GSSAPI / cyrus / samba4

Matthieu Patou mat at
Wed Aug 12 15:44:48 MDT 2009

It seems to be that cyrus is messing with the names ....

On 08/12/2009 10:34 PM, Matthieu Patou wrote:
> hello andrew,
> As I told you on IRC i was able to make GSSAPI work with s4 but when I
> tried to make things a bit cleaner then I faced a problem very strange.
> So my dc is test.samba4.tst and my imap server is on the dc but I
> usually access it through imap.samba4.tst.
> Adding the principal imap/test.samba4.tst in sam.ldb and editing the
> secret.ldb so that an keytab entry for this principal is added was
> simple. With the resulting keytab I copied it as /etc/krb5.keytab
> restarted cyrus and then I started to be able to use GSSAPI.
> So I wanted to make it a bit cleaner and also not to use the same keytab
> as the DC/KDC ...
> I first tried to create a computer CN=imap,DC=samba4,DC=tst with a
> servicePrincipalName of imap/imap.samba4.tst and the associated keytab
> with all the good things (and I've been very carefull about the
> passwords so that the secret attribute in secrets.ldb for this entry is
> in sync with the unicodePwd in sam.ldb) and of course copied back to
> /etc/krb5.keytab the new keytab.
> This wasn't successfull, so I tried to add the servicePrincipal
> imap/imap.samba4.tst to the entry of the DC (CN=TEST,DC=SAMBA4,DC=TST).
> I modified the secrets.ldb ... regenerated the keytab with one more
> entry for imap/imap.samba4.tst ... removed the other entry for principal
> imap/imap.samba4.tst and retested.
> And still it don't work.
> So it's quite strange as I'm still on my orange belt in kerberos I'm
> quite sure to miss something have you any clue ?
> Matthieu.

More information about the samba-technical mailing list