* Julien Kerihuel wrote, On 03/04/09 12:28:
> On Fri, 2009-04-03 at 11:16 +0100, Sam Liddicott wrote:
>
>> In control-panel/Mail when I get the failure, it replaces the mapi-proxy
>> name I inserted and replaces it with NOVA, the real mail server. [How
>> did it know to do this?]
>>
>> BUT, if I tell mapiproxy that the next-hop binding should be star
>> (returned by RfrGetNewDSA from nova) instead of nova (the real mail
>> server) then I don't get the kerberos error and everything works
>> absolutely fine!
>>
>>
>> So I think one conclusion is that mapiproxy could perhaps follow the
>> RfrGetNewDSA result for the binding?
>> My network seemed to get this way because I moved the domain exchange
>> server from one DC to another DC.
>>
>
> Sam,
>
> The RfrGetNewDSA function is part of the NSPIReferral API and is used
> to locate the NSPI server. Following unconditionally this binding string
> for any other services but NSPI one would be wrong.
> ..

Thanks for the explanation, it was very helpful.

I send the packet traces you asked for directly.

Here is the biggest and most puzzling joke!

If I set the mapi-proxy bind string to "star" so that the full-realm
kerberos auth works... mailboxes fail to open - guess why... because
mapi-proxy is talking to star (like kerberos was wanting) but the
mailboxes are on nova!!

Do you want a trace of that?

Sam