[Dovecot] Kerberos GSSAPI - proper item name in keytab

Trever L. Adams trever.adams at gmail.com
Wed Aug 31 18:28:50 EEST 2011

On 08/31/2011 07:35 AM, Stanislav Klinkov wrote:
>> and added the SPN for smtp using LDAP/setspn and used ktutil on the dovecot host to add an entry to my keytab with the same key and kvno
> Sorry, I'm not sure in realizing what you mean. What is "LDAP/setspn"?
I have only followed part of this. If the original poster's problem is
that the LDAP database cannot be accessed with an SPN
ticket, this is because SPNs are not allowed to log in in AD. You need
to use a user account (including MACHINE$ accounts). It took me forever
to figure this out. To use this, you need a cron job that creates/renews
tickets from time to time for the user/machine account. Then you use
Dovecot's environment setup configuration to set the KRB5_CC (or
whatever it is called, my head is elsewhere) env variable to that
Kerberos ticket cache that was created in the cronjob. This cache needs
to be readable by dovecot and should be owned by its user.

