> ... you don't get the /etc/krb5.keytab by default on a DC, you will need
> to create it:
>
> samba-tool domain exportkeytab /etc/krb5.keytab

Excellent! Thank you. I've done that now, but I have more issues more appropriate to a reply to Mathias' message following.

--Mark

-----Original Message-----
> To: samba at lists.samba.org
> From: Rowland penny <rpenny at samba.org>
> Date: Mon, 27 Jun 2016 08:09:47 +0100
> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
>
>> I am running Samba 4.1.23 as an AD/DC. It has been running fine for more than 1 1/2 years as an
>> AD/DC for mostly Windows workstations.
>>
>> I'm trying to set up Dovecot with gssapi authentication. The config needs the location of the service
>> keys located in the keytab file. The default location it looks for is:
>>
>> /etc/krb5.keytab
>>
>> There is no such file there, nor is there a so-named file on the AD/DC at all. I do find:
>>
>> /etc/samba/private/secrets.keytab
>> /etc/samba/private/dns.keytab
>>
>> Is one of these what I can use for the Dovecot required config?
>>
>> THX --Mark
>>
> Hi, you don't get the /etc/krb5.keytab by default on a DC, you will need
> to create it:
>
> samba-tool domain exportkeytab /etc/krb5.keytab
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 27/06/16 19:47, Mark Foley wrote:
>> ... you don't get the /etc/krb5.keytab by default on a DC, you will need
>> to create it:
>>
>> samba-tool domain exportkeytab /etc/krb5.keytab
> Excellent! Thank you. I've done that now, but I have more issues more appropriate to a reply to Mathias' message following.
>
> --Mark
>

The easiest way to find out what is in your keytab is with ktutil:

root at dc1:~# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 DC1$@SAMDOM.EXAMPLE.COM
   2    1 DC1$@SAMDOM.EXAMPLE.COM
   3    1 DC1$@SAMDOM.EXAMPLE.COM
   4    1 DC1$@SAMDOM.EXAMPLE.COM
   5    1 DC1$@SAMDOM.EXAMPLE.COM
   6    1 DC2$@SAMDOM.EXAMPLE.COM
   7    1 DC2$@SAMDOM.EXAMPLE.COM
   8    1 DC2$@SAMDOM.EXAMPLE.COM
   9    1 DC2$@SAMDOM.EXAMPLE.COM
  10    1 DC2$@SAMDOM.EXAMPLE.COM
....................................
............................
......................
ktutil: q
root at dc1:~#

You can also add to the keytab; is this what you need to do?

Rowland
To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab file as required by Dovecot. I've also downloaded and installed Kerberos for access to the k* commands (ktutil, kinit, klist, ...).

In my current setup, the Thunderbird client (WIN7 workstation) is not connecting. The WIN7 workstation is a domain member and works fine otherwise with Samba4 for AD user authentication, etc. Thunderbird gives the following error:

"The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark at ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."

One disconcerting bit about that message is the named IMAP server "mark at ohprs.org" is not a server at all, but rather the email address of the Thunderbird account.

When attempting to connect, the Dovecot log simply has "Disconnected (no auth attempts in 18 secs): user=<>". No message at all appears in the samba log although I have auth:10 level set. Dovecot's 'configuration' for GSSAPI consists of nothing more than specifying:

auth_mechanisms = plain login gssapi

That's it (the other mechanisms work just fine, BTW). Not much I can mess with there.

I think the problem is with Samba and handling the authentication. I do not think my Samba4 is configured correctly. Over a year ago Rowland Penny helped me configure an Ubuntu workstation for single-sign-on using Kerberos. He had me put the following lines into that workstation's smb.conf file, none of which appear in the provisioned smb.conf on the Samba4 AD/DC server:

security = ADS
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind nss info = rfc2307
winbind trusted domains only = no
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes

I've tried sticking all of these in the AD/DC smb.conf and, when restarting Samba, I get a log message, "Samba detected misconfigured 'server role' and exited."

He also had me put the following in /etc/nsswitch.conf:

passwd: compat winbind
group: compat winbind

Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.

Need Help! Thanks --Mark

-----Original Message-----
> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
> To: Mark Foley <mfoley at ohprs.org>
> From: Rowland penny <rpenny at samba.org>
> Date: Mon, 27 Jun 2016 20:50:28 +0100
>
> On 27/06/16 20:13, Mark Foley wrote:
>> Rowland penny <rpenny at samba.org> wrote:
>>
>>> The easiest way to find out what is in your keytab is with ktutil:
>> Probably, but as I replied to Mathias' message, I have none of the k* commands installed on my system, including ktutil. I'm researching as to how I can get these now.
>>
>> Thanks, Mark
>
> apt-get install krb5-user
>
> Or the equivalent on red-hat (except I think the required package is
> krb5-workstation)
>
> Rowland
>
I myself have dovecot running and auth is against a samba4 dc running on the same host. Perhaps it can help you to let samba do the authentication.

Greetings
Daniel

EDV Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
Email: mueller at tropenklinik.de
www.tropenklinik.de
www.bauen-sie-mit.tropenklinik.de

-----Original Message-----
From: Mark Foley [mailto:mfoley at ohprs.org]
Sent: Thursday, 30 June 2016 10:45
To: samba at lists.samba.org
Subject: Re: [Samba] Where is krb5.keytab or equivalent?
On 30.06.2016 10:45, Mark Foley wrote:
> Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server
> for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.

Add this line to your dovecot configuration.

auth_gssapi_hostname = "$ALL"

Create the keytab with
On 30.06.2016 10:45, Mark Foley wrote:
> Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server
> for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.

Hello Mark,

This is what I used in debian wheezy a few years back. I assume arcfour-hmac is unsafe these days but I did not yet investigate into other working encryption methods here. If you need smtp (postfix with auth via dovecot) also add the smtp SPNs. Use the password for user dovecot during keytab creation.

1. Create a user

samba-tool user create dovecot

2. Add the SPNs

samba-tool spn add smtp/server.domain.local@DOMAIN.LOCAL dovecot
samba-tool spn add imap/server.domain.local@DOMAIN.LOCAL dovecot

3. Create the keytab file

ktutil
addent -password -p smtp/server.domain.local@DOMAIN.LOCAL -k 1 -e arcfour-hmac
addent -password -p imap/server.domain.local@DOMAIN.LOCAL -k 1 -e arcfour-hmac
wkt /etc/dovecot/dovecot.keytab

4. Add this to your dovecot config

# Kerberos
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab

Hope it helps,
achim~
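An added check, not from the thread or any of its posters, that audits what the steps above (and Rowland's ktutil listing earlier) put into the keytab: it confirms the imap/ and smtp/ SPNs for the host are present and flags principals whose only keys use the legacy arcfour-hmac or single-DES types that achim notes are unsafe. It assumes MIT Kerberos `klist -k -e` output (principal followed by the enctype in parentheses); the hostname and realm are the placeholders from achim's post, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Dovecot keytab listing for the
# imap/ and smtp/ SPNs and flag legacy key types. Assumes MIT Kerberos
# `klist -k -e` output format; Heimdal prints a different layout.

# Constructed sample of `klist -k -e /etc/dovecot/dovecot.keytab` output
# (not captured from a real host): imap has only an RC4 key, smtp has AES.
SAMPLE_KLIST='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/server.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   1 smtp/server.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)'

# audit_keytab_listing HOST REALM   (klist output on stdin)
# Prints OK / WEAK / MISSING per required SPN; returns 1 on any WEAK or MISSING.
audit_keytab_listing() {
    host=$1; realm=$2; rc=0
    listing=$(cat)
    for svc in imap smtp; do
        spn="$svc/$host@$realm"
        entries=$(printf '%s\n' "$listing" | grep -F " $spn ")
        if [ -z "$entries" ]; then
            echo "MISSING $spn"; rc=1; continue
        fi
        # arcfour-hmac (RC4) and single-DES keys are legacy; a principal that
        # has no key of any other type should be re-keyed with an AES enctype.
        if printf '%s\n' "$entries" | grep -Evq '\((arcfour-hmac|des-cbc)'; then
            echo "OK $spn"
        else
            echo "WEAK $spn"; rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed sample. On a real host:
#   klist -k -e /etc/dovecot/dovecot.keytab | audit_keytab_listing server.domain.local DOMAIN.LOCAL
if printf '%s\n' "$SAMPLE_KLIST" | audit_keytab_listing server.domain.local DOMAIN.LOCAL; then
    echo "keytab OK"
else
    echo "keytab needs attention"
fi
```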
On 30.06.2016 10:45, Mark Foley wrote:
> Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server
> for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.

Sorry for my first reply, had hit submit by accident.

You may also need this in your dovecot configuration.

# Strip domain part from username
auth_username_format=%n