dovecot - Jun 2016 - Looking for GSSAPI config [was: Looking for NTLM config example]

Aki, you wrote:
> Doh. Seems your dovecot isn't compiled with gssapi support? Can you
compile it yourself?
>
> I'll try to check status of NTLM this week.
I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.

I do have the Dovecot sources and will peruse the possible options after I send
this.  I am on
version 2.2.15 and I see that the current downloadable version is 2.2.24. 
Should I upgrade? Do
you think that would help? (a perusal of the changes since 2.2.15 shows nothing
obvious
realated to gssapi)

--Mark

-----Original Message-----
> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
> From: aki.tuomi at dovecot.fi
> To: dovecot at dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config
example]
>
> > On June 28, 2016 at 5:17 PM Mark Foley <mfoley at ohprs.org>
wrote:
> > 
> > 
> > Aki - made your suggested changes, but no joy :(
> > 
> > My /etc/krb5.conf:
> > 
> > ------SNIP--------
> > [libdefaults]
> >   default_realm = HPRS.LOCAL
> >   dns_lookup_realm = false
> >   dns_lookup_kdc = true
> > 
> > [libdefaults]
> >   default_realm = HPRS.LOCAL
> >   dns_lookup_kdc = true
> >   kdc_timesync = 1
> >   ccache_type = 4
> >   forwardable = true
> >   proxiable = true
> >   fcc-mit-ticketflags = true
> > 
> > [realms]
> >   HPRS.LOCAL = {
> >     default_domain = hprs.local
> >     auth_to_local_names = {
> >     Administrator = root
> >   }
> > }
> > 
> > [domain_realm]
> >     hprs.local = HPRS.LOCAL
> > # this is not a mistake
> >     .hprs.local = HPRS.LOCAL
> > ------PINS-----------
> > 
> > you wrote:
> > > You can remove the krb4_ stuff
> > 
> > I've remove krb4_ stuff from the [libdefaults] and eliminated the
[login] section altogether.
> > Question on [realms]Administrator: should that really be root or
should it be my AD Administrator?
> > 
> > my doveconf -n is exactly the same as posted below, but in particular:
> > 
> > auth_krb5_keytab = /etc/krb5.keytab
> > auth_mechanisms = plain login gssapi
> > 
> > When I reloaded dovecot no mail was delivered to anyone (even though
everyone was still using
> > plain/ssl, no one yet configured for gssapi).
> > 
> > In /var/log/maillog I got (repeatedly):
> > 
> > Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not
responding, delayed sending initial response (greeting): user=<>,
rip=192.168.0.54, lip=192.168.0.2, session=<Jy/e0lY2WADAqAA2>
> > Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication
mechanism 'gssapi'
> > Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command
startup failed, throttling for 60 secs
> > Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not
responding, delayed sending initial response (greeting): user=<>,
rip=166.170.27.161, lip=98.102.63.107, TLS, session=</GXn0lY22wCmqhuh>
> > 
> > This looks pretty bad right off. Why "Unknown authentication
mechanism 'gssapi'"?
> > 
> > Do you have any idea from the configs I've posted? I'm rather
depressed about this. I thought I'd
> > finally able to get AD authentication going for Dovecot. Not ready to
give up though!
> > 
> > Suggestions?
> > 
> > THX -- Mark
> > 
> > -----original Message-----
> > > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM
config example]
> > > To: dovecot at dovecot.org
> > > From: Aki Tuomi <aki.tuomi at dovecot.fi>
> > > Date: Tue, 28 Jun 2016 15:13:11 +0300
> > >
> > > On 28.06.2016 09:27, Mark Foley wrote:
> > > > Aki,
> > > >
> > > > To review your 5 points:
> > > >
> > > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tuomi
at dovecot.fi> wrote:
> > > >
> > > >> 1. Functional AD or Kerberos environment
> > > >> 2. Time synced against your KDC (which is your Domain
Controller on Windows)
> > > >> 3. /etc/krb5.conf configured
> > > >> 4. Both forward / reverse DNS names correct for clients
and servers.
> > > >> Reverse is only mandatory for servers, but having them
right will work
> > > >> wonders. Most kerberos problems are about DNS problems.
> > > >> 5. You need a keytab. This keytab needs to hold entries
like
> > > >> IMAP/your.host.name at REALM  and IMAP/$HOSTNAME at
REALM. You can generate
> > > >> these on any Windows DC server (at least).
> > > > I believe I am good on 1,2 and 4.  I downloaded and
installed kerberos and tested it with kinit
> > > > and klist according to the instructions at
> > > >
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> > > >
> > > > As to the the keytab (#5) I did the following:
> > > >
> > > > $ samba-tool domain exportkeytab /etc/krb5.keytab
> > > >
> > > > which created the file.  I made this owned and readable by
group dovecot, per instructions at
