[Dovecot] LDAP and GSSAPI problems

Trever L. Adams trever.adams at gmail.com
Fri Feb 25 12:38:42 EET 2011


On 02/05/2011 09:40 PM, Jason Gunthorpe wrote:
> On Sat, Feb 05, 2011 at 08:49:21PM -0700, Trever L. Adams wrote:
>
>>> Isn't it called KRB5CCNAME?
>> Yes. Some things (Amanda, at least from the directions, I haven't done
>> it yet) actually still use service principals which are KRB5_KTNAME. For
>> credentials in most clients, yes, KRB5CCNAME and that does work.
> Amanda is doing what I described below internally. The keytab file
> contains kerberos shared secrets so Amanda uses that to get a TGT. You
> can't use kerberos without a TGT. The fact it is using a SPN or UPN
> shared secret doesn't matter at the client.
Great to know. Thank you.
>> Yes, this refresh is EXACTLY what I have been trying to avoid with
>> service principals. I am starting to wish that Samba 4 supported SASL
>> CRAM-MD5 or something so that I could just use that; no refresh.
> Put the kinit -k line in a crontab. That command gets a fresh TGT for
> the machine account.
>
> Service principals just avoid having to create a new UPN in MIT
> kerberos. In AD kerberos a SPN cannot get a TGT so that is
> undoable. The machine account works very similarly to how a SPN
> would be used in MIT kerberos except that it is a UPN at the
> KDC. Samba writes a keytab entry for the machine account that
> contains the shared secret which lets kinit -k work.
Ok, I had to use SPNs for part of the setup. I am now using the UPN they
run under for my tests and everything seems to work ok. I cannot test it
directly in Dovecot as the Linux distro I am using doesn't have the
Postfix counterpart needed just yet, but the kinit -k works from the
keytab I have set up. Hopefully I can test that soon.
>> Thank you for all your input. I am afraid this is the same problem I am
>> going to hit with Postfix (it does a similar setup to Dovecot, I am just
>> not running the recent version yet that supports it).
> Yes. Same answer, run it pointing to the same CC cache you setup for
> dovecot.
>
> Be aware that both the keytab and the credential cache are 'password
> equivalents' and must be protected.
>
> Jason
Yes, I was aware of this. Thank you very much for the reminder. So, all
this time I just needed to be able to set an environment variable and
since Samba and AD don't allow you to login using SPNs, just use the UPN
I had the SPNs under for this CC setup.

Thank you,
Trever Adams

-- 
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." -- Benjamin Franklin
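The "kinit -k in a crontab" refresh discussed in the thread, as an added example that is not part of the original messages: it renews a machine-account TGT from its keytab into a dedicated credential cache and refuses to proceed if either file is readable by group or other. The keytab and cache paths, the principal name and the script path in the cron line are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): refresh a Kerberos TGT for a machine
# account from its keytab into a dedicated credential cache. Paths and the
# principal below are assumed placeholders, not values from the discussion.
KEYTAB=/etc/dovecot/dovecot.keytab          # assumed keytab path
CCACHE=/var/lib/dovecot/krb5cc_dovecot      # assumed cache path (KRB5CCNAME)
PRINCIPAL='MAILHOST$@EXAMPLE.COM'           # machine-account UPN, placeholder

# Both the keytab and the cache are password-equivalents: accept a file only
# if group and other have no permission bits at all (cols 5-10 of ls -l).
is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Obtain a fresh TGT with the keytab key; umask 077 keeps a newly created
# cache private, and the cache is re-checked afterwards.
refresh_tgt() {
    command -v kinit >/dev/null 2>&1 || { echo "kinit not found" >&2; return 1; }
    is_private "$KEYTAB" || { echo "refusing: $KEYTAB is not private" >&2; return 1; }
    ( umask 077 && kinit -k -t "$KEYTAB" -c "$CCACHE" "$PRINCIPAL" ) || return 1
    is_private "$CCACHE"
}

# Crontab entry that renews well inside the ticket lifetime (every 6 hours,
# against the AD default maximum of 10 hours), so the cache never goes stale.
crontab_line() {
    printf '%s\n' "0 */6 * * * /usr/local/sbin/refresh_tgt.sh refresh"
}

case "${1:-}" in
    refresh) refresh_tgt ;;
    show)    crontab_line ;;
esac
```

The service itself must see KRB5CCNAME pointing at the same cache; Dovecot 2.x can pass it through with its import_environment setting.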
