On Thu, 2015-09-24 at 08:23 +0300, Alexander Bokovoy wrote:

OK.  I have refreshed my memory of how Kerberos works.

> The sequence above:
> 
>  - Sets a random Kerberos key for a principal named 
> aster...@example.com
>    on IPA KDC and stores it to the local keytab file asterisk.keytab

Yes.  That keytab is intended to be the machine equivalent of the human
who enters their password at a kinit prompt.

>  - tries to use a key for 
> aster...@example.com to obtain ticket
> granting
>    ticket as 
> imap/linux.example....@exampe.com

Why would it try to obtain a TGT as the imap/linux.example.com
principle?  It should be trying to obtain a TGT as the 
aster...@example.com principle, exactly as a human named "asterisk"
would do using kinit.

The goal here is to have the daemon authenticate to the KDC as 
aster...@example.com and then use that TGT to get service tickets to
the imap service so that it authenticates to the imap service as the
user "asterisk".

I suppose the other way, is to give the daemon the imap principle's key
and let it forge service tickets but that would require the daemon to
know that that is what is doing.  It does not know that.  It is just
acting like an imap client as any other imap client that uses kerberos
does.  To be perfectly clear, this daemon only wants to authenticate as
the single user "asterisk" to the imap server.  It does not need to
authenticate as many users.

Cheers,
b.

Attachment: signature.asc
Description: This is a digitally signed message part

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to