GSSAPI / cyrus / samba4

Matthieu Patou mat+Informatique.Samba at
Wed Aug 12 12:34:09 MDT 2009

hello andrew,

As I told you on IRC i was able to make GSSAPI work with s4 but when I 
tried to make things a bit cleaner then I faced a problem very strange.

So my dc is test.samba4.tst and my imap server is on the dc but I 
usually access it through imap.samba4.tst.

Adding the principal imap/test.samba4.tst in sam.ldb and editing the 
secret.ldb so that an keytab entry for this principal is added was 
simple. With the resulting keytab I copied it as /etc/krb5.keytab 
restarted cyrus and then I started to be able to use GSSAPI.

So I wanted to make it a bit cleaner and also not to use the same keytab 
as the DC/KDC ...
I first tried to create a computer CN=imap,DC=samba4,DC=tst with a 
servicePrincipalName of imap/imap.samba4.tst and the associated keytab 
with all the good things (and I've been very carefull about the 
passwords so that the secret attribute in secrets.ldb for this entry is 
in sync with the unicodePwd in sam.ldb) and of course copied back to 
/etc/krb5.keytab the new keytab.

This wasn't successfull, so I tried to add the servicePrincipal 
imap/imap.samba4.tst to the entry of the DC (CN=TEST,DC=SAMBA4,DC=TST).
I modified the secrets.ldb ... regenerated the keytab with one more 
entry for imap/imap.samba4.tst ... removed the other entry for principal 
imap/imap.samba4.tst and retested.
And still it don't work.

So it's quite strange as I'm still on my orange belt in kerberos I'm 
quite sure to miss something have you any clue ?


More information about the samba-technical mailing list