brendan kearney
2016-Jun-29 12:03 UTC
Looking for GSSAPI config [was: Looking for NTLM config example]
The last log line shows "user=<>". This indicates no credentials were presented. If the rip field matches the client ip you tested from, I would bet the appropriate kerberos ticket (imap/host.domain.tld at REALM) was not pulled for the authentication. On Jun 28, 2016 11:33 PM, "Mark Foley" <mfoley at ohprs.org> wrote:> Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, > and restarted. Now I > don't get that "Unknown authentication mechanism 'gssapi'" message in > maillog, and mail is > delivered successfully to the other domain users having PLAIN > authentication. That's a big > step. In examining my original config.log output I apparently did not have > --with-gssapi enabled. > > HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still > cannot correctly > authenticate and retrieve mail. Here is the dovecot log for that host: > > Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be > used for ECDH and ECDHE key exchanges > Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be > used for ECDH and ECDHE key exchanges > Jun 28 22:44:05 auth: Debug: Loading modules from directory: > /usr/local/lib/dovecot/auth > Jun 28 22:44:05 auth: Debug: Read auth token secret from > /usr/local/var/run/dovecot/auth-token-secret.dat > Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076) > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept > initialization [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept > initialization [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 > read client hello A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read > client hello A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write > server hello A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write > certificate A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write > key exchange A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write > server done A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush > data [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read > client certificate A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read > client certificate A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read > client key exchange A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read > certificate verify A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read > finished A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write > session ticket A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write > change cipher spec A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write > finished A [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush > data [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation > finished successfully [192.168.0.58] > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL > negotiation finished successfully [192.168.0.58] > Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58] > Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58] > Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 > secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, > session=<WeZyumE25wDAqAA6> > > Does this tell you anything? `doveconf -n` and krb5.conf are configured as > shown in previous > messages below. > > Closer! --Mark > > -----Original Message----- > From: Mark Foley <mfoley at ohprs.org> > Date: Tue, 28 Jun 2016 22:04:42 -0400 > To: dovecot at dovecot.org > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config > example] > > Aki, you wrote: > > > Doh. Seems your dovecot isn't compiled with gssapi support? Can you > compile it yourself? > > > > I'll try to check status of NTLM this week. > > I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1. > > I do have the Dovecot sources and will peruse the possible options after I > send this. I am on > version 2.2.15 and I see that the current downloadable version is 2.2.24. > Should I upgrade? Do > you think that would help? (a perusal of the changes since 2.2.15 shows > nothing obvious > realated to gssapi) > > --Mark > > -----Original Message----- > > Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST) > > From: aki.tuomi at dovecot.fi > > To: dovecot at dovecot.org > > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config > example] > > > > > On June 28, 2016 at 5:17 PM Mark Foley <mfoley at ohprs.org> wrote: > > > > > > > > > Aki - made your suggested changes, but no joy :( > > > > > > My /etc/krb5.conf: > > > > > > ------SNIP-------- > > > [libdefaults] > > > default_realm = HPRS.LOCAL > > > dns_lookup_realm = false > > > dns_lookup_kdc = true > > > > > > [libdefaults] > > > default_realm = HPRS.LOCAL > > > dns_lookup_kdc = true > > > kdc_timesync = 1 > > > ccache_type = 4 > > > forwardable = true > > > proxiable = true > > > fcc-mit-ticketflags = true > > > > > > [realms] > > > HPRS.LOCAL = { > > > default_domain = hprs.local > > > auth_to_local_names = { > > > Administrator = root > > > } > > > } > > > > > > [domain_realm] > > > hprs.local = HPRS.LOCAL > > > # this is not a mistake > > > .hprs.local = HPRS.LOCAL > > > ------PINS----------- > > > > > > you wrote: > > > > You can remove the krb4_ stuff > > > > > > I've remove krb4_ stuff from the [libdefaults] and eliminated the > [login] section altogether. > > > Question on [realms]Administrator: should that really be root or > should it be my AD Administrator? > > > > > > my doveconf -n is exactly the same as posted below, but in particular: > > > > > > auth_krb5_keytab = /etc/krb5.keytab > > > auth_mechanisms = plain login gssapi > > > > > > When I reloaded dovecot no mail was delivered to anyone (even though > everyone was still using > > > plain/ssl, no one yet configured for gssapi). > > > > > > In /var/log/maillog I got (repeatedly): > > > > > > Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not > responding, delayed sending initial response (greeting): user=<>, > rip=192.168.0.54, lip=192.168.0.2, session=<Jy/e0lY2WADAqAA2> > > > Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication > mechanism 'gssapi' > > > Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command > startup failed, throttling for 60 secs > > > Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not > responding, delayed sending initial response (greeting): user=<>, > rip=166.170.27.161, lip=98.102.63.107, TLS, session=</GXn0lY22wCmqhuh> > > > > > > This looks pretty bad right off. Why "Unknown authentication mechanism > 'gssapi'"? > > > > > > Do you have any idea from the configs I've posted? I'm rather > depressed about this. I thought I'd > > > finally able to get AD authentication going for Dovecot. Not ready to > give up though! > > > > > > Suggestions? > > > > > > THX -- Mark > > > > > > -----original Message----- > > > > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config > example] > > > > To: dovecot at dovecot.org > > > > From: Aki Tuomi <aki.tuomi at dovecot.fi> > > > > Date: Tue, 28 Jun 2016 15:13:11 +0300 > > > > > > > > On 28.06.2016 09:27, Mark Foley wrote: > > > > > Aki, > > > > > > > > > > To review your 5 points: > > > > > > > > > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tuomi at dovecot.fi> > wrote: > > > > > > > > > >> 1. Functional AD or Kerberos environment > > > > >> 2. Time synced against your KDC (which is your Domain Controller > on Windows) > > > > >> 3. /etc/krb5.conf configured > > > > >> 4. Both forward / reverse DNS names correct for clients and > servers. > > > > >> Reverse is only mandatory for servers, but having them right will > work > > > > >> wonders. Most kerberos problems are about DNS problems. > > > > >> 5. You need a keytab. This keytab needs to hold entries like > > > > >> IMAP/your.host.name at REALM and IMAP/$HOSTNAME at REALM. You can > generate > > > > >> these on any Windows DC server (at least). > > > > > I believe I am good on 1,2 and 4. I downloaded and installed > kerberos and tested it with kinit > > > > > and klist according to the instructions at > > > > > > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos > > > > > > > > > > As to the the keytab (#5) I did the following: > > > > > > > > > > $ samba-tool domain exportkeytab /etc/krb5.keytab > > > > > > > > > > which created the file. I made this owned and readable by group > dovecot, per instructions at > > > > > http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist > -k /etc/krb5.keytab` shows me > > > > > configuration listing all the users and computers in the domain, > mostly in triplicate. A > > > > > partial list: > > > > > > > > > > Keytab name: FILE:/etc/krb5.keytab > > > > > KVNO Principal > > > > > ---- > -------------------------------------------------------------------------- > > > > > 18 COMMON$@HPRS.LOCAL > > > > > 18 COMMON$@HPRS.LOCAL > > > > > 18 COMMON$@HPRS.LOCAL > > > > > 1 MAIL$@HPRS.LOCAL > > > > > 1 MAIL$@HPRS.LOCAL > > > > > 1 MAIL$@HPRS.LOCAL > > > > > 1 charmaine at HPRS.LOCAL > > > > > 1 charmaine at HPRS.LOCAL > > > > > 1 charmaine at HPRS.LOCAL > > > > > > > > > > where COMMON and MAIL are hosts and charmaine is a user. I don't > really understand the listing, > > > > > but am assuming it is OK. > > > > > > > > Strange that you do not have any host/ entries. Maybe it works > without. > > > > > > > > >> setspn -q is helpful here, also setspn command in general. > > > > > I have no such command in my system. Is that a Windows thing? > > > > > > > > > > > > > Yes, but you can do those kind of things in Samba too. > > > > > > > > > As to the /etc/krb5.conf, the default one generated by samba is: > > > > > > > > > > [libdefaults] > > > > > default_realm = HPRS.LOCAL > > > > > dns_lookup_realm = false > > > > > dns_lookup_kdc = true > > > > > > > > > > I'd like to modify that to your suggestions, but I need more help. > You have (with my questions): > > > > > > > > > >> Here is a *SAMPLE* configuration: > > > > >> > > > > >> [libdefaults] > > > > >> default_realm = YOUR.REALM > > > > >> dns_lookup_kdc = true > > > > >> krb4_config = /etc/krb.conf > > > > >> krb4_realms = /etc/krb.realms > > > > > Here, you have krb4_*. Do you mean that? My config file is > krb5.conf. Should I rather have: > > > > > > > > You can remove the krb4_ stuff > > > > > > > > > krb5_config = /etc/krb5.conf > > > > > > > > > > Also, I