dovecot - Jun 2016 - Looking for GSSAPI config [was: Looking for NTLM config example]

Aki - made your suggested changes, but no joy :(

My /etc/krb5.conf:

------SNIP--------
[libdefaults]
  default_realm = HPRS.LOCAL
  dns_lookup_realm = false
  dns_lookup_kdc = true

[libdefaults]
  default_realm = HPRS.LOCAL
  dns_lookup_kdc = true
  kdc_timesync = 1
  ccache_type = 4
  forwardable = true
  proxiable = true
  fcc-mit-ticketflags = true

[realms]
  HPRS.LOCAL = {
    default_domain = hprs.local
    auth_to_local_names = {
    Administrator = root
  }
}

[domain_realm]
    hprs.local = HPRS.LOCAL
# this is not a mistake
    .hprs.local = HPRS.LOCAL
------PINS-----------

you wrote:
> You can remove the krb4_ stuff
I've remove krb4_ stuff from the [libdefaults] and eliminated the [login]
section altogether.
Question on [realms]Administrator: should that really be root or should it be my
AD Administrator?

my doveconf -n is exactly the same as posted below, but in particular:

auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi

When I reloaded dovecot no mail was delivered to anyone (even though everyone
was still using
plain/ssl, no one yet configured for gssapi).

In /var/log/maillog I got (repeatedly):

Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding,
delayed sending initial response (greeting): user=<>, rip=192.168.0.54,
lip=192.168.0.2, session=<Jy/e0lY2WADAqAA2>
Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism
'gssapi'
Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup
failed, throttling for 60 secs
Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding,
delayed sending initial response (greeting): user=<>, rip=166.170.27.161,
lip=98.102.63.107, TLS, session=</GXn0lY22wCmqhuh>

This looks pretty bad right off. Why "Unknown authentication mechanism
'gssapi'"?

Do you have any idea from the configs I've posted? I'm rather depressed
about this. I thought I'd
finally able to get AD authentication going for Dovecot. Not ready to give up
though!

Suggestions?

