Mark Foley
2016-Jun-29 02:04 UTC
Looking for GSSAPI config [was: Looking for NTLM config example]
Aki, you wrote:> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself? > > I'll try to check status of NTLM this week.I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1. I do have the Dovecot sources and will peruse the possible options after I send this. I am on version 2.2.15 and I see that the current downloadable version is 2.2.24. Should I upgrade? Do you think that would help? (a perusal of the changes since 2.2.15 shows nothing obvious realated to gssapi) --Mark -----Original Message-----> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST) > From: aki.tuomi at dovecot.fi > To: dovecot at dovecot.org > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example] > > > On June 28, 2016 at 5:17 PM Mark Foley <mfoley at ohprs.org> wrote: > > > > > > Aki - made your suggested changes, but no joy :( > > > > My /etc/krb5.conf: > > > > ------SNIP-------- > > [libdefaults] > > default_realm = HPRS.LOCAL > > dns_lookup_realm = false > > dns_lookup_kdc = true > > > > [libdefaults] > > default_realm = HPRS.LOCAL > > dns_lookup_kdc = true > > kdc_timesync = 1 > > ccache_type = 4 > > forwardable = true > > proxiable = true > > fcc-mit-ticketflags = true > > > > [realms] > > HPRS.LOCAL = { > > default_domain = hprs.local > > auth_to_local_names = { > > Administrator = root > > } > > } > > > > [domain_realm] > > hprs.local = HPRS.LOCAL > > # this is not a mistake > > .hprs.local = HPRS.LOCAL > > ------PINS----------- > > > > you wrote: > > > You can remove the krb4_ stuff > > > > I've remove krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether. > > Question on [realms]Administrator: should that really be root or should it be my AD Administrator? > > > > my doveconf -n is exactly the same as posted below, but in particular: > > > > auth_krb5_keytab = /etc/krb5.keytab > > auth_mechanisms = plain login gssapi > > > > When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using > > plain/ssl, no one yet configured for gssapi). > > > > In /var/log/maillog I got (repeatedly): > > > > Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=<Jy/e0lY2WADAqAA2> > > Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi' > > Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs > > Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=</GXn0lY22wCmqhuh> > > > > This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"? > > > > Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd > > finally able to get AD authentication going for Dovecot. Not ready to give up though! > > > > Suggestions? > > > > THX -- Mark > > > > -----original Message----- > > > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example] > > > To: dovecot at dovecot.org > > > From: Aki Tuomi <aki.tuomi at dovecot.fi> > > > Date: Tue, 28 Jun 2016 15:13:11 +0300 > > > > > > On 28.06.2016 09:27, Mark Foley wrote: > > > > Aki, > > > > > > > > To review your 5 points: > > > > > > > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tuomi at dovecot.fi> wrote: > > > > > > > >> 1. Functional AD or Kerberos environment > > > >> 2. Time synced against your KDC (which is your Domain Controller on Windows) > > > >> 3. /etc/krb5.conf configured > > > >> 4. Both forward / reverse DNS names correct for clients and servers. > > > >> Reverse is only mandatory for servers, but having them right will work > > > >> wonders. Most kerberos problems are about DNS problems. > > > >> 5. You need a keytab. This keytab needs to hold entries like > > > >> IMAP/your.host.name at REALM and IMAP/$HOSTNAME at REALM. You can generate > > > >> these on any Windows DC server (at least). > > > > I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit > > > > and klist according to the instructions at > > > > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos > > > > > > > > As to the the keytab (#5) I did the following: > > > > > > > > $ samba-tool domain exportkeytab /etc/krb5.keytab > > > > > > > > which created the file. I made this owned and readable by group dovecot, per instructions at > > > > http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me > > > > configuration listing all the users and computers in the domain, mostly in triplicate. A > > > > partial list: > > > > > > > > Keytab name: FILE:/etc/krb5.keytab > > > > KVNO Principal > > > > ---- -------------------------------------------------------------------------- > > > > 18 COMMON$@HPRS.LOCAL > > > > 18 COMMON$@HPRS.LOCAL > > > > 18 COMMON$@HPRS.LOCAL > > > > 1 MAIL$@HPRS.LOCAL > > > > 1 MAIL$@HPRS.LOCAL > > > > 1 MAIL$@HPRS.LOCAL > > > > 1 charmaine at HPRS.LOCAL > > > > 1 charmaine at HPRS.LOCAL > > > > 1 charmaine at HPRS.LOCAL > > > > > > > > where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing, > > > > but am assuming it is OK. > > > > > > Strange that you do not have any host/ entries. Maybe it works without. > > > > > > >> setspn -q is helpful here, also setspn command in general. > > > > I have no such command in my system. Is that a Windows