Generating krb5.keytab

Andrew Bartlett abartlet at samba.org
Sat Jun 14 12:21:54 GMT 2008


On Fri, 2008-06-13 at 00:05 +0400, Matthieu PATOU wrote:
> Andrew Bartlett wrote:
> > On Tue, 2008-06-10 at 17:04 +0400, Matthieu PATOU wrote:
> >> Dear all,
> >>
> >>
> >> I am trying to use saslauthd directly with samba4 with the kerberos5 authentication mechanism, and it fails. Starting
> >> saslauthd in debug mode under strace, I notice that it can't find the file /etc/krb5.keytab.
> >>
> >> Is it possible to generate this file? I tried with kadmin but got this error message:
> >> kadmin: Client not found in Kerberos database while initializing kadmin interface
> > 
> > We don't support the kadmin interface (because it is different between
> > MIT and Heimdal, and we didn't want to lock in our choice of krb5
> > implementation, even if I have strong views on it :-).
> > 
> > The way to handle this is actually with ldbedit on the secrets.ldb.
> > Look at the record in the directory for 'dns' and the entry there in
> > secrets.ldb.  An additional attribute 'krb5Keytab' (as opposed to
> > 'privateKeytab') is valid, and accepts absolute paths like you require.
> > 
> Do you mean just adding an attribute krb5Keytab with krb5.keytab as value to the record for the dn
> servicePrincipalName=DNS/test.tst,CN=Principals (where test.tst is my realm)?
> And then I suppose that I have to copy the dns.keytab file to krb5.keytab.

I meant creating a new entry in the directory similar to cn=DNS, and a
new entry in the secrets.ldb similar (but again, not for DNS but for the
target service), using krb5Keytab.

> > I've not played with saslauthd and Samba4, so you might have some
> > hiccups.  What are you trying to achieve, perhaps there might be some
> > other ways we can get to the same goal?
> I first tried to connect saslauthd directly to kerberos with the mechanism kerberos5 but it failed so I moved to pam and
> changed my /etc/pam.d/imap to add :
> auth    sufficient      pam_krb5.so debug
> account sufficient     pam_krb5.so debug
> 
> It works very well. But I would like to be able to map a principal to another mailbox (in cyrus), i.e. m12345@test.tst maps
> to mailbox matthieu.patou.
> 
> This is because our logins are composed of letters and numbers (as in most medium and large sized companies) but email addresses are in
> the form first_name.last_name@domain.

Sounds like a reasonable goal, but don't you want to do the Kerberos
authentication directly from the kerberised client to the kerberised
IMAP server?  Using saslauthd allows useful manipulations, but places
the cleartext password on the wire...

You might also consider having saslauthd use LDAP.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
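Since the thread turns on whether /etc/krb5.keytab exists and holds the right service principal, here is an added example (not from the list posts, and not Samba's own code) that builds a constructed version 0x0502 keytab and parses it back to list principals, kvnos and enctypes, the same information `klist -k` shows, so an administrator can check what saslauthd will actually find. The realm TEST.TST follows the thread; the IMAP host name mail.test.tst and the key bytes are assumptions.

```python
import struct

def _cs(b):  # counted string: 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b
def _read_cs(data, off):
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a version 0x0502 keytab."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cs(realm.encode()) + b"".join(_cs(c.encode()) for c in comps)
        # name_type 1 (NT_PRINCIPAL), timestamp 0, 8-bit vno, enctype, key, then the 32-bit vno
        body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + _cs(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return (principal, kvno, enctype, key_length) per live slot; key bytes are not exposed."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only version 0x0502 keytabs are handled")
    found, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:             # a negative size marks a deleted slot of -size bytes
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _read_cs(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _read_cs(data, off)
            comps.append(c.decode())
        _, _, vno8, enctype = struct.unpack_from(">IIBH", data, off)
        key, off = _read_cs(data, off + 11)
        kvno = (struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0) or vno8  # optional 32-bit kvno
        found.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype, len(key)))
        off = end
    return found

SAMPLE_KEYTAB = build_keytab([  # constructed sample: dummy keys; mail.test.tst is an assumption
    ("DNS/test.tst@TEST.TST", 1, 18, b"\x11" * 32),        # 18 = aes256-cts-hmac-sha1-96
    ("imap/mail.test.tst@TEST.TST", 3, 23, b"\x22" * 16),  # 23 = rc4-hmac
])
```

Pointing `parse_keytab` at the bytes of a real keytab shows which principals are present without printing key material; a missing imap/ entry, or a kvno that no longer matches the KDC, is the usual reason a GSSAPI service fails after the file itself has been found.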
