[Samba] GSSAPI/Kerberos authenticate with Dovecot
L.P.H. van Belle
belle at bazuin.nl
Wed Dec 12 14:51:31 UTC 2018
Whats set for the server in its delegation?
sudo samba-tool delegation show dovecot\$
Run this on the DC, or add the -S YourDC.hostname
You need something like this:
samba-tool delegation for-any-service dovecot\$ on
Or setup for only imap, but cifs/nfs automounts may need this to.
After you've set it, i suggest, export the imap keytab again.
Not really sure if its needed, but if it does not work, try it.
And use stop and start command not restart/reload.
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> basti via samba
> Verzonden: woensdag 12 december 2018 15:31
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] GSSAPI/Kerberos authenticate with Dovecot
>
> Hello,
>
> I try to setup Dovecot with Kerberos/GSSAPI and use this howto:
> https://wiki.samba.org/index.php/Authenticating_Dovecot_agains
> t_Active_Directory#Create_the_Dovecot_user_and_keytab
>
> I also try https://wiki.dovecot.org/Authentication/Kerberos
>
> I can login as windows user on win7 and access shares.
> When I open Thunderbird I get the message:
>
> "kerberos/gssapi ticket was not accepted"
>
> For debuging I use Kerbtray.
>
> The Tickets I get are:
>
> MY.FQDN.COM
> |-- cifs/dc1.my.fqdn.com
> |-- cifs/files.my.fqdn.com
> |-- krbtgt/MY.FQDN.COM
> |-- krbtgt/MY.FQDN.COM
> |-- LDAP/dc1.my.fqdn.com/my.fqdn.com
>
> There is *no* imap ticket.
>
> root at dovecot:~# ktutil
> ktutil: rkt /etc/dovecot/dovecot.keytab
> ktutil: l
> slot KVNO Principal
> ---- ----
> ---------------------------------------------------------------------
> 1 2 imap/dovecot.my.fqdn.com at MY.FQDN.COM
> 2 2 imap/dovecot.my.fqdn.com at MY.FQDN.COM
> 3 2 imap/dovecot.my.fqdn.com at MY.FQDN.COM
> ktutil: q
> root at dovecot:~#
>
> Best Regards,
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
More information about the samba
mailing list