On Wed, Aug 31, 2011 at 09:28:50AM -0600, Trever L. Adams wrote:
> I have only followed part of this. If the original poster's problem is
> that the LDAP database cannot be accessed with an SPN ticket, this is
> because SPNs are not allowed to log in in AD. You need to use a user
> account (including MACHINE$ accounts). It took me forever to figure this
> out. To use this, you need a cron job that creates/renews tickets from
> time to time for the user/machine account. Then you use Dovecot's
> environment setup configuration to set the KRB5_CC (or whatever it is
> called, my head is elsewhere) env variable to that Kerberos ticket cache
> that was created in the cronjob. This cache needs to be readable by
> dovecot and should be owned by its user.
This all works 1000% better if you use Samba to join the domain and create your keytab with the right SPNs. See my prior posts to this list for a formula. Using the MS Kerberos compatibility tools is painful, complicated and tends to make a mess. Samba will create a machine UPN and populate the system keytab appropriately. From a cron job you can use 'kinit -k' to maintain an active ticket for the machine UPN which dovecot can use for LDAP operations.

Jason
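The cron-side half of the procedure both posts describe, as an added example that is not part of either message: a small POSIX sh script that builds the machine UPN (HOST$@REALM, the form a Samba domain join registers), checks with `klist -s` whether the existing cache still holds a valid ticket, runs `kinit -k` against the system keytab only when it does not, and hands the resulting cache to the dovecot user with mode 0600 so no other local account can read the ticket. The keytab path, cache path, realm, dovecot username and the `import_environment` line for dovecot.conf are assumptions for illustration; adjust them to the site.

```shell
#!/bin/sh
# renew-krb5-cache.sh: keep a Kerberos ticket cache for the Samba-joined
# machine account fresh so Dovecot's LDAP lookups can authenticate with it.
# Added example, not from the mailing-list thread. All paths, the realm and
# the dovecot username below are placeholders (assumptions), not site values.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"              # filled in by Samba's domain join
CACHE="${CACHE:-/var/run/dovecot/krb5cc_machine}" # cache that Dovecot will read
DOVECOT_USER="${DOVECOT_USER:-dovecot}"           # unprivileged owner of the cache
REALM="${REALM:-EXAMPLE.COM}"                     # placeholder AD realm

# Build the machine UPN: short hostname upper-cased, a trailing '$', then the
# realm upper-cased, e.g. mailhost.example.com + example.com -> MAILHOST$@EXAMPLE.COM
machine_principal() {
    host=$(printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf '%s$@%s\n' "$host" "$realm"
}

# True (exit 0) when the cache is missing/unreadable or holds no valid,
# unexpired ticket; 'klist -s' (MIT Kerberos) exits non-zero in exactly
# those cases, so cron can call this every few minutes cheaply.
cache_needs_renewal() {
    [ -r "$1" ] || return 0
    klist -s -c "$1" && return 1
    return 0
}

# Obtain a fresh TGT from the keytab into a private temp cache, restrict it
# to the dovecot user, then atomically replace the live cache.
renew_cache() {
    principal=$1
    cache_needs_renewal "$CACHE" || return 0
    tmp="$CACHE.$$"
    # -k: authenticate with a keytab; -t: which keytab; -c: cache to write
    kinit -k -t "$KEYTAB" -c "$tmp" "$principal" || return 1
    chown "$DOVECOT_USER" "$tmp" && chmod 600 "$tmp" && mv "$tmp" "$CACHE"
}

# The dovecot.conf setting that exposes this cache to every Dovecot process
# (Dovecot 2.x import_environment accepts NAME=VALUE pairs; the leading
# $import_environment keeps whatever the default list already contained).
dovecot_env_setting() {
    printf 'import_environment = $import_environment KRB5CCNAME=FILE:%s\n' "$1"
}

main() {
    renew_cache "$(machine_principal "$(hostname)" "$REALM")"
}

# Only act when invoked as 'renew-krb5-cache.sh run' (the cron entry); sourcing
# the file just defines the functions.
if [ "${1:-}" = run ]; then main; fi
```

A crontab entry such as `*/10 * * * * /usr/local/sbin/renew-krb5-cache.sh run` keeps the ticket alive, and the line printed by `dovecot_env_setting` goes into dovecot.conf so the LDAP client inside Dovecot finds the cache through KRB5CCNAME. The temp-file-then-rename step matters: Dovecot never sees a half-written cache, and the 0600/chown step is what satisfies the "readable by dovecot and owned by its user" requirement from the quoted post without making the machine credential readable to other local users.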