thing? > > > > > > > > > > Yes, but you can do those kind of things in Samba too. > > > > > > > As to the /etc/krb5.conf, the default one generated by samba is: > > > > > > > > [libdefaults] > > > > default_realm = HPRS.LOCAL > > > > dns_lookup_realm = false > > > > dns_lookup_kdc = true > > > > > > > > I'd like to modify that to your suggestions, but I need more help. You have (with my questions): > > > > > > > >> Here is a *SAMPLE* configuration: > > > >> > > > >> [libdefaults] > > > >> default_realm = YOUR.REALM > > > >> dns_lookup_kdc = true > > > >> krb4_config = /etc/krb.conf > > > >> krb4_realms = /etc/krb.realms > > > > Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have: > > > > > > You can remove the krb4_ stuff > > > > > > > krb5_config = /etc/krb5.conf > > > > > > > > Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there? > > > You don't necessarely require that. > > > > > > >> kdc_timesync = 1 > > > >> ccache_type = 4 > > > >> forwardable = true > > > >> proxiable = true > > > >> fcc-mit-ticketflags = true > > > >> > > > >> [realms] > > > >> YOUR.REALM = { > > > >> default_domain = your.domain.name > > > >> auth_to_local_names = { > > > >> Administrator = root > > > >> } > > > >> } > > > > I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD > > > > server: mail.hprs.local, or is it just hprs.local? (or something else!) > > > > > > HPRS.LOCAL is your REALM, hprs.local is your domain name. > > > > > > > >> [domain_realm] > > > >> your.domain.name = YOUR.REALM > > > >> # this is not a mistake > > > >> .your.domain.name = YOUR.REALM > > > >> [login] > > > >> krb4_convert = true > > > >> krb4_get_tickets = false > > > > Likewise here a question on the whole krb4 versus krb5 thing. > > > > > > > > Your closing comment: > > > > > > > >> Also, note that kerberos can only act as AUTHENTICATION system. It > > > >> cannot act as USER DATABASE. For that you need to configure LDAP or > > > >> something else. With Active Directory LDAP is probably a damn good idea. > > > > I have the following doveconf -n: > > > > > > > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > > > > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > > > > auth_debug_passwords = yes > > > > auth_krb5_keytab = /etc/krb5.keytab > > > > auth_mechanisms = plain login gssapi > > > > auth_verbose = yes > > > > auth_verbose_passwords = plain > > > > disable_plaintext_auth = no > > > > info_log_path = /var/log/dovecot_info > > > > mail_location = maildir:~/Maildir > > > > passdb { > > > > driver = shadow > > > > } > > > > protocols = imap > > > > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt > > > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key > > > > userdb { > > > > driver = passwd > > > > } > > > > verbose_ssl = yes > > > > > > > > I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in > > > > any case I still have all but this test workstation NOT using gssapi, so I still need to > > > > accomodate them. > > > > > > > > Thanks, --Mark > > > passwd driver is fine, yes, if you ensure that users can be found. > > > > > > Aki > > > > > Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself? > > I'll try to check status of NTLM this week. > > Aki >
Mark Foley
2016-Jun-29 03:32 UTC
Looking for GSSAPI config [was: Looking for NTLM config example]
Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is delivered successfully to the other domain users having PLAIN authentication. That's a big step. In examining my original config.log output I apparently did not have --with-gssapi enabled. HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still cannot correctly authenticate and retrieve mail. Here is the dovecot log for that host: Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges Jun 28 22:44:05 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth Jun 28 22:44:05 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076) Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.58] Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58] Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58] Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, session=<WeZyumE25wDAqAA6> Does this tell you anything? `doveconf -n` and krb5.conf are configured as shown in previous messages below. Closer! --Mark -----Original Message----- From: Mark Foley <mfoley at ohprs.org> Date: Tue, 28 Jun 2016 22:04:42 -0400 To: dovecot at dovecot.org Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example] Aki, you wrote:> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself? > > I'll try to check status of NTLM this week.I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1. I do have the Dovecot sources and will peruse the possible options after I send this. I am on version 2.2.15 and I see that the current downloadable version is 2.2.24. Should I upgrade? Do you think that would help? (a perusal of the changes since 2.2.15 shows nothing obvious realated to gssapi) --Mark -----Original Message-----> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST) > From: aki.tuomi at dovecot.fi > To: dovecot at dovecot.org > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example] > > > On June 28, 2016 at 5:17 PM Mark Foley <mfoley at ohprs.org> wrote: > > > > > > Aki - made your suggested changes, but no joy :( > > > > My /etc/krb5.conf: > > > > ------SNIP-------- > > [libdefaults] > > default_realm = HPRS.LOCAL > > dns_lookup_realm = false > > dns_lookup_kdc = true > > > > [libdefaults] > > default_realm = HPRS.LOCAL > > dns_lookup_kdc = true > > kdc_timesync = 1 > > ccache_type = 4 > > forwardable = true > > proxiable = true > > fcc-mit-ticketflags = true > > > > [realms] > > HPRS.LOCAL = { > > default_domain = hprs.local > > auth_to_local_names = { > > Administrator = root > > } > > } > > > > [domain_realm] > > hprs.local = HPRS.LOCAL > > # this is not a mistake > > .hprs.local = HPRS.LOCAL > > ------PINS----------- > > > > you wrote: > > > You can remove the krb4_ stuff > > > > I've remove krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether. > > Question on [realms]Administrator: should that really be root or should it be my AD Administrator? > > > > my doveconf -n is exactly the same as posted below, but in particular: > > > > auth_krb5_keytab = /etc/krb5.keytab > > auth_mechanisms = plain login gssapi > > > > When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using > > plain/ssl, no one yet configured for gssapi). > > > > In /var/log/maillog I got (repeatedly): > > > > Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=<Jy/e0lY2WADAqAA2> > > Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi' > > Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs > > Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=</GXn0lY22wCmqhuh> > > > > This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"? > > > > Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd > > finally able to get AD authentication going for Dovecot. Not ready to give up though! > > > > Suggestions? > > > > THX -- Mark > > > > -----original Message----- > > > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example] > > > To: dovecot at dovecot.org > > > From: Aki Tuomi <aki.tuomi at dovecot.fi> > > > Date: Tue, 28 Jun 2016 15:13:11 +0300 > > > > > > On 28.06.2016 09:27, Mark Foley wrote: > > > > Aki, > > > > > > > > To review your 5 points: > > > > > > > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tuomi at dovecot.fi> wrote: > > > > > > > >> 1. Functional AD or Kerberos environment > > > >> 2. Time synced against your KDC (which is your Domain Controller on Windows) > > > >> 3. /etc/krb5.conf configured > > > >> 4. Both forward / reverse DNS names correct for clients and servers. > > > >> Reverse is only mandatory for servers, but having them right will work > > > >> wonders. Most kerberos problems are about DNS problems. > > > >> 5. You need a keytab. This keytab needs to hold entries like > > > >> IMAP/your.host.name at REALM and IMAP/$HOSTNAME at REALM. You can generate > > > >> these on any Windows DC server (at least). > > > > I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit > > > > and klist according to the instructions at > > > > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos > > > > > > > > As to the the keytab (#5) I did the following: > > > > > > > > $ samba-tool domain exportkeytab /etc/krb5.keytab > > > > > > > > which created the file. I made this owned and readable by group dovecot, per instructions at > > > > http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me > > > > configuration listing all the users and computers in the domain, mostly in triplicate. A > > > > partial list: > > > > > > > > Keytab name: FILE:/etc/krb5.keytab > > > > KVNO Principal > > > > ---- -------------------------------------------------------------------------- > > > > 18 COMMON$@HPRS.LOCAL > > > > 18 COMMON$@HPRS.LOCAL > > > > 18 COMMON$@HPRS.LOCAL > > > > 1 MAIL$@HPRS.LOCAL > > > > 1 MAIL$@HPRS.LOCAL > > > > 1 MAIL$@HPRS.LOCAL > > > > 1 charmaine at HPRS.LOCAL > > > > 1 charmaine at HPRS.LOCAL > > > > 1 charmaine at HPRS.LOCAL > > > > > > > > where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing, > > > > but am assuming it is OK. > > > > > > Strange that you do not have any host/ entries. Maybe it works without. > > > > > > >> setspn -q is helpful here, also setspn command in general. > > > > I have no such command in my system. Is that a Windows thing? > > > > > > > > > > Yes, but you can do those kind of things in Samba too. > > > > > > > As to the /etc/krb5.conf, the default one generated by samba is: > > > > > > > > [libdefaults] > > > > default_realm = HPRS.LOCAL > > > > dns_lookup_realm = false > > > > dns_lookup_kdc = true > > > > > > > > I'd like to modify that to your suggestions, but I need more help. You have (with my questions): > > > > > > > >> Here is a *SAMPLE* configuration: > > > >> > > > >> [libdefaults] > > > >> default_realm = YOUR.REALM > > > >> dns_lookup_kdc = true > > > >> krb4_config = /etc/krb.conf > > > >> krb4_realms = /etc/krb.realms > > > > Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have: > > > > > > You can remove the krb4_ stuff > > > > > > > krb5_config = /etc/krb5.conf > > > > > > > > Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there? > > > You don't necessarely require that. > > > > > > >> kdc_timesync = 1 > > > >> ccache_type = 4 > > > >> forwardable = true > > > >> proxiable = true > > > >> fcc-mit-ticketflags = true > > > >> > > > >> [realms] > > > >> YOUR.REALM = { > > > >> default_domain = your.domain.name > > > >> auth_to_local_names = { > > > >> Administrator = root > > > >> } > > > >> } > > > > I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD > > > > server: mail.hprs.local, or is it just hprs.local? (or something else!) > > > > > > HPRS.LOCAL is your REALM, hprs.local is your domain name. > > > > > > > >> [domain_realm] > > > >> your.domain.name = YOUR.REALM > > > >> # this is not a mistake > > > >> .your.domain.name = YOUR.REALM > > > >> [login] > > > >> krb4_convert = true > > > >> krb4_get_tickets = false > > > > Likewise here a question on the whole krb4 versus krb5 thing. > > > > > > > > Your closing comment: > > > > > > > >> Also, note that kerberos can only act as AUTHENTICATION system. It > > > >> cannot act as USER DATABASE. For that you need to configure LDAP or > > > >> something else. With Active Directory LDAP is probably a damn good idea. > > > > I have the following doveconf -n: > > > > > > > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > > > > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > > > > auth_debug_passwords = yes > > > > auth_krb5_keytab = /etc/krb5.keytab > > > > auth_mechanisms = plain login gssapi > > > > auth_verbose = yes > > > > auth_verbose_passwords = plain > > > > disable_plaintext_auth = no > > > > info_log_path = /var/log/dovecot_info > > > > mail_location = maildir:~/Maildir > > > > passdb { > > > > driver = shadow > > > > } > > > > protocols = imap > > > > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt > > > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key > > > > userdb { > > > > driver = passwd > > > > } > > > > verbose_ssl = yes > > > > > > > > I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in > > > > any case I still have all but this test workstation NOT using gssapi, so I still need to > > > > accomodate them. > > > > > > > > Thanks, --Mark > > > passwd driver is fine, yes, if you ensure that users can be found. > > > > > > Aki > > > > > Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself? > > I'll try to check status of NTLM this week. > > Aki >
Edgar Pettijohn
2016-Jun-29 03:52 UTC
Looking for GSSAPI config [was: Looking for NTLM config example]
> On Jun 28, 2016, at 10:32 PM, Mark Foley <mfoley at ohprs.org> wrote: > > Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I > don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is > delivered successfully to the other domain users having PLAIN authentication. That's a big > step. In examining my original config.log output I apparently did not have --with-gssapi enabled. > > HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still cannot correctly > authenticate and retrieve mail. Here is the dovecot log for that host: >What does thunderbird tell you?> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges > Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges > Jun 28 22:44:05 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth > Jun 28 22:44:05 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat > Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076) > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.58] > Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58] > Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58] > Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, session=<WeZyumE25wDAqAA6> > > Does this tell you anything? `doveconf -n` and krb5.conf are configured as shown in previous > messages below. > > Closer! --Mark > > -----Original Message----- > From: Mark Foley <mfoley at ohprs.org> > Date: Tue, 28 Jun 2016 22:04:42 -0400 > To: dovecot at dovecot.org > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example] > > Aki, you wrote: > >> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself? >> >> I'll try to check status of NTLM this week. > > I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1. > > I do have the Dovecot sources and will peruse the possible options after I send this. I am on > version 2.2.15 and I see that the current downloadable version is 2.2.24. Should I upgrade? Do > you think that would help? (a perusal of the changes since 2.2.15 shows nothing obvious > realated to gssapi) > > --Mark > > -----Original Message----- >> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST) >> From: aki.tuomi at dovecot.fi >> To: dovecot at dovecot.org >> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example] >> >>> On June 28, 2016 at 5:17 PM Mark Foley <mfoley at ohprs.org> wrote: >>> >>> >>> Aki - made your suggested changes, but no joy :( >>> >>> My /etc/krb5.conf: >>> >>> ------SNIP-------- >>> [libdefaults] >>> default_realm = HPRS.LOCAL >>> dns_lookup_realm = false >>> dns_lookup_kdc = true >>> >>> [libdefaults] >>> default_realm = HPRS.LOCAL >>> dns_lookup_kdc = true >>> kdc_timesync = 1 >>> ccache_type = 4 >>> forwardable = true >>> proxiable = true >>> fcc-mit-ticketflags = true >>> >>> [realms] >>> HPRS.LOCAL = { >>> default_domain = hprs.local >>> auth_to_local_names = { >>> Administrator = root >>> } >>> } >>> >>> [domain_realm] >>> hprs.local = HPRS.LOCAL >>> # this is not a mistake >>> .hprs.local = HPRS.LOCAL >>> ------PINS----------- >>> >>> you wrote: >>>> You can remove the krb4_ stuff >>> >>> I've remove krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether. >>> Question on [realms]Administrator: should that really be root or should it be my AD Administrator? >>> >>> my doveconf -n is exactly the same as posted below, but in particular: >>> >>> auth_krb5_keytab = /etc/krb5.keytab >>> auth_mechanisms = plain login gssapi >>> >>> When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using >>> plain/ssl, no one yet configured for gssapi). >>> >>> In /var/log/maillog I got (repeatedly): >>> >>> Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=<Jy/e0lY2WADAqAA2> >>> Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi' >>> Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs >>> Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=</GXn0lY22wCmqhuh> >>> >>> This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"? >>> >>> Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd >>> finally able to get AD authentication going for Dovecot. Not ready to give up though! >>> >>> Suggestions? >>> >>> THX -- Mark >>> >>> -----original Message----- >>>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example] >>>> To: dovecot at dovecot.org >>>> From: Aki Tuomi <aki.tuomi at dovecot.fi> >>>> Date: Tue, 28 Jun 2016 15:13:11 +0300 >>>> >>>>> On 28.06.2016 09:27, Mark Foley wrote: >>>>> Aki, >>>>> >>>>> To review your 5 points: >>>>> >>>>>> On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tuomi at dovecot.fi> wrote: >>>>>> >>>>>> 1. Functional AD or Kerberos environment >>>>>> 2. Time synced against your KDC (which is your Domain Controller on Windows) >>>>>> 3. /etc/krb5.conf configured >>>>>> 4. Both forward / reverse DNS names correct for clients and servers. >>>>>> Reverse is only mandatory for servers, but having them right will work >>>>>> wonders. Most kerberos problems are about DNS problems. >>>>>> 5. You need a keytab. This keytab needs to hold entries like >>>>>> IMAP/your.host.name at REALM and IMAP/$HOSTNAME at REALM. You can generate >>>>>> these on any Windows DC server (at least). >>>>> I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit >>>>> and klist according to the instructions at >>>>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos >>>>> >>>>> As to the the keytab (#5) I did the following: >>>>> >>>>> $ samba-tool domain exportkeytab /etc/krb5.keytab >>>>> >>>>> which created the file. I made this owned and readable by group dovecot, per instructions at >>>>> http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me >>>>> configuration listing all the users and computers in the domain, mostly in triplicate. A >>>>> partial list: >>>>> >>>>> Keytab name: FILE:/etc/krb5.keytab >>>>> KVNO Principal >>>>> ---- -------------------------------------------------------------------------- >>>>> 18 COMMON$@HPRS.LOCAL >>>>> 18 COMMON$@HPRS.LOCAL >>>>> 18 COMMON$@HPRS.LOCAL >>>>> 1 MAIL$@HPRS.LOCAL >>>>> 1 MAIL$@HPRS.LOCAL >>>>> 1 MAIL$@HPRS.LOCAL >>>>> 1 charmaine at HPRS.LOCAL >>>>> 1 charmaine at HPRS.LOCAL >>>>> 1 charmaine at HPRS.LOCAL >>>>> >>>>> where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing, >>>>> but am assuming it is OK. >>>> >>>> Strange that you do not have any host/ entries. Maybe it works without. >>>> >>>>>> setspn -q is helpful here, also setspn command in general. >>>>> I have no such command in my system. Is that a Windows thing? >>>> >>>> Yes, but you can do those kind of things in Samba too. >>>> >>>>> As to the /etc/krb5.conf, the default one generated by samba is: >>>>> >>>>> [libdefaults] >>>>> default_realm = HPRS.LOCAL >>>>> dns_lookup_realm = false >>>>> dns_lookup_kdc = true >>>>> >>>>> I'd like to modify that to your suggestions, but I need more help. You have (with my questions): >>>>> >>>>>> Here is a *SAMPLE* configuration: >>>>>> >>>>>> [libdefaults] >>>>>> default_realm = YOUR.REALM >>>>>> dns_lookup_kdc = true >>>>>> krb4_config = /etc/krb.conf >>>>>> krb4_realms = /etc/krb.realms >>>>> Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have: >>>> >>>> You can remove the krb4_ stuff >>>> >>>>> krb5_config = /etc/krb5.conf >>>>> >>>>> Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there? >>>> You don't necessarely require that. >>>> >>>>>> kdc_timesync = 1 >>>>>> ccache_type = 4 >>>>>> forwardable = true >>>>>> proxiable = true >>>>>> fcc-mit-ticketflags = true >>>>>> >>>>>> [realms] >>>>>> YOUR.REALM = { >>>>>> default_domain = your.domain.name >>>>>> auth_to_local_names = { >>>>>> Administrator = root >>>>>> } >>>>>> } >>>>> I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD >>>>> server: mail.hprs.local, or is it just hprs.local? (or something else!) >>>> >>>> HPRS.LOCAL is your REALM, hprs.local is your domain name. >>>>> >>>>>> [domain_realm] >>>>>> your.domain.name = YOUR.REALM >>>>>> # this is not a mistake >>>>>> .your.domain.name = YOUR.REALM >>>>>> [login] >>>>>> krb4_convert = true >>>>>> krb4_get_tickets = false >>>>> Likewise here a question on the whole krb4 versus krb5 thing. >>>>> >>>>> Your closing comment: >>>>> >>>>>> Also, note that kerberos can only act as AUTHENTICATION system. It >>>>>> cannot act as USER DATABASE. For that you need to configure LDAP or >>>>>> something else. With Active Directory LDAP is probably a damn good idea. >>>>> I have the following doveconf -n: >>>>> >>>>> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf >>>>> # OS: Linux 3.10.17 x86_64 Slackware 14.1 >>>>> auth_debug_passwords = yes >>>>> auth_krb5_keytab = /etc/krb5.keytab >>>>> auth_mechanisms = plain login gssapi >>>>> auth_verbose = yes >>>>> auth_verbose_passwords = plain >>>>> disable_plaintext_auth = no >>>>> info_log_path = /var/log/dovecot_info >>>>> mail_location = maildir:~/Maildir >>>>> passdb { >>>>> driver = shadow >>>>> } >>>>> protocols = imap >>>>> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt >>>>> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key >>>>> userdb { >>>>> driver = passwd >>>>> } >>>>> verbose_ssl = yes >>>>> >>>>> I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in >>>>> any case I still have all but this test workstation NOT using gssapi, so I still need to >>>>> accomodate them. >>>>> >>>>> Thanks, --Mark >>>> passwd driver is fine, yes, if you ensure that users can be found. >>>> >>>> Aki >> >> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself? >> >> I'll try to check status of NTLM this week. >> >> Aki >>
brendan kearney
2016-Jun-29 12:03 UTC
Looking for GSSAPI config [was: Looking for NTLM config example]
The last log line shows "user=<>". This indicates no credentials were presented. If the rip field matches the client ip you tested from, I would bet the appropriate kerberos ticket (imap/host.domain.tld at REALM) was not pulled for the authentication. On Jun 28, 2016 11:33 PM, "Mark Foley" <mfoley at ohprs.org> wrote:> Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, > and restarted. Now I > don't get that "Unknown authentication mechanism 'gssapi'" message in > maillog, and mail is > delivered successfully to the other domain users having PLAIN > authentication. That's a big > step. In examining my original config.log output I apparently did not have > --with-gssapi enabled. > > HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still > cannot correctly > authenticate and retrieve mail. Here is the dovecot log for that host: > > Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be > used for ECDH and ECDHE key exchanges > Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be > used for ECDH and ECDHE key exchanges > Jun 28 22:44:05 auth: Debug: Loading modules from directory: > /usr/local/lib/dovecot/auth > Jun 28 22:44:05 auth: Debug: Read auth token secret from > /usr/local/var/run/dovecot/auth-token-secret.dat > Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076) > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept > initialization [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept > initialization [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 > read client hello A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read > client hello A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write > server hello A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write > certificate A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write > key exchange A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write > server done A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush > data [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read > client certificate A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read > client certificate A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read > client key exchange A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read > certificate verify A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read > finished A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write > session ticket A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write > change cipher spec A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write > finished A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush > data [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation > finished successfully [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL > negotiation finished successfully [192.168.0.58] > Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58] > Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58] > Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 > secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, > session=<WeZyumE25wDAqAA6> > > Does this tell you