On Thu, 2015-09-24 at 08:23 +0300, Alexander Bokovoy wrote:
> You need to explain what are you trying to achieve first.

Sure. It is entirely likely that I am misunderstanding what I should be doing. A system service needs to be able to authenticate to the service imap/linux.example.com as a given user, so clearly that system service cannot kinit and provide a password as a user would normally (I guess this is what GSS-Proxy is for, FWIW).

> The sequence above:
>
> - Sets a random Kerberos key for a principal named aster...@example.com

OK.

> on IPA KDC and stores it to the local keytab file asterisk.keytab

Right.

> - tries to use a key for aster...@example.com to obtain ticket granting ticket as imap/linux.example....@example.com

So maybe this is where I am going wrong.

> Unless imap/linux.example....@example.com has exactly same Kerberos key as aster...@example.com, the above should fail and it does.

So I want to put the imap/linux.example.com Kerberos key into the asterisk.keytab file, such as:

    ipa-getkeytab -s server.example.com -p imap/linux.example.com -k /tmp/asterisk-krb5.keytab -e aes256-cts

I probably need to brush up on my Kerberos here, but is that what a user effectively does? When I, as a user, do a "kinit brian" and then do a klist (after having used my IMAP client), I see:

    24/09/15 09:00:28  25/09/15 06:19:42  imap/linux.example....@example.com

Does that mean that I actually have the Kerberos key for that imap/linux.example....@example.com in my key cache -- the exact same key that I am going to put into the asterisk.keytab above?

Cheers,
b.
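As an added illustration of the ccache question above (example code written for this page, not code from the thread or from FreeIPA): a toy model of the TGS exchange in which the service ticket is sealed under the service's long-term key and the client only ever receives a session key, so a principal holding a valid imap/... ticket in its cache still cannot decrypt that ticket. The principal names, keys and the cipher are constructed for the demo.

```python
# Toy model of the Kerberos service-ticket exchange, to show what a client's
# credential cache holds. Constructed example, NOT real Kerberos (real tickets
# are ASN.1 under the RFC 3961 encryption profiles); keys here are for demo only.
import hashlib, hmac, json, os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode (demo only).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    # Encrypt-then-MAC under one key: nonce(16) || ciphertext || tag(32).
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    # Returns the plaintext dict, or None when the key is wrong (tag mismatch).
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class ToyKDC:
    def __init__(self, principal_keys: dict):
        self.keys = principal_keys  # principal -> long-term key (what a keytab stores)

    def tgs_req(self, client: str, service: str):
        # The service ticket is sealed with the SERVICE's key; the client gets only a
        # fresh session key, sealed with its own key (the TGT step is elided here).
        session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"cname": client, "session": session})
        reply = seal(self.keys[client], {"sname": service, "session": session})
        return ticket, reply

def client_ccache_entry(client_key: bytes, ticket: bytes, reply: bytes) -> dict:
    # What 'klist' would show for this entry: service name, session key, opaque ticket.
    rep = unseal(client_key, reply)
    return {"sname": rep["sname"], "session": rep["session"], "ticket": ticket}

def service_accepts(service_key: bytes, entry: dict) -> bool:
    # The service decrypts the ticket with its keytab key; a wrong key yields None.
    t = unseal(service_key, entry["ticket"])
    return t is not None and t["session"] == entry["session"]
```

A keytab is the only place outside the KDC where a service's long-term key exists, which is why ipa-getkeytab fetches it from the KDC rather than from any ccache. By default ipa-getkeytab generates a fresh key for the principal, invalidating keytabs that other hosts already hold for it; its -r option retrieves the existing key instead.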
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project