THX -- Mark

-----original Message-----
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config
example]
> To: dovecot at dovecot.org
> From: Aki Tuomi <aki.tuomi at dovecot.fi>
> Date: Tue, 28 Jun 2016 15:13:11 +0300
>
> On 28.06.2016 09:27, Mark Foley wrote:
> > Aki,
> >
> > To review your 5 points:
> >
> > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tuomi at
dovecot.fi> wrote:
> >
> >> 1. Functional AD or Kerberos environment
> >> 2. Time synced against your KDC (which is your Domain Controller
on Windows)
> >> 3. /etc/krb5.conf configured
> >> 4. Both forward / reverse DNS names correct for clients and
servers.
> >> Reverse is only mandatory for servers, but having them right will
work
> >> wonders. Most kerberos problems are about DNS problems.
> >> 5. You need a keytab. This keytab needs to hold entries like
> >> IMAP/your.host.name at REALM  and IMAP/$HOSTNAME at REALM. You can
generate
> >> these on any Windows DC server (at least).
> > I believe I am good on 1,2 and 4.  I downloaded and installed kerberos
and tested it with kinit
> > and klist according to the instructions at
> >
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> >
> > As to the the keytab (#5) I did the following:
> >
> > $ samba-tool domain exportkeytab /etc/krb5.keytab
> >
> > which created the file.  I made this owned and readable by group
dovecot, per instructions at
> > http://wiki2.dovecot.org/Authentication/Kerberos.  Running `klist -k
/etc/krb5.keytab` shows me
> > configuration listing all the users and computers in the domain,
mostly in triplicate.  A
> > partial list:
> >
> > Keytab name: FILE:/etc/krb5.keytab
> > KVNO Principal
> > ----
--------------------------------------------------------------------------
> >    18 COMMON$@HPRS.LOCAL
> >    18 COMMON$@HPRS.LOCAL
> >    18 COMMON$@HPRS.LOCAL
> >     1 MAIL$@HPRS.LOCAL
> >     1 MAIL$@HPRS.LOCAL
> >     1 MAIL$@HPRS.LOCAL
> >     1 charmaine at HPRS.LOCAL
> >     1 charmaine at HPRS.LOCAL
> >     1 charmaine at HPRS.LOCAL
> >
> > where COMMON and MAIL are hosts and charmaine is a user. I don't
really understand the listing,
> > but am assuming it is OK.
>
> Strange that you do not have any host/ entries. Maybe it works without.
>
> >> setspn -q is helpful here, also setspn command in general.
> > I have no such command in my system. Is that a Windows thing?
> >
>
> Yes, but you can do those kind of things in Samba too.
>
> > As to the /etc/krb5.conf, the default one generated by samba is:
> >
> > [libdefaults]
> >          default_realm = HPRS.LOCAL
> >          dns_lookup_realm = false
> >          dns_lookup_kdc = true
> >
> > I'd like to modify that to your suggestions, but I need more help.
You have (with my questions):
> >
> >> Here is a *SAMPLE* configuration:
> >>
> >> [libdefaults]
> >>          default_realm = YOUR.REALM
> >>          dns_lookup_kdc = true
> >>          krb4_config = /etc/krb.conf
> >>          krb4_realms = /etc/krb.realms
> > Here, you have krb4_*. Do you mean that? My config file is krb5.conf.
Should I rather have:
>
> You can remove the krb4_ stuff
>
> > 	krb5_config = /etc/krb5.conf
> >
> > Also, I have no /etc/krb*.realms file. Do I need this? If so, what
should be in there?
> You don't necessarely require that.
>
> >>          kdc_timesync = 1
> >>          ccache_type = 4
> >>          forwardable = true
> >>          proxiable = true
> >>          fcc-mit-ticketflags = true
> >>
> >> [realms]
> >>          YOUR.REALM = {
> >>                  default_domain = your.domain.name
> >>                  auth_to_local_names = {
> >>                          Administrator = root
> >>                  }
> >>          }
> > I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my
"your.domain.name" my FQDN for my AD
> > server: mail.hprs.local, or is it just hprs.local? (or something
else!)
>
> HPRS.LOCAL is your REALM, hprs.local is your domain name.
> >
> >> [domain_realm]
> >>        your.domain.name = YOUR.REALM
> >> # this is not a mistake
> >>        .your.domain.name = YOUR.REALM
> >> [login]
> >>          krb4_convert = true
> >>          krb4_get_tickets = false
> > Likewise here a question on the whole krb4 versus krb5 thing.
> >
> > Your closing comment:
> >
> >> Also, note that kerberos can only act as AUTHENTICATION system. It
> >> cannot act as USER DATABASE. For that you need to configure LDAP
or
> >> something else. With Active Directory LDAP is probably a damn good
idea.
> > I have the following doveconf -n:
> >
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_krb5_keytab = /etc/krb5.keytab
> > auth_mechanisms = plain login gssapi
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > passdb {
> >    driver = shadow
> > }
> > protocols = imap
> > ssl_cert =
</etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> > userdb {
> >    driver = passwd
> > }
> > verbose_ssl = yes
> >
> > I assume the passwd driver for the userdb is OK? Seems to me it should
work with gssapi, but in
> > any case I still have all but this test workstation NOT using gssapi,
so I still need to
> > accomodate them.
> >
> > Thanks, --Mark
> passwd driver is fine, yes, if you ensure that users can be found.
>
> Aki
>

