Generating krb5.keytab

Andrew Bartlett abartlet at
Tue Jun 17 05:16:03 GMT 2008

On Sun, 2008-06-15 at 03:20 +0400, Matthieu PATOU wrote:
> >> Do you mean just adding to the record for the dn:
> >> servicePrincipalName=DNS/test.tst,CN=Principals (where test.tst is my realm) adding an attribute krb5Keytab with 
> >> krb5.keytab as value ?
> >> And then I suppose that I have to copy the dns.keytab file to krb5.keytab.
> > 
> > I meant creating a new entry in the directory similar to cn=DNS, and a
> > new entry in the secrets.ldb similar (but again, not for DNS but for the
> > target service), using krb5keytab.
> > 
> Still not clear for me, I guess I need to concentrate really on it and do some try and fail cycles.
> >> It works very well. But I would like to be able to map a principal to another mailbox (in cyrus) ie. m12345 at test.tst map 
> >> to mailbox matthieu.patou.
> >>
> >> In order that we have login composed of letters and numbers (like most medium and big sized company have) but email in 
> >> the form first_name.last_name at domain.
> > 
> > Sounds like a reasonable goal, but don't you want to do the Kerberos
> > authentication directly from the kerberised client to the kerberised
> > IMAP server?  
> Although I am not an cyrus expert, it seems that you have only two solutions with cyrus: saslauthd or auxprop both seems 
> quite equivalent to me I could either gssapi module and auxprop to kerberise cyrus or saslauthd + mech krb5 to achieve 
> the same.
>  >Using saslauthd allows useful manipulations, but places
>  > the cleartext password on the wire...
> I am not sure that information go cleartext, at least with clients that support secured authentification (cram-md5, 
> ntlm, ...)

If they used secured authentication, then you can't map this to kerberos
(as it needs a plaintext password for intput).  

Instead, you need to tell cyrus how to access the plaintext password
that we don't store by default, or pass the NTLM exchange along to
ntlm_auth (see the cyrus-sasl plugin in our 'lorikeet' repoistory for
this approach).  This would be an interesting development project. 

> > 
> > You might also consider having saslauthd use LDAP.
> In fact I am trying to make cyrus use kerberos very directly because it seems (at least it's what I understand) that you 
> can do the kind of mapping exposed in my previous mail when cyrus is using kerberos authentification.

That would be unfortunate.  I suggest that as you suggest above, find a
test server and try things out.  It should not be too hard to follow the

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.        

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list