> > > > http://wiki2.dovecot.org/Authentication/Kerberos.  Running
`klist -k /etc/krb5.keytab` shows me
> > > > configuration listing all the users and computers in the
domain, mostly in triplicate.  A
> > > > partial list:
> > > >
> > > > Keytab name: FILE:/etc/krb5.keytab
> > > > KVNO Principal
> > > > ----
--------------------------------------------------------------------------
> > > >    18 COMMON$@HPRS.LOCAL
> > > >    18 COMMON$@HPRS.LOCAL
> > > >    18 COMMON$@HPRS.LOCAL
> > > >     1 MAIL$@HPRS.LOCAL
> > > >     1 MAIL$@HPRS.LOCAL
> > > >     1 MAIL$@HPRS.LOCAL
> > > >     1 charmaine at HPRS.LOCAL
> > > >     1 charmaine at HPRS.LOCAL
> > > >     1 charmaine at HPRS.LOCAL
> > > >
> > > > where COMMON and MAIL are hosts and charmaine is a user. I
don't really understand the listing,
> > > > but am assuming it is OK.
> > >
> > > Strange that you do not have any host/ entries. Maybe it works
without.
> > >
> > > >> setspn -q is helpful here, also setspn command in
general.
> > > > I have no such command in my system. Is that a Windows
thing?
> > > >
> > >
> > > Yes, but you can do those kind of things in Samba too.
> > >
> > > > As to the /etc/krb5.conf, the default one generated by samba
is:
> > > >
> > > > [libdefaults]
> > > >          default_realm = HPRS.LOCAL
> > > >          dns_lookup_realm = false
> > > >          dns_lookup_kdc = true
> > > >
> > > > I'd like to modify that to your suggestions, but I need
more help. You have (with my questions):
> > > >
> > > >> Here is a *SAMPLE* configuration:
> > > >>
> > > >> [libdefaults]
> > > >>          default_realm = YOUR.REALM
> > > >>          dns_lookup_kdc = true
> > > >>          krb4_config = /etc/krb.conf
> > > >>          krb4_realms = /etc/krb.realms
> > > > Here, you have krb4_*. Do you mean that? My config file is
krb5.conf. Should I rather have:
> > >
> > > You can remove the krb4_ stuff
> > >
> > > > 	krb5_config = /etc/krb5.conf
> > > >
> > > > Also, I have no /etc/krb*.realms file. Do I need this? If
so, what should be in there?
> > > You don't necessarely require that.
> > >
> > > >>          kdc_timesync = 1
> > > >>          ccache_type = 4
> > > >>          forwardable = true
> > > >>          proxiable = true
> > > >>          fcc-mit-ticketflags = true
> > > >>
> > > >> [realms]
> > > >>          YOUR.REALM = {
> > > >>                  default_domain = your.domain.name
> > > >>                  auth_to_local_names = {
> > > >>                          Administrator = root
> > > >>                  }
> > > >>          }
> > > > I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is
my "your.domain.name" my FQDN for my AD
> > > > server: mail.hprs.local, or is it just hprs.local? (or
something else!)
> > >
> > > HPRS.LOCAL is your REALM, hprs.local is your domain name.
> > > >
> > > >> [domain_realm]
> > > >>        your.domain.name = YOUR.REALM
> > > >> # this is not a mistake
> > > >>        .your.domain.name = YOUR.REALM
> > > >> [login]
> > > >>          krb4_convert = true
> > > >>          krb4_get_tickets = false
> > > > Likewise here a question on the whole krb4 versus krb5
thing.
> > > >
> > > > Your closing comment:
> > > >
> > > >> Also, note that kerberos can only act as AUTHENTICATION
system. It
> > > >> cannot act as USER DATABASE. For that you need to
configure LDAP or
> > > >> something else. With Active Directory LDAP is probably a
damn good idea.
> > > > I have the following doveconf -n:
> > > >
> > > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > > auth_debug_passwords = yes
> > > > auth_krb5_keytab = /etc/krb5.keytab
> > > > auth_mechanisms = plain login gssapi
> > > > auth_verbose = yes
> > > > auth_verbose_passwords = plain
> > > > disable_plaintext_auth = no
> > > > info_log_path = /var/log/dovecot_info
> > > > mail_location = maildir:~/Maildir
> > > > passdb {
> > > >    driver = shadow
> > > > }
> > > > protocols = imap
> > > > ssl_cert =
</etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > > > ssl_key =
</etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> > > > userdb {
> > > >    driver = passwd
> > > > }
> > > > verbose_ssl = yes
> > > >
> > > > I assume the passwd driver for the userdb is OK? Seems to me
it should work with gssapi, but in
> > > > any case I still have all but this test workstation NOT
using gssapi, so I still need to
> > > > accomodate them.
> > > >
> > > > Thanks, --Mark
> > > passwd driver is fine, yes, if you ensure that users can be
found.
> > >
> > > Aki
> > >
>
> Doh. Seems your dovecot isn't compiled with gssapi support? Can you
compile it yourself?
>
> I'll try to check status of NTLM this week.
>
> Aki
>

Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and
restarted. Now I
don't get that "Unknown authentication mechanism 'gssapi'"
message in maillog, and mail is
delivered successfully to the other domain users having PLAIN authentication.
That's a big
step. In examining my original config.log output I apparently did not have
--with-gssapi enabled.

HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI'
still cannot correctly
authenticate and retrieve mail. Here is the dovecot log for that host:

Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used
for ECDH and ECDHE key exchanges
Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used
for ECDH and ECDHE key exchanges
Jun 28 22:44:05 auth: Debug: Loading modules from directory:
/usr/local/lib/dovecot/auth
Jun 28 22:44:05 auth: Debug: Read auth token secret from
/usr/local/var/run/dovecot/auth-token-secret.dat
Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept
initialization [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept
initialization [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read
client hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client
hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server
hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key
exchange A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server
done A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data
[192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client
certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client
certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client
key exchange A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read
certificate verify A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished
A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session
ticket A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change
cipher spec A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
finished A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data
[192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation
finished successfully [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation
finished successfully [192.168.0.58]
Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs):
user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS,
session=<WeZyumE25wDAqAA6>

Does this tell you anything? `doveconf -n` and krb5.conf are configured as shown
in previous
messages below.

Closer! --Mark

-----Original Message-----
From: Mark Foley <mfoley at ohprs.org>
Date: Tue, 28 Jun 2016 22:04:42 -0400
To: dovecot at dovecot.org
Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]

Aki, you wrote:
> Doh. Seems your dovecot isn't compiled with gssapi support? Can you
compile it yourself?
>
> I'll try to check status of NTLM this week.
I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.

