projects / sysconfig / dovecot.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d9fbf4e)
Host-independent kerberos keytab
authorAlex Dehnert <alex@dehnerts.com>
Fri, 21 Jul 2023 06:35:02 +0000 (06:35 +0000)
committerAlex Dehnert <alex@dehnerts.com>
Fri, 21 Jul 2023 06:36:45 +0000 (06:36 +0000)
Also of note: default_realm needs to be set to DEHNERTS.COM in krb5.conf, and
we may also need to map hostnames to realms.

.gitignore patch | blob | history
conf.d/10-auth.conf patch | blob | history

diff --git a/.gitignore b/.gitignore
index 1a594afacfaabce2e5f984c1c86692958f734a23..aadd9709e5818f40e006231aa9627bec57a516f8 100644 (file)
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,8 @@
 extra-users.passwd
 imap.keytab
 olinda.keytab
+mail.keytab
+mail.keytab.base64
 dovecot.pem
 *.ucf-dist
 old/
diff --git a/conf.d/10-auth.conf b/conf.d/10-auth.conf
index 68aee0e68041e0020a85f011bc188c3df28ce87e..727dbedabf1f8114458ce0f4c1467237846ecaf8 100644 (file)
--- a/conf.d/10-auth.conf
+++ b/conf.d/10-auth.conf
@@ -73,7 +73,10 @@ auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ012345
 # Kerberos keytab to use for the GSSAPI mechanism. Will use the system
 # default (usually /etc/krb5.keytab) if not specified. You may need to change
 # the auth service to run as root to be able to read this file.
-auth_krb5_keytab = /etc/dovecot/olinda.keytab
+# Should contain an imap/ (for IMAP) and smtp/ (for SMTP, because Postfix
+# offloads SASL auth) principal, for whatever the host's IP reverse-resolves
+# to.
+auth_krb5_keytab = /etc/dovecot/mail.keytab
 
 # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
 # ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>