Generating krb5.keytab

Matthieu PATOU mat at
Sat Jun 14 23:20:39 GMT 2008

>> Do you mean just adding to the record for the dn:
>> servicePrincipalName=DNS/test.tst,CN=Principals (where test.tst is my realm) adding an attribute krb5Keytab with 
>> krb5.keytab as value ?
>> And then I suppose that I have to copy the dns.keytab file to krb5.keytab.
> I meant creating a new entry in the directory similar to cn=DNS, and a
> new entry in the secrets.ldb similar (but again, not for DNS but for the
> target service), using krb5keytab.
Still not clear for me, I guess I need to concentrate really on it and do some try and fail cycles.
>> It works very well. But I would like to be able to map a principal to another mailbox (in cyrus) ie. m12345 at test.tst map 
>> to mailbox matthieu.patou.
>> In order that we have login composed of letters and numbers (like most medium and big sized company have) but email in 
>> the form first_name.last_name at domain.
> Sounds like a reasonable goal, but don't you want to do the Kerberos
> authentication directly from the kerberised client to the kerberised
> IMAP server?  
Although I am not an cyrus expert, it seems that you have only two solutions with cyrus: saslauthd or auxprop both seems 
quite equivalent to me I could either gssapi module and auxprop to kerberise cyrus or saslauthd + mech krb5 to achieve 
the same.

 >Using saslauthd allows useful manipulations, but places
 > the cleartext password on the wire...
I am not sure that information go cleartext, at least with clients that support secured authentification (cram-md5, 
ntlm, ...)

> You might also consider having saslauthd use LDAP.
In fact I am trying to make cyrus use kerberos very directly because it seems (at least it's what I understand) that you 
can do the kind of mapping exposed in my previous mail when cyrus is using kerberos authentification.


More information about the samba-technical mailing list