On Mon, 2009-08-31 at 13:24 -0600, Jason Gunthorpe wrote:
> > Ouch, can you go a little more slowly, please? I think I've joined the
> > domain OK:
>
> Sure..

Many thanks for taking the time on this - it is appreciated.

> Also verify that 'hostname -f' returns what you want. Very important.

Yep, 'ccimap.ad.laterooms.com' - forward + reverse DNS are correct in AD

> Just do this:
>
> ccimap:~# net ads keytab add imap
>
> Then:
> ccimap:~ klist -k
>
> And verify you have imap/ entries
>
> Then verify kerberos is working with:
>
> ccimap:~# kvno imap/ccimap.ad.laterooms.com
> imap/ccimap.ad.laterooms....@ad.laterooms.com: kvno = 2

I get

ccimap:/etc# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 imap/ccimap.ad.laterooms....@ad.laterooms.com
   7 imap/ccimap.ad.laterooms....@ad.laterooms.com
   7 imap/ccimap.ad.laterooms....@ad.laterooms.com
   7 imap/cci...@ad.laterooms.com
   7 imap/cci...@ad.laterooms.com
   7 imap/cci...@ad.laterooms.com
ccimap:/etc# kvno imap/ccimap.ad.laterooms.com
kvno: Server not found in Kerberos database while getting credentials for imap/ccimap.ad.laterooms....@ad.laterooms.com

However, before I received your message I had been following the
'old-school' ktpass.exe method and I think I have poisoned the 'imap'
name as a result:

http://nfsworld.blogspot.com/2005/06/using-active-directory-as-your-kdc-for.html

Is 'imap' a magic hardcoded name that Thunderbird will use? If so,
should creating 'pop3' using 'net ads keytab add' also do the business?
I'd rather try that and get a basic working auth than try to unpick my
AD problems just yet.

I ask because if I do a random name 'net ads keytab add purmle' and then
'kvno purmle/ccimap.ad.laterooms.com' then I get sensible output:

purmle/ccimap.ad.laterooms....@ad.laterooms.com: kvno = 7

I just don't want to type anything else in case I poison 'pop3' too :)

Cheers,
Gavin
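
Added example, not part of the original message: a Python sketch that cross-checks captured `klist -k` and `kvno` output, separating a principal missing from the keytab, one the KDC does not resolve (the imap case above), and a KVNO mismatch. The sample text is constructed with placeholder names (mail.example.com, EXAMPLE.COM), and the function names are hypothetical.

```python
import re

# Constructed sample of `klist -k` output (placeholder host and realm).
KLIST_SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 imap/mail.example.com@EXAMPLE.COM
   7 imap/mail.example.com@EXAMPLE.COM
   7 imap/mail@EXAMPLE.COM
   7 purmle/mail.example.com@EXAMPLE.COM
"""

# Constructed sample: one line of `kvno <principal>` output per service tested.
KVNO_SAMPLE = """\
kvno: Server not found in Kerberos database while getting credentials for imap/mail.example.com@EXAMPLE.COM
purmle/mail.example.com@EXAMPLE.COM: kvno = 7
"""

def parse_keytab(text):
    """Map principal -> set of KVNOs; klist -k prints one line per stored key."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+/\S+@\S+)\s*$", line)
        if m:
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries

def parse_kvno(text):
    """Map principal -> KVNO reported by the KDC, or None if the KDC has no such server."""
    result = {}
    for line in (l.strip() for l in text.splitlines()):
        ok = re.match(r"(\S+/\S+@\S+): kvno = (\d+)$", line)
        bad = re.search(r"Server not found in Kerberos database.* for (\S+)$", line)
        if ok:
            result[ok.group(1)] = int(ok.group(2))
        elif bad:
            result[bad.group(1)] = None
    return result

def check(keytab, kdc, service, fqdn, realm):
    """Classify service/fqdn@realm by comparing the keytab with the KDC answers."""
    princ = f"{service}/{fqdn}@{realm}"
    if princ not in keytab:
        return "missing-in-keytab"   # `net ads keytab add <service>` not done yet
    if princ not in kdc:
        return "untested"            # no kvno result captured for this principal
    if kdc[princ] is None:
        return "not-in-kdc"          # key exists locally but the KDC cannot issue a ticket
    return "ok" if kdc[princ] in keytab[princ] else "kvno-mismatch"
```
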