Mark Foley
2016-Jun-28 14:17 UTC
Looking for GSSAPI config [was: Looking for NTLM config example]
Aki - made your suggested changes, but no joy :( My /etc/krb5.conf: ------SNIP-------- [libdefaults] default_realm = HPRS.LOCAL dns_lookup_realm = false dns_lookup_kdc = true [libdefaults] default_realm = HPRS.LOCAL dns_lookup_kdc = true kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true fcc-mit-ticketflags = true [realms] HPRS.LOCAL = { default_domain = hprs.local auth_to_local_names = { Administrator = root } } [domain_realm] hprs.local = HPRS.LOCAL # this is not a mistake .hprs.local = HPRS.LOCAL ------PINS----------- you wrote:> You can remove the krb4_ stuffI've remove krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether. Question on [realms]Administrator: should that really be root or should it be my AD Administrator? my doveconf -n is exactly the same as posted below, but in particular: auth_krb5_keytab = /etc/krb5.keytab auth_mechanisms = plain login gssapi When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using plain/ssl, no one yet configured for gssapi). In /var/log/maillog I got (repeatedly): Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=<Jy/e0lY2WADAqAA2> Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi' Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=</GXn0lY22wCmqhuh> This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"? Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd finally able to get AD authentication going for Dovecot. Not ready to give up though! Suggestions? THX -- Mark -----original Message-----> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example] > To: dovecot at dovecot.org > From: Aki Tuomi <aki.tuomi at dovecot.fi> > Date: Tue, 28 Jun 2016 15:13:11 +0300 > > On 28.06.2016 09:27, Mark Foley wrote: > > Aki, > > > > To review your 5 points: > > > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tuomi at dovecot.fi> wrote: > > > >> 1. Functional AD or Kerberos environment > >> 2. Time synced against your KDC (which is your Domain Controller on Windows) > >> 3. /etc/krb5.conf configured > >> 4. Both forward / reverse DNS names correct for clients and servers. > >> Reverse is only mandatory for servers, but having them right will work > >> wonders. Most kerberos problems are about DNS problems. > >> 5. You need a keytab. This keytab needs to hold entries like > >> IMAP/your.host.name at REALM and IMAP/$HOSTNAME at REALM. You can generate > >> these on any Windows DC server (at least). > > I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit > > and klist according to the instructions at > > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos > > > > As to the the keytab (#5) I did the following: > > > > $ samba-tool domain exportkeytab /etc/krb5.keytab > > > > which created the file. I made this owned and readable by group dovecot, per instructions at > > http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me > > configuration listing all the users and computers in the domain, mostly in triplicate. A > > partial list: > > > > Keytab name: FILE:/etc/krb5.keytab > > KVNO Principal > > ---- -------------------------------------------------------------------------- > > 18 COMMON$@HPRS.LOCAL > > 18 COMMON$@HPRS.LOCAL > > 18 COMMON$@HPRS.LOCAL > > 1 MAIL$@HPRS.LOCAL > > 1 MAIL$@HPRS.LOCAL > > 1 MAIL$@HPRS.LOCAL > > 1 charmaine at HPRS.LOCAL > > 1 charmaine at HPRS.LOCAL > > 1 charmaine at HPRS.LOCAL > > > > where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing, > > but am assuming it is OK. > > Strange that you do not have any host/ entries. Maybe it works without. > > >> setspn -q is helpful here, also setspn command in general. > > I have no such command in my system. Is that a Windows thing? > > > > Yes, but you can do those kind of things in Samba too. > > > As to the /etc/krb5.conf, the default one generated by samba is: > > > > [libdefaults] > > default_realm = HPRS.LOCAL > > dns_lookup_realm = false > > dns_lookup_kdc = true > > > > I'd like to modify that to your suggestions, but I need more help. You have (with my questions): > > > >> Here is a *SAMPLE* configuration: > >> > >> [libdefaults] > >> default_realm = YOUR.REALM > >> dns_lookup_kdc = true > >> krb4_config = /etc/krb.conf > >> krb4_realms = /etc/krb.realms > > Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have: > > You can remove the krb4_ stuff > > > krb5_config = /etc/krb5.conf > > > > Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there? > You don't necessarely require that. > > >> kdc_timesync = 1 > >> ccache_type = 4 > >> forwardable = true > >> proxiable = true > >> fcc-mit-ticketflags = true > >> > >> [realms] > >> YOUR.REALM = { > >> default_domain = your.domain.name > >> auth_to_local_names = { > >> Administrator = root > >> } > >> } > > I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD > > server: mail.hprs.local, or is it just hprs.local? (or something else!) > > HPRS.LOCAL is your REALM, hprs.local is your domain name. > > > >> [domain_realm] > >> your.domain.name = YOUR.REALM > >> # this is not a mistake > >> .your.domain.name = YOUR.REALM > >> [login] > >> krb4_convert = true > >> krb4_get_tickets = false > > Likewise here a question on the whole krb4 versus krb5 thing. > > > > Your closing comment: > > > >> Also, note that kerberos can only act as AUTHENTICATION system. It > >> cannot act as USER DATABASE. For that you need to configure LDAP or > >> something else. With Active Directory LDAP is probably a damn good idea. > > I have the following doveconf -n: > > > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > > auth_debug_passwords = yes > > auth_krb5_keytab = /etc/krb5.keytab > > auth_mechanisms = plain login gssapi > > auth_verbose = yes > > auth_verbose_passwords = plain > > disable_plaintext_auth = no > > info_log_path = /var/log/dovecot_info > > mail_location = maildir:~/Maildir > > passdb { > > driver = shadow > > } > > protocols = imap > > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key > > userdb { > > driver = passwd > > } > > verbose_ssl = yes > > > > I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in > > any case I still have all but this test workstation NOT using gssapi, so I still need to > > accomodate them. > > > > Thanks, --Mark > passwd driver is fine, yes, if you ensure that users can be found. > > Aki >
aki.tuomi at dovecot.fi
2016-Jun-28 15:06 UTC
Looking for GSSAPI config [was: Looking for NTLM config example]
> On June 28, 2016 at 5:17 PM Mark Foley <mfoley at ohprs.org> wrote: > > > Aki - made your suggested changes, but no joy :( > > My /etc/krb5.conf: > > ------SNIP-------- > [libdefaults] > default_realm = HPRS.LOCAL > dns_lookup_realm = false > dns_lookup_kdc = true > > [libdefaults] > default_realm = HPRS.LOCAL > dns_lookup_kdc = true > kdc_timesync = 1 > ccache_type = 4 > forwardable = true > proxiable = true > fcc-mit-ticketflags = true > > [realms] > HPRS.LOCAL = { > default_domain = hprs.local > auth_to_local_names = { > Administrator = root > } > } > > [domain_realm] > hprs.local = HPRS.LOCAL > # this is not a mistake > .hprs.local = HPRS.LOCAL > ------PINS----------- > > you wrote: > > You can remove the krb4_ stuff > > I've remove krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether. > Question on [realms]Administrator: should that really be root or should it be my AD Administrator? > > my doveconf -n is exactly the same as posted below, but in particular: > > auth_krb5_keytab = /etc/krb5.keytab > auth_mechanisms = plain login gssapi > > When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using > plain/ssl, no one yet configured for gssapi). > > In /var/log/maillog I got (repeatedly): > > Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=<Jy/e0lY2WADAqAA2> > Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi' > Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs > Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=</GXn0lY22wCmqhuh> > > This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"? > > Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd > finally able to get AD authentication going for Dovecot. Not ready to give up though! > > Suggestions? > > THX -- Mark > > -----original Message----- > > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example] > > To: dovecot at dovecot.org > > From: Aki Tuomi <aki.tuomi at dovecot.fi> > > Date: Tue, 28 Jun 2016 15:13:11 +0300 > > > > On 28.06.2016 09:27, Mark Foley wrote: > > > Aki, > > > > > > To review your 5 points: > > > > > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tuomi at dovecot.fi> wrote: > > > > > >> 1. Functional AD or Kerberos environment > > >> 2. Time synced against your KDC (which is your Domain Controller on Windows) > > >> 3. /etc/krb5.conf configured > > >> 4. Both forward / reverse DNS names correct for clients and