[Dovecot] Kerberos GSSAPI - proper item name in keytab
Jerry
dovecot.user at seibercom.net
Wed Aug 31 23:58:36 EEST 2011
On Wed, 31 Aug 2011 14:39:56 -0600
Jason Gunthorpe articulated:
> On Wed, Aug 31, 2011 at 09:28:50AM -0600, Trever L. Adams wrote:
>
> > I have only followed part of this. If the original poster's problem
> > is that the LDAP database is not being able to be accessed with an
> > SPN ticket, this is because SPNs are not allowed to log in in AD.
> > You need to use a user account (including MACHINE$ accounts). It
> > took me forever to figure this out. To use this, you need a cron
> > job that creates/renews tickets from time to time for the
> > user/machine account. Then you use Dovecot's environment setup
> > configuration to set the KRB5_CC (or whatever it is called, my head
> > is elsewhere) env variable to that Kerberos ticket cache that was
> > created in the cronjob. This cache needs to be readable by dovecot
> > and should be owned by its user.
>
> This all works a 1000% better if you use Samba to join the domain and
> create your keytab with the right SPNs. See my prior posts to this
> list for a formula. Using the MS kerberos compatibility tools is
> painful, complicated and tends to make a mess.
>
> Samba will create a machine UPN and populate the system keytab
> appropriately. From a cron job you can use 'kinit -k' to maintain an
> active ticket for the machine UPN which dovecot can use for LDAP
> operations.
I just got this link from a friend who uses Kerberos on several systems.
<http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=8350>
I have no idea if it will work or help you or not.
--
Jerry ✌
Dovecot.user at seibercom.net
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__________________________________________________________________
Everlasting peace will come to the world when the last man has slain
the last but one.
Adolf Hitler
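An added example (not code from anyone in this thread) of the cron-driven renewal the quoted replies describe: a machine-account ticket obtained with `kinit -k` from the system keytab into a cache owned only by the Dovecot user, with a permission check before the cache is handed over. Everything concrete here is an assumption: the keytab path `/etc/krb5.keytab` (what a Samba domain join populates), the placeholder principal `HOSTNAME$@EXAMPLE.COM`, the cache path, the user name `dovecot`, the environment variable `KRB5CCNAME` (the variable the quoted poster could not recall), and Dovecot 2.x's `import_environment` setting as the way to pass it through.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. Renews a machine-account
# Kerberos ticket for Dovecot's LDAP lookups and checks the cache is private.
# Assumed values (all placeholders):
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"                  # filled by Samba's domain join
PRINCIPAL="${PRINCIPAL:-HOSTNAME\$@EXAMPLE.COM}"      # machine UPN, placeholder
CACHE="${CACHE:-/var/run/dovecot/krb5cc_dovecot}"     # ticket cache read by Dovecot
DOVECOT_USER="${DOVECOT_USER:-dovecot}"

# renew_ticket: fetch a fresh TGT from the keytab into CACHE (requires kinit).
renew_ticket() {
    KRB5CCNAME="FILE:$CACHE" kinit -k -t "$KEYTAB" "$PRINCIPAL"
}

# cache_is_private: succeed only if the cache exists, belongs to the expected
# user and is not readable by group or others. Works with GNU and BSD stat.
cache_is_private() {
    file="$1"; owner="$2"
    [ -f "$file" ] || return 1
    if stat -c '%U %a' "$file" >/dev/null 2>&1; then
        set -- $(stat -c '%U %a' "$file")
    else
        set -- $(stat -f '%Su %Lp' "$file")
    fi
    [ "$1" = "$owner" ] || return 1
    case "$2" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# dovecot_env_line: the dovecot.conf line that exposes the cache to Dovecot
# (assumes Dovecot 2.x import_environment syntax).
dovecot_env_line() {
    printf 'import_environment = $import_environment KRB5CCNAME=FILE:%s\n' "$CACHE"
}

# main: the body a cron entry such as "*/30 * * * * root /usr/local/sbin/renew-krb.sh"
# would run (cron line is an assumption). Only executed when RUN_MAIN=1.
main() {
    umask 077
    renew_ticket
    chown "$DOVECOT_USER" "$CACHE"
    chmod 600 "$CACHE"
    if ! cache_is_private "$CACHE" "$DOVECOT_USER"; then
        echo "ticket cache $CACHE is not private to $DOVECOT_USER" >&2
        exit 1
    fi
}

if [ "${RUN_MAIN:-0}" = 1 ]; then
    main
fi
```

Run it from cron as root with `RUN_MAIN=1` so the cache is refreshed well inside the ticket lifetime; the permission check is the part worth keeping, since a world-readable cache lets any local user act as the machine account against LDAP.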