I do have the Dovecot sources and will peruse the possible options after I send
this.  I am on
version 2.2.15 and I see that the current downloadable version is 2.2.24. 
Should I upgrade? Do
you think that would help? (a perusal of the changes since 2.2.15 shows nothing
obvious
realated to gssapi)

--Mark

-----Original Message-----
> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
> From: aki.tuomi at dovecot.fi
> To: dovecot at dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config
example]
>
> > On June 28, 2016 at 5:17 PM Mark Foley <mfoley at ohprs.org>
wrote:
> > 
> > 
> > Aki - made your suggested changes, but no joy :(
> > 
> > My /etc/krb5.conf:
> > 
> > ------SNIP--------
> > [libdefaults]
> >   default_realm = HPRS.LOCAL
> >   dns_lookup_realm = false
> >   dns_lookup_kdc = true
> > 
> > [libdefaults]
> >   default_realm = HPRS.LOCAL
> >   dns_lookup_kdc = true
> >   kdc_timesync = 1
> >   ccache_type = 4
> >   forwardable = true
> >   proxiable = true
> >   fcc-mit-ticketflags = true
> > 
> > [realms]
> >   HPRS.LOCAL = {
> >     default_domain = hprs.local
> >     auth_to_local_names = {
> >     Administrator = root
> >   }
> > }
> > 
> > [domain_realm]
> >     hprs.local = HPRS.LOCAL
> > # this is not a mistake
> >     .hprs.local = HPRS.LOCAL
> > ------PINS-----------
> > 
> > you wrote:
> > > You can remove the krb4_ stuff
> > 
> > I've remove krb4_ stuff from the [libdefaults] and eliminated the
[login] section altogether.
> > Question on [realms]Administrator: should that really be root or
should it be my AD Administrator?
> > 
> > my doveconf -n is exactly the same as posted below, but in particular:
> > 
> > auth_krb5_keytab = /etc/krb5.keytab
> > auth_mechanisms = plain login gssapi
> > 
> > When I reloaded dovecot no mail was delivered to anyone (even though
everyone was still using
> > plain/ssl, no one yet configured for gssapi).
> > 
> > In /var/log/maillog I got (repeatedly):
> > 
> > Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not
responding, delayed sending initial response (greeting): user=<>,
rip=192.168.0.54, lip=192.168.0.2, session=<Jy/e0lY2WADAqAA2>
> > Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication
mechanism 'gssapi'
> > Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command
startup failed, throttling for 60 secs
> > Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not
responding, delayed sending initial response (greeting): user=<>,
rip=166.170.27.161, lip=98.102.63.107, TLS, session=</GXn0lY22wCmqhuh>
> > 
> > This looks pretty bad right off. Why "Unknown authentication
mechanism 'gssapi'"?
> > 
> > Do you have any idea from the configs I've posted? I'm rather
depressed about this. I thought I'd
> > finally able to get AD authentication going for Dovecot. Not ready to
give up though!
> > 
> > Suggestions?
> > 
> > THX -- Mark
> > 
> > -----original Message-----
> > > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM
config example]
> > > To: dovecot at dovecot.org
> > > From: Aki Tuomi <aki.tuomi at dovecot.fi>
> > > Date: Tue, 28 Jun 2016 15:13:11 +0300
> > >
> > > On 28.06.2016 09:27, Mark Foley wrote:
> > > > Aki,
> > > >
> > > > To review your 5 points:
> > > >
> > > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tuomi
at dovecot.fi> wrote:
> > > >
> > > >> 1. Functional AD or Kerberos environment
> > > >> 2. Time synced against your KDC (which is your Domain
Controller on Windows)
> > > >> 3. /etc/krb5.conf configured
> > > >> 4. Both forward / reverse DNS names correct for clients
and servers.
> > > >> Reverse is only mandatory for servers, but having them
right will work
> > > >> wonders. Most kerberos problems are about DNS problems.
> > > >> 5. You need a keytab. This keytab needs to hold entries
like
> > > >> IMAP/your.host.name at REALM  and IMAP/$HOSTNAME at
REALM. You can generate
> > > >> these on any Windows DC server (at least).
> > > > I believe I am good on 1,2 and 4.  I downloaded and
installed kerberos and tested it with kinit
> > > > and klist according to the instructions at
> > > >
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> > > >
> > > > As to the the keytab (#5) I did the following:
> > > >
> > > > $ samba-tool domain exportkeytab /etc/krb5.keytab
> > > >
> > > > which created the file.  I made this owned and readable by
group dovecot, per instructions at
> > > > http://wiki2.dovecot.org/Authentication/Kerberos.  Running
`klist -k /etc/krb5.keytab` shows me
> > > > configuration listing all the users and computers in the
domain, mostly in triplicate.  A
> > > > partial list:
> > > >
> > > > Keytab name: FILE:/etc/krb5.keytab
> > > > KVNO Principal
> > > > ----
--------------------------------------------------------------------------
> > > >    18 COMMON$@HPRS.LOCAL
> > > >    18 COMMON$@HPRS.LOCAL
> > > >    18 COMMON$@HPRS.LOCAL
> > > >     1 MAIL$@HPRS.LOCAL
> > > >     1 MAIL$@HPRS.LOCAL
> > > >     1 MAIL$@HPRS.LOCAL
> > > >     1 charmaine at HPRS.LOCAL
> > > >     1 charmaine at HPRS.LOCAL
> > > >     1 charmaine at HPRS.LOCAL
> > > >
> > > > where COMMON and MAIL are hosts and charmaine is a user. I
don't really understand the listing,
> > > > but am assuming it is OK.
> > >
> > > Strange that you do not have any host/ entries. Maybe it works
without.
> > >
> > > >> setspn -q is helpful here, also setspn command in
general.
> > > > I have no such command in my system. Is that a Windows
thing?
> > > >
> > >
> > > Yes, but you can do those kind of things in Samba too.
> > >
> > > > As to the /etc/krb5.conf, the default one generated by samba
is:
> > > >
> > > > [libdefaults]
> > > >          default_realm = HPRS.LOCAL
> > > >          dns_lookup_realm = false
> > > >          dns_lookup_kdc = true
> > > >
> > > > I'd like to modify that to your suggestions, but I need
more help. You have (with my questions):
> > > >
> > > >> Here is a *SAMPLE* configuration:
> > > >>
> > > >> [libdefaults]
> > > >>          default_realm = YOUR.REALM
> > > >>          dns_lookup_kdc = true
> > > >>          krb4_config = /etc/krb.conf
> > > >>          krb4_realms = /etc/krb.realms
> > > > Here, you have krb4_*. Do you mean that? My config file is
krb5.conf. Should I rather have:
> > >
> > > You can remove the krb4_ stuff
> > >
> > > > 	krb5_config = /etc/krb5.conf
> > > >
> > > > Also, I have no /etc/krb*.realms file. Do I need this? If
so, what should be in there?
> > > You don't necessarely require that.
> > >
> > > >>          kdc_timesync = 1
> > > >>          ccache_type = 4
> > > >>          forwardable = true
> > > >>          proxiable = true
> > > >>          fcc-mit-ticketflags = true
> > > >>
> > > >> [realms]
> > > >>          YOUR.REALM = {
> > > >>                  default_domain = your.domain.name
> > > >>                  auth_to_local_names = {
> > > >>                          Administrator = root
> > > >>                  }
> > > >>          }
> > > > I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is
my "your.domain.name" my FQDN for my AD
> > > > server: mail.hprs.local, or is it just hprs.local? (or
something else!)
> > >
> > > HPRS.LOCAL is your REALM, hprs.local is your domain name.
> > > >
> > > >> [domain_realm]
> > > >>        your.domain.name = YOUR.REALM
> > > >> # this is not a mistake
> > > >>        .your.domain.name = YOUR.REALM
> > > >> [login]
> > > >>          krb4_convert = true
> > > >>          krb4_get_tickets = false
> > > > Likewise here a question on the whole krb4 versus krb5
thing.
> > > >
> > > > Your closing comment:
> > > >
> > > >> Also, note that kerberos can only act as AUTHENTICATION
system. It
> > > >> cannot act as USER DATABASE. For that you need to
configure LDAP or
> > > >> something else. With Active Directory LDAP is probably a
damn good idea.
> > > > I have the following doveconf -n:
> > > >
> > > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > > auth_debug_passwords = yes
> > > > auth_krb5_keytab = /etc/krb5.keytab
> > > > auth_mechanisms = plain login gssapi
> > > > auth_verbose = yes
> > > > auth_verbose_passwords = plain
> > > > disable_plaintext_auth = no
> > > > info_log_path = /var/log/dovecot_info
> > > > mail_location = maildir:~/Maildir
> > > > passdb {
> > > >    driver = shadow
> > > > }
> > > > protocols = imap
> > > > ssl_cert =
</etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > > > ssl_key =
</etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> > > > userdb {
> > > >    driver = passwd
> > > > }
> > > > verbose_ssl = yes
> > > >
> > > > I assume the passwd driver for the userdb is OK? Seems to me
it should work with gssapi, but in
> > > > any case I still have all but this test workstation NOT
using gssapi, so I still need to
> > > > accomodate them.
> > > >
> > > > Thanks, --Mark
> > > passwd driver is fine, yes, if you ensure that users can be
found.
> > >
> > > Aki
> > >
>
> Doh. Seems your dovecot isn't compiled with gssapi support? Can you
compile it yourself?
>
> I'll try to check status of NTLM this week.
>
> Aki
>