servers. > > >> Reverse is only mandatory for servers, but having them right will work > > >> wonders. Most kerberos problems are about DNS problems. > > >> 5. You need a keytab. This keytab needs to hold entries like > > >> IMAP/your.host.name at REALM and IMAP/$HOSTNAME at REALM. You can generate > > >> these on any Windows DC server (at least). > > > I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit > > > and klist according to the instructions at > > > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos > > > > > > As to the the keytab (#5) I did the following: > > > > > > $ samba-tool domain exportkeytab /etc/krb5.keytab > > > > > > which created the file. I made this owned and readable by group dovecot, per instructions at > > > http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me > > > configuration listing all the users and computers in the domain, mostly in triplicate. A > > > partial list: > > > > > > Keytab name: FILE:/etc/krb5.keytab > > > KVNO Principal > > > ---- -------------------------------------------------------------------------- > > > 18 COMMON$@HPRS.LOCAL > > > 18 COMMON$@HPRS.LOCAL > > > 18 COMMON$@HPRS.LOCAL > > > 1 MAIL$@HPRS.LOCAL > > > 1 MAIL$@HPRS.LOCAL > > > 1 MAIL$@HPRS.LOCAL > > > 1 charmaine at HPRS.LOCAL > > > 1 charmaine at HPRS.LOCAL > > > 1 charmaine at HPRS.LOCAL > > > > > > where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing, > > > but am assuming it is OK. > > > > Strange that you do not have any host/ entries. Maybe it works without. > > > > >> setspn -q is helpful here, also setspn command in general. > > > I have no such command in my system. Is that a Windows thing? > > > > > > > Yes, but you can do those kind of things in Samba too. > > > > > As to the /etc/krb5.conf, the default one generated by samba is: > > > > > > [libdefaults] > > > default_realm = HPRS.LOCAL > > > dns_lookup_realm = false > > > dns_lookup_kdc = true > > > > > > I'd like to modify that to your suggestions, but I need more help. You have (with my questions): > > > > > >> Here is a *SAMPLE* configuration: > > >> > > >> [libdefaults] > > >> default_realm = YOUR.REALM > > >> dns_lookup_kdc = true > > >> krb4_config = /etc/krb.conf > > >> krb4_realms = /etc/krb.realms > > > Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have: > > > > You can remove the krb4_ stuff > > > > > krb5_config = /etc/krb5.conf > > > > > > Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there? > > You don't necessarely require that. > > > > >> kdc_timesync = 1 > > >> ccache_type = 4 > > >> forwardable = true > > >> proxiable = true > > >> fcc-mit-ticketflags = true > > >> > > >> [realms] > > >> YOUR.REALM = { > > >> default_domain = your.domain.name > > >> auth_to_local_names = { > > >> Administrator = root > > >> } > > >> } > > > I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD > > > server: mail.hprs.local, or is it just hprs.local? (or something else!) > > > > HPRS.LOCAL is your REALM, hprs.local is your domain name. > > > > > >> [domain_realm] > > >> your.domain.name = YOUR.REALM > > >> # this is not a mistake > > >> .your.domain.name = YOUR.REALM > > >> [login] > > >> krb4_convert = true > > >> krb4_get_tickets = false > > > Likewise here a question on the whole krb4 versus krb5 thing. > > > > > > Your closing comment: > > > > > >> Also, note that kerberos can only act as AUTHENTICATION system. It > > >> cannot act as USER DATABASE. For that you need to configure LDAP or > > >> something else. With Active Directory LDAP is probably a damn good idea. > > > I have the following doveconf -n: > > > > > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > > > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > > > auth_debug_passwords = yes > > > auth_krb5_keytab = /etc/krb5.keytab > > > auth_mechanisms = plain login gssapi > > > auth_verbose = yes > > > auth_verbose_passwords = plain > > > disable_plaintext_auth = no > > > info_log_path = /var/log/dovecot_info > > > mail_location = maildir:~/Maildir > > > passdb { > > > driver = shadow > > > } > > > protocols = imap > > > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt > > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key > > > userdb { > > > driver = passwd > > > } > > > verbose_ssl = yes > > > > > > I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in > > > any case I still have all but this test workstation NOT using gssapi, so I still need to > > > accomodate them. > > > > > > Thanks, --Mark > > passwd driver is fine, yes, if you ensure that users can be found. > > > > Aki > >Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself? I'll try to check status of NTLM this week. Aki
