On 02/05/2011 06:35 PM, Jason Gunthorpe wrote:
> On Fri, Feb 04, 2011 at 12:57:11PM -0700, Trever L. Adams wrote:
>> On 02/02/2011 04:17 PM, Timo Sirainen wrote:
>>> It does set that, but only on first GSSAPI authentication. I guess it
>>> wouldn't hurt moving it to do it always. If that script helps you, I can
>>> do this change.
>> It appears that the script you recommended doesn't do the trick. Does
>> /usr/libexec/dovecot/auth clear the environment? Even doing it manually
>> from the command line the openldap stuff doesn't seem to pick up the
>> KRB5_KTNAME environment variable.
> Isn't it called KRB5CCNAME?

Yes. Some things (Amanda, at least from the directions, I haven't done it yet) actually still use service principals which are KRB5_KTNAME. For credentials in most clients, yes, KRB5CCNAME and that does work.

> Presumably if dovecot has SASL setup properly for Openldap then it
> will work just fine if KRB5CCNAME is properly exported to it.
>
> However! Be aware that the TGT must be refreshed periodically, that
> is just how kerberos works.

Yes, this refresh is EXACTLY what I have been trying to avoid with service principals. I am starting to wish that Samba 4 supported SASL CRAM-MD5 or something so that I could just use that; no refresh.

>> I can kinit on the command line and get auth to work, but the kinit
>> doesn't hold over to the dovecot process (for good reasons I am sure).
>
> The *ideal* world would be if dovecot supported an in-memory ticket
> cache that it stored a TGT for a given UPN that it initializes using a
> given keytab. This is what samba does internally and realistically is
> required to use kerberos as a client.

I would prefer an SPN if it were at all possible. On reading that again, I think we are saying about the same thing. This would be fantastic. Heck, if I knew how to do that manually I could just script it, but, being new to Kerberos and LDAP I am missing a lot as I read the documentation, I am sure.

> IMHO, doing ldap without kerb is kinda sketchy unless you completely
> trust your network - it is easy to spoof ldap replies, kerb fixes
> that and has low overhead compared to ssl.
>
> Jason

Yes, this is exactly the reason I am trying to get there. The problem is the refresh. Somehow I need to get around having to refresh the CC or use a keytab with SPNs.

Thank you for all your input. I am afraid this is the same problem I am going to hit with Postfix (it does a similar setup to Dovecot, I am just not running the recent version yet that supports it).

Timo, is it possible for you to add that "import_environment = KRB5_KTNAME=/etc/dovecot/krb5.keytab KRB5CCNAME=/etc/dovecot/krb5.cc" (does this really need to be set over and over or can the master process set it and have the environment inherited... it has been a long time since I did any coding related to environment variables across forks, etc.)? This will solve all the problems (whether keytab or credential cache) other than the fact that OpenLDAP as a client won't work with a keytab (SPN) and that Kerberos will require a refresh of the credential cache.

Thank you Jason and Timo for helping me find a good solution,
Trever

-- 
"All that is necessary for the triumph of evil is that enough good men do nothing." -- Edmund Burke
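The periodic keytab-based refresh that Trever says he would script if he knew how, as an added example that is not from the thread, from Dovecot or from OpenLDAP: a POSIX sh script that renews the credential cache with `kinit -k` from the keytab only when `klist -s` reports the cache missing or expired, meant for cron to run as the user Dovecot's auth process runs as. It assumes MIT or Heimdal `kinit`/`klist`, the /etc/dovecot paths named in the mail, and a placeholder service principal (`imap/mail.example.com`) that must be replaced.

```shell
#!/bin/sh
# Refresh Dovecot's Kerberos credential cache from a keytab when it has expired.
# Paths follow the thread; the principal is a placeholder you must replace.
KEYTAB="${KEYTAB:-/etc/dovecot/krb5.keytab}"
CCACHE="${CCACHE:-/etc/dovecot/krb5.cc}"
PRINCIPAL="${PRINCIPAL:-imap/mail.example.com}"   # placeholder SPN (assumed)

# cache_valid: exit 0 if the cache holds an unexpired ticket.
# 'klist -s' is silent and returns 1 for a missing or expired cache.
cache_valid() {
    klist -s -c "$1" 2>/dev/null
}

# refresh_cache: obtain a new TGT with the keytab (no password needed) and
# keep the cache file private, since it grants whatever the SPN can do.
refresh_cache() {
    kinit -k -t "$KEYTAB" -c "$CCACHE" "$PRINCIPAL" || return 1
    chmod 600 "$CCACHE"
}

# ensure_ticket: refresh only when needed. Prints the action taken and
# returns 0 if the cache is usable afterwards, 1 if the refresh failed.
ensure_ticket() {
    if cache_valid "$CCACHE"; then
        echo "cache-ok"
        return 0
    fi
    if refresh_cache; then
        echo "refreshed"
        return 0
    fi
    echo "refresh-failed: check keytab, principal and KDC reachability" >&2
    return 1
}

# Run the check only when invoked with --run, e.g. from cron every hour as
# the user Dovecot's auth process runs as (ticket lifetimes are often 10h).
if [ "${1:-}" = "--run" ]; then
    ensure_ticket
fi
```

Point Dovecot at the cache with KRB5CCNAME=/etc/dovecot/krb5.cc in its environment (the import_environment setting discussed in the mail) so the OpenLDAP GSSAPI bind finds the refreshed ticket.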