[Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)

Gavin Hamill gdh at acentral.co.uk
Tue Sep 1 01:20:18 EEST 2009


On Mon, 2009-08-31 at 15:35 -0600, Jason Gunthorpe wrote:

> NP, if you have success consider making a HOWTO for the Dovecot wiki
> :)

For sure.

> Ok.. this is not too good, you should have many other entries too,
> several starting with host/ and CCIMAP$.

The suggestion to remove the computer object (and the 'imapCcimap' user
I bound the SPN to using ktpass) and 'net ads join' worked like a charm
- I have lots more output in 'net ads keytab list' and kvno
imap/ccimap.ad.laterooms.com works now.


> Check that you have
> 
> use kerberos keytab = true

Yep, it's there.

> Possibly, it would be good to start again. Go into AD, and delete the
> ccimap computer account, then re-do 'net ads join'. That should clean
> everything out.

Bingo :)

Freakin' awesome.. the damn thing actually works!
Aug 31 23:13:02 ccimap dovecot: auth(default): client in:
AUTH#0111#011GSSAPI#011service=imap#011lip=10.6.1.82#011rip=10.6.1.81#011lport=143#011rport=2807
Aug 31 23:13:02 ccimap dovecot: auth(default): gssapi(?,10.6.1.81):
Obtaining credentials for imap at ccimap.ad.laterooms.com
Aug 31 23:13:02 ccimap dovecot: auth(default): client out: CONT#0111#011
Aug 31 23:13:02 ccimap dovecot: auth(default): client in:
CONT#0111#011YIIExAYJKoZIhv (tons of stuff..)

Aug 31 23:13:02 ccimap dovecot: auth(default): gssapi(?,10.6.1.81):
security context state completed.
Aug 31 23:13:02 ccimap dovecot: auth(default): client out:
CONT#0111#011YIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWhtquLoCp5Nm03quJPTFS+yuNrBo3PWH+dP4RZPcsYxMDJHklCAQ84LGmQWUftFgKiryc9ZK0mZI07tNVyE4Oath4fCg2dxu+RPZvpbqIr7BIteHeg2MGPeHMg==
Aug 31 23:13:02 ccimap dovecot: auth(default): client in: CONT#0111#011
Aug 31 23:13:02 ccimap dovecot: auth(default): gssapi(?,10.6.1.81):
Negotiated security layer
Aug 31 23:13:02 ccimap dovecot: auth(default): client out:
CONT#0111#011YDAGCSqGSIb3EgECAgIBEQD/////nXVwtOl9PTyrmeUqTZZLq61UowgQVqMIAf///wE=
Aug 31 23:13:02 ccimap dovecot: auth(default): client in:
CONT#0111#011YDYGCSqGSIb3EgECAgIBEQD/////4AbCCa3SFaSVtGEbd6teOPapNaUhDQFFAQAAAG1qaWdncwE=
Aug 31 23:13:02 ccimap dovecot: auth(default): client out:
OK#0111#011user=mjiggs
Aug 31 23:13:02 ccimap dovecot: auth(default): master in:
REQUEST#0111#0115968#0111
Aug 31 23:13:02 ccimap dovecot: auth(default): passwd(mjiggs,10.6.1.81):
lookup
Aug 31 23:13:02 ccimap dovecot: auth(default): master out:
USER#0111#011mjiggs#011system_user=mjiggs#011uid=10416#011gid=10000#011home=/home/AD/mjiggs
Aug 31 23:13:02 ccimap dovecot: imap-login: Login: user=<mjiggs>,
method=GSSAPI, rip=10.6.1.81, lip=10.6.1.82

The 'auth_gssapi_hostname = $ALL' was confusing so I commented that out
and let it do a gethostname() instead - now it works :)

Thank you! :D

Cheers
Gavin.
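Added example (not part of Gavin's mail or of the Dovecot project): a small POSIX shell check for the failure mode this thread turns on, a host keytab that lacks the imap/ service principal, or carries a key version that no longer matches what the KDC holds after the computer account was deleted and re-joined. It parses MIT Kerberos `klist -k` and `kvno` output; the hostname, realm, KVNO values and the embedded sample outputs are constructed, and the function and variable names are assumptions of this example, not Dovecot or Samba interfaces.

```sh
#!/bin/sh
# Added example, not code from the original thread or the Dovecot project.
# Assumes MIT Kerberos output formats for `klist -k` and `kvno`; Heimdal
# prints its keytab listing differently and is not handled here.

# Highest KVNO recorded for principal $1 in `klist -k` output read on stdin.
# Prints nothing when the principal is absent from the keytab.
keytab_kvno() {
    awk -v p="$1" 'BEGIN { max = -1 }
        $1 ~ /^[0-9]+$/ && $2 == p { found = 1; if ($1 + 0 > max) max = $1 + 0 }
        END { if (found) print max }'
}

# KVNO the KDC currently reports for principal $1, parsed from `kvno` output
# on stdin, which looks like:  imap/host.example@REALM: kvno = 3
kdc_kvno() {
    awk -v p="$1" '$1 == (p ":") && $2 == "kvno" { print $4 }'
}

# check_spn SPN KLIST_OUTPUT KVNO_OUTPUT
# Returns 0 when the keytab holds SPN at the same KVNO the KDC reports,
# 1 when SPN is missing from the keytab (GSSAPI will fail with no credentials),
# 2 when the version numbers disagree (stale keytab after a re-join / ktpass).
check_spn() {
    spn="$1"; klist_out="$2"; kvno_out="$3"
    kt=$(printf '%s\n' "$klist_out" | keytab_kvno "$spn")
    if [ -z "$kt" ]; then
        echo "MISSING: $spn is not in the keytab" >&2
        return 1
    fi
    kdc=$(printf '%s\n' "$kvno_out" | kdc_kvno "$spn")
    if [ -n "$kdc" ] && [ "$kt" != "$kdc" ]; then
        echo "STALE: keytab has kvno $kt, KDC reports kvno $kdc for $spn" >&2
        return 2
    fi
    echo "OK: $spn present, kvno $kt"
    return 0
}

# Live check against the real keytab and KDC, only when the tools exist
# (kvno needs a valid TGT; run as a user who has done kinit).
live_check() {
    command -v klist >/dev/null 2>&1 && command -v kvno >/dev/null 2>&1 || {
        echo "klist/kvno not installed; skipping live check" >&2; return 3; }
    check_spn "$1" "$(klist -k /etc/krb5.keytab 2>/dev/null)" "$(kvno "$1" 2>/dev/null)"
}

# Constructed sample data (hostname, realm and versions are made up).
SPN='imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM'

# Keytab as left by a clean `net ads join`: host/, machine account and imap/
# entries, plus an older imap/ key that the highest-KVNO rule must ignore.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   3 CCIMAP$@AD.LATEROOMS.COM
   2 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   3 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM'

# Keytab with the SPN never added (the too-few-entries state).
SAMPLE_KLIST_NOIMAP='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   3 CCIMAP$@AD.LATEROOMS.COM'

SAMPLE_KVNO_OK='imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM: kvno = 3'
# What the KDC reports after the account was reset without refreshing the keytab.
SAMPLE_KVNO_STALE='imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM: kvno = 4'
```

Usage on a real box: `kinit user@REALM` and then `live_check imap/$(hostname -f)@REALM`; with `auth_gssapi_hostname` unset, Dovecot builds the service name from gethostname(), so the host part of the SPN you check must be that name. A return code of 1 or 2 is the cue to delete the computer object and re-run `net ads join` as done in the thread, rather than to keep adding entries by hand with ktpass.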
