GSSAPI / cyrus / samba4
Matthieu Patou
mat+Informatique.Samba at matws.net
Wed Aug 12 12:34:09 MDT 2009
Hello Andrew,
As I told you on IRC, I was able to make GSSAPI work with s4, but when I
tried to make things a bit cleaner I faced a very strange problem.
So my DC is test.samba4.tst and my IMAP server is on the DC, but I
usually access it through imap.samba4.tst.
Adding the principal imap/test.samba4.tst in sam.ldb and editing
secrets.ldb so that a keytab entry for this principal is added was
simple. I copied the resulting keytab to /etc/krb5.keytab, restarted
Cyrus, and then I was able to use GSSAPI.
So I wanted to make it a bit cleaner and also not use the same keytab
as the DC/KDC ...
I first tried to create a computer CN=imap,DC=samba4,DC=tst with a
servicePrincipalName of imap/imap.samba4.tst and the associated keytab
with all the good things (and I've been very careful about the
passwords so that the secret attribute in secrets.ldb for this entry is
in sync with the unicodePwd in sam.ldb), and of course copied the new
keytab back to /etc/krb5.keytab.
This wasn't successful, so I tried to add the servicePrincipal
imap/imap.samba4.tst to the entry of the DC (CN=TEST,DC=SAMBA4,DC=TST).
I modified secrets.ldb ... regenerated the keytab with one more
entry for imap/imap.samba4.tst ... removed the other entry for principal
imap/imap.samba4.tst and retested.
And still it doesn't work.
So it's quite strange. As I'm still on my orange belt in Kerberos, I'm
quite sure I'm missing something. Have you any clue?
Matthieu.
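When a service keytab is regenerated and copied into place as described in this message, the first thing to verify before restarting the service is what the file actually contains: which principals, with which key version number (kvno) and encryption type, and whether the kvno matches what the KDC holds for that account (in an AD-style directory, msDS-KeyVersionNumber). The following is an added example, not code from this thread or from Samba: a small parser for the MIT/Heimdal keytab file format (version 0x0502) plus a check that a required service principal is present with the expected kvno. The sample keytab is constructed in the script itself, the principal names are taken from the message, and the expected kvno value is an assumed one you would read from the directory.

```python
"""Inspect an MIT/Heimdal-format keytab and check the entries a service needs.

Added example (not Samba's or the mailing-list author's code). The keytab
bytes below are constructed in-script; on a real host you would read
/etc/krb5.keytab instead.
"""
import struct
from dataclasses import dataclass


@dataclass
class KeytabEntry:
    principal: str   # e.g. "imap/imap.samba4.tst@SAMBA4.TST"
    name_type: int   # 1 = KRB5_NT_PRINCIPAL
    timestamp: int
    kvno: int
    enctype: int     # 23 = arcfour-hmac-md5, 18 = aes256-cts-hmac-sha1-96
    key: bytes


def _counted(buf, off):
    """Read a uint16 length-prefixed octet string at off."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Parse a version 0x0502 keytab into KeytabEntry objects."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:      # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        off = end
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, name_type, ts, kvno, enctype, key))
    return entries


def build_keytab(specs):
    """Encode (principal, kvno, enctype, key) tuples as a 0x0502 keytab.

    Used here only to construct the sample file; timestamps are zero.
    """
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in specs:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)     # name_type, ts, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                      # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_service_keys(entries, required_principal, expected_kvno):
    """Return a list of problems; an empty list means the keytab looks usable."""
    matches = [e for e in entries if e.principal == required_principal]
    if not matches:
        return ["no entry for %s" % required_principal]
    if not any(e.kvno == expected_kvno for e in matches):
        have = sorted({e.kvno for e in matches})
        return ["kvno mismatch for %s: keytab has %s, KDC has %d"
                % (required_principal, have, expected_kvno)]
    return []


# Constructed sample: the DC's own IMAP principal at kvno 2 and the alias
# principal at kvno 1. Keys are dummy bytes, not real Kerberos keys.
SAMPLE_KEYTAB = build_keytab([
    ("imap/test.samba4.tst@SAMBA4.TST", 2, 23, bytes(range(16))),
    ("imap/imap.samba4.tst@SAMBA4.TST", 1, 23, bytes(range(16, 32))),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-40s kvno=%d enctype=%d" % (e.principal, e.kvno, e.enctype))
    # Assumed value: the kvno the KDC holds for the account behind the alias.
    print(check_service_keys(parse_keytab(SAMPLE_KEYTAB),
                             "imap/imap.samba4.tst@SAMBA4.TST", 2))
```

On a real host, replace SAMPLE_KEYTAB with the bytes of /etc/krb5.keytab and compare the reported kvno against the directory's value for the account that carries the servicePrincipalName; a principal that is missing from the file, or present only with a stale kvno, is the usual reason a service cannot accept a GSSAPI ticket that the KDC issued without complaint.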