On Thu, 2015-09-24 at 08:23 +0300, Alexander Bokovoy wrote:
> You need to explain what are you trying to achieve first.

Sure.  It is entirely likely that I am misunderstanding what I should
be doing.

A system service needs to be able to authenticate to the service
imap/linux.example.com as a given user, so clearly that system service
cannot kinit and provide a password as a user would normally (I guess
this is what GSS-Proxy is for, FWIW).

> The sequence above:
> 
>  - Sets a random Kerberos key for a principal named aster...@example.com

OK.

>    on IPA KDC and stores it to the local keytab file asterisk.keytab

Right.

>  - tries to use a key for aster...@example.com to obtain ticket granting
>    ticket as imap/linux.example....@exampe.com

So maybe this is where I am going wrong.

> Unless imap/linux.example....@example.com has exactly same Kerberos key
> as aster...@example.com, the above should fail and it does.

So I want to put the imap/linux.example.com Kerberos key into the
asterisk.keytab file, such as:

ipa-getkeytab -s server.example.com -p imap/linux.example.com -k /tmp/asterisk-krb5.keytab -e aes256-cts

I probably need to brush up on my Kerberos here, but is that what a user
effectively does?  When I, as a user, do a "kinit brian" and then do a
klist (after having used my imap client), I see:

24/09/15 09:00:28  25/09/15 06:19:42  imap/linux.example....@example.com

Does that mean that I actually have the Kerberos key for that
imap/linux.example....@example.com in my key cache -- the exact same key
that I am going to put into the asterisk.keytab above?

Cheers,
b.


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
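The quoted reply above boils down to one check: kinit -kt only works when the principal you name is one whose key is actually in the keytab, and the service ticket a user sees in klist is not the service's key. The following is an added shell example, not code from the thread or from FreeIPA, that parses the output of "klist -kt" to confirm a principal is present before calling kinit. The sample keytab listing is constructed for the example (a keytab holding only asterisk@EXAMPLE.COM); the keytab path, realm and principal names are assumptions, and the kinit wrapper only runs the real commands if they are installed.

```shell
# Added example: verify a keytab holds the principal you intend to kinit as.
# Not part of the original thread; realm and names below are assumptions.

# Read "klist -kt" output on stdin and print one principal per line.
# Every key line contains an '@' and ends with the principal name.
keytab_principals() {
    awk '/@/ { print $NF }'
}

# Read "klist -kt" output on stdin; return 0 if PRINCIPAL is present.
keytab_has_principal() {
    princ="$1"
    keytab_principals | grep -qxF "$princ"
}

# Guarded kinit: refuse up front instead of letting kinit fail with
# "Keytab contains no suitable keys for <principal>".
# Only runs when klist/kinit exist on this host.
kinit_from_keytab() {
    keytab="$1"
    princ="$2"
    if ! command -v klist >/dev/null 2>&1 || ! command -v kinit >/dev/null 2>&1; then
        echo "kinit_from_keytab: Kerberos client tools not installed" >&2
        return 2
    fi
    if ! klist -kt "$keytab" | keytab_has_principal "$princ"; then
        echo "refusing: $princ is not in $keytab (run 'klist -kt $keytab' to see what is)" >&2
        return 1
    fi
    kinit -kt "$keytab" "$princ"
}

# Constructed sample: what "klist -kt /tmp/asterisk-krb5.keytab" might show
# after ipa-getkeytab fetched only the asterisk key (two enctypes, same principal).
SAMPLE_KLIST='Keytab name: FILE:/tmp/asterisk-krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 09/24/2015 08:10:11 asterisk@EXAMPLE.COM
   2 09/24/2015 08:10:11 asterisk@EXAMPLE.COM'

# Demonstration on the constructed listing: the client's own principal is
# present, the imap service principal is not, so kinit as imap/... must fail.
printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principal 'asterisk@EXAMPLE.COM' \
    && echo "asterisk@EXAMPLE.COM: key present, kinit -kt will work"
printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principal 'imap/linux.example.com@EXAMPLE.COM' \
    || echo "imap/linux.example.com@EXAMPLE.COM: no key in keytab, kinit -kt as it will fail"
```

A user's ccache after "kinit brian" contains a ticket for imap/linux.example.com encrypted to the service's key, but klist showing that ticket does not mean the user holds the key itself; the same distinction is why "klist -kt" on the keytab, not "klist" on the ccache, is the right thing to inspect here.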