anything? `doveconf -n` and krb5.conf are configured as > shown in previous > messages below. > > Closer! --Mark > > -----Original Message----- > From: Mark Foley <mfoley at ohprs.org> > Date: Tue, 28 Jun 2016 22:04:42 -0400 > To: dovecot at dovecot.org > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config > example] > > Aki, you wrote: > > > Doh. Seems your dovecot isn't compiled with gssapi support? Can you > compile it yourself? > > > > I'll try to check status of NTLM this week. > > I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1. > > I do have the Dovecot sources and will peruse the possible options after I > send this. I am on > version 2.2.15 and I see that the current downloadable version is 2.2.24. > Should I upgrade? Do > you think that would help? (a perusal of the changes since 2.2.15 shows > nothing obvious > realated to gssapi) > > --Mark > > -----Original Message----- > > Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST) > > From: aki.tuomi at dovecot.fi > > To: dovecot at dovecot.org > > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config > example] > > > > > On June 28, 2016 at 5:17 PM Mark Foley <mfoley at ohprs.org> wrote: > > > > > > > > > Aki - made your suggested changes, but no joy :( > > > > > > My /etc/krb5.conf: > > > > > > ------SNIP-------- > > > [libdefaults] > > > default_realm = HPRS.LOCAL > > > dns_lookup_realm = false > > > dns_lookup_kdc = true > > > > > > [libdefaults] > > > default_realm = HPRS.LOCAL > > > dns_lookup_kdc = true > > > kdc_timesync = 1 > > > ccache_type = 4 > > > forwardable = true > > > proxiable = true > > > fcc-mit-ticketflags = true > > > > > > [realms] > > > HPRS.LOCAL = { > > > default_domain = hprs.local > > > auth_to_local_names = { > > > Administrator = root > > > } > > > } > > > > > > [domain_realm] > > > hprs.local = HPRS.LOCAL > > > # this is not a mistake > > > .hprs.local = HPRS.LOCAL > > > ------PINS----------- > > > > > > you wrote: > > > > You can remove the krb4_ stuff > > > > > > I've remove krb4_ stuff from the [libdefaults] and eliminated the > [login] section altogether. > > > Question on [realms]Administrator: should that really be root or > should it be my AD Administrator? > > > > > > my doveconf -n is exactly the same as posted below, but in particular: > > > > > > auth_krb5_keytab = /etc/krb5.keytab > > > auth_mechanisms = plain login gssapi > > > > > > When I reloaded dovecot no mail was delivered to anyone (even though > everyone was still using > > > plain/ssl, no one yet configured for gssapi). > > > > > > In /var/log/maillog I got (repeatedly): > > > > > > Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not > responding, delayed sending initial response (greeting): user=<>, > rip=192.168.0.54, lip=192.168.0.2, session=<Jy/e0lY2WADAqAA2> > > > Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication > mechanism 'gssapi' > > > Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command > startup failed, throttling for 60 secs > > > Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not > responding, delayed sending initial response (greeting): user=<>, > rip=166.170.27.161, lip=98.102.63.107, TLS, session=</GXn0lY22wCmqhuh> > > > > > > This looks pretty bad right off. Why "Unknown authentication mechanism > 'gssapi'"? > > > > > > Do you have any idea from the configs I've posted? I'm rather > depressed about this. I thought I'd > > > finally able to get AD authentication going for Dovecot. Not ready to > give up though! > > > > > > Suggestions? > > > > > > THX -- Mark > > > > > > -----original Message----- > > > > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config > example] > > > > To: dovecot at dovecot.org > > > > From: Aki Tuomi <aki.tuomi at dovecot.fi> > > > > Date: Tue, 28 Jun 2016 15:13:11 +0300 > > > > > > > > On 28.06.2016 09:27, Mark Foley wrote: > > > > > Aki, > > > > > > > > > > To review your 5 points: > > > > > > > > > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tuomi at dovecot.fi> > wrote: > > > > > > > > > >> 1. Functional AD or Kerberos environment > > > > >> 2. Time synced against your KDC (which is your Domain Controller > on Windows) > > > > >> 3. /etc/krb5.conf configured > > > > >> 4. Both forward / reverse DNS names correct for clients and > servers. > > > > >> Reverse is only mandatory for servers, but having them right will > work > > > > >> wonders. Most kerberos problems are about DNS problems. > > > > >> 5. You need a keytab. This keytab needs to hold entries like > > > > >> IMAP/your.host.name at REALM and IMAP/$HOSTNAME at REALM. You can > generate > > > > >> these on any Windows DC server (at least). > > > > > I believe I am good on 1,2 and 4. I downloaded and installed > kerberos and tested it with kinit > > > > > and klist according to the instructions at > > > > > > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos > > > > > > > > > > As to the the keytab (#5) I did the following: > > > > > > > > > > $ samba-tool domain exportkeytab /etc/krb5.keytab > > > > > > > > > > which created the file. I made this owned and