On 02/05/2011 09:40 PM, Jason Gunthorpe wrote:
> On Sat, Feb 05, 2011 at 08:49:21PM -0700, Trever L. Adams wrote:
>
>>> Isn't it called KRB5CCNAME?
>>
>> Yes. Some things (Amanda, at least from the directions, I haven't done it yet) actually still use service principals which are KRB5_KTNAME. For credentials in most clients, yes, KRB5CCNAME and that does work.
>
> Amanda is doing what I described below internally. The keytab file contains kerberos shared secrets so Amanda uses that to get a TGT. You can't use kerberos without a TGT. The fact it is using a SPN or UPN shared secret doesn't matter at the client.

Great to know. Thank you.

>> Yes, this refresh is EXACTLY what I have been trying to avoid with service principals. I am starting to wish that Samba 4 supported SASL CRAM-MD5 or something so that I could just use that; no refresh.
>
> Put the kinit -k line in a crontab. That command gets a fresh TGT for the machine account.
>
> Service principals just avoid having to create a new UPN in MIT kerberos. In AD kerberos a SPN cannot get a TGT so that is undoable. The machine account works very similarly to how a SPN would be used in MIT kerberos except that it is a UPN at the KDC. Samba writes a keytab entry for the machine account that contains the shared secret which lets kinit -k work.

Ok, I had to use SPNs for part of the setup. I am now using the UPN they run under for my tests and everything seems to work ok. I cannot test it directly in Dovecot as the Linux distro I am using doesn't have the Postfix counterpart needed just yet, but the kinit -k works from the keytab I have set up. Hopefully I can test that soon.

>> Thank you for all your input. I am afraid this is the same problem I am going to hit with Postfix (it does a similar setup to Dovecot, I am just not running the recent version yet that supports it).
>
> Yes. Same answer, run it pointing to the same CC cache you set up for dovecot.
>
> Be aware that both the keytab and the credential cache are 'password equivalents' and must be protected.
>
> Jason

Yes, I was aware of this. Thank you very much for the reminder. So, all this time I just needed to be able to set an environment variable and since Samba and AD don't allow you to log in using SPNs, just use the UPN I had the SPNs under for this CC setup.
Thank you, Trever Adams
-- "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin
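The refresh procedure discussed in the thread (a `kinit -k` run from cron that renews the machine account's TGT into a fixed credential cache that Dovecot and Postfix both point at via KRB5CCNAME), written out as an added example; this is not code from the thread or from Samba, Dovecot or Postfix. The keytab path, cache path, principal name and cron schedule are placeholders. The script also enforces Jason's warning that both files are password equivalents: it refuses to run if the keytab is readable by anyone but its owner, and tightens the cache after kinit writes it.

```shell
#!/bin/sh
# Added example: refresh a machine-account TGT from a keytab into a fixed
# credential cache, refusing to run if the keytab is not private.
# Paths and principal below are assumed placeholders, not values from the thread.
KEYTAB="${KEYTAB:-/etc/dovecot/dovecot.keytab}"        # assumed keytab path
CCACHE="${CCACHE:-/var/lib/dovecot/krb5cc_dovecot}"    # assumed cache; export KRB5CCNAME=FILE:$CCACHE in the daemons
PRINCIPAL="${PRINCIPAL:-MACHINE\$@EXAMPLE.COM}"        # placeholder machine-account UPN

# Return 0 only if FILE exists and is readable by its owner alone (0600 or 0400).
# Both the keytab and the credential cache are password equivalents, so any
# group or world access is treated as a failure.
check_private() {
    file="$1"
    [ -f "$file" ] || return 1
    # GNU stat first, BSD stat as a fallback
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# The command line cron will run: -k uses the keytab, -t names it, -c names
# the cache the daemons share. Returned as a string so it can be logged.
kinit_cmd() {
    printf 'kinit -k -t %s -c %s %s\n' "$KEYTAB" "$CCACHE" "$PRINCIPAL"
}

# Refresh the TGT. Exit status: 1 if the keytab is exposed or kinit fails,
# 2 if the cache is still not private after kinit wrote it.
refresh_tgt() {
    check_private "$KEYTAB" || {
        echo "refusing to run: $KEYTAB must be mode 0600 and owned by this user" >&2
        return 1
    }
    kinit -k -t "$KEYTAB" -c "$CCACHE" "$PRINCIPAL" || return 1
    chmod 600 "$CCACHE"
    check_private "$CCACHE" || return 2
}

# Assumed crontab entry (every 4 hours, well inside a typical 10h ticket life),
# run as the same unprivileged user the mail daemons use to read the cache:
#   0 */4 * * * KEYTAB=/etc/dovecot/dovecot.keytab CCACHE=/var/lib/dovecot/krb5cc_dovecot /usr/local/sbin/refresh-tgt.sh run
if [ "${1:-}" = "run" ]; then
    refresh_tgt
fi
```

Run it with `run` as the first argument from cron; without it the script only defines the functions, which is what the checks below rely on. Use the same unprivileged account that owns the keytab and that Dovecot and Postfix run as, so the cache is readable by them and nobody else.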