[Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)

Jason Gunthorpe jgunthorpe at obsidianresearch.com
Tue Sep 1 01:35:18 EEST 2009


On Mon, Aug 31, 2009 at 11:20:18PM +0100, Gavin Hamill wrote:

> > Ok.. this is not too good, you should have many other entries too,
> > several starting with host/ and CCIMAP$.
> 
> The suggestion to remove the computer object (and the 'imapCcimap' user
> I bound the SPN to using ktpass) and 'net ads join' worked like a charm
> - I have lots more output in 'net ads keytab list' and kvno
> imap/ccimap.ad.laterooms.com works now.

Snazzy
 
> Aug 31 23:13:02 ccimap dovecot: imap-login: Login: user=<mjiggs>,
> method=GSSAPI, rip=10.6.1.81, lip=10.6.1.82

Yap, that is it

> The 'auth_gssapi_hostname = $ALL' was confusing so I commented that out
> and let it do a gethostname() instead - now it works :)

I thought Timo included this patch?? You need the $ALL for various
cases, including, I think, exim. All it says is match any entry in
the keytab, not just imap/gethostbyname()@REALM.

If you have AD and Linux servers it is worth kerberizing everything
(ssh, logins, imap, pop, smtp, apache, etc.); the method you just used
is basically how to do it for anything. I.e. you can now turn on ssh
kerberos via its config file, and with kerberized putty on windows
you get SSO ssh logins, etc.

Jason
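The two things the thread settles on are that the host's keytab must carry both host/ and imap/ principals for the FQDN after 'net ads join', and that dovecot should stay on GSSAPI with auth_gssapi_hostname = $ALL so any keytab entry matches. The script below is an added example, not code from the thread, from Dovecot or from Samba: it checks a keytab listing and a dovecot config for exactly those conditions. The function names (keytab_has_spn, check_keytab, dovecot_gssapi_ok) are hypothetical, the listing is constructed in the style of 'klist -k' output (principal in the last column, which also holds for 'net ads keytab list'), and imap.example.com / EXAMPLE.COM are placeholder names rather than the hostname and realm from the thread.

```shell
#!/bin/sh
# Added example: sanity checks for Kerberos SSO on a dovecot host.
# Inputs are CONSTRUCTED sample text; on a real host feed them from
#   klist -k /etc/krb5.keytab   (or: net ads keytab list)
#   doveconf -n

# keytab_has_spn LISTING PRINCIPAL -> 0 if some line's last field equals PRINCIPAL
keytab_has_spn() {
    listing=$1; spn=$2
    printf '%s\n' "$listing" | awk -v p="$spn" '$NF == p { found = 1 } END { exit !found }'
}

# check_keytab LISTING FQDN REALM -> 0 only if host/ and imap/ SPNs are both present
check_keytab() {
    listing=$1; fqdn=$2; realm=$3; rc=0
    for svc in host imap; do
        if keytab_has_spn "$listing" "$svc/$fqdn@$realm"; then
            echo "ok:      $svc/$fqdn@$realm"
        else
            echo "MISSING: $svc/$fqdn@$realm"
            rc=1
        fi
    done
    return $rc
}

# dovecot_gssapi_ok CONFIG -> 0 if auth_mechanisms lists gssapi AND an
# uncommented 'auth_gssapi_hostname = $ALL' is present, 1 otherwise
dovecot_gssapi_ok() {
    config=$1
    printf '%s\n' "$config" | grep -Eq \
        '^[[:space:]]*auth_mechanisms[[:space:]]*=([^#]*[[:space:]])?gssapi([[:space:]]|$)' || return 1
    printf '%s\n' "$config" | grep -Eq \
        '^[[:space:]]*auth_gssapi_hostname[[:space:]]*=[[:space:]]*\$ALL[[:space:]]*$'
}

# --- constructed sample input ---------------------------------------------
# Keytab as it looks after a clean 'net ads join' (host/, imap/, machine account)
GOOD_KEYTAB=$(cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   3 host/imap.example.com@EXAMPLE.COM
   3 host/IMAPHOST@EXAMPLE.COM
   3 imap/imap.example.com@EXAMPLE.COM
   3 IMAPHOST$@EXAMPLE.COM
EOF
)
# Keytab with only the SPN that was manually added via ktpass, imap/ missing
BAD_KEYTAB=$(cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   2 host/imap.example.com@EXAMPLE.COM
EOF
)
GOOD_CONF='auth_mechanisms = plain gssapi
auth_gssapi_hostname = $ALL'
# Same config with the $ALL line commented out: only imap/<gethostname()> matches
BAD_CONF='auth_mechanisms = plain gssapi
#auth_gssapi_hostname = $ALL'

# --- run the checks when executed directly --------------------------------
echo "== keytab after net ads join"; check_keytab "$GOOD_KEYTAB" imap.example.com EXAMPLE.COM
echo "== keytab with ktpass-only SPN";  check_keytab "$BAD_KEYTAB"  imap.example.com EXAMPLE.COM || true
dovecot_gssapi_ok "$GOOD_CONF" && echo "dovecot: gssapi with \$ALL"
dovecot_gssapi_ok "$BAD_CONF"  || echo "dovecot: \$ALL not set, only the gethostname() SPN will match"
```

Run it as-is to see both the passing and the failing case; on a real host replace the constructed text with the output of klist -k and doveconf -n. A missing imap/ entry is the same symptom the thread started from (kvno imap/FQDN failing), so this is a cheap check to keep in a post-join script.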

