On 31.08.2011 18:55, Stanislav Klinkov wrote:

Thank you for sharing a very interesting experience, David.

"It seemed like running ktpass multiple times invalidated the previous keytabs."
OK. Let us assume so. But then how can you explain the fact that the
setting <<auth_gssapi_hostname = "$ALL">> in the dovecot config solves all
the mentioned troubles at once?

As well, I have just run the following experiment. I re-generated one
more keytab for the service "imap/test.efim.local" only. So, it became the
last-generated key. Then I copied it onto my dovecot server as the only
"krb.keytab" file, and nothing changed.

Also, I issued the following command on my AD domain controller:
C:\Windows\system32>setspn -L dovecot

And the result was:
*****************
Registered ServicePrincipalNames for
CN=dovecot,OU=Agents,DC=romashka,DC=lan:
         imap/efim.test.local
         smtp/efim.test.local
         pop/efim.test.local
*****************

Please note that I have not applied any magic to the servicePrincipalName
of AD user "dovecot" by setspn or other AD snap-ins.

Early versions of ktpass only allowed 1 servicePrincipalName, thus every time you generated a new one it overwrote the old one. ktpass from Win2008 seems to fix this.

To make sure everything should work, hop on a box where you have a valid user
Kerberos ticket and do kvno imap/efim.test.local and kvno smtp/efim.test.local.

Sorry, I might have not mentioned above. I run Mozilla Thunderbird on my
Windows XP workstation.



Can you do kinit -k imap/imap/efim.test.lo...@romashka.lan and then klist, does it work for you?

I do recommend tcpdumping the Kerberos traffic between your client and server; this usually helps me much better than any logging, and the flow is easy to read in Wireshark.