> On Jun 28, 2016, at 10:32 PM, Mark Foley <mfoley at ohprs.org> wrote:
> 
> Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi,
and restarted. Now I
> don't get that "Unknown authentication mechanism
'gssapi'" message in maillog, and mail is
> delivered successfully to the other domain users having PLAIN
authentication. That's a big
> step. In examining my original config.log output I apparently did not have
--with-gssapi enabled.
> 
> HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI'
still cannot correctly
> authenticate and retrieve mail. Here is the dovecot log for that host:
> 
What does thunderbird tell you?

> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be
used for ECDH and ECDHE key exchanges
> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be
used for ECDH and ECDHE key exchanges
> Jun 28 22:44:05 auth: Debug: Loading modules from directory:
/usr/local/lib/dovecot/auth
> Jun 28 22:44:05 auth: Debug: Read auth token secret from
/usr/local/var/run/dovecot/auth-token-secret.dat
> Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept
initialization [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept
initialization [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read
client hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read
client hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
server hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
key exchange A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
server done A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush
data [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read
client certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read
client certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read
client key exchange A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read
certificate verify A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read
finished A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
session ticket A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
change cipher spec A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
finished A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush
data [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation
finished successfully [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL
negotiation finished successfully [192.168.0.58]
> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6
secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS,
session=<WeZyumE25wDAqAA6>
> 
> Does this tell you anything? `doveconf -n` and krb5.conf are configured as
shown in previous
> messages below.
> 
> Closer! --Mark
> 
> -----Original Message-----
> From: Mark Foley <mfoley at ohprs.org>
> Date: Tue, 28 Jun 2016 22:04:42 -0400
> To: dovecot at dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config
example]
> 
> Aki, you wrote:
> 
>> Doh. Seems your dovecot isn't compiled with gssapi support? Can you
compile it yourself?
>> 
>> I'll try to check status of NTLM this week.
> 
> I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.
> 
> I do have the Dovecot sources and will peruse the possible options after I
send this.  I am on
> version 2.2.15 and I see that the current downloadable version is 2.2.24. 
Should I upgrade? Do
> you think that would help? (a perusal of the changes since 2.2.15 shows
nothing obvious
> realated to gssapi)
> 
> --Mark
> 
> -----Original Message-----
>> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
>> From: aki.tuomi at dovecot.fi
>> To: dovecot at dovecot.org
>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config
example]
>> 
>>> On June 28, 2016 at 5:17 PM Mark Foley <mfoley at ohprs.org>
wrote:
>>> 
>>> 
>>> Aki - made your suggested changes, but no joy :(
>>> 
>>> My /etc/krb5.conf:
>>> 
>>> ------SNIP--------
>>> [libdefaults]
>>>  default_realm = HPRS.LOCAL
>>>  dns_lookup_realm = false
>>>  dns_lookup_kdc = true
>>> 
>>> [libdefaults]
>>>  default_realm = HPRS.LOCAL
>>>  dns_lookup_kdc = true
>>>  kdc_timesync = 1
>>>  ccache_type = 4
>>>  forwardable = true
>>>  proxiable = true
>>>  fcc-mit-ticketflags = true
>>> 
>>> [realms]
>>>  HPRS.LOCAL = {
>>>    default_domain = hprs.local
>>>    auth_to_local_names = {
>>>    Administrator = root
>>>  }
>>> }
>>> 
>>> [domain_realm]
>>>    hprs.local = HPRS.LOCAL
>>> # this is not a mistake
>>>    .hprs.local = HPRS.LOCAL
>>> ------PINS-----------
>>> 
>>> you wrote:
>>>> You can remove the krb4_ stuff
>>> 
>>> I've remove krb4_ stuff from the [libdefaults] and eliminated
the [login] section altogether.
>>> Question on [realms]Administrator: should that really be root or
should it be my AD Administrator?
>>> 
>>> my doveconf -n is exactly the same as posted below, but in
particular:
>>> 
>>> auth_krb5_keytab = /etc/krb5.keytab
>>> auth_mechanisms = plain login gssapi
>>> 
>>> When I reloaded dovecot no mail was delivered to anyone (even
though everyone was still using
>>> plain/ssl, no one yet configured for gssapi).
>>> 
>>> In /var/log/maillog I got (repeatedly):
>>> 
>>> Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not
responding, delayed sending initial response (greeting): user=<>,
rip=192.168.0.54, lip=192.168.0.2, session=<Jy/e0lY2WADAqAA2>
>>> Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication
mechanism 'gssapi'
>>> Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command
startup failed, throttling for 60 secs
>>> Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not
responding, delayed sending initial response (greeting): user=<>,
rip=166.170.27.161, lip=98.102.63.107, TLS, session=</GXn0lY22wCmqhuh>
>>> 
>>> This looks pretty bad right off. Why "Unknown authentication
mechanism 'gssapi'"?
>>> 
>>> Do you have any idea from the configs I've posted? I'm
rather depressed about this. I thought I'd
>>> finally able to get AD authentication going for Dovecot. Not ready
to give up though!
>>> 
>>> Suggestions?
>>> 
>>> THX -- Mark
