Generating krb5.keytab
Andrew Bartlett
abartlet at samba.org
Tue Jun 17 05:16:03 GMT 2008
On Sun, 2008-06-15 at 03:20 +0400, Matthieu PATOU wrote:
> >> Do you mean just adding to the record for the dn:
> >> servicePrincipalName=DNS/test.tst,CN=Principals (where test.tst is my realm) adding an attribute krb5Keytab with
> >> krb5.keytab as value ?
> >> And then I suppose that I have to copy the dns.keytab file to krb5.keytab.
> >
> > I meant creating a new entry in the directory similar to cn=DNS, and a
> > new entry in the secrets.ldb similar (but again, not for DNS but for the
> > target service), using krb5keytab.
> >
> Still not clear for me, I guess I need to concentrate really on it and do some try and fail cycles.
> >> It works very well. But I would like to be able to map a principal to another mailbox (in cyrus) ie. m12345 at test.tst map
> >> to mailbox matthieu.patou.
> >>
> >> In order that we have login composed of letters and numbers (like most medium and big sized company have) but email in
> >> the form first_name.last_name at domain.
> >
> > Sounds like a reasonable goal, but don't you want to do the Kerberos
> > authentication directly from the kerberised client to the kerberised
> > IMAP server?
> Although I am not a cyrus expert, it seems that you have only two solutions with cyrus: saslauthd or auxprop. Both seem
> quite equivalent to me; I could either use the gssapi module and auxprop to kerberise cyrus, or saslauthd + mech krb5 to achieve
> the same.
>
> >Using saslauthd allows useful manipulations, but places
> > the cleartext password on the wire...
> I am not sure that information goes cleartext, at least with clients that support secured authentication (cram-md5,
> ntlm, ...)
If they used secured authentication, then you can't map this to kerberos
(as it needs a plaintext password for input).
Instead, you need to tell cyrus how to access the plaintext password
that we don't store by default, or pass the NTLM exchange along to
ntlm_auth (see the cyrus-sasl plugin in our 'lorikeet' repository for
this approach). This would be an interesting development project.
> >
> > You might also consider having saslauthd use LDAP.
> In fact I am trying to make cyrus use kerberos very directly because it seems (at least it's what I understand) that you
> can do the kind of mapping exposed in my previous mail when cyrus is using kerberos authentication.
That would be unfortunate. I suggest that as you suggest above, find a
test server and try things out. It should not be too hard to follow the
pattern.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
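The exchange above turns on one property of the SASL mechanisms involved: a challenge/response mechanism such as CRAM-MD5 never puts the password on the wire, so the server must already hold the plaintext (or an equivalent) to verify it, while PLAIN hands the password over and is therefore the only kind of mechanism saslauthd can forward to a verdict-only backend such as a KDC. The following is an added example, not code from the thread or from Samba or Cyrus; the account name, password, challenge and mailbox mapping are constructed, and `password_check_backend` is a hypothetical stand-in for saslauthd's yes/no verdict.

```python
import hmac
import hashlib
from typing import Callable, Optional

# Constructed sample data (not from the thread): a login-style account name,
# its password, and the mailbox that login should map to.
PASSWORDS = {"m12345": "correct horse battery staple"}
MAILBOXES = {"m12345": "matthieu.patou"}


def cram_md5_response(user: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 over the server's
    challenge, keyed with the password, sent as '<user> <hexdigest>'.
    The password itself never leaves the client."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"


def verify_cram_md5(response: str, challenge: bytes,
                    password_lookup: Callable[[str], Optional[str]]) -> bool:
    """Server side of CRAM-MD5. The server only sees a keyed digest, so the
    only way to check it is to recompute it, which requires the server to
    already hold the plaintext password. A backend that merely answers
    'is this password correct?' cannot be consulted from here."""
    try:
        user, digest = response.split(" ", 1)
    except ValueError:
        return False
    password = password_lookup(user)
    if password is None:
        return False
    expected = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected, digest)


def password_check_backend(user: str, password: str) -> bool:
    """Hypothetical verdict-only backend: takes a plaintext password and says
    yes or no, the way saslauthd does against a KDC or an LDAP bind. It never
    discloses the stored secret, so it cannot serve CRAM-MD5 verification."""
    stored = PASSWORDS.get(user, "")
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


def verify_plain(authcid: str, password: str,
                 backend: Callable[[str, str], bool]) -> Optional[str]:
    """Server side of PLAIN: the password arrives in the clear (hence the
    need for TLS on the wire), which is exactly what allows it to be passed
    to a verdict-only backend. Authentication and mailbox mapping are
    separate steps: return the mailbox for the login on success, else None."""
    if not backend(authcid, password):
        return None
    return MAILBOXES.get(authcid)


if __name__ == "__main__":
    # Constructed server challenge in the RFC 2195 '<nonce.time@host>' form.
    challenge = b"<1718000000.1234@mail.test.tst>"
    resp = cram_md5_response("m12345", PASSWORDS["m12345"], challenge)
    print("CRAM-MD5 with plaintext store:", verify_cram_md5(resp, challenge, PASSWORDS.get))
    # The same response is useless against a different challenge (replay).
    print("CRAM-MD5 replayed:", verify_cram_md5(resp, b"<other@mail.test.tst>", PASSWORDS.get))
    # A store that cannot return the plaintext cannot verify CRAM-MD5 at all.
    print("CRAM-MD5 without plaintext:", verify_cram_md5(resp, challenge, lambda u: None))
    print("PLAIN via verdict backend ->", verify_plain("m12345", PASSWORDS["m12345"], password_check_backend))
```

The `lambda u: None` lookup models a directory that stores only hashed or Kerberos-derived secrets: the digest in the CRAM-MD5 response is correct, yet the server has nothing to recompute it from and must reject. That is the situation Andrew describes, and why bridging a "secured" mechanism to a password-checking backend needs either the plaintext stored server-side or a mechanism-specific passthrough (as with NTLM and ntlm_auth) rather than a password check.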