On Aug 31, 2011, at 10:55 AM, Stanislav Klinkov wrote:

> 
> Thank you for sharing a very interesting experience, David.
> 
>> It seemed like running ktpass multiple times invalidated the previous 
>> keytabs.
> OK. Let us assume. But then how can you explain the fact that the
> setting <<auth_gssapi_hostname = "$ALL">> in dovecot config solves all
> mentioned troubles at once?
> 
That is a very good question that I sadly don't have the answer to and I fear I 
misunderstood the initial problem. It's my understanding that 
auth_gssapi_hostname controls which entries in the keytab file dovecot will 
allow itself to use. If you enable debug auth logging in dovecot, do you see 
anything about which entry in your keytab file it's attempting to use? Also, do 
you see anything in your AD logs when you get the "invalid principal" error 
from the IP of your dovecot host?
> As well, I have just run the following experiment. I re-generated one
> more keytab for service "imap/test.efim.local" only. So, it became the
> last-generated key. Then I copied it onto my dovecot server as the only
> "krb.keytab" file, and nothing changed.
> 
> Also, I issued the following command on my AD domain controller:
> C:\Windows\system32>setspn -L dovecot
> 
> And the result was:
> *****************
> Registered ServicePrincipalNames for
> CN=dovecot,OU=Agents,DC=romashka,DC=lan:
>        imap/efim.test.local
>        smtp/efim.test.local
>        pop/efim.test.local
> *****************
> 
> Please note that I have not applied any magic to servicePrincipalName
> of AD user "dovecot" by setspn or other AD snap-ins.
> 
>> To make sure everything should work, hop on a box where you have a valid 
>> user Kerberos ticket and do kvno imap/efim.test.local and kvno 
>> smtp/efim.test.local.
> 
> Sorry, I might not have mentioned this above. I run Mozilla Thunderbird on my
> Windows XP workstation.
> 

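The check David suggests (compare what the keytab holds with the key version the KDC currently issues) can be scripted. The following is an added example, not code from the thread or from Dovecot: it parses MIT-style `klist -kt` and `kvno` output and flags every service principal whose current KVNO is missing from the keytab. The sample outputs are constructed to mirror the situation in the thread (imap/ and smtp/ entries from an earlier ktpass run, a later ktpass run for pop/ on the same AD account); the realm ROMASHKA.LAN and the KVNO values are assumptions. The mechanism behind it: by default ktpass resets the mapped account's password, which increments the account's key version number, so keytabs written by earlier runs stop matching even though their SPNs are still registered.

```python
"""Added example: find keytab entries superseded by a later ktpass run.

Assumes MIT Kerberos output formats for `klist -kt` and `kvno`.
Sample inputs below are constructed, not captured from a real system.
"""
import re

# Constructed `klist -kt /etc/dovecot/krb.keytab` output: imap/ and smtp/
# came from an earlier ktpass run (kvno 3); a later run for pop/ reset the
# account password, so the account is now at kvno 5.
KLIST_SAMPLE = """\
Keytab name: FILE:/etc/dovecot/krb.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 08/30/2011 11:02:15 imap/efim.test.local@ROMASHKA.LAN
   3 08/30/2011 11:02:15 smtp/efim.test.local@ROMASHKA.LAN
   5 08/31/2011 09:40:02 pop/efim.test.local@ROMASHKA.LAN
"""

# Constructed `kvno imap/... smtp/... pop/...` output from a client holding a
# valid TGT; all SPNs map to one AD account, so the KDC issues one kvno for all.
KVNO_SAMPLE = """\
imap/efim.test.local@ROMASHKA.LAN: kvno = 5
smtp/efim.test.local@ROMASHKA.LAN: kvno = 5
pop/efim.test.local@ROMASHKA.LAN: kvno = 5
"""

# "<kvno> <date> <time> <principal>" data lines; header/separator lines do not match.
KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$")
# "<principal>: kvno = <n>"
KVNO_LINE = re.compile(r"^(\S+):\s+kvno\s*=\s*(\d+)\s*$")


def parse_klist_keytab(text):
    """Map each principal in `klist -kt` output to the set of KVNOs stored for it."""
    entries = {}
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries


def parse_kvno_output(text):
    """Map each principal in `kvno` output to the key version the KDC issued."""
    versions = {}
    for line in text.splitlines():
        m = KVNO_LINE.match(line)
        if m:
            versions[m.group(1)] = int(m.group(2))
    return versions


def find_stale_entries(klist_text, kvno_text):
    """Return (principal, keytab_kvnos, kdc_kvno) for every principal the KDC
    issues tickets for whose current KVNO is absent from the keytab.

    Such a service cannot decrypt the ticket the client presents, which
    surfaces as a generic GSSAPI/principal error at the server."""
    keytab = parse_klist_keytab(klist_text)
    kdc = parse_kvno_output(kvno_text)
    stale = []
    for principal, kdc_kvno in sorted(kdc.items()):
        have = keytab.get(principal, set())
        if kdc_kvno not in have:
            stale.append((principal, have, kdc_kvno))
    return stale


if __name__ == "__main__":
    for principal, have, want in find_stale_entries(KLIST_SAMPLE, KVNO_SAMPLE):
        print(f"{principal}: keytab has kvno {sorted(have) or 'none'}, KDC issues kvno {want}")
```

To use it against a real host, paste the actual `klist -kt` output from the Dovecot server and the `kvno` output from a client with a valid ticket in place of the constructed samples. If every SPN on the account is stale except the one written last, regenerate a single keytab covering all SPNs in one ktpass invocation (or use ktpass's `-setpass` to leave the account password, and therefore the KVNO, untouched) rather than one ktpass run per service.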