>>> 
>>> -----original Message-----
>>>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM
config example]
>>>> To: dovecot at dovecot.org
>>>> From: Aki Tuomi <aki.tuomi at dovecot.fi>
>>>> Date: Tue, 28 Jun 2016 15:13:11 +0300
>>>> 
>>>>> On 28.06.2016 09:27, Mark Foley wrote:
>>>>> Aki,
>>>>> 
>>>>> To review your 5 points:
>>>>> 
>>>>>> On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi
<aki.tuomi at dovecot.fi> wrote:
>>>>>> 
>>>>>> 1. Functional AD or Kerberos environment
>>>>>> 2. Time synced against your KDC (which is your Domain
Controller on Windows)
>>>>>> 3. /etc/krb5.conf configured
>>>>>> 4. Both forward / reverse DNS names correct for clients
and servers.
>>>>>> Reverse is only mandatory for servers, but having them
right will work
>>>>>> wonders. Most kerberos problems are about DNS problems.
>>>>>> 5. You need a keytab. This keytab needs to hold entries
like
>>>>>> IMAP/your.host.name at REALM  and IMAP/$HOSTNAME at
REALM. You can generate
>>>>>> these on any Windows DC server (at least).
>>>>> I believe I am good on 1,2 and 4.  I downloaded and
installed kerberos and tested it with kinit
>>>>> and klist according to the instructions at
>>>>>
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
>>>>> 
>>>>> As to the the keytab (#5) I did the following:
>>>>> 
>>>>> $ samba-tool domain exportkeytab /etc/krb5.keytab
>>>>> 
>>>>> which created the file.  I made this owned and readable by
group dovecot, per instructions at
>>>>> http://wiki2.dovecot.org/Authentication/Kerberos.  Running
`klist -k /etc/krb5.keytab` shows me
>>>>> configuration listing all the users and computers in the
domain, mostly in triplicate.  A
>>>>> partial list:
>>>>> 
>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>> KVNO Principal
>>>>> ----
--------------------------------------------------------------------------
>>>>>   18 COMMON$@HPRS.LOCAL
>>>>>   18 COMMON$@HPRS.LOCAL
>>>>>   18 COMMON$@HPRS.LOCAL
>>>>>    1 MAIL$@HPRS.LOCAL
>>>>>    1 MAIL$@HPRS.LOCAL
>>>>>    1 MAIL$@HPRS.LOCAL
>>>>>    1 charmaine at HPRS.LOCAL
>>>>>    1 charmaine at HPRS.LOCAL
>>>>>    1 charmaine at HPRS.LOCAL
>>>>> 
>>>>> where COMMON and MAIL are hosts and charmaine is a user. I
don't really understand the listing,
>>>>> but am assuming it is OK.
>>>> 
>>>> Strange that you do not have any host/ entries. Maybe it works
without.
>>>> 
>>>>>> setspn -q is helpful here, also setspn command in
general.
>>>>> I have no such command in my system. Is that a Windows
thing?
>>>> 
>>>> Yes, but you can do those kind of things in Samba too.
>>>> 
>>>>> As to the /etc/krb5.conf, the default one generated by
samba is:
>>>>> 
>>>>> [libdefaults]
>>>>>         default_realm = HPRS.LOCAL
>>>>>         dns_lookup_realm = false
>>>>>         dns_lookup_kdc = true
>>>>> 
>>>>> I'd like to modify that to your suggestions, but I need
more help. You have (with my questions):
>>>>> 
>>>>>> Here is a *SAMPLE* configuration:
>>>>>> 
>>>>>> [libdefaults]
>>>>>>         default_realm = YOUR.REALM
>>>>>>         dns_lookup_kdc = true
>>>>>>         krb4_config = /etc/krb.conf
>>>>>>         krb4_realms = /etc/krb.realms
>>>>> Here, you have krb4_*. Do you mean that? My config file is
krb5.conf. Should I rather have:
>>>> 
>>>> You can remove the krb4_ stuff
>>>> 
>>>>>    krb5_config = /etc/krb5.conf
>>>>> 
>>>>> Also, I have no /etc/krb*.realms file. Do I need this? If
so, what should be in there?
>>>> You don't necessarely require that.
>>>> 
>>>>>>         kdc_timesync = 1
>>>>>>         ccache_type = 4
>>>>>>         forwardable = true
>>>>>>         proxiable = true
>>>>>>         fcc-mit-ticketflags = true
>>>>>> 
>>>>>> [realms]
>>>>>>         YOUR.REALM = {
>>>>>>                 default_domain = your.domain.name
>>>>>>                 auth_to_local_names = {
>>>>>>                         Administrator = root
>>>>>>                 }
>>>>>>         }
>>>>> I suppose my "YOUR.REALM" is HPRS.LOCAL, right?
Is my "your.domain.name" my FQDN for my AD
>>>>> server: mail.hprs.local, or is it just hprs.local? (or
something else!)
>>>> 
>>>> HPRS.LOCAL is your REALM, hprs.local is your domain name.
>>>>> 
>>>>>> [domain_realm]
>>>>>>       your.domain.name = YOUR.REALM
>>>>>> # this is not a mistake
>>>>>>       .your.domain.name = YOUR.REALM
>>>>>> [login]
>>>>>>         krb4_convert = true
>>>>>>         krb4_get_tickets = false
>>>>> Likewise here a question on the whole krb4 versus krb5
thing.
>>>>> 
>>>>> Your closing comment:
>>>>> 
>>>>>> Also, note that kerberos can only act as AUTHENTICATION
system. It
>>>>>> cannot act as USER DATABASE. For that you need to
configure LDAP or
>>>>>> something else. With Active Directory LDAP is probably
a damn good idea.
>>>>> I have the following doveconf -n:
>>>>> 
>>>>> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
>>>>> # OS: Linux 3.10.17 x86_64 Slackware 14.1
>>>>> auth_debug_passwords = yes
>>>>> auth_krb5_keytab = /etc/krb5.keytab
>>>>> auth_mechanisms = plain login gssapi
>>>>> auth_verbose = yes
>>>>> auth_verbose_passwords = plain
>>>>> disable_plaintext_auth = no
>>>>> info_log_path = /var/log/dovecot_info
>>>>> mail_location = maildir:~/Maildir
>>>>> passdb {
>>>>>   driver = shadow
>>>>> }
>>>>> protocols = imap
>>>>> ssl_cert =
</etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
>>>>> ssl_key =
</etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
>>>>> userdb {
>>>>>   driver = passwd
>>>>> }
>>>>> verbose_ssl = yes
>>>>> 
>>>>> I assume the passwd driver for the userdb is OK? Seems to
me it should work with gssapi, but in
>>>>> any case I still have all but this test workstation NOT
using gssapi, so I still need to
>>>>> accomodate them.
>>>>> 
>>>>> Thanks, --Mark
>>>> passwd driver is fine, yes, if you ensure that users can be
found.
>>>> 
>>>> Aki
>> 
>> Doh. Seems your dovecot isn't compiled with gssapi support? Can you
compile it yourself?
>> 
>> I'll try to check status of NTLM this week.
>> 
>> Aki
>>

