On Wed, 31 Aug 2011 14:39:56 -0600 Jason Gunthorpe articulated:

> On Wed, Aug 31, 2011 at 09:28:50AM -0600, Trever L. Adams wrote:
>
> > I have only followed part of this. If the original poster's problem
> > is that the LDAP database is not being able to be accessed with an
> > SPN ticket, this is because SPNs are not allowed to log in in AD.
> > You need to use a user account (including MACHINE$ accounts). It
> > took me forever to figure this out. To use this, you need a cron
> > job that creates/renews tickets from time to time for the
> > user/machine account. Then you use Dovecot's environment setup
> > configuration to set the KRB5_CC (or whatever it is called, my head
> > is elsewhere) env variable to that Kerberos ticket cache that was
> > created in the cronjob. This cache needs to be readable by dovecot
> > and should be owned by its user.
>
> This all works a 1000% better if you use Samba to join the domain and
> create your keytab with the right SPNs. See my prior posts to this
> list for a formula. Using the MS kerberos compatibility tools is
> painful, complicated and tends to make a mess.
>
> Samba will create a machine UPN and populate the system keytab
> appropriately. From a cron job you can use 'kinit -k' to maintain an
> active ticket for the machine UPN which dovecot can use for LDAP
> operations.
I just got this link from a friend who uses Kerberos on several systems.

<http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=8350>

I have no idea if it will work or help you or not.

-- 
Jerry ✌
dovecot.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__________________________________________________________________
Everlasting peace will come to the world when the last man has slain the last but one.
Adolf Hitler
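The cron-driven machine-account ticket refresh that Trever and Jason describe above, written out as an added example (not code from anyone in this thread). It assumes a Samba-populated /etc/krb5.keytab, a machine principal of the form HOSTNAME$@REALM, Dovecot running as user "dovecot", and a cache path under /var/lib/dovecot; realm, host and paths are placeholders to adjust. The Kerberos environment variable Trever could not recall is KRB5CCNAME.

```shell
#!/bin/sh
# Added example: keep a machine-account (HOST$) ticket cache fresh for
# Dovecot's LDAP GSSAPI bind, since SPN tickets cannot log in to AD.
# Placeholders (not from the thread): realm, host, keytab and cache paths.
set -eu

REALM="${REALM:-EXAMPLE.COM}"
MACHINE_PRINC="${MACHINE_PRINC:-$(hostname -s | tr '[:lower:]' '[:upper:]')\$@$REALM}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
CCACHE="${CCACHE:-/var/lib/dovecot/krb5cc_dovecot}"
DOVECOT_USER="${DOVECOT_USER:-dovecot}"

# Obtain a fresh TGT for the machine UPN from the keytab. The ticket is
# written to a private temporary cache first and then renamed into place,
# so Dovecot never sees a half-written or world-readable cache.
renew_ticket() {
    tmp="$(mktemp "$(dirname "$CCACHE")/krb5cc.XXXXXX")"
    kinit -k -t "$KEYTAB" -c "$tmp" "$MACHINE_PRINC"
    chown "$DOVECOT_USER" "$tmp"
    chmod 600 "$tmp"
    mv -f "$tmp" "$CCACHE"
}

# Check that a cache file exists, is owned by the expected user and is not
# readable by anyone else (mode 600 or 400). Returns 0 if acceptable, 1 if
# anything is off; usable from cron or a monitoring check.
check_ccache() {
    path="$1"
    owner="$2"
    [ -f "$path" ] || return 1
    actual_owner="$(stat -c '%U' "$path" 2>/dev/null || stat -f '%Su' "$path")"
    [ "$actual_owner" = "$owner" ] || return 1
    mode="$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")"
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Cron entry (e.g. every 4 hours): /usr/local/sbin/dovecot-krb5cc.sh renew
if [ "${1:-}" = "renew" ]; then
    renew_ticket
    check_ccache "$CCACHE" "$DOVECOT_USER"
fi
```

Dovecot is then pointed at the cache by exporting KRB5CCNAME to it (in Dovecot 2.x this can be done with the import_environment setting, which accepts KEY=value entries) and by enabling a GSSAPI SASL bind in its LDAP configuration; the cache path must match the one the cron job writes.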