Mark Foley
2016-Jun-29 02:04 UTC
Looking for GSSAPI config [was: Looking for NTLM config example]
Aki, you wrote:> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself? > > I'll try to check status of NTLM this week.I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1. I do have the Dovecot sources and will peruse the possible options after I send this. I am on version 2.2.15 and I see that the current downloadable version is 2.2.24. Should I upgrade? Do you think that would help? (a perusal of the changes since 2.2.15 shows nothing obvious realated to gssapi) --Mark -----Original Message-----> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST) > From: aki.tuomi at dovecot.fi > To: dovecot at dovecot.org > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example] > > > On June 28, 2016 at 5:17 PM Mark Foley <mfoley at ohprs.org> wrote: > > > > > > Aki - made your suggested changes, but no joy :( > > > > My /etc/krb5.conf: > > > > ------SNIP-------- > > [libdefaults] > > default_realm = HPRS.LOCAL > > dns_lookup_realm = false > > dns_lookup_kdc = true > > > > [libdefaults] > > default_realm = HPRS.LOCAL > > dns_lookup_kdc = true > > kdc_timesync = 1 > > ccache_type = 4 > > forwardable = true > > proxiable = true > > fcc-mit-ticketflags = true > > > > [realms] > > HPRS.LOCAL = { > > default_domain = hprs.local > > auth_to_local_names = { > > Administrator = root > > } > > } > > > > [domain_realm] > > hprs.local = HPRS.LOCAL > > # this is not a mistake > > .hprs.local = HPRS.LOCAL > > ------PINS----------- > > > > you wrote: > > > You can remove the krb4_ stuff > > > > I've remove krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether. > > Question on [realms]Administrator: should that really be root or should it be my AD Administrator? > > > > my doveconf -n is exactly the same as posted below, but in particular: > > > > auth_krb5_keytab = /etc/krb5.keytab > > auth_mechanisms = plain login gssapi > > > > When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using > > plain/ssl, no one yet configured for gssapi). > > > > In /var/log/maillog I got (repeatedly): > > > > Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=<Jy/e0lY2WADAqAA2> > > Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi' > > Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs > > Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=</GXn0lY22wCmqhuh> > > > > This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"? > > > > Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd > > finally able to get AD authentication going for Dovecot. Not ready to give up though! > > > > Suggestions? > > > > THX -- Mark > > > > -----original Message----- > > > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example] > > > To: dovecot at dovecot.org > > > From: Aki Tuomi <aki.tuomi at dovecot.fi> > > > Date: Tue, 28 Jun 2016 15:13:11 +0300 > > > > > > On 28.06.2016 09:27, Mark Foley wrote: > > > > Aki, > > > > > > > > To review your 5 points: > > > > > > > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tuomi at dovecot.fi> wrote: > > > > > > > >> 1. Functional AD or Kerberos environment > > > >> 2. Time synced against your KDC (which is your Domain Controller on Windows) > > > >> 3. /etc/krb5.conf configured > > > >> 4. Both forward / reverse DNS names correct for clients and servers. > > > >> Reverse is only mandatory for servers, but having them right will work > > > >> wonders. Most kerberos problems are about DNS problems. > > > >> 5. You need a keytab. This keytab needs to hold entries like > > > >> IMAP/your.host.name at REALM and IMAP/$HOSTNAME at REALM. You can generate > > > >> these on any Windows DC server (at least). > > > > I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit > > > > and klist according to the instructions at > > > > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos > > > > > > > > As to the the keytab (#5) I did the following: > > > > > > > > $ samba-tool domain exportkeytab /etc/krb5.keytab > > > > > > > > which created the file. I made this owned and readable by group dovecot, per instructions at > > > > http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me > > > > configuration