[Dovecot] Kerberos GSSAPI - proper item name in keytab

Jason Gunthorpe jgunthorpe at obsidianresearch.com
Wed Aug 31 23:39:56 EEST 2011


On Wed, Aug 31, 2011 at 09:28:50AM -0600, Trever L. Adams wrote:

> I have only followed part of this. If the original poster's problem is
> that the LDAP database is not being able to be accessed with an SPN
> ticket, this is because SPNs are not allowed to log in in AD. You need
> to use a user account (including MACHINE$ accounts). It took me forever
> to figure this out. To use this, you need a cron job that creates/renews
> tickets from time to time for the user/machine account. Then you use
> Dovecot's environment setup configuration to set the KRB5_CC (or
> whatever it is called, my head is elsewhere) env variable to that
> Kerberos ticket cache that was created in the cronjob. This cache needs
> to be readable by dovecot and should be owned by its user.

This all works a 1000% better if you use Samba to join the domain and
create your keytab with the right SPNs. See my prior posts to this
list for a formula. Using the MS kerberos compatibility tools is
painful, complicated and tends to make a mess.

Samba will create a machine UPN and populate the system keytab
appropriately. From a cron job you can use 'kinit -k' to maintain an
active ticket for the machine UPN which dovecot can use for LDAP
operations.

Jason
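As an added illustration of the cron-job approach described in both messages (not code from either poster), here is a renewal script for the machine account's ticket. It assumes Samba has already populated /etc/krb5.keytab with the machine principal (placeholder realm below), that Dovecot runs as user "dovecot", GNU coreutils stat, and that Dovecot's import_environment setting is used to pass the cache path; the environment variable's actual name is KRB5CCNAME.

```shell
#!/bin/sh
# Added example, not from the list post: keep a valid Kerberos ticket for
# the Samba-joined machine account so Dovecot can bind to AD LDAP with it.
# Assumes the matching dovecot.conf line (assumed syntax):
#   import_environment = $import_environment KRB5CCNAME=FILE:/var/lib/dovecot/krb5cc_machine

PRINCIPAL='MAILHOST$@EXAMPLE.COM'          # placeholder machine UPN
KEYTAB='/etc/krb5.keytab'
CACHE='/var/lib/dovecot/krb5cc_machine'
OWNER='dovecot'

# The cache is acceptable only as a regular file, mode 0600, owned by the
# Dovecot user: any other reader could impersonate the machine account.
cache_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    owner=$(stat -c '%U' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ] && [ "$owner" = "$2" ]
}

renew_ticket() {
    tmp="$CACHE.tmp.$$"
    # Fetch the TGT from the keytab (-k -t) into a temporary cache (-c) so a
    # failed kinit never replaces Dovecot's working cache with a broken one.
    kinit -k -t "$KEYTAB" -c "FILE:$tmp" "$PRINCIPAL" || { rm -f "$tmp"; return 1; }
    chown "$OWNER" "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$CACHE" || return 1
    # klist -s exits non-zero when the cache holds no unexpired ticket.
    klist -s -c "FILE:$CACHE" || return 1
    cache_is_private "$CACHE" "$OWNER"
}

# Crontab entry (run as root), well inside a typical 10h ticket lifetime:
#   0 */4 * * * /usr/local/sbin/renew-dovecot-ticket --run
if [ "${1:-}" = "--run" ]; then
    renew_ticket
fi
```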
