On Thu, 2015-09-24 at 08:23 +0300, Alexander Bokovoy wrote:
> OK. I have refreshed my memory of how Kerberos works.
>
> The sequence above:
>
> - Sets a random Kerberos key for a principal named aster...@example.com
>   on IPA KDC and stores it to the local keytab file asterisk.keytab

Yes. That keytab is intended to be the machine equivalent of the human who enters their password at a kinit prompt.

> - tries to use a key for aster...@example.com to obtain ticket granting
>   ticket as imap/linux.example....@example.com

Why would it try to obtain a TGT as the imap/linux.example.com principal? It should be trying to obtain a TGT as the aster...@example.com principal, exactly as a human named "asterisk" would do using kinit.

The goal here is to have the daemon authenticate to the KDC as aster...@example.com and then use that TGT to get service tickets to the imap service so that it authenticates to the imap service as the user "asterisk".

I suppose the other way is to give the daemon the imap principal's key and let it forge service tickets, but that would require the daemon to know that that is what it is doing. It does not know that. It is just acting like an imap client, as any other imap client that uses Kerberos does.

To be perfectly clear, this daemon only wants to authenticate as the single user "asterisk" to the imap server. It does not need to authenticate as many users.

Cheers,
b.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project