listing all the users and computers in the domain, mostly in triplicate. A > > > > partial list: > > > > > > > > Keytab name: FILE:/etc/krb5.keytab > > > > KVNO Principal > > > > ---- -------------------------------------------------------------------------- > > > > 18 COMMON$@HPRS.LOCAL > > > > 18 COMMON$@HPRS.LOCAL > > > > 18 COMMON$@HPRS.LOCAL > > > > 1 MAIL$@HPRS.LOCAL > > > > 1 MAIL$@HPRS.LOCAL > > > > 1 MAIL$@HPRS.LOCAL > > > > 1 charmaine at HPRS.LOCAL > > > > 1 charmaine at HPRS.LOCAL > > > > 1 charmaine at HPRS.LOCAL > > > > > > > > where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing, > > > > but am assuming it is OK. > > > > > > Strange that you do not have any host/ entries. Maybe it works without. > > > > > > >> setspn -q is helpful here, also setspn command in general. > > > > I have no such command in my system. Is that a Windows thing? > > > > > > > > > > Yes, but you can do those kind of things in Samba too. > > > > > > > As to the /etc/krb5.conf, the default one generated by samba is: > > > > > > > > [libdefaults] > > > > default_realm = HPRS.LOCAL > > > > dns_lookup_realm = false > > > > dns_lookup_kdc = true > > > > > > > > I'd like to modify that to your suggestions, but I need more help. You have (with my questions): > > > > > > > >> Here is a *SAMPLE* configuration: > > > >> > > > >> [libdefaults] > > > >> default_realm = YOUR.REALM > > > >> dns_lookup_kdc = true > > > >> krb4_config = /etc/krb.conf > > > >> krb4_realms = /etc/krb.realms > > > > Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have: > > > > > > You can remove the krb4_ stuff > > > > > > > krb5_config = /etc/krb5.conf > > > > > > > > Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there? > > > You don't necessarely require that. > > > > > > >> kdc_timesync = 1 > > > >> ccache_type = 4 > > > >> forwardable = true > > > >> proxiable = true > > > >> fcc-mit-ticketflags = true > > > >> > > > >> [realms] > > > >> YOUR.REALM = { > > > >> default_domain = your.domain.name > > > >> auth_to_local_names = { > > > >> Administrator = root > > > >> } > > > >> } > > > > I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD > > > > server: mail.hprs.local, or is it just hprs.local? (or something else!) > > > > > > HPRS.LOCAL is your REALM, hprs.local is your domain name. > > > > > > > >> [domain_realm] > > > >> your.domain.name = YOUR.REALM > > > >> # this is not a mistake > > > >> .your.domain.name = YOUR.REALM > > > >> [login] > > > >> krb4_convert = true > > > >> krb4_get_tickets = false > > > > Likewise here a question on the whole krb4 versus krb5 thing. > > > > > > > > Your closing comment: > > > > > > > >> Also, note that kerberos can only act as AUTHENTICATION system. It > > > >> cannot act as USER DATABASE. For that you need to configure LDAP or > > > >> something else. With Active Directory LDAP is probably a damn good idea. > > > > I have the following doveconf -n: > > > > > > > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > > > > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > > > > auth_debug_passwords = yes > > > > auth_krb5_keytab = /etc/krb5.keytab > > > > auth_mechanisms = plain login gssapi > > > > auth_verbose = yes > > > > auth_verbose_passwords = plain > > > > disable_plaintext_auth = no > > > > info_log_path = /var/log/dovecot_info > > > > mail_location = maildir:~/Maildir > > > > passdb { > > > > driver = shadow > > > > } > > > > protocols = imap > > > > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt > > > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key > > > > userdb { > > > > driver = passwd > > > > } > > > > verbose_ssl = yes > > > > > > > > I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in > > > > any case I still have all but this test workstation NOT using gssapi, so I still need to > > > > accomodate them. > > > > > > > > Thanks, --Mark > > > passwd driver is fine, yes, if you ensure that users can be found. > > > > > > Aki > > > > > Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself? > > I'll try to check status of NTLM this week. > > Aki >
Reasonably Related Threads
- Looking for GSSAPI config [was: Looking for NTLM config example]
- Looking for GSSAPI config [was: Looking for NTLM config example]
- Looking for GSSAPI config [was: Looking for NTLM config example]
- Looking for GSSAPI config [was: Looking for NTLM config example]
- Howto authenticate smartPhone via Active Directory