Hello,

I am trying to set up Dovecot with Kerberos/GSSAPI and am using this howto:
https://wiki.samba.org/index.php/Authenticating_Dovecot_against_Active_Directory#Create_the_Dovecot_user_and_keytab

I have also tried https://wiki.dovecot.org/Authentication/Kerberos

I can log in as a Windows user on Win7 and access shares.
When I open Thunderbird I get the message:

"kerberos/gssapi ticket was not accepted"

For debugging I use Kerbtray.

The tickets I get are:

MY.FQDN.COM
|-- cifs/dc1.my.fqdn.com
|-- cifs/files.my.fqdn.com
|-- krbtgt/MY.FQDN.COM
|-- krbtgt/MY.FQDN.COM
|-- LDAP/dc1.my.fqdn.com/my.fqdn.com

There is *no* imap ticket.

root at dovecot:~# ktutil
ktutil: rkt /etc/dovecot/dovecot.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 imap/dovecot.my.fqdn.com at MY.FQDN.COM
   2    2 imap/dovecot.my.fqdn.com at MY.FQDN.COM
   3    2 imap/dovecot.my.fqdn.com at MY.FQDN.COM
ktutil: q
root at dovecot:~#

Best Regards,
On Wed, 12 Dec 2018 15:30:38 +0100 basti via samba <samba at lists.samba.org> wrote:
> [...]

What is your functional level?

Rowland
What's set for the server in its delegation?

sudo samba-tool delegation show dovecot\$
Run this on the DC, or add the -S YourDC.hostname

You need something like this:
samba-tool delegation for-any-service dovecot\$ on
Or set it up for only imap, but cifs/nfs automounts may need this too.
After you've set it, I suggest you export the imap keytab again.
Not really sure if it's needed, but if it does not work, try it.
And use the stop and start commands, not restart/reload.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of basti via samba
> Sent: Wednesday 12 December 2018 15:31
> To: samba at lists.samba.org
> Subject: [Samba] GSSAPI/Kerberos authenticate with Dovecot
>
> [...]
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
I have tried.

root at dc1:~# samba-tool delegation show dovecot\$
Account-DN: CN=DOVECOT,CN=Computers,DC=MY,DC=FQDN,DC=COM
UF_TRUSTED_FOR_DELEGATION: True
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: False
root at dc1:~#

The error is the same.

On 12.12.18 15:51, L.P.H. van Belle via samba wrote:
> [...]
On 12.12.18 15:49, Rowland Penny via samba wrote:
> What is your functional level?

What do you mean?

- the dovecot machine is joined to the domain
- the keytab is set up
- I see the users via wbinfo -u on the dovecot server
- dovecot is set up like in the wiki with userdb=static

I have also tried to use pam/krb5; when I enter a password I get mails. (Port 143 with starttls)

TB setting:
server: dovecot ip
user: username at my.fqdn.com
secu: SSL/TLS
auth: Kerberos/GSSAPI
port: 993

Results in

root at dovecot:~# tail -f /var/log/dovecot.debug.log
Dec 12 15:58:22 auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Dec 12 15:58:22 auth: Debug: auth client connected (pid=2748)
Dec 12 15:58:28 auth: Debug: auth client connected (pid=2751)
Dec 12 16:06:50 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Dec 12 16:06:50 auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_pgsql.so
Dec 12 16:06:50 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Dec 12 16:06:50 auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libmech_gssapi.so
Dec 12 16:06:50 auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Dec 12 16:06:50 auth: Debug: auth client connected (pid=2753)
Dec 12 16:06:52 auth: Debug: auth client connected (pid=2757)

But the ticket is not accepted.

TB setting:
server: dovecot.my.fqdn.com
user: username at my.fqdn.com
secu: SSL/TLS
auth: Kerberos/GSSAPI
port: 993

Results in no log entry.
Ah, I think I know what's going on here.
The wiki example and yours are using different setups.
The wiki uses a separate account, and not the computer account like you.

Based on that wiki.
- install server + samba. (already done)
- join the domain. (also done)
Good, you said you have share access..

ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf << not needed.
Just use the default /etc/krb5.conf as long as your default realm is defined.

Don't use
$ samba-tool spn add imap/host.domain.com dovecot
$ samba-tool domain exportkeytab --principal imap/host.domain.com /etc/dovecot/dovecot.keytab

But on the member use:
net ads keytab add idmap/your.host.tld at REALM
This adds the SPN to the local keytab file AND the AD.

Here you have 2 options. Use the system default keytab file or set up a separate one.

And you might need to add in the krb5.conf the line
ignore k5login # because krb5_kuserok() is used to check if access is allowed.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of basti via samba
> Sent: Wednesday 12 December 2018 16:02
> To: samba at lists.samba.org
> Subject: Re: [Samba] GSSAPI/Kerberos authenticate with Dovecot
>
> [...]
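The thread turns on two checks: the keytab on the member server must hold imap/<fqdn>@REALM with a current KVNO, and the client must be pointed at that exact FQDN (an IP or short name, as in the first Thunderbird setting above, makes the client ask the KDC for a principal nobody has a key for). The script below is an added example, not code from the thread or from Samba/Dovecot; REALM, KEYTAB, the hostnames and the sample listing are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity-check the Dovecot IMAP service principal
# on a Samba member server. REALM, KEYTAB and the hostnames are assumptions.
REALM="${REALM:-MY.FQDN.COM}"
KEYTAB="${KEYTAB:-/etc/dovecot/dovecot.keytab}"

# The SPN a client requests is imap/<fqdn>@REALM; host part lower-case, realm upper-case.
expected_spn() {
    printf 'imap/%s@%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" "$(printf '%s' "$2" | tr 'a-z' 'A-Z')"
}

# Thunderbird builds the SPN from the configured server name, so an IP literal or a
# short name gives a principal the KDC has no key for. Succeed only for the exact FQDN.
server_name_ok() {
    case "$1" in
        *[!0-9.]*) [ "$1" = "$2" ] ;;
        *) return 1 ;;
    esac
}

# Read `klist -k` output on stdin; print the highest KVNO of the given principal, fail if absent.
# Compare it with `kvno imap/<fqdn>` on a client: a mismatch means a stale keytab.
keytab_kvno() {
    awk -v spn="$1" 'BEGIN { max = -1 }
        $1 ~ /^[0-9]+$/ && $2 == spn { if ($1 + 0 > max) max = $1 + 0 }
        END { if (max < 0) exit 1; print max }'
}

# Constructed sample shaped like the keytab listing in the thread
SAMPLE_KEYTAB='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------
   2 imap/dovecot.my.fqdn.com@MY.FQDN.COM
   2 imap/dovecot.my.fqdn.com@MY.FQDN.COM
   2 imap/dovecot.my.fqdn.com@MY.FQDN.COM'

# Live check on the member server, run only when the Kerberos tools and keytab are present
if command -v klist >/dev/null 2>&1 && [ -r "$KEYTAB" ]; then
    spn=$(expected_spn "$(hostname -f)" "$REALM")
    if kvno=$(klist -k "$KEYTAB" | keytab_kvno "$spn"); then
        echo "keytab has $spn (kvno $kvno)"
    else
        echo "keytab lacks $spn: re-export it from the DC or run 'net ads keytab add'" >&2
    fi
fi
```

If the keytab check passes but the client still gets no imap ticket, the next thing to compare is the client's configured server name against the principal, which is exactly what the two Thunderbird settings in the thread differ in.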