Aki Tuomi
2016-Jun-27 06:18 UTC
Looking for GSSAPI config [was: Looking for NTLM config example]
On 27.06.2016 07:31, Mark Foley wrote:
> Thanks for the reply. When you say it [NTLM] "should" work, I understand you to be implying
> you've not actually tried NTLM yourself, right? I've never gotten a response from someone
> saying they have or are actually using it. Your subsequent messages about NTLM v[1|2] may be
> the problem, but email clients I've tried (Outlook, Thunderbird) don't really give a choice.
>
> That's OK, I'd be glad to try something different that would work!!! I am trying your advice
> for gssapi. I've followed the instructions at
> http://wiki2.dovecot.org/Authentication/Kerberos. In my 10-auth.conf I changed the
> auth_mechanism line to:
>
> auth_mechanisms = plain login gssapi
>
> Which is only different from before with the addition of "gssapi". That's all I've done. I'm
> using the same userdb as before which is /etc/passwd. My doveconf -n is:
>
> ----------SNIP------------
>> doveconf -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_mechanisms = plain login gssapi
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>   driver = shadow
> }
> protocols = imap
> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> userdb {
>   driver = passwd
> }
> verbose_ssl = yes
> ------------PINS-------------
>
> I attempted to connect from Thunderbird on Ubuntu 15.10 to Dovecot on a Slackware 14.1 AD/DC. I
> selected "Kerberos/GSSAPI" as the authentication method on Tbird. When trying the connection I
> got the following in my Dovecot log:
>
> Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> Jun 27 00:04:54 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.99, lip=98.102.63.107, session=<Zk1rnzo2IADAqABj>
>
> So, any idea why this is not working? I'll say up-front that I do not have the auth_krb5_keytab
> configured in 10-auth.conf. I could find no such file on the host running Dovecot. Is that file
> needed? If so, I've got a message in to the Samba4 folks asking where it is located.
>
> I'm also using Dovecot 2.2.15. Too old?
>
> Do you think auth_krb5_keytab is my problem or something deeper?
>
> THX --Mark

You need to set up a keytab. I'll assume you know nothing about kerberos,
so please, if you already knew all this, sorry.

For kerberos to work PROPERLY you need to have

1. Functional AD or Kerberos environment
2. Time synced against your KDC (which is your Domain Controller on Windows)
3. /etc/krb5.conf configured
4. Both forward / reverse DNS names correct for clients and servers.
   Reverse is only mandatory for servers, but having them right will work
   wonders. Most kerberos problems are about DNS problems.
5. You need a keytab. This keytab needs to hold entries like
   IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate
   these on any Windows DC server (at least).

Only bullet 5. is about Dovecot really, but since this information is usually
rather hard to gather, I'll recap these things here:

2. Time sync

Install ntpd and configure it to use *your* *ad* *server*. (Not some
generic service).

3. /etc/krb5.conf

Here is a *SAMPLE* configuration:

[libdefaults]
        default_realm = YOUR.REALM
        dns_lookup_kdc = true
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true

[realms]
        YOUR.REALM = {
                default_domain = your.domain.name
                auth_to_local_names = {
                        Administrator = root
                }
        }
[domain_realm]
        your.domain.name = YOUR.REALM
        # this is not a mistake
        .your.domain.name = YOUR.REALM
[login]
        krb4_convert = true
        krb4_get_tickets = false

Note that some windows environments require additional configuration to
get this working.

4. Forward/reverse DNS.

For your *server* this is an *absolute* must. It has to match for your
clients and your server. So if your server name is mail.example.org, and
it has IP 10.0.2.3, then 10.0.2.3 MUST resolve to mail.example.org. It
will give you strange and convoluted errors otherwise.

5. Keytab

This is a bit tricky to generate, and there are various ways to do this.
You can install samba, join it to your domain and use the samba tools to
generate a keytab. It's not a bad idea, just remember to add the
required SPNs (service principal names) to the machine account. setspn
-q is helpful here, also the setspn command in general.

You can use either the system keytab file (/etc/krb5.keytab), or you can put
the dovecot specific entries (mainly IMAP/something) into a dedicated keytab for
the service. Either way you need to tell dovecot about it with the
auth_krb5_keytab setting.

You should have at least the following entries in your keytab file. You can
see them with klist -k /path/to/keytab. The KVNO can be different.

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/mail.example.org@EXAMPLE.ORG
   3 host/mail.example.org@EXAMPLE.ORG
   3 host/mail.example.org@EXAMPLE.ORG
   3 host/mail.example.org@EXAMPLE.ORG
   3 host/mail.example.org@EXAMPLE.ORG
   3 IMAP/mail.example.org@EXAMPLE.ORG
   3 host/MAIL@EXAMPLE.ORG
   3 host/MAIL@EXAMPLE.ORG
   3 host/MAIL@EXAMPLE.ORG
   3 host/MAIL@EXAMPLE.ORG
   3 host/MAIL@EXAMPLE.ORG
   3 IMAP/MAIL@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG

This will at least get you somewhere. Kerberos is notoriously hard to
debug, but it usually is about

a) DNS
b) Keytab
c) Mismatch of some name somewhere
d) Encryption type support

Also, note that kerberos can only act as an AUTHENTICATION system. It
cannot act as a USER DATABASE. For that you need to configure LDAP or
something else. With Active Directory, LDAP is probably a damn good idea.

Something else to try first, which I recommend for the server in any
case, is to see if you can get sssd working with Kerberos and LDAP. If
you get that working, it's not very difficult anymore to get Dovecot
running with it.

----
Aki Tuomi
Dovecot Oy
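An added pre-flight script, not from this thread or from Dovecot, that mechanises points 4 and 5 of the checklist above: it derives the principals a server's keytab should hold from the host name and realm, diffs them against klist -k output, flags entries that exist only in a different letter case, and checks that the server's forward and reverse DNS agree. mail.example.org, EXAMPLE.ORG and the embedded klist listing are constructed sample values; getent and klist are assumed to be the glibc and MIT tools.

```shell
#!/bin/sh
# Pre-flight for Dovecot GSSAPI: mechanises points 4 and 5 of the checklist.
# Names (mail.example.org, EXAMPLE.ORG) and the klist listing below are
# constructed sample values; live_checks() runs the same logic for real.

# Principals the keytab should hold for a server, following the listing
# above: host/ and IMAP/ for the FQDN and the short name, plus the machine
# account NAME$. The IMAP/ entries are the ones Dovecot itself looks up.
required_principals() {
    fqdn=$1; realm=$2
    short=$(printf '%s' "$fqdn" | cut -d. -f1)
    upper=$(printf '%s' "$short" | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "host/$fqdn@$realm" "IMAP/$fqdn@$realm" \
        "host/$upper@$realm" "IMAP/$upper@$realm" "$upper\$@$realm"
}

# Principal column of 'klist -k' output, deduplicated (the raw listing has
# one line per encryption type, which is why entries repeat there).
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Print required principals absent from the keytab; return 1 if any are.
missing_principals() {
    klist_out=$1; fqdn=$2; realm=$3
    have=$(keytab_principals "$klist_out")
    status=0
    for p in $(required_principals "$fqdn" "$realm"); do
        if ! printf '%s\n' "$have" | grep -qxF -- "$p"; then
            printf '%s\n' "$p"
            status=1
        fi
    done
    return $status
}

# Required principals present only with different letter case. Principal
# names are compared case-sensitively, so imap/ and IMAP/ are distinct keys
# and the lowercase one does not satisfy a lookup for the uppercase one.
case_mismatches() {
    have=$(keytab_principals "$1")
    for p in $(required_principals "$2" "$3"); do
        if ! printf '%s\n' "$have" | grep -qxF -- "$p" &&
           printf '%s\n' "$have" | grep -qixF -- "$p"; then
            printf '%s\n' "$p"
        fi
    done
}

# Point 4: the FQDN's address must reverse-resolve to the same FQDN.
# Returns 1 on mismatch. Uses glibc getent (assumed available on Linux).
reverse_dns_matches() {
    fqdn=$1
    ip=$(getent ahosts "$fqdn" | awk 'NR == 1 { print $1 }')
    ptr=$(getent hosts "$ip" | awk '{ print $2 }')
    [ -n "$ip" ] && [ "$ptr" = "$fqdn" ]
}

# Run everything against the real keytab and DNS (not used in the offline run).
live_checks() {
    keytab=${1:-/etc/krb5.keytab}; fqdn=$2; realm=$3
    [ -r "$keytab" ] || echo "$keytab is not readable by $(id -un)"
    reverse_dns_matches "$fqdn" || echo "reverse DNS for $fqdn does not match"
    missing_principals "$(klist -k "$keytab")" "$fqdn" "$realm" |
        sed 's/^/missing from keytab: /'
    case_mismatches "$(klist -k "$keytab")" "$fqdn" "$realm" |
        sed 's/^/present only with different case: /'
}

# Constructed sample listing: a keytab exported from the DC with the machine
# account and a lowercase imap/ entry, but no IMAP/ or short-name entries.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/mail.example.org@EXAMPLE.ORG
   3 host/mail.example.org@EXAMPLE.ORG
   3 imap/mail.example.org@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG'

missing_principals "$SAMPLE_KLIST" mail.example.org EXAMPLE.ORG |
    sed 's/^/missing: /'
case_mismatches "$SAMPLE_KLIST" mail.example.org EXAMPLE.ORG |
    sed 's/^/case mismatch: /'
```

Run `live_checks /etc/krb5.keytab mail.example.org EXAMPLE.ORG` as the dovecot user to also confirm the keytab is readable by the process that will open it.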
Mark Foley
2016-Jun-27 06:58 UTC
Looking for GSSAPI config [was: Looking for NTLM config example]
Aki, again, thanks A LOT for your reply. Concerning your checklist:

> 1. Functional AD or Kerberos environment

Check!

> 2. Time synced against your KDC (which is your Domain Controller on Windows)

Check! (needed for AD/DC anyway)

> 3. /etc/krb5.conf configured

NO

> 4. Both forward / reverse DNS names correct for clients and servers.
> Reverse is only mandatory for servers, but having them right will work
> wonders. Most kerberos problems are about DNS problems.

Check!

> 5. You need a keytab. This keytab needs to hold entries like
> IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate
> these on any Windows DC server (at least).

NO

So, I'm apparently lacking in the kerberos stuff. Here's the problem -- Samba4 uses Heimdal
Kerberos and when I provisioned my domain apparently none of these needed kerberos files were
set up. I can, however, kerberos authenticate from domain workstations both WIN7 and Linux.

I will (and have already) contacted the Samba list to see what needs to be done. I'll post back
what I find. Maybe I can finally get to the bottom of this problem.

Thanks again -- Mark
Jan Jurkus
2016-Jun-27 21:02 UTC
Looking for GSSAPI config [was: Looking for NTLM config example]
Hi,

On 27-06-2016 08:58, Mark Foley wrote:
> So, I'm apparently lacking in the kerberos stuff. Here's the problem -- Samba4 uses Heimdal
> Kerberos and when I provisioned my domain apparently none of these needed kerberos files were
> set up. I can, however, kerberos authenticate from domain workstations both WIN7 and Linux.

You don't need any Samba4 stuff to get it working. Samba is great, but can be hard to get
right. I tend to steer clear of Samba when I don't really need it.

My first experience was with an OTRS helpdesk install, and trying to get it to do SSO. I was
helped a great deal by wireshark, and this website: http://www.grolmsnet.de/kerbtut/

On a side note: mod_auth_kerb is rather ancient, in computer terms. You'd be better off with
mod_auth_gssapi. In the case of Dovecot we are not using Apache, of course.

With Dovecot I got the SSO working with Kerberos, and this part is working great. Other parts
(shared mailboxes, that sort of stuff) aren't working for me yet. This is my own fault, not a
dovecot one, haven't looked into it enough. Anyway, the SSO is working great.

One of the tricky bits is you need a kerberos keytab with two services. I used ktutil:

# ktutil
ktutil:  read_kt mail-imap.keytab
ktutil:  read_kt mail-smtp.keytab
ktutil:  write_kt mail.keytab
ktutil:  quit

I'm using a windows 2003 r2 server as domain controller; to create a keytab file you need the
windows 2003 support tools.

ktpass.exe -princ imap/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL -mapuser GCECAD-SERVICE\mail-imap -crypto RC4-HMAC-NT -pass koeltje234 -ptype KRB5_NT_PRINCIPAL -out mail-imap.keytab
ktpass.exe -princ smtp/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL -mapuser GCECAD-SERVICE\mail-smtp -crypto RC4-HMAC-NT -pass koeltje234 -ptype KRB5_NT_PRINCIPAL -out mail-smtp.keytab

Most instructions on the internet do not quite work out that well. RC4-HMAC-NT crypto is needed
if you still have Windows XP machines. It should work with a newer crypto, but I have not tested
that.

FYI: Kerberos service names (imap, smtp) are sometimes capitalised, mostly when using HTTP.
Great, isn't it?

On the dovecot server I had to install a kerberos package:

# yum install krb5-workstation

(I am using CentOS7, but it should not be too hard to translate this to your own distro)

My kerberos configuration:

# vi /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = GCECAD-SERVICE.LOCAL
 default_keytab_file = /etc/krb5.keytab
 default_ccache_name = KEYRING:persistent:%{uid}
 allow_weak_crypto = true
 default_tkt_enctypes = arcfour-hmac-md5
 default_tgs_enctypes = arcfour-hmac-md5
 permitted_enctypes = arcfour-hmac-md5

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
   krb4_convert = false
 }

[realms]
 GCECAD-SERVICE.LOCAL = {
  kdc = this.is.the.dns.name.of.your.kdc
  admin_server = this.is.the.dns.name.of.your.kdc
 }

[domain_realm]
 .gcecad-service.local = GCECAD-SERVICE.LOCAL
 gcecad-service.local = GCECAD-SERVICE.LOCAL
 .gcecad-service.nl = GCECAD-SERVICE.LOCAL
 gcecad-service.nl = GCECAD-SERVICE.LOCAL

Dovecot config, the needed parts:

In /etc/dovecot/conf.d/10-auth.conf :

auth_krb5_keytab = /etc/dovecot/mail.keytab
auth_mechanisms = plain gssapi

In /etc/dovecot/conf.d/auth-system.conf.ext :

passdb {
  driver = pam
}
userdb {
  driver = static
  args = uid=2000 gid=2000 home=/var/vmail/%Ln allow_all_users=yes
}

In /etc/pam.d/dovecot :

#%PAM-1.0
auth       sufficient   pam_krb5.so no_user_check validate
account    sufficient   pam_permit.so

I'm not entirely happy with the static userdb, because of the limitations with kerberos/pam,
but this can of course be changed rather easily. The hardest part is to get the SSO working.
One of the limitations is stated here: http://wiki.dovecot.org/UserDatabase/Static

Postfix SMTP auth is using LMTP, reading from my notes.

I hope you can get a clearer picture with this rather long and chaotic reply.

--
Jan Jurkus | ICT Administrator | GCE cad-service B.V.
Postbus 12, 3220 AA Hellevoetsluis
Daltonweg 9, 3225 LR Hellevoetsluis
tel: 0181-336955 | fax: 0181-311899
j.jurkus at gcecad-service.nl | www.gcecad-service.nl
Mark Foley
2016-Jun-28 06:27 UTC
Looking for GSSAPI config [was: Looking for NTLM config example]
Aki,

To review your 5 points:

On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> 1. Functional AD or Kerberos environment
> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> 3. /etc/krb5.conf configured
> 4. Both forward / reverse DNS names correct for clients and servers.
> Reverse is only mandatory for servers, but having them right will work
> wonders. Most kerberos problems are about DNS problems.
> 5. You need a keytab. This keytab needs to hold entries like
> IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate
> these on any Windows DC server (at least).

I believe I am good on 1, 2 and 4. I downloaded and installed kerberos and tested it with kinit
and klist according to the instructions at
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

As to the keytab (#5) I did the following:

$ samba-tool domain exportkeytab /etc/krb5.keytab

which created the file. I made this owned and readable by group dovecot, per instructions at
http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me
a configuration listing all the users and computers in the domain, mostly in triplicate. A
partial list:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL

where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing,
but am assuming it is OK.

> setspn -q is helpful here, also setspn command in general.

I have no such command in my system. Is that a Windows thing?

As to the /etc/krb5.conf, the default one generated by samba is:

[libdefaults]
        default_realm = HPRS.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

I'd like to modify that to your suggestions, but I need more help. You have (with my questions):

> Here is a *SAMPLE* configuration:
>
> [libdefaults]
>         default_realm = YOUR.REALM
>         dns_lookup_kdc = true
>         krb4_config = /etc/krb.conf
>         krb4_realms = /etc/krb.realms

Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:

krb5_config = /etc/krb5.conf

Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?

>         kdc_timesync = 1
>         ccache_type = 4
>         forwardable = true
>         proxiable = true
>         fcc-mit-ticketflags = true
>
> [realms]
>         YOUR.REALM = {
>                 default_domain = your.domain.name
>                 auth_to_local_names = {
>                         Administrator = root
>                 }
>         }

I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD
server: mail.hprs.local, or is it just hprs.local? (or something else!)

> [domain_realm]
>         your.domain.name = YOUR.REALM
>         # this is not a mistake
>         .your.domain.name = YOUR.REALM
> [login]
>         krb4_convert = true
>         krb4_get_tickets = false

Likewise here a question on the whole krb4 versus krb5 thing.

Your closing comment:

> Also, note that kerberos can only act as AUTHENTICATION system. It
> cannot act as USER DATABASE. For that you need to configure LDAP or
> something else. With Active Directory LDAP is probably a damn good idea.

I have the following doveconf -n:

# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
  driver = passwd
}
verbose_ssl = yes

I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in
any case I still have all but this test workstation NOT using gssapi, so I still need to
accommodate them.

Thanks, --Mark
Aki Tuomi
2016-Jun-28 12:13 UTC
Looking for GSSAPI config [was: Looking for NTLM config example]
On 28.06.2016 09:27, Mark Foley wrote:
> Aki,
>
> To review your 5 points:
[...]
> As to the keytab (#5) I did the following:
>
> $ samba-tool domain exportkeytab /etc/krb5.keytab
>
> which created the file. I made this owned and readable by group dovecot, per instructions at
> http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me
> a configuration listing all the users and computers in the domain, mostly in triplicate. A
> partial list:
>
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>   18 COMMON$@HPRS.LOCAL
>   18 COMMON$@HPRS.LOCAL
>   18 COMMON$@HPRS.LOCAL
>    1 MAIL$@HPRS.LOCAL
>    1 MAIL$@HPRS.LOCAL
>    1 MAIL$@HPRS.LOCAL
>    1 charmaine@HPRS.LOCAL
>    1 charmaine@HPRS.LOCAL
>    1 charmaine@HPRS.LOCAL
>
> where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing,
> but am assuming it is OK.

Strange that you do not have any host/ entries. Maybe it works without.

>> setspn -q is helpful here, also setspn command in general.
> I have no such command in my system. Is that a Windows thing?

Yes, but you can do those kinds of things in Samba too.

> As to the /etc/krb5.conf, the default one generated by samba is:
>
> [libdefaults]
>         default_realm = HPRS.LOCAL
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
>
>> Here is a *SAMPLE* configuration:
>>
>> [libdefaults]
>>         default_realm = YOUR.REALM
>>         dns_lookup_kdc = true
>>         krb4_config = /etc/krb.conf
>>         krb4_realms = /etc/krb.realms
> Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:

You can remove the krb4_ stuff.

> krb5_config = /etc/krb5.conf
>
> Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?

You don't necessarily require that.

>> [realms]
>>         YOUR.REALM = {
>>                 default_domain = your.domain.name
>>                 auth_to_local_names = {
>>                         Administrator = root
>>                 }
>>         }
> I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD
> server: mail.hprs.local, or is it just hprs.local? (or something else!)

HPRS.LOCAL is your REALM, hprs.local is your domain name.

> Likewise here a question on the whole krb4 versus krb5 thing.
>
> Your closing comment:
>
>> Also, note that kerberos can only act as AUTHENTICATION system. It
>> cannot act as USER DATABASE. For that you need to configure LDAP or
>> something else. With Active Directory LDAP is probably a damn good idea.
> I have the following doveconf -n:
[...]
> I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in
> any case I still have all but this test workstation NOT using gssapi, so I still need to
> accommodate them.
>
> Thanks, --Mark

passwd driver is fine, yes, if you ensure that users can be found.

Aki