Generating krb5.keytab

Matthieu PATOU mat at matws.net
Thu Jun 12 20:05:07 GMT 2008


Andrew Bartlett wrote:
> On Tue, 2008-06-10 at 17:04 +0400, Matthieu PATOU wrote:
>> Dear all,
>>
>>
>> I am trying to use saslauthd directly with samba4 with the kerberos5 authentication mechanism. And it fails: starting 
>> saslauthd in debug mode with strace, I notice that it can't find the file /etc/krb5.keytab.
>>
>> Is it possible to generate this file? I tried with kadmin but got this error message:
>> kadmin: Client not found in Kerberos database while initializing kadmin interface
> 
> We don't support the kadmin interface (because it is different between
> MIT and Heimdal, and we didn't want to lock in our choice of krb5
> implementation, even if I have strong views on it :-).
> 
> The way to handle this is actually with ldbedit on the secrets.ldb.
> Look at the record in the directory for 'dns' and the entry there in
> secrets.ldb.  An additional attribute 'krb5Keytab' (as opposed to
> 'privateKeytab') is valid, and accepts absolute paths like you require.
> 
Do you mean just adding, to the record for the DN
servicePrincipalName=DNS/test.tst,CN=Principals (where test.tst is my realm), an attribute krb5Keytab with 
krb5.keytab as its value?
And then I suppose that I have to copy the dns.keytab file to krb5.keytab.

> I've not played with saslauthd and Samba4, so you might have some
> hiccups.  What are you trying to achieve, perhaps there might be some
> other ways we can get to the same goal?
I first tried to connect saslauthd directly to Kerberos with the kerberos5 mechanism, but it failed, so I moved to PAM and
changed my /etc/pam.d/imap to add:
auth    sufficient      pam_krb5.so debug
account sufficient     pam_krb5.so debug

It works very well. But I would like to be able to map a principal to another mailbox (in Cyrus), i.e. m12345 at test.tst mapped 
to mailbox matthieu.patou.

That is because we have logins composed of letters and numbers (as most medium and big sized companies have) but email addresses in 
the form first_name.last_name at domain.

Matthieu
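
Andrew's secrets.ldb suggestion, done with ldbmodify rather than an interactive ldbedit session, followed by the two checks a practitioner would want before handing the file to saslauthd: that the keytab actually lists the principal, and that it is not readable by other users. This is an added example, not part of the thread and not Samba's own code. The secrets.ldb path, the DN quoted in Matthieu's mail, the keytab path and the presence of ldbmodify and a `klist -k` that lists keytab entries are all assumptions; adjust them to your install.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba's own code). Assumed values:
# the secrets.ldb location, the DNS principal DN from Matthieu's mail, the
# keytab path, and that ldbmodify and klist are on PATH.
SECRETS_DB="${SECRETS_DB:-/usr/local/samba/private/secrets.ldb}"
PRINCIPAL_DN='servicePrincipalName=DNS/test.tst,CN=Principals'
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# LDIF that adds the krb5Keytab attribute (an absolute path, as Andrew
# says; the thread's "krb5.keytab" would be relative) to the given record.
keytab_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: krb5Keytab\nkrb5Keytab: %s\n-\n' "$1" "$2"
}

# True only when no group/other permission bit is set: a keytab holds the
# service's long-term keys, so anyone who can read it can impersonate it.
# Uses ls rather than stat so it works on both GNU and BSD userlands.
keytab_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True when `klist -k` lists an entry whose principal matches the pattern.
keytab_has_principal() {
    klist -k "$1" 2>/dev/null | grep -q "$2"
}

apply_and_check() {
    keytab_ldif "$PRINCIPAL_DN" "$KEYTAB" | ldbmodify -H "$SECRETS_DB"
    # If Samba has not written the file yet, the thread's fallback is to
    # copy dns.keytab to $KEYTAB by hand; warn rather than guess here.
    if keytab_has_principal "$KEYTAB" 'DNS/test.tst@'; then
        echo "ok: $KEYTAB lists DNS/test.tst"
    else
        echo "warning: DNS/test.tst not found in $KEYTAB yet" >&2
    fi
    if ! keytab_private "$KEYTAB"; then
        echo "tightening permissions on $KEYTAB to 0600" >&2
        chmod 600 "$KEYTAB"
    fi
}

# Run as `sh krb5-keytab.sh apply`; without an argument only the helpers
# are defined, which is what the checks below exercise.
case "${1:-}" in
    apply) apply_and_check ;;
esac
```

Whatever path you choose, the resulting file carries the DNS service's long-term keys, so it should be owned by (or readable only by) the account saslauthd runs as. Exporting a dedicated principal for saslauthd instead of reusing the DNS one would limit what a compromised saslauthd could impersonate; the thread does not say whether Samba4 of that era made that convenient.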


More information about the samba-technical mailing list