readable by group > dovecot, per instructions at > > > > > http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist > -k /etc/krb5.keytab` shows me > > > > > configuration listing all the users and computers in the domain, > mostly in triplicate. A > > > > > partial list: > > > > > > > > > > Keytab name: FILE:/etc/krb5.keytab > > > > > KVNO Principal > > > > > ---- > -------------------------------------------------------------------------- > > > > > 18 COMMON$@HPRS.LOCAL > > > > > 18 COMMON$@HPRS.LOCAL > > > > > 18 COMMON$@HPRS.LOCAL > > > > > 1 MAIL$@HPRS.LOCAL > > > > > 1 MAIL$@HPRS.LOCAL > > > > > 1 MAIL$@HPRS.LOCAL > > > > > 1 charmaine at HPRS.LOCAL > > > > > 1 charmaine at HPRS.LOCAL > > > > > 1 charmaine at HPRS.LOCAL > > > > > > > > > > where COMMON and MAIL are hosts and charmaine is a user. I don't > really understand the listing, > > > > > but am assuming it is OK. > > > > > > > > Strange that you do not have any host/ entries. Maybe it works > without. > > > > > > > > >> setspn -q is helpful here, also setspn command in general. > > > > > I have no such command in my system. Is that a Windows thing? > > > > > > > > > > > > > Yes, but you can do those kind of things in Samba too. > > > > > > > > > As to the /etc/krb5.conf, the default one generated by samba is: > > > > > > > > > > [libdefaults] > > > > > default_realm = HPRS.LOCAL > > > > > dns_lookup_realm = false > > > > > dns_lookup_kdc = true > > > > > > > > > > I'd like to modify that to your suggestions, but I need more help. > You have (with my questions): > > > > > > > > > >> Here is a *SAMPLE* configuration: > > > > >> > > > > >> [libdefaults] > > > > >> default_realm = YOUR.REALM > > > > >> dns_lookup_kdc = true > > > > >> krb4_config = /etc/krb.conf > > > > >> krb4_realms = /etc/krb.realms > > > > > Here, you have krb4_*. Do you mean that? My config file is > krb5.conf. Should I rather have: > > > > > > > > You can remove the krb4_ stuff > > > > > > > > > krb5_config = /etc/krb5.conf > > > > > > > > > > Also, I have no /etc/krb*.realms file. Do I need this? If so, what > should be in there? > > > > You don't necessarely require that. > > > > > > > > >> kdc_timesync = 1 > > > > >> ccache_type = 4 > > > > >> forwardable = true > > > > >> proxiable = true > > > > >> fcc-mit-ticketflags = true > > > > >> > > > > >> [realms] > > > > >> YOUR.REALM = { > > > > >> default_domain = your.domain.name > > > > >> auth_to_local_names = { > > > > >> Administrator = root > > > > >> } > > > > >> } > > > > > I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my " > your.domain.name" my FQDN for my AD > > > > > server: mail.hprs.local, or is it just hprs.local? (or something > else!) > > > > > > > > HPRS.LOCAL is your REALM, hprs.local is your domain name. > > > > > > > > > >> [domain_realm] > > > > >> your.domain.name = YOUR.REALM > > > > >> # this is not a mistake > > > > >> .your.domain.name = YOUR.REALM > > > > >> [login] > > > > >> krb4_convert = true > > > > >> krb4_get_tickets = false > > > > > Likewise here a question on the whole krb4 versus krb5 thing. > > > > > > > > > > Your closing comment: > > > > > > > > > >> Also, note that kerberos can only act as AUTHENTICATION system. It > > > > >> cannot act as USER DATABASE. For that you need to configure LDAP > or > > > > >> something else. With Active Directory LDAP is probably a damn > good idea. > > > > > I have the following doveconf -n: > > > > > > > > > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > > > > > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > > > > > auth_debug_passwords = yes > > > > > auth_krb5_keytab = /etc/krb5.keytab > > > > > auth_mechanisms = plain login gssapi > > > > > auth_verbose = yes > > > > > auth_verbose_passwords = plain > > > > > disable_plaintext_auth = no > > > > > info_log_path = /var/log/dovecot_info > > > > > mail_location = maildir:~/Maildir > > > > > passdb { > > > > > driver = shadow > > > > > } > > > > > protocols = imap > > > > > ssl_cert > </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt > > > > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key > > > > > userdb { > > > > > driver = passwd > > > > > } > > > > > verbose_ssl = yes > > > > > > > > > > I assume the passwd driver for the userdb is OK? Seems to me it > should work with gssapi, but in > > > > > any case I still have all but this test workstation NOT using > gssapi, so I still need to > > > > > accomodate them. > > > > > > > > > > Thanks, --Mark > > > > passwd driver is fine, yes, if you ensure that users can be found. > > > > > > > > Aki > > > > > > > > Doh. Seems your dovecot isn't compiled with gssapi support? Can you > compile it yourself? > > > > I'll try to check status of NTLM this week. > > > > Aki > > >
Reasonably Related Threads
- Looking for GSSAPI config [was: Looking for NTLM config example]
- Looking for GSSAPI config [was: Looking for NTLM config example]
- Looking for GSSAPI config [was: Looking for NTLM config example]
- Howto authenticate smartPhone via Active Directory
- Howto authenticate smartPhone via Active Directory