> On June 28, 2016 at 5:17 PM Mark Foley <mfoley at ohprs.org> wrote:
> 
> 
> Aki - made your suggested changes, but no joy :(
> 
> My /etc/krb5.conf:
> 
> ------SNIP--------
> [libdefaults]
>   default_realm = HPRS.LOCAL
>   dns_lookup_realm = false
>   dns_lookup_kdc = true
> 
> [libdefaults]
>   default_realm = HPRS.LOCAL
>   dns_lookup_kdc = true
>   kdc_timesync = 1
>   ccache_type = 4
>   forwardable = true
>   proxiable = true
>   fcc-mit-ticketflags = true
> 
> [realms]
>   HPRS.LOCAL = {
>     default_domain = hprs.local
>     auth_to_local_names = {
>     Administrator = root
>   }
> }
> 
> [domain_realm]
>     hprs.local = HPRS.LOCAL
> # this is not a mistake
>     .hprs.local = HPRS.LOCAL
> ------PINS-----------
> 
> you wrote:
> > You can remove the krb4_ stuff
> 
> I've remove krb4_ stuff from the [libdefaults] and eliminated the
[login] section altogether.
> Question on [realms]Administrator: should that really be root or should it
be my AD Administrator?
> 
> my doveconf -n is exactly the same as posted below, but in particular:
> 
> auth_krb5_keytab = /etc/krb5.keytab
> auth_mechanisms = plain login gssapi
> 
> When I reloaded dovecot no mail was delivered to anyone (even though
everyone was still using
> plain/ssl, no one yet configured for gssapi).
> 
> In /var/log/maillog I got (repeatedly):
> 
> Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not
responding, delayed sending initial response (greeting): user=<>,
rip=192.168.0.54, lip=192.168.0.2, session=<Jy/e0lY2WADAqAA2>
> Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism
'gssapi'
> Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup
failed, throttling for 60 secs
> Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not
responding, delayed sending initial response (greeting): user=<>,
rip=166.170.27.161, lip=98.102.63.107, TLS, session=</GXn0lY22wCmqhuh>
> 
> This looks pretty bad right off. Why "Unknown authentication mechanism
'gssapi'"?
> 
> Do you have any idea from the configs I've posted? I'm rather
depressed about this. I thought I'd
> finally able to get AD authentication going for Dovecot. Not ready to give
up though!
> 
> Suggestions?
> 
> THX -- Mark
> 
> -----original Message-----
> > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config
example]
> > To: dovecot at dovecot.org
> > From: Aki Tuomi <aki.tuomi at dovecot.fi>
> > Date: Tue, 28 Jun 2016 15:13:11 +0300
> >
> > On 28.06.2016 09:27, Mark Foley wrote:
> > > Aki,
> > >
> > > To review your 5 points:
> > >
> > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tuomi at
dovecot.fi> wrote:
> > >
> > >> 1. Functional AD or Kerberos environment
> > >> 2. Time synced against your KDC (which is your Domain
Controller on Windows)
> > >> 3. /etc/krb5.conf configured
> > >> 4. Both forward / reverse DNS names correct for clients and
servers.
> > >> Reverse is only mandatory for servers, but having them right
will work
> > >> wonders. Most kerberos problems are about DNS problems.
> > >> 5. You need a keytab. This keytab needs to hold entries like
> > >> IMAP/your.host.name at REALM  and IMAP/$HOSTNAME at REALM.
You can generate
> > >> these on any Windows DC server (at least).
> > > I believe I am good on 1,2 and 4.  I downloaded and installed
kerberos and tested it with kinit
> > > and klist according to the instructions at
> > >
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> > >
> > > As to the the keytab (#5) I did the following:
> > >
> > > $ samba-tool domain exportkeytab /etc/krb5.keytab
> > >
> > > which created the file.  I made this owned and readable by group
dovecot, per instructions at
> > > http://wiki2.dovecot.org/Authentication/Kerberos.  Running `klist
-k /etc/krb5.keytab` shows me
> > > configuration listing all the users and computers in the domain,
mostly in triplicate.  A
> > > partial list:
> > >
> > > Keytab name: FILE:/etc/krb5.keytab
> > > KVNO Principal
> > > ----
