Mark Foley
2016-Jul-04  04:44 UTC
Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
After over a year and a half struggling to get Dovecot to do either NTLM or GSSAPI authentication with Samba4 AD/DC, I believe I've finally got it! Thanks to all those in this list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom Talpey, especially Aki Tuomi; and infinite thanks to Achim Gottinger on the SambaList for his patience in working this through with me. Although my purpose was for Dovecot to authenticate mail clients, the configuration settings needed were on the Samba side. I hope a variation of these instructions can eventually make it into:
http://wiki2.dovecot.org/Authentication/Kerberos
What is essentially missing from the wiki is how to set up the proper Service Principal Names and the subsequent creation of a Dovecot-usable Kerberos keytab file. The wiki comment on "k5principals passdb" was not helpful and largely unintelligible to me.
Perhaps like many of you, I have switched from Microsoft SBS and Exchange to Samba4 and Dovecot/IMAP. The transition was completely transparent to my users, except they needed a separate password for email authentication in the absence of NTLM or GSSAPI working with Dovecot. A mild inconvenience, but I have been on a "quest" to fill that gap. This solution finally takes care of that last piece.
The following describes how to create the SPNs and krb5 keytab files using Samba4, which has its own built-in (Heimdal) Kerberos. The procedures are probably similar for other facilities such as setspn for Windows, but I've not used those, so I won't attempt to discuss those mechanisms here.
You do need Kerberos, as the Samba built-in Kerberos does not have needed commands like `klist`. My distro (Slackware 14.1) does not come with Kerberos (nor, I think, does Ubuntu), but it is easily found at:
https://slackbuilds.org/repository/14.1/network/krb5/
Ubuntu/Debian: apt-get install krb5-config libpam-krb5 krb5-user ssh-krb5 (perhaps more)
After provisioning Samba4, copy the krb5.conf template to /etc/krb5.conf. (Note: the actual docs advise symlinking:
  ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf
but I prefer making a copy in case I need to modify things.)
I've set the /etc/krb5.conf file to world readable. Its default contents are (and these do not need to be changed):
[libdefaults]
        default_realm = HPRS.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
where HPRS.LOCAL is my realm; of course, use your own.
Now, we need a Samba user in order to create the necessary SPNs (Server Principal Names):
$ samba-tool user create dovecot
New Password:
Retype Password:
User 'dovecot' created successfully
Next, add the SPN(s), and create the keytab:
$ samba-tool spn add imap/mail.hprs.local dovecot
$ samba-tool domain exportkeytab --principal imap/mail.hprs.local /etc/dovecot/dovecot.keytab
Dovecot does not do my (outgoing) SMTP serving, only (incoming) IMAP, but if it did I'd have to create another SPN for smtp:
$ samba-tool spn add smtp/mail.hprs.local dovecot
$ samba-tool domain exportkeytab --principal smtp/mail.hprs.local /etc/dovecot/dovecot.keytab
Dovecot needs to be able to read the keytab file:
$ chgrp dovecot /etc/dovecot/dovecot.keytab
$ chmod g+r /etc/dovecot/dovecot.keytab
My new keytab:
$ klist -Kek /etc/dovecot/dovecot.keytab
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
   1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
(and if I also created the SPN for smtp I would also have these:)
   1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
   1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
   1 smtp/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
DOVECOT SETTINGS:
My version: 2.2.15
Of crucial importance is to build Dovecot with GSSAPI! That is NOT one of the default settings. In the Dovecot build directory:
./configure --with-gssapi=yes
Other than that serious build gotcha, settings are pretty simple. Add the following 3 settings to 10-auth.conf:
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
The auth_gssapi_hostname is supposedly not required according to some of the above-listed commenters, but my 10-auth.conf template implies differently, so it can't hurt.
gssapi does not require a passdb. Use whatever userdb you want. The Dovecot wiki doc has some suggestions, none of which I've tried. I use 'driver = passwd' for my userdb for unrelated reasons.
I couldn't get any of this working until I rebooted the Samba AD/DC-Dovecot server, but that just may have been me not stopping/starting Samba and Dovecot in the right sequence (or everything happened to start working with a concurrent upgrade to Samba 4.2!).
In my Win7 and Ubuntu Thunderbird clients I selected gssapi/kerberos for the IMAP authentication method and it works!
I've even changed the test user's AD password, just to make sure.
Someone please put at least the required info on creating the SPNs and krb keytab file for other poor schmucks like me.
Now, if I can get NTLM figured out for the remaining Outlook users ... !
--Mark
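A pre-flight check for the keytab produced by the steps in the post above, written as an added example for this thread (not Mark's, Dovecot's or Samba's code). It assumes MIT `klist` (the `-Kek` form shown in the post); the sample listing it parses is constructed to match the post's output, with placeholder key values.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a Dovecot GSSAPI keytab
# created with "samba-tool domain exportkeytab". Assumes MIT klist.
LC_ALL=C; export LC_ALL

# Constructed sample of "klist -Kek" output, shaped like the post's listing;
# the key values are zero placeholders, not real key material.
SAMPLE_KLIST='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x0000000000000000)
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x0000000000000000)
   1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x00000000000000000000000000000000)'

# keytab_mode_ok FILE: group-readable (for the dovecot group, as the post's
# chgrp/chmod intend) but NOT world-readable; a keytab is the service's password.
keytab_mode_ok() {
    m=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$m" ] || return 1
    [ "$(printf '%s' "$m" | cut -c5)" = "r" ] &&
        [ "$(printf '%s' "$m" | cut -c8)" = "-" ]
}

# keytab_has_spn KLIST_OUTPUT PRINCIPAL: true if the principal has a key entry.
keytab_has_spn() {
    printf '%s\n' "$1" | grep -q "^ *[0-9][0-9]* $2 ("
}

# keytab_weak_enctypes KLIST_OUTPUT: print each DES or RC4 enctype present,
# one per line. The post's keytab has only these; DES is deprecated (RFC 6649)
# and RC4 is being retired, so a keytab with no AES keys is worth flagging.
keytab_weak_enctypes() {
    printf '%s\n' "$1" \
      | sed -n 's/^ *[0-9][0-9]* [^ ]* (\([^)]*\)).*/\1/p' \
      | grep -E -i 'des-cbc|arcfour|rc4' | sort -u
}

# check_keytab FILE PRINCIPAL: run all three checks against a real keytab.
check_keytab() {
    keytab_mode_ok "$1" || echo "WARN: $1 should be mode 640, group dovecot"
    out=$(klist -Kek "$1") || return 1
    keytab_has_spn "$out" "$2" || echo "FAIL: no entry for $2 in $1"
    weak=$(keytab_weak_enctypes "$out")
    [ -z "$weak" ] || echo "WARN: weak enctypes in $1: $(printf '%s' "$weak" | tr '\n' ' ')"
}

# Usage (hypothetical path and principal, taken from the post's examples):
#   check_keytab /etc/dovecot/dovecot.keytab imap/mail.hprs.local@HPRS.LOCAL
```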
Aki Tuomi
2016-Jul-04  05:54 UTC
Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
On 04.07.2016 07:44, Mark Foley wrote:
> After over a year and a half struggling to get Dovecot to do either NTLM or GSSAPI
> authentication with Samba4 AD/DC, I believe I've finally got it! Thanks to all those in this
> list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom Talpey especially Aki Tuomi;
> and infinite thanks to Achim Gottinger on the SambaList for his patience in working this
> through with me. Although my purpose was for Dovecot to authenticate mail clients, the
> configuration settings needed were on the Samba side. I hope a variation of these instructions
> can eventually make it into:
>
> http://wiki2.dovecot.org/Authentication/Kerberos
>

It has been now updated. I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2. I have to set up some kind of test environment to find out why it bugs.

Aki
Mark Foley
2016-Jul-04  07:23 UTC
Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> > http://wiki2.dovecot.org/Authentication/Kerberos
>
> It has been now updated.

Excellent! That was quick! Although, you used my actual local domain in your example: mail.hprs.local. Not that I care, no one can get to that, but it might be clearer to those of us who uncomprehendingly monkey-type things from wikis when we don't fully understand. Perhaps something more generic would be clearer: myhost.myrealm, or myhost.mydom.local, or myLocalFQDN -- something like that. Not sure what is best; just don't want to imply that they HAVE TO use mail.hprs.local.

> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
> I have to set up some kind of test environment to find out why it bugs.

I'm going to give my brain a rest for a bit before I resume tilting at the NTLM windmill! I'll check back with the list to see if you've come up with anything.

> Aki

Again, thanks for all your help.

--Mark