[Dovecot] Kerberos GSSAPI - proper item name in keytab

Nikolay Shopik shopik at inblock.ru
Wed Aug 31 19:30:48 EEST 2011

On 31.08.2011 18:55, Stanislav Klinkov wrote:
> Thank you for sharing a very interesting experience, David.
>> It seemed like running ktpass multiple times invalidated the previous keytabs.
> OK. Let us assume. But then how can you explain the fact that the
> setting <<auth_gssapi_hostname = "$ALL">> in dovecot config solves all
> mentioned troubles at once?
> As well, I have just run the following experiment. I re-generated one
> more keytab for service "imap/test.efim.local" only. So, it became the
> last-generated key. Then I copied it onto my dovecot server as the only
> "krb.keytab" file, and nothing changed.
> Also, I issued the following command on my AD domain controller:
> C:\Windows\system32>setspn -L dovecot
> And the result was:
> *****************
> Registered ServicePrincipalNames for
> CN=dovecot,OU=Agents,DC=romashka,DC=lan:
>          imap/efim.test.local
>          smtp/efim.test.local
>          pop/efim.test.local
> *****************
> Please note that I have not applied any magic to servicePrincipalName
> of AD user "dovecot" by setspn or other AD snap-ins.

Early versions of ktpass allowed only one servicePrincipalName, so every 
time you generated a new one it overwrote the old one. ktpass from 
Win2008 seems to fix this.
>> To make sure everything should work, hop on a box where you have a valid user Kerberos ticket and do kvno imap/efim.test.local and kvno smtp/efim.test.local.
> Sorry, I might have not mentioned above. I run Mozilla Thunderbird on my
> Windows XP workstation.

Can you do kinit -k imap/imap/efim.test.local@ROMASHKA.LAN and then 
klist? Does it work for you?

I recommend capturing the Kerberos traffic between your client and server 
with tcpdump; this usually helps me much more than any logging, and the 
flow is easy to read in Wireshark.
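The thread turns on whether the keytab on the Dovecot host actually contains the service principal the client asks for, at the key version (kvno) the KDC currently reports. The following is an added example, not code from Dovecot or from anyone on this list: a small parser for the MIT keytab file format (version 0x0502, the layout the `ktpass` and `klist -kt` tools read and write) that lists each entry's principal, realm, kvno and enctype without exposing key material, and then checks that an expected name such as `imap/efim.test.local@ROMASHKA.LAN` is present with the kvno obtained from `kvno`. The sample keytab is constructed in memory with zero-filled keys; the `build_keytab*` helpers exist only to produce that test data.

```python
import struct

# MIT keytab file format, version 2 (magic 0x0502). Layout assumed from the
# published format description; this is an added illustration, not Dovecot code.
KEYTAB_MAGIC = b"\x05\x02"
NT_PRINCIPAL = 1


def _counted(b: bytes) -> bytes:
    """uint16 big-endian length prefix followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab_entry(principal: str, realm: str, kvno: int,
                       enctype: int, key: bytes, timestamp: int = 0) -> bytes:
    """Serialize one keytab entry; used here only to construct sample data."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))          # v2 counts name components only
    body += _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)  # name type, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)               # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    return KEYTAB_MAGIC + b"".join(build_keytab_entry(*e) for e in entries)


def parse_keytab(data: bytes):
    """Return one dict per entry (principal, realm, kvno, enctype); keys are skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 (0x0502) keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                 # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        pos += klen                  # skip the secret key material
        kvno = vno8
        if end - pos >= 4:           # 32-bit kvno, when present and non-zero, wins over vno8
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        entries.append({"principal": "/".join(comps), "realm": realm,
                        "kvno": kvno, "enctype": enctype})
        pos = end
    return entries


def check_service_principal(entries, principal: str, realm: str, expected_kvno=None):
    """Does the keytab hold exactly the name the client will request?
    Principal names are case-sensitive and a transposed host name is a
    different principal, so only an exact match counts."""
    hits = [e for e in entries if e["principal"] == principal and e["realm"] == realm]
    if not hits:
        near = [e for e in entries if e["principal"].lower() == principal.lower()]
        hint = f" (case-different entry present: {near[0]['principal']}@{near[0]['realm']})" if near else ""
        return False, f"no entry for {principal}@{realm}{hint}"
    found = sorted({e["kvno"] for e in hits})
    if expected_kvno is not None and expected_kvno not in found:
        return False, f"kvno mismatch: keytab has {found}, KDC reports {expected_kvno}"
    return True, f"{principal}@{realm} present with kvno {found}"


# Constructed sample: names from the thread, RC4-HMAC (enctype 23), zero-filled keys.
SAMPLE_KEYTAB = build_keytab([
    ("imap/efim.test.local", "ROMASHKA.LAN", 3, 23, b"\x00" * 16),
    ("smtp/efim.test.local", "ROMASHKA.LAN", 3, 23, b"\x00" * 16),
    ("imap/test.efim.local", "ROMASHKA.LAN", 4, 23, b"\x00" * 16),  # transposed host, a different SPN
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(f"{e['principal']}@{e['realm']}  kvno={e['kvno']}  enctype={e['enctype']}")
    print(check_service_principal(entries, "imap/efim.test.local", "ROMASHKA.LAN", 3))
    print(check_service_principal(entries, "pop/efim.test.local", "ROMASHKA.LAN"))
```

On a real host, read the bytes of the keytab Dovecot is configured to use and compare against the kvno that `kvno imap/efim.test.local` returns from a machine holding a valid ticket; a present name with a stale kvno is exactly the symptom a re-run `ktpass` leaves behind.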