--------------------------------------------------------------------------
> > >    18 COMMON$@HPRS.LOCAL
> > >    18 COMMON$@HPRS.LOCAL
> > >    18 COMMON$@HPRS.LOCAL
> > >     1 MAIL$@HPRS.LOCAL
> > >     1 MAIL$@HPRS.LOCAL
> > >     1 MAIL$@HPRS.LOCAL
> > >     1 charmaine at HPRS.LOCAL
> > >     1 charmaine at HPRS.LOCAL
> > >     1 charmaine at HPRS.LOCAL
> > >
> > > where COMMON and MAIL are hosts and charmaine is a user. I
don't really understand the listing,
> > > but am assuming it is OK.
> >
> > Strange that you do not have any host/ entries. Maybe it works
without.
> >
> > >> setspn -q is helpful here, also setspn command in general.
> > > I have no such command in my system. Is that a Windows thing?
> > >
> >
> > Yes, but you can do those kind of things in Samba too.
> >
> > > As to the /etc/krb5.conf, the default one generated by samba is:
> > >
> > > [libdefaults]
> > >          default_realm = HPRS.LOCAL
> > >          dns_lookup_realm = false
> > >          dns_lookup_kdc = true
> > >
> > > I'd like to modify that to your suggestions, but I need more
help. You have (with my questions):
> > >
> > >> Here is a *SAMPLE* configuration:
> > >>
> > >> [libdefaults]
> > >>          default_realm = YOUR.REALM
> > >>          dns_lookup_kdc = true
> > >>          krb4_config = /etc/krb.conf
> > >>          krb4_realms = /etc/krb.realms
> > > Here, you have krb4_*. Do you mean that? My config file is
krb5.conf. Should I rather have:
> >
> > You can remove the krb4_ stuff
> >
> > > 	krb5_config = /etc/krb5.conf
> > >
> > > Also, I have no /etc/krb*.realms file. Do I need this? If so,
what should be in there?
> > You don't necessarely require that.
> >
> > >>          kdc_timesync = 1
> > >>          ccache_type = 4
> > >>          forwardable = true
> > >>          proxiable = true
> > >>          fcc-mit-ticketflags = true
> > >>
> > >> [realms]
> > >>          YOUR.REALM = {
> > >>                  default_domain = your.domain.name
> > >>                  auth_to_local_names = {
> > >>                          Administrator = root
> > >>                  }
> > >>          }
> > > I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my
"your.domain.name" my FQDN for my AD
> > > server: mail.hprs.local, or is it just hprs.local? (or something
else!)
> >
> > HPRS.LOCAL is your REALM, hprs.local is your domain name.
> > >
> > >> [domain_realm]
> > >>        your.domain.name = YOUR.REALM
> > >> # this is not a mistake
> > >>        .your.domain.name = YOUR.REALM
> > >> [login]
> > >>          krb4_convert = true
> > >>          krb4_get_tickets = false
> > > Likewise here a question on the whole krb4 versus krb5 thing.
> > >
> > > Your closing comment:
> > >
> > >> Also, note that kerberos can only act as AUTHENTICATION
system. It
> > >> cannot act as USER DATABASE. For that you need to configure
LDAP or
> > >> something else. With Active Directory LDAP is probably a damn
good idea.
> > > I have the following doveconf -n:
> > >
> > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > auth_debug_passwords = yes
> > > auth_krb5_keytab = /etc/krb5.keytab
> > > auth_mechanisms = plain login gssapi
> > > auth_verbose = yes
> > > auth_verbose_passwords = plain
> > > disable_plaintext_auth = no
> > > info_log_path = /var/log/dovecot_info
> > > mail_location = maildir:~/Maildir
> > > passdb {
> > >    driver = shadow
> > > }
> > > protocols = imap
> > > ssl_cert =
</etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> > > userdb {
> > >    driver = passwd
> > > }
> > > verbose_ssl = yes
> > >
> > > I assume the passwd driver for the userdb is OK? Seems to me it
should work with gssapi, but in
> > > any case I still have all but this test workstation NOT using
gssapi, so I still need to
> > > accomodate them.
> > >
> > > Thanks, --Mark
> > passwd driver is fine, yes, if you ensure that users can be found.
> >
> > Aki
> >
Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile
it yourself?

