[Samba] Where is krb5.keytab or equivalent?
Mark Foley
mfoley at ohprs.org
Sat Jul 2 01:32:53 UTC 2016
Following your example for 2nd test ...
you:
> ~# samba-tool user create dovecot
> [Assign password]
> ~# samba-tool spn add imap/server.domain.local dovecot
> ~# samba-tool domain exportkeytab --principal dovecot@DOMAIN.LOCAL dovecot.keytab
> ~# cp dovecot.keytab /etc/dovecot/dovecot.keytab
> ~# chgrp dovecot /etc/dovecot/dovecot.keytab
> ~# chmod g+r /etc/dovecot/dovecot.keytab
me:
root@mail > samba-tool user delete dovecot # to get rid of previous defs.
Deleted user dovecot
root@mail > samba-tool user create dovecot
New Password:
Retype Password:
User 'dovecot' created successfully
root@mail > samba-tool domain exportkeytab --principal dovecot@HPRS.LOCAL dovecot.keytab
root@mail > cp dovecot.keytab /etc/dovecot/dovecot.keytab
root@mail > chgrp dovecot /etc/dovecot//dovecot.keytab
root@mail > chmod g+r /etc/dovecot/dovecot.keytab
root@mail > dovecot reload
> As a side note. I test on a different server now and above and the mutt
> test from my other mail only works with
> auth_gssapi_hostname = "$ALL"
> defined in dovecot config.
I added that back in before reloading dovecot. Some commenter had me remove it during previous
testing.
Re-ran mutt, sadly same result as previous test, "Certificate host check failed: certificate
owner does not match hostname mail.hprs.local".
Nothing in maillog.
I think certificate is fooped.
--Mark
-----Original Message-----
> To: samba at lists.samba.org
> From: Achim Gottinger <achim at ag-web.biz>
> Date: Fri, 1 Jul 2016 23:52:53 +0200
> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
>
> Here is a simpler way to create a user with the imap principal and the
> dovecot keymap
>
> ~# samba-tool user create dovecot
> [Assign password]
> ~# samba-tool spn add imap/server.domain.local dovecot
> ~# samba-tool domain exportkeytab --principal dovecot@DOMAIN.LOCAL dovecot.keytab
> ~# cp dovecot.keytab /etc/dovecot/dovecot.keytab
> ~# chgrp dovecot /etc/dovecot/dovecot.keytab
> ~# chmod g+r /etc/dovecot/dovecot.keytab
>
> As a side note. I test on a different server now and above and the mutt
> test from my other mail only works with
> auth_gssapi_hostname = "$ALL"
> defined in dovecot config.
>
> Otherwise I get these errors
>
> Jul 1 23:47:29 server dovecot: auth: Debug:
> gssapi(?,127.0.0.1,<55Rq7pk24gB/AAAB>): Obtaining credentials for imap@
> Jul 1 23:47:33 server dovecot: auth:
> gssapi(?,127.0.0.1,<55Rq7pk24gB/AAAB>): While acquiring service
> credentials: Unspecified GSS failure. Minor code may provide more
> information
>
>
> Am 01.07.2016 um 22:40 schrieb Achim Gottinger:
> > I'm sure it will not work till you get that module built. :-)
> >
> >
> > Am 01.07.2016 um 20:53 schrieb Mark Foley:
> >> On Fri, 1 Jul 2016 11:55:20 +0200 Achim Gottinger <achim at ag-web.biz>
> >> wrote:
> >>
> >>> Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe
> >>> at a different location. On Debian this comes with the
> >>> dovecot-gssapi package.
> >> That module is nowhere on my system.
> >>
> >> --Mark
> >>
> >
> >
>
>
>
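When dovecot fails "while acquiring service credentials" as in the log quoted above, one thing worth checking is which principals the exported keytab actually holds. The following is an added example, not code from the thread: it parses the MIT keytab file format (0x0502) and lists the entries; the function names are hypothetical and the sample keytabs are constructed with dummy keys, using the realm and hostname that appear in this message.

```python
import struct

def build_keytab(principals):
    """Constructed sample: MIT keytab (format 0x0502) with dummy all-zero keys."""
    out = b"\x05\x02"
    for name in principals:
        user, realm = name.rsplit("@", 1)
        comps = user.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        # name type 1, timestamp 0, kvno 1, enctype 18 (aes256-cts), 32-byte key
        body += struct.pack(">IIBHH", 1, 0, 1, 18, 32) + b"\x00" * 32
        out += struct.pack(">i", len(body)) + body
    return out

def keytab_principals(data):
    """Return (principal, 8-bit kvno, enctype) for every live keytab entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    pos, found = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                   # negative size marks a deleted entry (hole)
            pos += -size
            continue
        p = pos
        (count,) = struct.unpack_from(">H", data, p)
        p += 2
        parts = []
        for _ in range(count + 1):     # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, p)
            parts.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        kvno, etype = struct.unpack_from(">BH", data, p + 8)  # skip type + time
        found.append(("/".join(parts[1:]) + "@" + parts[0], kvno, etype))
        pos += size
    return found

def has_principal(data, principal):
    """True if the keytab holds a key for exactly this principal name."""
    return any(name == principal for name, _, _ in keytab_principals(data))

# Constructed keytabs: one with only the user principal, one with the imap SPN.
USER_ONLY = build_keytab(["dovecot@HPRS.LOCAL"])
WITH_SPN = build_keytab(["dovecot@HPRS.LOCAL", "imap/mail.hprs.local@HPRS.LOCAL"])
```

To inspect a real file, pass `open("/etc/dovecot/dovecot.keytab", "rb").read()` to `keytab_principals`; MIT's `klist -k` prints the same list.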