Did a few tests here: "auth_gssapi_hostname = "$ALL"" is no longer
required with dovecot (2.2.13 here).

Add "auth_debug=yes" to your dovecot config.

192.168.100.1 is my client's IP, 192.168.100.101 is the server's.

ag is the domain account username I use to login to windows and also the
username configured in thunderbird.

On my debian system a package named libsasl2-modules-gssapi-mit must be
installed.

To test kerberos against dovecot from the command line install "mutt".

I assume your windows account name is "mark"

~# kinit mark
~# MAIL=imap://mark@mail.hprs.local/ mutt

A successful login with mutt looks like this in the mail logfile:

Debug: auth client connected (pid=22585)
logon-zor dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured#011session=p/ahQ4c2/wB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=44287#011resp=<hidden>
logon-zor dovecot: auth: Debug: gssapi(?,127.0.0.1,<p/ahQ4c2/wB/AAAB>): Obtaining credentials for imap@
logon-zor dovecot: auth: Debug: gssapi(ag,127.0.0.1,<p/ahQ4c2/wB/AAAB>): security context state completed.
logon-zor dovecot: auth: Debug: client passdb out: CONT#0111#011YIGVBgkqhkiG9xIBAgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrXAIZT4a2p58/+ylPphtphYA6sTnK4QCyRkHRm1VTnvrfjxc3Ya2ui9IHsBGnPggzjLVNScFx6aHJi99VCDG7s07zNUF8d4WHuNZz7el5gwK4Quy3AeUX8zVa7xkIECuTtT5W7BjpsBThhMc
logon-zor dovecot: auth: Debug: client in: CONT<hidden>
logon-zor dovecot: auth: Debug: gssapi(ag,127.0.0.1,<p/ahQ4c2/wB/AAAB>): Negotiated security layer
logon-zor dovecot: auth: Debug: client passdb out: CONT#0111#011BQQF/wAMAAAAAAAAKxVA5AH///8b1puThszycYxSFvE
logon-zor dovecot: auth: Debug: client in: CONT<hidden>

imap-login: Login: user=<ag>, method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=19022, TLS, session=<CdYH6IY2oADAwAw9>

Also take a look at this page
wiki2.dovecot.org/Authentication/Kerberos

Looking at my spn's you may also need

samba-tool spn add imap/mail.hprs.local dovecot

On 01.07.2016 at 00:46, Mark Foley wrote:
> Achim,
>
> I deleted the keytab file and did the following:
>
> $ samba-tool user delete dovecot
> $ samba-tool user add dovecot
>
> # again, that asked for a password and I assigned one.
>
> $ samba-tool spn add smpt/mail.hprs.local@HPRS.LOCAL dovecot
> $ samba-tool spn add imap/mail.hprs.local@HPRS.LOCAL dovecot
>
> $ ktutil
> ktutil: addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac
> Password for smtp/mail.hprs.local@HPRS.LOCAL:
> ktutil: addent -password -p imap/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac
> Password for imap/mail.hprs.local@HPRS.LOCAL:
> ktutil: wkt /etc/dovecot/dovecot.keytab
> ktutil: quit
>
> $ ktutil
> ktutil: read_kt /etc/dovecot/dovecot.keytab
> ktutil: list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1 smtp/mail.hprs.local@HPRS.LOCAL
>    2    1 imap/mail.hprs.local@HPRS.LOCAL
>
> So, much better. Duh for me not noticing that I had to change fqdn and domain to my own.
>
> Reloaded dovecot and tried again. Same error :(
>
> Jun 30 18:36:10 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<OTQqf4Y2SgDAqAA6>
>
> You wrote:
>
>> It must be possible for Thunderbird to use plain authentication with your windows account
>> username. Can be you must configure userdb and passdb to do ldap lookups against active
>> directory.
> Yes, Thunderbird (and Outlook, iPhone/Android, roundCube) all do plain text auth to dovecot. I will
> continue to need this for non-domain email clients. According to the dovecot folks, the passwd
> as userdb should work OK for gssapi. The passdb is ignored for gssapi. Besides, LDAP
> authentication is another one (along with NTLM) that I haven't been able to get working with
> Dovecot. The only ones I've been able to get working are PLAIN and, believe it or not,
> checkpassword - which is basically a passdb driver for PLAIN.
>
> Perhaps there is some samba setting I'm missing? Here's my AD/DC smb.conf, do you see anything
> missing I need?
>
> [global]
> workgroup = HPRS
> realm = hprs.local
> netbios name = MAIL
> interfaces = lo, eth1
> bind interfaces only = Yes
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
>
> winbind use default domain = yes
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> log level = 2 passdb:5 auth:10 winbind:2 lanman:10
> max log size = 1000
>
> [netlogon]
> path = /var/lib/samba/sysvol/hprs.local/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [Users]
> path = /redirectedFolders/Users
> comment = user folders for redirection
> read only = No
>
> [share]
> path = /var/lib/samba/share
> comment = Shared folder
> read only = No
>
> Thanks --Mark
>
> -----Original Message-----
>> To: samba at lists.samba.org
>> From: Achim Gottinger <achim at ag-web.biz>
>> Date: Thu, 30 Jun 2016 23:44:17 +0200
>> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
>>
>> On 30.06.2016 at 23:16, Mark Foley wrote:
>>> Achim, thanks a lot! A couple of questions on your suggested settings:
>>>
>>>> 1. Create an user
>>>> samba-tool create user dovcot
>>> I did this (actually `samba-tool user create dovecot`), but it asked for a password. I
>>> entered one. You didn't mention that, so I hope it's OK.
>> Yes
>>>
>>>
>>>> 2. Add the spn
>>>> samba-tool spn add smtp/server.domain.local@DOMAIN.LOCAL dovecot
>>>> samba-tool spn add imap/server.domain.local@DOMAIN.LOCAL dovecot
>>> Did that too. No issue there.
>> Well you must substitute server.domain.local with your mailserver fqdn
>> and DOMAIN.LOCAL with HPRS.LOCAL.
>>>> 3. Create the keytab file
>>>> ktutil
>>>> addent -password -p smtp/server.domain.local@DOMAIN.LOCAL -k 1 -e
>>>> arcfour-hmac
>>>> addent -password -p imap/server.domain.local@DOMAIN.LOCAL -k 1 -e
>>>> arcfour-hmac
>>>> wkt /etc/dovecot/dovecot.keytab
>>> As you can see, your text wrapped, but from the error message I got I assumed the -e [enctype]
>>> should have been the arcfour-hmac on the next line. So I did:
>>>
>>> $ ktutil
>>> ktutil: addent -password -p smtp/server.domain.local@DOMAIN.LOCAL -k 1 -e arcfour-hmac
>>> ktutil: addent -password -p imap/server.domain.local@DOMAIN.LOCAL -k 1 -e arcfour-hmac
>> Same here, substitute like above and, as you said, arcfour-hmac belongs on
>> the same line.
>>> Of course, that will probably also wrap when you get this message, but basically I put the
>>> arcfour-hmac on the same line as the addent. Each time, these commands also asked for a
>>> password. Again, you didn't mention that, but I used the same password I used for the
>>> `samba-tool user create` command above.
>>>
>>> I tried 'wkt /etc/dovecot/dovecot.keytab' while in ktutil, but I got, "Unknown request "wtk".
>>> Type '?' for a request list." In looking at the "?" list I saw 'wkt', so I assumed you simply
>>> transposed the letters. I tried it and it took.
>> Yes wkt is the command, but make sure /etc/dovecot/dovecot.keytab does
>> not yet exist.
>> Only the two keys you just added are required to get kerberos working.
>> The system keytab you generated with samba-tool domain exportkeytab is
>> not required.
>>>
>>>
>>>> 4. Add this to your dovecot config
>>>>
>>>> # Kerberos
>>>> auth_gssapi_hostname = "$ALL"
>>>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
>>> Did that. In addition, I set the keytab file's group to dovecot and made the file group
>>> readable, as suggested by wiki2.dovecot.org/Authentication/Kerberos. I also tried
>>> making it world readable. Now, after doing all that and restarting dovecot I still get the
>>> same dovecot error:
>>>
>>> Jun 30 16:59:54 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<3hLnJoU2vgDAqAA6>
>>>
>>> and still the same error in Thunderbird: "The Kerberos/GSSAPI ticket was not accepted by the
>>> IMAP server mark@ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."
>>>
>>> As I've mentioned before, "mark@ohprs.org" is not a server. It is the email address of the
>>> Thunderbird account (running on WIN7).
>>>
>>> Here is my doveconf -n (gssapi marked with *):
>>>
>>> auth_debug_passwords = yes
>>> * auth_gssapi_hostname = $ALL
>>> * auth_krb5_keytab = /etc/krb5.keytab
>>> * auth_mechanisms = plain login gssapi
>>> auth_verbose = yes
>>> auth_verbose_passwords = plain
>>> disable_plaintext_auth = no
>>> info_log_path = /var/log/dovecot_info
>>> mail_location = maildir:~/Maildir
>>> passdb {
>>>   driver = shadow
>>> }
>>> protocols = imap
>>> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
>>> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
>>> userdb {
>>>   driver = passwd
>>> }
>>> verbose_ssl = yes
>>>
>>> (yes, I put the keytab file in /etc/krb5.keytab, not in etc/dovecot. Should be OK, right?)
>>>
>>> Here is my keytab list (partial); note that every entry appears in triplicate. I don't see
>>> 'dovecot' in there at all; maybe that's OK:
>>>
>>> ktutil: list
>>> slot KVNO Principal
>>> ---- ---- ---------------------------------------------------------------------
>>>    1   18 COMMON$@HPRS.LOCAL
>>>    2   18 COMMON$@HPRS.LOCAL
>>>    3   18 COMMON$@HPRS.LOCAL
>>>    4    1 MAIL$@HPRS.LOCAL
>>>    5    1 MAIL$@HPRS.LOCAL
>>>    6    1 MAIL$@HPRS.LOCAL
>>>    7    1 charmaine@HPRS.LOCAL
>>>    8    1 charmaine@HPRS.LOCAL
>>>    9    1 charmaine@HPRS.LOCAL
>>>    :
>>>   19    1 Administrator@HPRS.LOCAL
>>>   20    1 Administrator@HPRS.LOCAL
>>>   21    1 Administrator@HPRS.LOCAL
>>>    :
>>>   91    1 krbtgt@HPRS.LOCAL
>>>   92    1 krbtgt@HPRS.LOCAL
>>>   93    1 krbtgt@HPRS.LOCAL
>>>    :
>>>   97    1 smtp/server.domain.local@DOMAIN.LOCAL
>>>   98    1 imap/server.domain.local@DOMAIN.LOCAL
>>>
>>> Can you tell from any of this why I'm still not able to authenticate?
>> You only need the lines 97 and 98, and substitute fqdn and realm like I
>> mentioned above.
>> It must be possible for Thunderbird to use plain authentication with
>> your windows account username.
>> Can be you must configure userdb and passdb to do ldap lookups against
>> active directory.
>>> Thanks, --Mark
>>>
>>> -----Original Message-----
>>>> To: samba at lists.samba.org
>>>> From: Achim Gottinger <achim at ag-web.biz>
>>>> Date: Thu, 30 Jun 2016 11:51:34 +0200
>>>>
>>>> On 30.06.2016 at 10:45, Mark Foley wrote:
>>>>> To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set
>>>>> Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab
>>>>> file as required by Dovecot. I've also downloaded and installed Kerberos for access to
>>>>> the k* commands (ktutil, kinit, klist, ...).
>>>>>
>>>>> In my current setup, the Thunderbird client (WIN7 workstation) is not connecting. The WIN7
>>>>> workstation is a domain member and works fine otherwise with Samba4 for AD user authentication,
>>>>> etc. Thunderbird gives the following error:
>>>>>
>>>>> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark@ohprs.org. Please check
>>>>> that you are logged in to the Kerberos/GSSAPI realm."
>>>>>
>>>>> One disconcerting bit about that message is the named IMAP server "mark@ohprs.org" is not a
>>>>> server at all, but rather the email address of the Thunderbird account.
>>>>>
>>>>> When attempting to connect, the Dovecot log simply has "Disconnected (no auth attempts in 18
>>>>> secs): user=<>". No message at all appears in the samba log although I have auth:10 level set.
>>>>> Dovecot's 'configuration' for GSSAPI consists of nothing more than specifying:
>>>>>
>>>>> auth_mechanisms = plain login gssapi
>>>>>
>>>>> That's it (the other mechanisms work just fine, BTW). Not much I can mess with there.
>>>>>
>>>>> I think the problem is with Samba and handling the authentication. I do not think my Samba4 is
>>>>> configured correctly. Over a year ago Rowland Penny helped me configure an Ubuntu workstation
>>>>> for single-sign-on using Kerberos. He had me put the following lines into that workstation's
>>>>> smb.conf file, none of which appear in the provisioned smb.conf on the Samba4 AD/DC server:
>>>>>
>>>>> security = ADS
>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>> kerberos method = secrets and keytab
>>>>> winbind nss info = rfc2307
>>>>> winbind trusted domains only = no
>>>>> winbind enum users = yes
>>>>> winbind enum groups = yes
>>>>> winbind refresh tickets = Yes
>>>>>
>>>>> I've tried sticking all of these in the AD/DC smb.conf and, when restarting Samba, I get a log
>>>>> message, "Samba detected misconfigured 'server role' and exited."
>>>>>
>>>>> He also had me put the following in /etc/nsswitch.conf:
>>>>>
>>>>> passwd: compat winbind
>>>>> group: compat winbind
>>>>>
>>>>> Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server
>>>>> for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.
>>>>>
>>>>> Need Help! Thanks --Mark
>>>> Hello Mark,
>>>>
>>>> This is what I used in debian wheezy a few years back. I assume
>>>> arcfour-hmac is unsafe these days but I did not yet investigate into
>>>> other working encryption methods here.
>>>> If you need smtp (postfix with auth via dovecot) also add the smtp
>>>> spn's. Use the password for user dovecot during keytab creation.
>>>>
>>>> 1. Create an user
>>>> samba-tool create user dovcot
>>>>
>>>> 2. Add the spn
>>>> samba-tool spn add smtp/server.domain.local@DOMAIN.LOCAL dovecot
>>>> samba-tool spn add imap/server.domain.local@DOMAIN.LOCAL dovecot
>>>>
>>>> 3. Create the keytab file
>>>> ktutil
>>>> addent -password -p smtp/server.domain.local@DOMAIN.LOCAL -k 1 -e
>>>> arcfour-hmac
>>>> addent -password -p imap/server.domain.local@DOMAIN.LOCAL -k 1 -e
>>>> arcfour-hmac
>>>> wkt /etc/dovecot/dovecot.keytab
>>>>
>>>> 4. Add this to your dovecot config
>>>>
>>>> # Kerberos
>>>> auth_gssapi_hostname = "$ALL"
>>>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
>>>>
>>>> Hope it helps,
>>>> achim~
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: lists.samba.org/mailman/options/samba
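The recurring mistake in the exchange above is a keytab built from the recipe's placeholder principals (server.domain.local, DOMAIN.LOCAL) instead of the real FQDN and realm, which is invisible until someone reads the `ktutil: list` output carefully. As an added example (not code from the thread or from Samba/Dovecot), the Python below parses that output and reports any service key that is missing, still carries a placeholder, sits in the wrong realm or host, or has a mistyped service name. The sample listings are constructed from values that appear in the thread; the function names and the placeholder sets are my own.

```python
"""Sanity-check a `ktutil: list` dump for the IMAP/SMTP service keys.

Added example, not code from the thread.  The sample listings below are
constructed from values that appear in the thread; ktutil prints '@',
while the list archive rendered it as ' at ', so both spellings parse.
"""
import re

# Placeholders from the recipe quoted in this thread; they must be replaced
# by the real mail-server FQDN and Kerberos realm before creating keys.
PLACEHOLDER_HOSTS = {"server.domain.local"}
PLACEHOLDER_REALMS = {"DOMAIN.LOCAL"}

# One data row of `ktutil: list`: slot number, KVNO, principal.
KTUTIL_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")

# Constructed sample: the two-entry keytab Mark ended up with.
GOOD_LISTING = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 smtp/mail.hprs.local@HPRS.LOCAL
   2    1 imap/mail.hprs.local@HPRS.LOCAL
"""

# Constructed sample: recipe placeholders kept verbatim, plus one SPN with
# the service name mistyped (as in the 'smpt' samba-tool command above).
BAD_LISTING = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 MAIL$@HPRS.LOCAL
   2    1 smpt/mail.hprs.local at HPRS.LOCAL
   3    1 smtp/server.domain.local at DOMAIN.LOCAL
   4    1 imap/server.domain.local at DOMAIN.LOCAL
"""


def parse_ktutil_list(text):
    """Return [(slot, kvno, principal), ...] from `ktutil: list` output.

    Header and separator rows are skipped because they do not start with
    two integers.  ' at ' is folded back to '@' for archive-mangled input.
    """
    entries = []
    for line in text.splitlines():
        m = KTUTIL_ROW.match(line.replace(" at ", "@"))
        if m:
            entries.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return entries


def check_service_keys(entries, fqdn, realm, services=("imap", "smtp")):
    """Compare keytab principals with the service principals the mail server
    must own.  Returns a list of findings; an empty list means every expected
    key is present and no service entry looks copy-pasted or mistyped."""
    findings = []
    present = {principal for _, _, principal in entries}
    for svc in services:
        wanted = f"{svc}/{fqdn}@{realm}"
        if wanted not in present:
            findings.append(f"missing: {wanted}")
    for slot, _kvno, principal in entries:
        if "/" not in principal:
            continue  # user or machine account key, not a service key
        svc, _, rest = principal.partition("/")
        host, _, prealm = rest.partition("@")
        if host in PLACEHOLDER_HOSTS or prealm in PLACEHOLDER_REALMS:
            findings.append(f"slot {slot}: placeholder not substituted: {principal}")
        elif prealm != realm:
            findings.append(f"slot {slot}: realm {prealm} != {realm}: {principal}")
        elif host != fqdn:
            findings.append(f"slot {slot}: host {host} != {fqdn}: {principal}")
        elif svc not in services:
            findings.append(f"slot {slot}: unexpected service name {svc!r}: {principal}")
    return findings


if __name__ == "__main__":
    for name, listing in (("good", GOOD_LISTING), ("bad", BAD_LISTING)):
        findings = check_service_keys(parse_ktutil_list(listing),
                                      "mail.hprs.local", "HPRS.LOCAL")
        print(f"{name}: {'ok' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  " + finding)
```

Feed it the output of `ktutil`'s `read_kt` followed by `list`; the triplicated entries in Mark's system keytab are one key per encryption type, which `list -e` makes visible, so they are not flagged as duplicates here.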
Achim - per your instructions ...

> Did a few tests here: "auth_gssapi_hostname = "$ALL"" is no longer
> required with dovecot (2.2.13 here).

My dovecot is 2.2.15 and the 10-auth.conf (from the template) has the comment:

# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.

But, I've commented that out per your suggestion.

> Add "auth_debug=yes" to your dovecot config.

I already have: auth_debug_passwords = yes but I've added the auth_debug per your suggestion.

> 192.168.100.1 is my client's IP, 192.168.100.101 is the server's.

My WIN7/Thunderbird client is 192.168.0.58 and AD/DC/Dovecot server is 192.168.0.2

> ag is the domain account username I use to login to windows and also the
> username configured in thunderbird.

For me the domain and Tbird account is 'mark'

> On my debian system a package named libsasl2-modules-gssapi-mit must be
> installed.

I did install mit krb5. I am using Slackware which has a different package name, but it did install and compile OK, so I don't think I'm missing anything (but who knows?).

> To test kerberos against dovecot from the command line install "mutt".

I have mutt

> I assume your windows account name is "mark"

yes

> ~# kinit mark

I did the above ... as root (should I have been 'mark'?) on the AD/DC server.

----------
$ kinit mark
Password for mark@HPRS.LOCAL:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mark@HPRS.LOCAL

Valid starting       Expires              Service principal
06/30/2016 23:41:31  07/01/2016 09:41:31  krbtgt/HPRS.LOCAL@HPRS.LOCAL
        renew until 07/01/2016 23:41:27
---------

> ~# MAIL=imap://mark@mail.hprs.local/ mutt

Did that. A message quickly flashed: "Certificate host check failed: certificate owner does not match hostname mail.hprs.org". Then a (presumably) mutt edit window came up with:

-------
This certificate belongs to:
   mail.ohprs.org
   Unknown
   Unknown
   Domain Control Validated
   Unknown

This certificate was issued by:
   Go Daddy Secure Certificate Authority - G2
   Unknown
   GoDaddy.com, Inc.
   http:
   Scottsdale

This certificate is valid
   from Aug 14 21:38:38 2015 GMT
     to Aug 15 17:49:32 2016 GMT

Fingerprint: B3B3 98E9 5675 0CEB 95D4 9146 9D1C 9064

(r)eject, accept (o)nce, (a)ccept always
------

I did (r), then quit. I also tried MAIL=imap://mark@ohprs.org mutt to no better results.

> A successful login with mutt looks like this in the mail logfile:
> [deleted]

Nothing at all in maillog. Dovecot log had:

Jun 30 23:53:28 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [98.102.63.107]
Jun 30 23:53:43 imap-login: Debug: SSL alert: close notify [98.102.63.107]
Jun 30 23:53:43 imap-login: Info: Disconnected (no auth attempts in 15 secs): user=<>, rip=98.102.63.107, lip=98.102.63.107, TLS: Disconnected, session=<TD7I7oo2gQBiZj9r>

> Also take a look at this page
> wiki2.dovecot.org/Authentication/Kerberos

Been to that page dozens of times :) A couple of things different on that page from our config thus far:

1) "... you will need to install a service ticket of the form imap/hostname@REALM." We added 'imap/mail.hprs.local dovecot', i.e. the fqdn, not just the hostname. Could this be a clue?

2) "Enable plaintext authentication to use Kerberos. This is needed when some of your clients don't support GSSAPI and you still want them to authenticate against Kerberos." It then shows an /etc/pam.d/dovecot config, but I don't care about clients who do not support GSSAPI, so I don't think I need this.

> Looking at my spn's you may also need
> samba-tool spn add imap/mail.hprs.local dovecot

I added that, didn't make any difference.

Does the "Certificate host check failed" message and the mutt output tell you anything?
Thanks for your patience --Mark

-----Original Message-----
> To: samba at lists.samba.org
> From: Achim Gottinger <achim at ag-web.biz>
> Date: Fri, 1 Jul 2016 01:38:15 +0200
>
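The two Dovecot logs quoted in this thread differ at one telling point: Achim's shows "client in: AUTH ... GSSAPI" followed by gssapi(...) debug lines and "Login: user=<ag>, method=GSSAPI", while Mark's shows only "Disconnected (no auth attempts in N secs)", which Dovecot logs when the client closes the connection without ever sending an AUTHENTICATE command. In that second case the keytab and passdb were never consulted, so the place to look is the client. As an added example (not code from the thread, Dovecot or Samba), the Python below classifies such lines and returns that distinction as a verdict; the sample lines are the ones quoted in the thread except the PLAIN login, which is constructed, and the regex names and verdict labels are my own.

```python
"""Classify Dovecot imap-login / auth debug lines from a GSSAPI troubleshoot.

Added example, not code from the thread.  Sample lines are copied from the
thread except where marked constructed.
"""
import re
from collections import Counter

# Tabs inside auth debug lines show up as '#011' via syslog and as real
# tabs in a file written through info_log_path; accept both.
TAB = r"(?:#011|\t)"
LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]*)>, method=(?P<method>[\w-]+), "
    r"rip=(?P<rip>[0-9a-fA-F.:]+)")
NO_AUTH_RE = re.compile(
    r"imap-login: Info: Disconnected \(no auth attempts in (?P<secs>\d+) secs\): "
    r"user=<(?P<user>[^>]*)>, rip=(?P<rip>[0-9a-fA-F.:]+)")
AUTH_IN_RE = re.compile(
    r"auth: Debug: client in: AUTH" + TAB + r"\d+" + TAB +
    r"(?P<mech>[A-Z0-9-]+)" + TAB + r"service=(?P<service>\w+)")
GSSAPI_RE = re.compile(
    r"auth: Debug: gssapi\((?P<user>[^,]*),(?P<rip>[^,]*),<[^>]*>\): (?P<msg>.*)$")

EVENTS = (("login", LOGIN_RE), ("no_auth_attempt", NO_AUTH_RE),
          ("auth_request", AUTH_IN_RE), ("gssapi", GSSAPI_RE))

# Achim's successful login (lines quoted in the thread).
SUCCESS_LOG = [
    "logon-zor dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured#011session=p/ahQ4c2/wB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=44287#011resp=<hidden>",
    "logon-zor dovecot: auth: Debug: gssapi(?,127.0.0.1,<p/ahQ4c2/wB/AAAB>): Obtaining credentials for imap@",
    "logon-zor dovecot: auth: Debug: gssapi(ag,127.0.0.1,<p/ahQ4c2/wB/AAAB>): security context state completed.",
    "logon-zor dovecot: auth: Debug: gssapi(ag,127.0.0.1,<p/ahQ4c2/wB/AAAB>): Negotiated security layer",
    "imap-login: Login: user=<ag>, method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=19022, TLS, session=<CdYH6IY2oADAwAw9>",
]

# Mark's failing attempts (lines quoted in the thread) plus one constructed
# PLAIN login, which must not count as a working GSSAPI setup.
FAILURE_LOG = [
    "Jun 30 18:36:10 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<OTQqf4Y2SgDAqAA6>",
    "Jun 30 23:53:28 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [98.102.63.107]",
    "Jun 30 23:53:43 imap-login: Debug: SSL alert: close notify [98.102.63.107]",
    "Jun 30 23:53:43 imap-login: Info: Disconnected (no auth attempts in 15 secs): user=<>, rip=98.102.63.107, lip=98.102.63.107, TLS: Disconnected, session=<TD7I7oo2gQBiZj9r>",
    "Jul 01 00:30:00 imap-login: Login: user=<mark>, method=PLAIN, rip=192.168.0.2, lip=192.168.0.2, mpid=4242, TLS, session=<constructed0001>",
]


def classify(line):
    """Return (event, fields) for a relevant log line, else None."""
    for event, rx in EVENTS:
        m = rx.search(line)
        if m:
            return event, m.groupdict()
    return None


def diagnose(lines):
    """Return (verdict, counts, gssapi_users) for a batch of log lines.

    'ok'          a Login line with method=GSSAPI was seen
    'server-side' AUTHENTICATE GSSAPI was sent but no GSSAPI login followed;
                  the gssapi(...) debug lines and the keytab are where to look
    'client-side' only 'no auth attempts' disconnects: the client never sent
                  AUTHENTICATE, so the server-side Kerberos setup was not used
    'no-data'     nothing relevant in the batch
    """
    counts = Counter()
    users = set()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        event, fields = hit
        counts[event] += 1
        if event == "login" and fields["method"] == "GSSAPI":
            counts["gssapi_login"] += 1
            users.add(fields["user"])
        elif event == "auth_request" and fields["mech"] == "GSSAPI":
            counts["gssapi_request"] += 1
    if counts["gssapi_login"]:
        verdict = "ok"
    elif counts["gssapi_request"] or counts["gssapi"]:
        verdict = "server-side"
    elif counts["no_auth_attempt"]:
        verdict = "client-side"
    else:
        verdict = "no-data"
    return verdict, dict(counts), sorted(users)


if __name__ == "__main__":
    for name, batch in (("achim", SUCCESS_LOG), ("mark", FAILURE_LOG)):
        verdict, counts, users = diagnose(batch)
        print(f"{name}: {verdict} {counts} gssapi_users={users}")
```

Run it over a tail of the info_log_path file or the syslog mail facility with auth_debug=yes enabled. A 'client-side' verdict means the client never presented a GSSAPI token: on the workstation, klist should show a ticket for imap/<the host name the mail client connects to>@REALM, and that host name has to be the one the SPN was registered for.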
More info ... when I do

MAIL=imap://mark@mail.ohprs.org mutt

(using the domain of the registered certificate), I do not get the message "Certificate host check failed: certificate owner does not match hostname ...". I do get the same (mutt?) edit screen shown below with the "(r)eject, accept (o)nce, (a)ccept always" action at the bottom. If I "accept (o)nce", I am asked for the 'mark' password and put into what must be the mutt mail interface showing my imap://mark@mail.ohprs.org/INBOX. Nothing in maillog, but the dovecot log shows a successful PLAIN authentication.

If I configure dovecot for only gssapi and run mutt again, I get the message "No authenticators available". I then created /tmp/testMuttrc with:

set imap_authenticators="gssapi"

and ran

MAIL=imap://mark@mail.ohprs.org mutt -F /tmp/testMuttrc

Same: "No authenticators available". It's as if dovecot knows nothing about gssapi, so I did:

$ dovecot --build-options
Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
SQL drivers:
Passdb: checkpassword passwd passwd-file shadow
Userdb: checkpassword nss passwd prefetch passwd-file

Should gssapi show up here? I did just rebuild dovecot with `./configure ----with-gssapi=yes` and the config log shows it:

#define HAVE_GSSAPI_GSSAPI_H /**/
#define HAVE_GSSAPI_H /**/
#define HAVE_GSSAPI /**/
#define HAVE_GSSAPI_GSSAPI_EXT_H 1
#define HAVE_GSSAPI_GSSAPI_KRB5_H 1
#define HAVE_KRB5_GSS_REGISTER_ACCEPTOR_IDENTITY 1
#define HAVE_GSSAPI_SPNEGO /**/
#define BUILTIN_GSSAPI /**/

Maybe I need to ask the dovecot people how to confirm that I have gssapi. --Mark

-----Original Message-----
From: Mark Foley <mfoley at ohprs.org>
Date: Fri, 01 Jul 2016 00:09:29 -0400
Organization: Ohio Highway Patrol Retirement System
To: samba at lists.samba.org
Subject: Re: [Samba] Where is krb5.keytab or equivalent?
Achim - per your instructions ...

> Did a few test here "auth_gssapi_hostname = "$ALL"" is no longer
> required with dovecot (2.2.13 here).

My dovecot is 2.2.15 and the 10-auth.conf (from the template) has the comment:

# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.

But, I've commented that out per your suggestion.

> Add "auth_debug=yes" to your dovecot config.

I already have: auth_debug_passwords = yes but I've added the auth_debug per your suggestion.

> 192.168.100.1 is my clients ip 192.168.100.101 is the servers

My WIN7/Thunderbird client is 192.168.0.58 and AD/DC/Dovecot server is 192.168.0.2

> ag is the domain account username I use to login to windows and also the
> username configured in thunderbird.

For me the domain and Tbird account is 'mark'

> On my debian system a package named libsasl2-modules-gssapi-mit must be
> installed.

I did install mit krb5. I am using Slackware which has a different package name, but it did install and compile OK, so I don't think I'm missing anything (but who knows?).

> To test kerberos against dovecot from the command line install "mutt".

I have mutt

> I assume your windows account name is "mark"

yes

> ~#kinit mark

I did the above ... as root (should I have been 'mark'?) on the AD/DC server.

----------
$ kinit mark
Password for mark@HPRS.LOCAL:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mark@HPRS.LOCAL

Valid starting       Expires              Service principal
06/30/2016 23:41:31  07/01/2016 09:41:31  krbtgt/HPRS.LOCAL@HPRS.LOCAL
        renew until 07/01/2016 23:41:27
---------

> ~#MAIL=imap://mark@mail.hprs.local/ mutt

Did that. A message quickly flashed: "Certificate host check failed: certificate owner does not match hostname mail.hprs.org".
Then a (presumably) mutt edit window came up with:

-------
This certificate belongs to:
  mail.ohprs.org
  Unknown
  Unknown
  Domain Control Validated
  Unknown

This certificate was issued by:
  Go Daddy Secure Certificate Authority - G2
  Unknown
  GoDaddy.com, Inc.
  http:
  Scottsdale

This certificate is valid from Aug 14 21:38:38 2015 GMT to Aug 15 17:49:32 2016 GMT

Fingerprint: B3B3 98E9 5675 0CEB 95D4 9146 9D1C 9064

(r)eject, accept (o)nce, (a)ccept always
------

I did (r), then quit. I also tried MAIL=imap://mark@ohprs.org mutt to no better results.

> A successful login with mutt looks like this in the mail logfile:
> [deleted]

Nothing at all in maillog. Dovecot log had:

Jun 30 23:53:28 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [98.102.63.107]
Jun 30 23:53:43 imap-login: Debug: SSL alert: close notify [98.102.63.107]
Jun 30 23:53:43 imap-login: Info: Disconnected (no auth attempts in 15 secs): user=<>, rip=98.102.63.107, lip=98.102.63.107, TLS: Disconnected, session=<TD7I7oo2gQBiZj9r>

> Also take a look at this page
> wiki2.dovecot.org/Authentication/Kerberos

Been to that page dozens of times :) A couple of things different on that page from our config thus far:

1) "... you will need to install a service ticket of the form imap/hostname@REALM." We added 'imap/mail.hprs.local dovecot', i.e. the fqdn, not just the hostname. Could this be a clue?

2) "Enable plaintext authentication to use Kerberos. This is needed when some of your clients don't support GSSAPI and you still want them to authenticate against Kerberos." It then shows an /etc/pam.d/dovecot config, but I don't care about clients who do not support GSSAPI, so I don't think I need this.

> Looking at my spn's you may also need
> samba-tool spn add imap/mail.hprs.local dovecot

I added that, didn't make any difference. Does the "Certificate host check failed" message and the mutt output tell you anything?
Thanks for your patience --Mark

-----Original Message-----
> To: samba at lists.samba.org
> From: Achim Gottinger <achim at ag-web.biz>
> Date: Fri, 1 Jul 2016 01:38:15 +0200
>
> Did a few test here "auth_gssapi_hostname = "$ALL"" is no longer
> required with dovecot (2.2.13 here).
>
> Add "auth_debug=yes" to your dovecot config.
>
> 192.168.100.1 is my clients ip 192.168.100.101 is the servers
>
> ag is the domain account username I use to login to windows and also the
> username configured in thunderbird.
>
> On my debian system a package named libsasl2-modules-gssapi-mit must be
> installed.
>
> To test kerberos against dovecot from the command line install "mutt".
>
> I assume your windows account name is "mark"
>
> ~#kinit mark
> ~#MAIL=imap://mark@mail.hprs.local/ mutt
>
> A successful login with mutt looks like this in the mail logfile:
>
> Debug: auth client connected (pid=22585)
> logon-zor dovecot: auth: Debug: client in:
> AUTH#0111#011GSSAPI#011service=imap#011secured#011session=p/ahQ4c2/wB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=44287#011resp=<hidden>
> logon-zor dovecot: auth: Debug: gssapi(?,127.0.0.1,<p/ahQ4c2/wB/AAAB>):
> Obtaining credentials for imap@
> logon-zor dovecot: auth: Debug: gssapi(ag,127.0.0.1,<p/ahQ4c2/wB/AAAB>):
> security context state completed.
> logon-zor dovecot: auth: Debug: client passdb out:
> CONT#0111#011YIGVBgkqhkiG9xIBAgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrXAIZT4a2p58/+ylPphtphYA6sTnK4QCyRkHRm1VTnvrfjxc3Ya2ui9IHsBGnPggzjLVNScFx6aHJi99VCDG7s07zNUF8d4WHuNZz7el5gwK4Quy3AeUX8zVa7xkIECuTtT5W7BjpsBThhMc
> logon-zor dovecot: auth: Debug: client in: CONT<hidden>
> logon-zor dovecot: auth: Debug: gssapi(ag,127.0.0.1,<p/ahQ4c2/wB/AAAB>):
> Negotiated security layer
> logon-zor dovecot: auth: Debug: client passdb out:
> CONT#0111#011BQQF/wAMAAAAAAAAKxVA5AH///8b1puThszycYxSFvE
> logon-zor dovecot: auth: Debug: client in: CONT<hidden>
>
> imap-login: Login: user=<ag>, method=GSSAPI, rip=127.0.0.1,
> lip=127.0.0.1, mpid=19022, TLS, session=<CdYH6IY2oADAwAw9>
>
>
> Also take a look at this page
> wiki2.dovecot.org/Authentication/Kerberos
>
> Looking at my spn's you may also need
>
> samba-tool spn add imap/mail.hprs.local dovecot
>
>
>
> On 01.07.2016 at 00:46, Mark Foley wrote:
> > Achim,
> >
> > I deleted the keytab file and did the following:
> >
> > $ samba-tool user delete dovecot
> > $ samba-tool user add dovecot
> >
> > # again, that asked for a password and I assigned one.
> >
> > $ samba-tool spn add smpt/mail.hprs.local@HPRS.LOCAL dovecot
> > $ samba-tool spn add imap/mail.hprs.local@HPRS.LOCAL dovecot
> >
> > $ ktutil
> > ktutil: addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac
> > Password for smtp/mail.hprs.local@HPRS.LOCAL:
> > ktutil: addent -password -p imap/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac
> > Password for imap/mail.hprs.local@HPRS.LOCAL:
> > ktutil: wkt /etc/dovecot/dovecot.keytab
> > ktutil: quit
> >
> > $ ktutil
> > ktutil: read_kt /etc/dovecot/dovecot.keytab
> > ktutil: list
> > slot KVNO Principal
> > ---- ---- ---------------------------------------------------------------------
> >    1    1 smtp/mail.hprs.local@HPRS.LOCAL
> >    2    1 imap/mail.hprs.local@HPRS.LOCAL
> >
> > So, much better.
> > Duh for me not noticing that I had to change fqdn and domain to my own.
> >
> > Reloaded dovecot and tried again. Same error :(
> >
> > Jun 30 18:36:10 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<OTQqf4Y2SgDAqAA6>
> >
> > You wrote:
> >
> >> It must be possible for Thunderbird to use plain authentication with your windows account
> >> username. It may be you must configure userdb and passdb to do ldap lookups against active
> >> directory.
> >
> > Yes, Thunderbird (and Outlook, iPhone/Android, roundCube) all do plain text auth to dovecot. I will
> > continue to need this for non-domain email clients. According to the dovecot folks, the passwd
> > as userdb should work OK for gssapi. The passdb is ignored for gssapi. Besides, LDAP
> > authentication is another one (along with NTLM) that I haven't been able to get working with
> > Dovecot. The only ones I've been able to get working are PLAIN and, believe it or not,
> > checkpassword - which is basically a passdb driver for PLAIN.
> >
> > Perhaps there is some samba setting I'm missing? Here's my AD/DC smb.conf, do you see anything
> > missing I need?
> > :
> >
> > [global]
> > workgroup = HPRS
> > realm = hprs.local
> > netbios name = MAIL
> > interfaces = lo, eth1
> > bind interfaces only = Yes
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> > idmap_ldb:use rfc2307 = yes
> >
> > winbind use default domain = yes
> >
> > load printers = no
> > printing = bsd
> > printcap name = /dev/null
> > disable spoolss = yes
> >
> > log level = 2 passdb:5 auth:10 winbind:2 lanman:10
> > max log size = 1000
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/hprs.local/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> >
> > [Users]
> > path = /redirectedFolders/Users
> > comment = user folders for redirection
> > read only = No
> >
> > [share]
> > path = /var/lib/samba/share
> > comment = Shared folder
> > read only = No
> >
> > Thanks --Mark
> >
> > -----Original Message-----
> >> To: samba at lists.samba.org
> >> From: Achim Gottinger <achim at ag-web.biz>
> >> Date: Thu, 30 Jun 2016 23:44:17 +0200
> >> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
> >>
> >> On 30.06.2016 at 23:16, Mark Foley wrote:
> >>> Achim, thanks a lot! A couple of questions on your suggested settings:
> >>>
> >>>> 1. Create a user
> >>>> samba-tool create user dovecot
> >>> I did this (actually `samba-tool user create dovecot`), but it asked for a password. I
> >>> entered one. You didn't mention that, so I hope it's OK.
> >> Yes
> >>>
> >>>
> >>>> 2. Add the spn
> >>>> samba-tool spn add smtp/server.domain.local@DOMAIN.LOCAL dovecot
> >>>> samba-tool spn add imap/server.domain.local@DOMAIN.LOCAL dovecot
> >>> Did that too. No issue there.
> >> Well you must substitute server.domain.local with your mailserver fqdn
> >> and DOMAIN.LOCAL with HPRS.LOCAL.
> >>>> 3. Create the keytab file
> >>>> ktutil
> >>>> addent -password -p smtp/server.domain.local@DOMAIN.LOCAL -k 1 -e
> >>>> arcfour-hmac
> >>>> addent -password -p imap/server.domain.local@DOMAIN.LOCAL -k 1 -e
> >>>> arcfour-hmac
> >>>> wkt /etc/dovecot/dovecot.keytab
> >>> As you can see, your text wrapped, but from the error message I got I assumed the -e [enctype]
> >>> should have been the arcfour-hmac on the next line. So I did:
> >>>
> >>> $ ktutil
> >>> ktutil: addent -password -p smtp/server.domain.local@DOMAIN.LOCAL -k 1 -e arcfour-hmac
> >>> ktutil: addent -password -p imap/server.domain.local@DOMAIN.LOCAL -k 1 -e arcfour-hmac
> >> Same here substitute like above and as you said arcfour-hmac belongs in
> >> the same line.
> >>> Of course, that will probably also wrap when you get this message, but basically I put the
> >>> arcfour-hmac on the same line as the addent. Each time, these commands also asked for a
> >>> password. Again, you didn't mention that, but I used the same password I used for the
> >>> `samba-tool user create` command above.
> >>>
> >>> I tried 'wkt /etc/dovecot/dovecot.keytab' while in ktutil, but I got, "Unknown request "wtk".
> >>> Type '?' for a request list." In looking at the "?" list I saw 'wkt', so I assumed you simply
> >>> transposed the letters. I tried it and it took.
> >> Yes wkt is the command, but make sure /etc/dovecot/dovecot.keytab does
> >> not yet exist.
> >> Only the two keys you just added are required to get kerberos working.
> >> The system keytab you generated with samba-tool domain exportkeytab is
> >> not required.
> >>>
> >>>
> >>>> 4. Add this to your dovecot config
> >>>>
> >>>> # Kerberos
> >>>> auth_gssapi_hostname = "$ALL"
> >>>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> >>> Did that. In addition, I set the keytab file's group to dovecot and made the file group
> >>> readable, as suggested by wiki2.dovecot.org/Authentication/Kerberos. I also tried
> >>> making it world readable.
> >>> Now, after doing all that and restarting dovecot I still get the
> >>> same dovecot error:
> >>>
> >>> Jun 30 16:59:54 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<3hLnJoU2vgDAqAA6>
> >>>
> >>> and still the same error in Thunderbird: "The Kerberos/GSSAPI ticket was not accepted by the
> >>> IMAP server mark@ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."
> >>>
> >>> As I've mentioned before, "mark@ohprs.org" is not a server. It is the email address of the
> >>> Thunderbird account (running on WIN7).
> >>>
> >>> Here is my doveconf -n (gssapi marked with *):
> >>>
> >>> auth_debug_passwords = yes
> >>> * auth_gssapi_hostname = $ALL
> >>> * auth_krb5_keytab = /etc/krb5.keytab
> >>> * auth_mechanisms = plain login gssapi
> >>> auth_verbose = yes
> >>> auth_verbose_passwords = plain
> >>> disable_plaintext_auth = no
> >>> info_log_path = /var/log/dovecot_info
> >>> mail_location = maildir:~/Maildir
> >>> passdb {
> >>>   driver = shadow
> >>> }
> >>> protocols = imap
> >>> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> >>> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> >>> userdb {
> >>>   driver = passwd
> >>> }
> >>> verbose_ssl = yes
> >>>
> >>> (yes, I put the keytab file in /etc/krb5.keytab, not in etc/dovecot. Should be OK, right?)
> >>>
> >>> Here is my keytab list (partial); note that every entry appears in triplicate. I don't see
> >>> 'dovecot' in there at all; maybe that's OK:
> >>>
> >>> ktutil: list
> >>> slot KVNO Principal
> >>> ---- ---- ---------------------------------------------------------------------
> >>>    1   18 COMMON$@HPRS.LOCAL
> >>>    2   18 COMMON$@HPRS.LOCAL
> >>>    3   18 COMMON$@HPRS.LOCAL
> >>>    4    1 MAIL$@HPRS.LOCAL
> >>>    5    1 MAIL$@HPRS.LOCAL
> >>>    6    1 MAIL$@HPRS.LOCAL
> >>>    7    1 charmaine@HPRS.LOCAL
> >>>    8    1 charmaine@HPRS.LOCAL
> >>>    9    1 charmaine@HPRS.LOCAL
> >>>    :
> >>>   19    1 Administrator@HPRS.LOCAL
> >>>   20    1 Administrator@HPRS.LOCAL
> >>>   21    1 Administrator@HPRS.LOCAL
> >>>    :
> >>>   91    1 krbtgt@HPRS.LOCAL
> >>>   92    1 krbtgt@HPRS.LOCAL
> >>>   93    1 krbtgt@HPRS.LOCAL
> >>>    :
> >>>   97    1 smtp/server.domain.local@DOMAIN.LOCAL
> >>>   98    1 imap/server.domain.local@DOMAIN.LOCAL
> >>>
> >>> Can you tell from any of this why I'm still not able to authenticate?
> >> You only need the lines 97 and 98 and substitute fqdn and realm like I
> >> mentioned above.
> >> It must be possible for Thunderbird to use plain authentication with
> >> your windows account username.
> >> It may be you must configure userdb and passdb to do ldap lookups against
> >> active directory.
> >>> Thanks, --Mark
> >>>
> >>> -----Original Message-----
> >>>> To: samba at lists.samba.org
> >>>> From: Achim Gottinger <achim at ag-web.biz>
> >>>> Date: Thu, 30 Jun 2016 11:51:34 +0200
> >>>>
> >>>> On 30.06.2016 at 10:45, Mark Foley wrote:
> >>>>> To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set
> >>>>> Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab
> >>>>> file as required by Dovecot. I've also downloaded and installed Kerberos for access to
> >>>>> the k* commands (ktutil, kinit, klist, ...).
> >>>>>
> >>>>> In my current setup, the Thunderbird client (WIN7 workstation) is not connecting.
> >>>>> The WIN7 workstation is a domain member and works fine otherwise with Samba4 for AD user authentication,
> >>>>> etc. Thunderbird gives the following error:
> >>>>>
> >>>>> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark@ohprs.org. Please check
> >>>>> that you are logged in to the Kerberos/GSSAPI realm."
> >>>>>
> >>>>> One disconcerting bit about that message is the named IMAP server "mark@ohprs.org" is not a
> >>>>> server at all, but rather the email address of the Thunderbird account.
> >>>>>
> >>>>> When attempting to connect, the Dovecot log simply has "Disconnected (no auth attempts in 18
> >>>>> secs): user=<>". No message at all appears in the samba log although I have auth:10 level set.
> >>>>> Dovecot's 'configuration' for GSSAPI consists of nothing more than specifying:
> >>>>>
> >>>>> auth_mechanisms = plain login gssapi
> >>>>>
> >>>>> That's it (the other mechanisms work just fine, BTW). Not much I can mess with there.
> >>>>>
> >>>>> I think the problem is with Samba and handling the authentication. I do not think my Samba4 is
> >>>>> configured correctly. Over a year ago Rowland Penny helped me configure a Ubuntu workstation
> >>>>> for single-sign-on using Kerberos. He had me put the following lines into that workstation's
> >>>>> smb.conf file, none of which appear in the provisioned smb.conf on the Samba4 AD/DC server:
> >>>>>
> >>>>> security = ADS
> >>>>> dedicated keytab file = /etc/krb5.keytab
> >>>>> kerberos method = secrets and keytab
> >>>>> winbind nss info = rfc2307
> >>>>> winbind trusted domains only = no
> >>>>> winbind enum users = yes
> >>>>> winbind enum groups = yes
> >>>>> winbind refresh tickets = Yes
> >>>>>
> >>>>> I've tried sticking all of these in the AD/DC smb.conf and, when restarting Samba, I get a log
> >>>>> message, "Samba detected misconfigured 'server role' and exited."
> >>>>>
> >>>>> He also had me put the following in /etc/nsswitch.conf:
> >>>>>
> >>>>> passwd: compat winbind
> >>>>> group: compat winbind
> >>>>>
> >>>>> Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server
> >>>>> for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.
> >>>>>
> >>>>> Need Help! Thanks --Mark
> >>>> Hello Mark,
> >>>>
> >>>> This is what I used in Debian wheezy a few years back. I assume
> >>>> arcfour-hmac is unsafe these days but I did not yet investigate into
> >>>> other working encryption methods here.
> >>>> If you need smtp (postfix with auth via dovecot) also add the smtp
> >>>> spn's. Use the password for user dovecot during keytab creation.
> >>>>
> >>>> 1. Create a user
> >>>> samba-tool create user dovecot
> >>>>
> >>>> 2. Add the spn
> >>>> samba-tool spn add smtp/server.domain.local@DOMAIN.LOCAL dovecot
> >>>> samba-tool spn add imap/server.domain.local@DOMAIN.LOCAL dovecot
> >>>>
> >>>> 3. Create the keytab file
> >>>> ktutil
> >>>> addent -password -p smtp/server.domain.local@DOMAIN.LOCAL -k 1 -e
> >>>> arcfour-hmac
> >>>> addent -password -p imap/server.domain.local@DOMAIN.LOCAL -k 1 -e
> >>>> arcfour-hmac
> >>>> wkt /etc/dovecot/dovecot.keytab
> >>>>
> >>>> 4. Add this to your dovecot config
> >>>>
> >>>> # Kerberos
> >>>> auth_gssapi_hostname = "$ALL"
> >>>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> >>>>
> >>>> Hope it helps,
> >>>> achim~
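Every log excerpt Mark posts ends in "Disconnected (no auth attempts in N secs): user=<>", while Achim's working run shows the auth process receiving "client in: AUTH ... GSSAPI ..." and imap-login reporting "Login: user=<ag>, method=GSSAPI". Dovecot prints "no auth attempts" when the client closed the connection without ever sending an AUTHENTICATE or LOGIN command, so in that state the server keytab has not been consulted at all and the place to look is the client's ticket. The following is an added example, not code from the thread, that reads both kinds of line and says which of the three situations a log shows. The "#011" in the auth debug lines is syslog's octal escape for the TAB that Dovecot uses as a field separator, so the example decodes that first. The success and no-auth sample lines are copied from this thread; the "auth failed" line is constructed, since the thread never reached that state.

```python
"""Triage Dovecot imap-login / auth-debug lines into: a completed login (with the
mechanism actually used), a mechanism offered and rejected ("auth failed"), or a
connection that never attempted authentication ("no auth attempts").
Added example, not part of the thread. Auth debug "client in: AUTH..." lines are
TAB-separated; through syslog the TABs appear as "#011", so they are decoded first.
"""
import re
from collections import Counter

_SYSLOG_ESC = re.compile(r"#([0-7]{3})")
_AUTH_REQ = re.compile(r"client in: AUTH\t(\d+)\t([A-Z0-9-]+)((?:\t[^\t]+)*)")
_LOGIN = re.compile(r"Login: user=<([^>]*)>, method=(\w+), rip=([\d.:a-fA-F]+).*?session=<([^>]*)>")
_AUTH_FAILED = re.compile(r"Disconnected \(auth failed, (\d+) attempts in (\d+) secs\): "
                          r"user=<([^>]*)>, method=(\w+), rip=([\d.:a-fA-F]+)")
_NO_AUTH = re.compile(r"Disconnected \(no auth attempts in (\d+) secs\): user=<([^>]*)>, rip=([\d.:a-fA-F]+)")


def unescape_syslog(s: str) -> str:
    """Turn '#011'-style octal escapes back into the control characters they stand for."""
    return _SYSLOG_ESC.sub(lambda m: chr(int(m.group(1), 8)), s)


def parse_auth_request(line: str):
    """'AUTH<TAB>id<TAB>MECH<TAB>k=v<TAB>flag...' -> {id, mech, params}, else None."""
    m = _AUTH_REQ.search(unescape_syslog(line))
    if not m:
        return None
    params = {}
    for tok in m.group(3).split("\t")[1:]:
        key, sep, val = tok.partition("=")
        params[key] = val if sep else True      # bare tokens such as 'secured' are flags
    return {"id": int(m.group(1)), "mech": m.group(2), "params": params}


def triage(lines):
    """Bucket lines into requested mechanisms, logins, rejected attempts and no-auth disconnects."""
    out = {"requested": Counter(), "logins": [], "auth_failed": [], "no_auth": []}
    for raw in lines:
        req = parse_auth_request(raw)
        if req:
            out["requested"][(req["mech"], req["params"].get("service", "?"))] += 1
        elif (m := _LOGIN.search(raw)):
            out["logins"].append({"user": m.group(1), "method": m.group(2),
                                  "rip": m.group(3), "session": m.group(4)})
        elif (m := _AUTH_FAILED.search(raw)):
            out["auth_failed"].append({"attempts": int(m.group(1)), "user": m.group(3),
                                       "method": m.group(4), "rip": m.group(5)})
        elif (m := _NO_AUTH.search(raw)):
            out["no_auth"].append({"secs": int(m.group(1)), "rip": m.group(3)})
    return out


def diagnose(summary) -> str:
    """One-line reading of a triage() result."""
    if summary["logins"]:
        return "login completed via " + ", ".join(sorted({l["method"] for l in summary["logins"]}))
    if summary["auth_failed"]:
        return ("mechanism offered and rejected: check keytab principal/realm, enctype "
                "and file permissions on the server")
    if summary["no_auth"] and not summary["requested"]:
        return ("client never sent AUTHENTICATE: the server keytab was not consulted; "
                "check the client's ticket cache and that it can obtain a service "
                "ticket for imap/<fqdn>@REALM")
    return "no login or disconnect events found"


# Lines from the thread (Achim's successful run; Mark's failing runs)
SAMPLE_SUCCESS = [
    "logon-zor dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured"
    "#011session=p/ahQ4c2/wB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=44287#011resp=<hidden>",
    "logon-zor dovecot: auth: Debug: gssapi(ag,127.0.0.1,<p/ahQ4c2/wB/AAAB>): security context state completed.",
    "logon-zor dovecot: auth: Debug: gssapi(ag,127.0.0.1,<p/ahQ4c2/wB/AAAB>): Negotiated security layer",
    "imap-login: Login: user=<ag>, method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=19022, TLS, session=<CdYH6IY2oADAwAw9>",
]
SAMPLE_NO_AUTH = [
    "Jun 30 16:59:54 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<3hLnJoU2vgDAqAA6>",
    "Jun 30 23:53:43 imap-login: Info: Disconnected (no auth attempts in 15 secs): user=<>, rip=98.102.63.107, lip=98.102.63.107, TLS: Disconnected, session=<TD7I7oo2gQBiZj9r>",
]
# Constructed line (not from the thread): what a rejected GSSAPI attempt looks like
SAMPLE_AUTH_FAILED = [
    "Jul 01 10:00:00 imap-login: Info: Disconnected (auth failed, 1 attempts in 3 secs): user=<mark>, method=GSSAPI, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<aaaaaaaaaaaaaaaa>",
]

if __name__ == "__main__":
    for name, sample in (("success", SAMPLE_SUCCESS), ("no_auth", SAMPLE_NO_AUTH), ("auth_failed", SAMPLE_AUTH_FAILED)):
        print(name, "->", diagnose(triage(sample)))
```

With auth_debug=yes on the server, a client that really tries GSSAPI produces the "client in: AUTH ... GSSAPI" line before anything else; if that line never appears and the only events are "no auth attempts" disconnects, the problem is on the client side (no ticket for the IMAP host name the client connects to), which is where this thread's logs still stand.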