I'll try to check status of NTLM this week.

Aki

Aki, you wrote:
> Doh. Seems your dovecot isn't compiled with gssapi support? Can you
compile it yourself?
>
> I'll try to check status of NTLM this week.
I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.

I do have the Dovecot sources and will peruse the possible options after I send
this.  I am on
version 2.2.15 and I see that the current downloadable version is 2.2.24. 
Should I upgrade? Do
you think that would help? (a perusal of the changes since 2.2.15 shows nothing
obvious
realated to gssapi)

--Mark

-----Original Message-----
> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
> From: aki.tuomi at dovecot.fi
> To: dovecot at dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config
example]
>
> > On June 28, 2016 at 5:17 PM Mark Foley <mfoley at ohprs.org>
wrote:
> > 
> > 
> > Aki - made your suggested changes, but no joy :(
> > 
> > My /etc/krb5.conf:
> > 
> > ------SNIP--------
> > [libdefaults]
> >   default_realm = HPRS.LOCAL
> >   dns_lookup_realm = false
> >   dns_lookup_kdc = true
> > 
> > [libdefaults]
> >   default_realm = HPRS.LOCAL
> >   dns_lookup_kdc = true
> >   kdc_timesync = 1
> >   ccache_type = 4
> >   forwardable = true
> >   proxiable = true
> >   fcc-mit-ticketflags = true
> > 
> > [realms]
> >   HPRS.LOCAL = {
> >     default_domain = hprs.local
> >     auth_to_local_names = {
> >     Administrator = root
> >   }
> > }
> > 
> > [domain_realm]
> >     hprs.local = HPRS.LOCAL
> > # this is not a mistake
> >     .hprs.local = HPRS.LOCAL
> > ------PINS-----------
> > 
> > you wrote:
> > > You can remove the krb4_ stuff
> > 
> > I've remove krb4_ stuff from the [libdefaults] and eliminated the
[login] section altogether.
> > Question on [realms]Administrator: should that really be root or
should it be my AD Administrator?
> > 
> > my doveconf -n is exactly the same as posted below, but in particular:
> > 
> > auth_krb5_keytab = /etc/krb5.keytab
> > auth_mechanisms = plain login gssapi
> > 
> > When I reloaded dovecot no mail was delivered to anyone (even though
everyone was still using
> > plain/ssl, no one yet configured for gssapi).
> > 
> > In /var/log/maillog I got (repeatedly):
> > 
> > Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not
responding, delayed sending initial response (greeting): user=<>,
rip=192.168.0.54, lip=192.168.0.2, session=<Jy/e0lY2WADAqAA2>
> > Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication
mechanism 'gssapi'
> > Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command
startup failed, throttling for 60 secs
> > Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not
responding, delayed sending initial response (greeting): user=<>,
rip=166.170.27.161, lip=98.102.63.107, TLS, session=</GXn0lY22wCmqhuh>
> > 
> > This looks pretty bad right off. Why "Unknown authentication
mechanism 'gssapi'"?
> > 
> > Do you have any idea from the configs I've posted? I'm rather
depressed about this. I thought I'd
> > finally able to get AD authentication going for Dovecot. Not ready to
give up though!
> > 
> > Suggestions?
> > 
> > THX -- Mark
> > 
> > -----original Message-----
> > > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM
config example]
> > > To: dovecot at dovecot.org
> > > From: Aki Tuomi <aki.tuomi at dovecot.fi>
> > > Date: Tue, 28 Jun 2016 15:13:11 +0300
> > >
> > > On 28.06.2016 09:27, Mark Foley wrote:
> > > > Aki,
> > > >
> > > > To review your 5 points:
> > > >
> > > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tuomi
at dovecot.fi> wrote:
> > > >
> > > >> 1. Functional AD or Kerberos environment
> > > >> 2. Time synced against your KDC (which is your Domain
Controller on Windows)
> > > >> 3. /etc/krb5.conf configured
> > > >> 4. Both forward / reverse DNS names correct for clients
and servers.
> > > >> Reverse is only mandatory for servers, but having them
right will work
> > > >> wonders. Most kerberos problems are about DNS problems.
> > > >> 5. You need a keytab. This keytab needs to hold entries
like
> > > >> IMAP/your.host.name at REALM  and IMAP/$HOSTNAME at
REALM. You can generate
> > > >> these on any Windows DC server (at least).
> > > > I believe I am good on 1,2 and 4.  I downloaded and
installed kerberos and tested it with kinit
> > > > and klist according to the instructions at
> > > >
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> > > >
> > > > As to the the keytab (#5) I did the following:
> > > >
> > > > $ samba-tool domain exportkeytab /etc/krb5.keytab
> > > >
> > > > which created the file.  I made this owned and readable by
group dovecot, per instructions at