The last log line shows "user=<>".  This indicates no
credentials were
presented.  If the rip field matches the client ip you tested from, I would
bet the appropriate kerberos ticket (imap/host.domain.tld at REALM) was not
pulled for the authentication.
On Jun 28, 2016 11:33 PM, "Mark Foley" <mfoley at ohprs.org>
wrote:
> Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi,
> and restarted. Now I
> don't get that "Unknown authentication mechanism
'gssapi'" message in
> maillog, and mail is
> delivered successfully to the other domain users having PLAIN
> authentication. That's a big
> step. In examining my original config.log output I apparently did not have
> --with-gssapi enabled.
>
> HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI'
still
> cannot correctly
> authenticate and retrieve mail. Here is the dovecot log for that host:
>
> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be
> used for ECDH and ECDHE key exchanges
> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be
> used for ECDH and ECDHE key exchanges
> Jun 28 22:44:05 auth: Debug: Loading modules from directory:
> /usr/local/lib/dovecot/auth
> Jun 28 22:44:05 auth: Debug: Read auth token secret from
> /usr/local/var/run/dovecot/auth-token-secret.dat
> Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept
> initialization [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept
> initialization [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3
> read client hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read
> client hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
> server hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
> certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
> key exchange A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
> server done A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush
> data [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read
> client certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read
> client certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read
> client key exchange A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read
> certificate verify A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read
> finished A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
> session ticket A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
> change cipher spec A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
> finished A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush
> data [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation
> finished successfully [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL
> negotiation finished successfully [192.168.0.58]
> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6
> secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS,
> session=<WeZyumE25wDAqAA6>
>
> Does this tell you anything? `doveconf -n` and krb5.conf are configured as
> shown in previous
> messages below.
>
> Closer! --Mark
>
> -----Original Message-----
> From: Mark Foley <mfoley at ohprs.org>
> Date: Tue, 28 Jun 2016 22:04:42 -0400
> To: dovecot at dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config
> example]
>
> Aki, you wrote:
>
> > Doh. Seems your dovecot isn't compiled with gssapi support? Can
you
> compile it yourself?
> >
> > I'll try to check status of NTLM this week.
>
> I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.
>
> I do have the Dovecot sources and will peruse the possible options after I
> send this.  I am on
> version 2.2.15 and I see that the current downloadable version is 2.2.24.
> Should I upgrade? Do
> you think that would help? (a perusal of the changes since 2.2.15 shows
> nothing obvious
> realated to gssapi)
>
> --Mark
>
> -----Original Message-----
> > Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
> > From: aki.tuomi at dovecot.fi
> > To: dovecot at dovecot.org
> > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config
> example]
> >
> > > On June 28, 2016 at 5:17 PM Mark Foley <mfoley at
ohprs.org> wrote:
> > >
> > >
> > > Aki - made your suggested changes, but no joy :(
> > >
> > > My /etc/krb5.conf:
> > >
> > > ------SNIP--------
> > > [libdefaults]
> > >   default_realm = HPRS.LOCAL
> > >   dns_lookup_realm = false
> > >   dns_lookup_kdc = true
> > >
> > > [libdefaults]
> > >   default_realm = HPRS.LOCAL
> > >   dns_lookup_kdc = true
> > >   kdc_timesync = 1
> > >   ccache_type = 4
> > >   forwardable = true
> > >   proxiable = true
> > >   fcc-mit-ticketflags = true
> > >
> > > [realms]
> > >   HPRS.LOCAL = {
> > >     default_domain = hprs.local
> > >     auth_to_local_names = {
> > >     Administrator = root
> > >   }
> > > }
> > >
> > > [domain_realm]
> > >     hprs.local = HPRS.LOCAL
> > > # this is not a mistake
> > >     .hprs.local = HPRS.LOCAL
> > > ------PINS-----------
> > >
> > > you wrote:
> > > > You can remove the krb4_ stuff
> > >
> > > I've remove krb4_ stuff from the [libdefaults] and eliminated
the
> [login] section altogether.
> > > Question on [realms]Administrator: should that really be root or
> should it be my AD Administrator?
> > >
> > > my doveconf -n is exactly the same as posted below, but in
particular:
> > >
> > > auth_krb5_keytab = /etc/krb5.keytab
> > > auth_mechanisms = plain login gssapi
> > >
> > > When I reloaded dovecot no mail was delivered to anyone (even
though
> everyone was still using
> > > plain/ssl, no one yet configured for gssapi).
> > >
> > > In /var/log/maillog I got (repeatedly):
> > >
> > > Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process
not
> responding, delayed sending initial response (greeting): user=<>,
> rip=192.168.0.54, lip=192.168.0.2, session=<Jy/e0lY2WADAqAA2>
> > > Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication
> mechanism 'gssapi'
> > > Jun 28 09:43:37 mail dovecot: master: Error: service(auth):
command
> startup failed, throttling for 60 secs
> > > Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process
not
> responding, delayed sending initial response (greeting): user=<>,
> rip=166.170.27.161, lip=98.102.63.107, TLS,
session=</GXn0lY22wCmqhuh>
> > >
> > > This looks pretty bad right off. Why "Unknown authentication
mechanism
> 'gssapi'"?
> > >
> > > Do you have any idea from the configs I've posted? I'm
rather
> depressed about this. I thought I'd
> > > finally able to get AD authentication going for Dovecot. Not
ready to
> give up though!
> > >
> > > Suggestions?
> > >
> > > THX -- Mark
> > >