have no /etc/krb*.realms file. Do I need this? If so, what > should be in there? > > > > You don't necessarely require that. > > > > > > > > >> kdc_timesync = 1 > > > > >> ccache_type = 4 > > > > >> forwardable = true > > > > >> proxiable = true > > > > >> fcc-mit-ticketflags = true > > > > >> > > > > >> [realms] > > > > >> YOUR.REALM = { > > > > >> default_domain = your.domain.name > > > > >> auth_to_local_names = { > > > > >> Administrator = root > > > > >> } > > > > >> } > > > > > I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my " > your.domain.name" my FQDN for my AD > > > > > server: mail.hprs.local, or is it just hprs.local? (or something > else!) > > > > > > > > HPRS.LOCAL is your REALM, hprs.local is your domain name. > > > > > > > > > >> [domain_realm] > > > > >> your.domain.name = YOUR.REALM > > > > >> # this is not a mistake > > > > >> .your.domain.name = YOUR.REALM > > > > >> [login] > > > > >> krb4_convert = true > > > > >> krb4_get_tickets = false > > > > > Likewise here a question on the whole krb4 versus krb5 thing. > > > > > > > > > > Your closing comment: > > > > > > > > > >> Also, note that kerberos can only act as AUTHENTICATION system. It > > > > >> cannot act as USER DATABASE. For that you need to configure LDAP > or > > > > >> something else. With Active Directory LDAP is probably a damn > good idea. > > > > > I have the following doveconf -n: > > > > > > > > > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > > > > > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > > > > > auth_debug_passwords = yes > > > > > auth_krb5_keytab = /etc/krb5.keytab > > > > > auth_mechanisms = plain login gssapi > > > > > auth_verbose = yes > > > > > auth_verbose_passwords = plain > > > > > disable_plaintext_auth = no > > > > > info_log_path = /var/log/dovecot_info > > > > > mail_location = maildir:~/Maildir > > > > > passdb { > > > > > driver = shadow > > > > > } > > > > > protocols = imap > > > > > ssl_cert > </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt > > > > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key > > > > > userdb { > > > > > driver = passwd > > > > > } > > > > > verbose_ssl = yes > > > > > > > > > > I assume the passwd driver for the userdb is OK? Seems to me it > should work with gssapi, but in > > > > > any case I still have all but this test workstation NOT using > gssapi, so I still need to > > > > > accomodate them. > > > > > > > > > > Thanks, --Mark > > > > passwd driver is fine, yes, if you ensure that users can be found. > > > > > > > > Aki > > > > > > > > Doh. Seems your dovecot isn't compiled with gssapi support? Can you > compile it yourself? > > > > I'll try to check status of NTLM this week. > > > > Aki > > >
Mark Foley
2016-Jun-29 15:40 UTC
Looking for GSSAPI config [was: Looking for NTLM config example]
Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that. The Thunderbird message is: "The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark at ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm." I made further comments in that message that I won't clutter the list by repeating here. Check out that message and see what you think could be wrong. Thanks for your help! I'm sure this is solvable! --Mark -----Original Message-----> Date: Wed, 29 Jun 2016 08:03:14 -0400 > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example] > From: brendan kearney <bpk678 at gmail.com> > To: Mark Foley <mfoley at ohprs.org> > Cc: dovecot at dovecot.org > > The last log line shows "user=<>". This indicates no credentials were > presented. If the rip field matches the client ip you tested from, I would > bet the appropriate kerberos ticket (imap/host.domain.tld at REALM) was not > pulled for the authentication. > On Jun 28, 2016 11:33 PM, "Mark Foley" <mfoley at ohprs.org> wrote:[deleted]
Aki Tuomi
2016-Jun-30 06:58 UTC
Looking for GSSAPI config [was: Looking for NTLM config example]
I think the problem still is that your keytab file has no entry imap/hostname at DOMAIN and IMAP/hostname at DOMAIN you also have no host/hostname at DOMAIN Aki On 29.06.2016 18:40, Mark Foley wrote:> Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that. > The Thunderbird message is: > > "The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark at ohprs.org. Please check > that you are logged in to the Kerberos/GSSAPI realm." > > I made further comments in that message that I won't clutter the list by repeating here. Check > out that message and see what you think could be wrong. > > Thanks for your help! I'm sure this is solvable! > > --Mark > > -----Original Message----- >> Date: Wed, 29 Jun 2016 08:03:14 -0400 >> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example] >> From: brendan kearney <bpk678 at gmail.com> >> To: Mark Foley <mfoley at ohprs.org> >> Cc: dovecot at dovecot.org >> >> The last log line shows "user=<>". This indicates no credentials were >> presented. If the rip field matches the client ip you tested from, I would >> bet the appropriate kerberos ticket (imap/host.domain.tld at REALM) was not >> pulled for the authentication. >> On Jun 28, 2016 11:33 PM, "Mark Foley" <mfoley at ohprs.org> wrote: > [deleted]