything else in case I poison 'pop3' too :)
Cheers, Gavin
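The two checks Jason asks for above (does the keytab hold the imap/ principal, and does the KDC issue a matching key version) can be automated so the result is unambiguous. The script below is an added example written for this thread, not code from either participant or from Samba/MIT Kerberos. It parses `klist -k` and `kvno` output; the two sample texts are constructed, modelled on the listings in the mail, and one extra row with KVNO 2 is included to exercise the stale-key check. The "Server not found in Kerberos database" error the mail shows is the KDC saying no account carries that service principal name, so the kvno parser treats it as "no answer" rather than a version mismatch.

```sh
#!/bin/sh
# Added example (not from the thread): offline checks over `klist -k` and
# `kvno` output. KLIST_SAMPLE and KVNO_SAMPLE are constructed, modelled on
# the listings in the mail; on a real host replace them with
#   KLIST_OUT=$(klist -k) ; KVNO_OUT=$(kvno imap/ccimap.ad.laterooms.com 2>&1)

KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   2 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap@AD.LATEROOMS.COM
   7 imap/ccimap@AD.LATEROOMS.COM'

KVNO_SAMPLE='imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM: kvno = 7'

# keytab_rows KLIST_OUT: keep only "<kvno> <principal>" rows (one per distinct
# pair), skipping the header and separator lines.
keytab_rows() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $1, $2 }' | sort -u
}

# keytab_principals KLIST_OUT: each distinct principal once, one per line.
keytab_principals() {
    keytab_rows "$1" | awk '{ print $2 }' | sort -u
}

# keytab_has_principal KLIST_OUT REGEX: succeed if some principal matches REGEX.
keytab_has_principal() {
    keytab_principals "$1" | grep -q -e "$2"
}

# keytab_stale_kvno KLIST_OUT: principals present with more than one KVNO.
# After ktpass.exe runs or repeated 'net ads keytab add' calls the keytab can
# carry keys for versions the KDC no longer issues; those rows are dead weight.
keytab_stale_kvno() {
    keytab_rows "$1" | awk '{ n[$2]++ } END { for (p in n) if (n[p] > 1) print p }' | sort
}

# keytab_matches_kdc KLIST_OUT KVNO_OUT: succeed if the keytab holds a key with
# the KVNO the KDC reports for that principal. Returns 2 when KVNO_OUT is not a
# "<principal>: kvno = N" line (e.g. "Server not found in Kerberos database").
keytab_matches_kdc() {
    princ=$(printf '%s\n' "$2" | sed -n 's/^\([^:]*\): kvno = \([0-9]*\)$/\1/p')
    kv=$(printf '%s\n' "$2" | sed -n 's/^\([^:]*\): kvno = \([0-9]*\)$/\2/p')
    [ -n "$princ" ] && [ -n "$kv" ] || return 2
    keytab_rows "$1" | awk -v p="$princ" -v k="$kv" '$1 == k && $2 == p { f = 1 } END { exit !f }'
}

# Stand-alone run over the constructed samples.
echo "principals in keytab:"; keytab_principals "$KLIST_SAMPLE"
echo "principals with more than one KVNO:"; keytab_stale_kvno "$KLIST_SAMPLE"
if keytab_matches_kdc "$KLIST_SAMPLE" "$KVNO_SAMPLE"; then
    echo "keytab KVNO matches the KDC for $KVNO_SAMPLE"
else
    echo "keytab does not hold the KVNO the KDC reports (or KDC gave no answer)"
fi
```

On a host where the imap/ entry is in the keytab but `kvno` reports "Server not found", the keytab side is fine and the problem is on the AD side: no account has that SPN, so the check to make is `setspn -L` (or the equivalent LDAP query) against the machine account and any user account ktpass.exe was pointed at.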