[Dovecot] Kerberos GSSAPI - proper item name in keytab
warden at geneseo.edu
Wed Aug 31 18:51:02 EEST 2011
On Aug 31, 2011, at 10:55 AM, Stanislav Klinkov wrote:
> Thank you for sharing a very interesting experience, David.
>> It seemed like running ktpass multiple times invalidated the previous keytabs.
> OK. Let us assume. But then how can you explain the fact that the
> setting <<auth_gssapi_hostname = "$ALL">> in dovecot config solves all
> mentioned troubles at once?
That is a very good question that I sadly don't have the answer to and I fear I misunderstood the initial problem. It's my understanding that auth_gssapi_hostname controls which entries in the keytab file dovecot will allow itself to use. If you enable debug auth logging in dovecot, do you see anything about which entry in your keytab file it's attempting to use? Also, do you see anything in your AD logs when you get the "invalid principal" error from the IP of your dovecot host?
> As well I just have run the following experiment. I re-generated one
> more keytab for service "imap/test.efim.local" only. So, it became the
> last-generated key. Then I copied it onto my dovecot server as the only
> "krb.keytab" file, and nothing changed.
> Also, I issued the following command on my AD domain controller:
> C:\Windows\system32>setspn -L dovecot
> And the result was:
> Registered ServicePrincipalNames for
> Please note, that I have not applied any magic to servicePrincipalName
> of AD user "dovecot" by setspn or other AD snap-ins.
>> To make sure everything should work, hop on a box where you have a valid user Kerberos ticket and do kvno imap/efim.test.local and kvno smtp/efim.test.local.
> Sorry, I might have not mentioned above. I run Mozilla Thunderbird on my
> Windows XP workstation.
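The debugging step David describes above (look at which keytab entry Dovecot is allowed to use and whether the keytab is stale) can be checked outside Dovecot. The script below is an added example, not code from the thread or from the Dovecot project: it compares the key version number (kvno) of a service principal in the keytab on the Dovecot host against the kvno the KDC currently reports, and tells you whether the principal is missing from the keytab, present but stale (a new `ktpass` run with a new password changes the account's key and bumps its kvno, which is one way older keytabs stop working), or current. The `klist -k` and `kvno` outputs embedded here are constructed samples; on a real host you would pipe in the real output of `klist -k /etc/dovecot/krb.keytab` and `kvno imap/<host>` run as a user holding a valid ticket. With `auth_gssapi_hostname = "$ALL"` Dovecot accepts any service principal found in the keytab instead of only the one for its own hostname, so a "missing" result for the hostname-specific principal is consistent with `$ALL` making things work.

```shell
#!/bin/sh
# Added example (not from the thread or the Dovecot project): check a service
# principal in a Dovecot keytab against the kvno the KDC currently issues.
# Sample outputs below are constructed to mirror real `klist -k` / `kvno` format.

# Constructed sample of `klist -k /etc/dovecot/krb.keytab` on the Dovecot host.
SAMPLE_KLIST='Keytab name: FILE:/etc/dovecot/krb.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 imap/test.efim.local@EFIM.LOCAL
   3 smtp/test.efim.local@EFIM.LOCAL'

# Constructed sample of `kvno imap/test.efim.local` run by a user with a TGT.
# The KDC reports kvno 4, i.e. the key was regenerated after the keytab was cut.
SAMPLE_KVNO='imap/test.efim.local@EFIM.LOCAL: kvno = 4'

# keytab_kvno PRINCIPAL: read `klist -k` output on stdin, print the kvno of
# PRINCIPAL; print nothing and return 1 if the principal is not in the keytab.
keytab_kvno() {
    awk -v p="$1" '$2 == p { print $1; found = 1 } END { exit (found ? 0 : 1) }'
}

# kdc_kvno: read `kvno` output on stdin, print the kvno number the KDC reported.
kdc_kvno() {
    sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# check_principal PRINCIPAL KLIST_OUTPUT KVNO_OUTPUT
# Prints exactly one word:
#   missing  - principal is not in the keytab at all
#   mismatch - principal is in the keytab but its kvno differs from the KDC's
#   ok       - keytab entry matches what the KDC issues
check_principal() {
    kt=$(printf '%s\n' "$2" | keytab_kvno "$1") || { echo missing; return 0; }
    kdc=$(printf '%s\n' "$3" | kdc_kvno)
    if [ "$kt" = "$kdc" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# Stand-alone demo with the constructed samples (prints "mismatch").
check_principal imap/test.efim.local@EFIM.LOCAL "$SAMPLE_KLIST" "$SAMPLE_KVNO"
```

A `mismatch` result means the keytab on the Dovecot host predates the last key change on the AD account, so the KDC-issued service ticket cannot be decrypted with the keytab's key; re-exporting the keytab once, after the final `ktpass` run, and copying that single file to the server is the fix. A `missing` result for the hostname-specific principal points at the keytab contents rather than the Kerberos exchange itself.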