> > > > http://wiki2.dovecot.org/Authentication/Kerberos.  Running
`klist -k /etc/krb5.keytab` shows me
> > > > configuration listing all the users and computers in the
domain, mostly in triplicate.  A
> > > > partial list:
> > > >
> > > > Keytab name: FILE:/etc/krb5.keytab
> > > > KVNO Principal
> > > > ----
--------------------------------------------------------------------------
> > > >    18 COMMON$@HPRS.LOCAL
> > > >    18 COMMON$@HPRS.LOCAL
> > > >    18 COMMON$@HPRS.LOCAL
> > > >     1 MAIL$@HPRS.LOCAL
> > > >     1 MAIL$@HPRS.LOCAL
> > > >     1 MAIL$@HPRS.LOCAL
> > > >     1 charmaine at HPRS.LOCAL
> > > >     1 charmaine at HPRS.LOCAL
> > > >     1 charmaine at HPRS.LOCAL
> > > >
> > > > where COMMON and MAIL are hosts and charmaine is a user. I
don't really understand the listing,
> > > > but am assuming it is OK.
> > >
> > > Strange that you do not have any host/ entries. Maybe it works
without.
> > >
> > > >> setspn -q is helpful here, also setspn command in
general.
> > > > I have no such command in my system. Is that a Windows
thing?
> > > >
> > >
> > > Yes, but you can do those kind of things in Samba too.
> > >
> > > > As to the /etc/krb5.conf, the default one generated by samba
is:
> > > >
> > > > [libdefaults]
> > > >          default_realm = HPRS.LOCAL
> > > >          dns_lookup_realm = false
> > > >          dns_lookup_kdc = true
> > > >
> > > > I'd like to modify that to your suggestions, but I need
more help. You have (with my questions):
> > > >
> > > >> Here is a *SAMPLE* configuration:
> > > >>
> > > >> [libdefaults]
> > > >>          default_realm = YOUR.REALM
> > > >>          dns_lookup_kdc = true
> > > >>          krb4_config = /etc/krb.conf
> > > >>          krb4_realms = /etc/krb.realms
> > > > Here, you have krb4_*. Do you mean that? My config file is
krb5.conf. Should I rather have:
> > >
> > > You can remove the krb4_ stuff
> > >
> > > > 	krb5_config = /etc/krb5.conf
> > > >
> > > > Also, I have no /etc/krb*.realms file. Do I need this? If
so, what should be in there?
> > > You don't necessarely require that.
> > >
> > > >>          kdc_timesync = 1
> > > >>          ccache_type = 4
> > > >>          forwardable = true
> > > >>          proxiable = true
> > > >>          fcc-mit-ticketflags = true
> > > >>
> > > >> [realms]
> > > >>          YOUR.REALM = {
> > > >>                  default_domain = your.domain.name
> > > >>                  auth_to_local_names = {
> > > >>                          Administrator = root
> > > >>                  }
> > > >>          }
> > > > I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is
my "your.domain.name" my FQDN for my AD
> > > > server: mail.hprs.local, or is it just hprs.local? (or
something else!)
> > >
> > > HPRS.LOCAL is your REALM, hprs.local is your domain name.
> > > >
> > > >> [domain_realm]
> > > >>        your.domain.name = YOUR.REALM
> > > >> # this is not a mistake
> > > >>        .your.domain.name = YOUR.REALM
> > > >> [login]
> > > >>          krb4_convert = true
> > > >>          krb4_get_tickets = false
> > > > Likewise here a question on the whole krb4 versus krb5
thing.
> > > >
> > > > Your closing comment:
> > > >
> > > >> Also, note that kerberos can only act as AUTHENTICATION
system. It
> > > >> cannot act as USER DATABASE. For that you need to
configure LDAP or
> > > >> something else. With Active Directory LDAP is probably a
damn good idea.
> > > > I have the following doveconf -n:
> > > >
> > > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > > auth_debug_passwords = yes
> > > > auth_krb5_keytab = /etc/krb5.keytab
> > > > auth_mechanisms = plain login gssapi
> > > > auth_verbose = yes
> > > > auth_verbose_passwords = plain
> > > > disable_plaintext_auth = no
> > > > info_log_path = /var/log/dovecot_info
> > > > mail_location = maildir:~/Maildir
> > > > passdb {
> > > >    driver = shadow
> > > > }
> > > > protocols = imap
> > > > ssl_cert =
</etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > > > ssl_key =
</etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> > > > userdb {
> > > >    driver = passwd
> > > > }
> > > > verbose_ssl = yes
> > > >
> > > > I assume the passwd driver for the userdb is OK? Seems to me
it should work with gssapi, but in
> > > > any case I still have all but this test workstation NOT
using gssapi, so I still need to
> > > > accomodate them.
> > > >
> > > > Thanks, --Mark
> > > passwd driver is fine, yes, if you ensure that users can be
found.
> > >
> > > Aki
> > >
>
> Doh. Seems your dovecot isn't compiled with gssapi support? Can you
compile it yourself?
>
> I'll try to check status of NTLM this week.
>
> Aki
>