> > > -----original Message-----
> > > > Subject: Re: Looking for GSSAPI config [was: Looking for
NTLM config
> example]
> > > > To: dovecot at dovecot.org
> > > > From: Aki Tuomi <aki.tuomi at dovecot.fi>
> > > > Date: Tue, 28 Jun 2016 15:13:11 +0300
> > > >
> > > > On 28.06.2016 09:27, Mark Foley wrote:
> > > > > Aki,
> > > > >
> > > > > To review your 5 points:
> > > > >
> > > > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi
<aki.tuomi at dovecot.fi>
> wrote:
> > > > >
> > > > >> 1. Functional AD or Kerberos environment
> > > > >> 2. Time synced against your KDC (which is your
Domain Controller
> on Windows)
> > > > >> 3. /etc/krb5.conf configured
> > > > >> 4. Both forward / reverse DNS names correct for
clients and
> servers.
> > > > >> Reverse is only mandatory for servers, but having
them right will
> work
> > > > >> wonders. Most kerberos problems are about DNS
problems.
> > > > >> 5. You need a keytab. This keytab needs to hold
entries like
> > > > >> IMAP/your.host.name at REALM  and IMAP/$HOSTNAME at
REALM. You can
> generate
> > > > >> these on any Windows DC server (at least).
> > > > > I believe I am good on 1,2 and 4.  I downloaded and
installed
> kerberos and tested it with kinit
> > > > > and klist according to the instructions at
> > > > >
>
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> > > > >
> > > > > As to the the keytab (#5) I did the following:
> > > > >
> > > > > $ samba-tool domain exportkeytab /etc/krb5.keytab
> > > > >
> > > > > which created the file.  I made this owned and readable
by group
> dovecot, per instructions at
> > > > > http://wiki2.dovecot.org/Authentication/Kerberos. 
Running `klist
> -k /etc/krb5.keytab` shows me
> > > > > configuration listing all the users and computers in
the domain,
> mostly in triplicate.  A
> > > > > partial list:
> > > > >
> > > > > Keytab name: FILE:/etc/krb5.keytab
> > > > > KVNO Principal
> > > > > ----
> --------------------------------------------------------------------------
> > > > >    18 COMMON$@HPRS.LOCAL
> > > > >    18 COMMON$@HPRS.LOCAL
> > > > >    18 COMMON$@HPRS.LOCAL
> > > > >     1 MAIL$@HPRS.LOCAL
> > > > >     1 MAIL$@HPRS.LOCAL
> > > > >     1 MAIL$@HPRS.LOCAL
> > > > >     1 charmaine at HPRS.LOCAL
> > > > >     1 charmaine at HPRS.LOCAL
> > > > >     1 charmaine at HPRS.LOCAL
> > > > >
> > > > > where COMMON and MAIL are hosts and charmaine is a
user. I don't
> really understand the listing,
> > > > > but am assuming it is OK.
> > > >
> > > > Strange that you do not have any host/ entries. Maybe it
works
> without.
> > > >
> > > > >> setspn -q is helpful here, also setspn command in
general.
> > > > > I have no such command in my system. Is that a Windows
thing?
> > > > >
> > > >
> > > > Yes, but you can do those kind of things in Samba too.
> > > >
> > > > > As to the /etc/krb5.conf, the default one generated by
samba is:
> > > > >
> > > > > [libdefaults]
> > > > >          default_realm = HPRS.LOCAL
> > > > >          dns_lookup_realm = false
> > > > >          dns_lookup_kdc = true
> > > > >
> > > > > I'd like to modify that to your suggestions, but I
need more help.
> You have (with my questions):
> > > > >
> > > > >> Here is a *SAMPLE* configuration:
> > > > >>
> > > > >> [libdefaults]
> > > > >>          default_realm = YOUR.REALM
> > > > >>          dns_lookup_kdc = true
> > > > >>          krb4_config = /etc/krb.conf
> > > > >>          krb4_realms = /etc/krb.realms
> > > > > Here, you have krb4_*. Do you mean that? My config file
is
> krb5.conf. Should I rather have:
> > > >
> > > > You can remove the krb4_ stuff
> > > >
> > > > >         krb5_config = /etc/krb5.conf
> > > > >
> > > > > Also, I have no /etc/krb*.realms file. Do I need this?
If so, what
> should be in there?
> > > > You don't necessarely require that.
> > > >
> > > > >>          kdc_timesync = 1
> > > > >>          ccache_type = 4
> > > > >>          forwardable = true
> > > > >>          proxiable = true
> > > > >>          fcc-mit-ticketflags = true
> > > > >>
> > > > >> [realms]
> > > > >>          YOUR.REALM = {
> > > > >>                  default_domain = your.domain.name
> > > > >>                  auth_to_local_names = {
> > > > >>                          Administrator = root
> > > > >>                  }
> > > > >>          }
> > > > > I suppose my "YOUR.REALM" is HPRS.LOCAL,
right? Is my "
> your.domain.name" my FQDN for my AD
> > > > > server: mail.hprs.local, or is it just hprs.local? (or
something
> else!)
> > > >
> > > > HPRS.LOCAL is your REALM, hprs.local is your domain name.
> > > > >
> > > > >> [domain_realm]
> > > > >>        your.domain.name = YOUR.REALM
> > > > >> # this is not a mistake
> > > > >>        .your.domain.name = YOUR.REALM
> > > > >> [login]
> > > > >>          krb4_convert = true
> > > > >>          krb4_get_tickets = false
> > > > > Likewise here a question on the whole krb4 versus krb5
thing.
> > > > >
> > > > > Your closing comment:
> > > > >
> > > > >> Also, note that kerberos can only act as
AUTHENTICATION system. It
> > > > >> cannot act as USER DATABASE. For that you need to
configure LDAP
> or
> > > > >> something else. With Active Directory LDAP is
probably a damn
> good idea.
> > > > > I have the following doveconf -n:
> > > > >
> > > > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > > > auth_debug_passwords = yes
> > > > > auth_krb5_keytab = /etc/krb5.keytab
> > > > > auth_mechanisms = plain login gssapi
> > > > > auth_verbose = yes
> > > > > auth_verbose_passwords = plain
> > > > > disable_plaintext_auth = no
> > > > > info_log_path = /var/log/dovecot_info
> > > > > mail_location = maildir:~/Maildir
> > > > > passdb {
> > > > >    driver = shadow
> > > > > }
> > > > > protocols = imap
> > > > > ssl_cert >
</etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > > > > ssl_key =
</etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> > > > > userdb {
> > > > >    driver = passwd
> > > > > }
> > > > > verbose_ssl = yes
> > > > >
> > > > > I assume the passwd driver for the userdb is OK? Seems
to me it
> should work with gssapi, but in
> > > > > any case I still have all but this test workstation NOT
using
> gssapi, so I still need to
> > > > > accomodate them.
> > > > >
> > > > > Thanks, --Mark
> > > > passwd driver is fine, yes, if you ensure that users can be
found.
> > > >
> > > > Aki
> > > >
> >
> > Doh. Seems your dovecot isn't compiled with gssapi support? Can
you
> compile it yourself?
> >
> > I'll try to check status of NTLM this week.
> >
> > Aki
> >
>