# Postfix + Cyrus-Imapd via Kerberos with AD users.

## SimbioS

Hi there.

Sorry if I have placed this message in the wrong place, but I am desperate.

I installed Postfix + Cyrus-Imapd + Cyrus-Sasl with Kerberos and LDAP support on my Gentoo OS.

1. Create keytab on my Windows srv 2008 (AD+KDC):

ktpass -princ host/srv-mydomain.local@MYDOMAIN.LOCAL -mapuser ldapmail@MYDOMAIN.LOCAL -crypto RC4-HMAC-NT -ptype KRB5_NT_SRV_INST -pass "mypasswd" -out c:\mail.keytab

2. Copy mail.keytab via SCP to linux server (srv-mydomain.local)

Changed permissions:

chown root.kerberos /etc/mail/mail.keytab

where kerberos:

cat /etc/group | grep kerberos

kerberos::1100:root,postfix,cyrus

kinit this keytab:

kinit -V -k -t /etc/mail/mail.keytab host/srv-mydomain.local@MYDOMAIN.LOCAL

Authenticated to Kerberos v5

3. saslauthd is started with the following options:

ps ax | grep sasl

27593 ? Ss 0:00 /usr/sbin/saslauthd -a kerberos5

cat smtp.conf

pwcheck_method: saslauthd

mech_list: gssapi

sasl_pwcheck_method: saslauthd

sasl_mech_list: gssapi

sasl_keytab: /etc/mail/mail.keytab

I want my users to be authenticated via Kerberos, without using a login and password.

Postfix & Cyrus-Imapd should verify the existence of these users in AD.

So what are my next steps?

Many thanks to all for your help.

--

Ross

----------

## gerdesj

You have provided nearly the perfect query - lots of config details.

However, no logs - from anything.

Have you looked at any logs?  For starters your KDCs should see something and report in Event Log.  If they are not then either logging isn't configured or requests are not even being sent.

Dig out Wireshark. 

Cheers

jon

----------

