Aki Tuomi
2016-Jun-30 06:58 UTC
Looking for GSSAPI config [was: Looking for NTLM config example]
I think the problem still is that your keytab file has no entry
imap/hostname@DOMAIN and IMAP/hostname@DOMAIN

you also have no host/hostname@DOMAIN

Aki

On 29.06.2016 18:40, Mark Foley wrote:
> Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that.
> The Thunderbird message is:
>
> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark at ohprs.org. Please check
> that you are logged in to the Kerberos/GSSAPI realm."
>
> I made further comments in that message that I won't clutter the list by repeating here. Check
> out that message and see what you think could be wrong.
>
> Thanks for your help! I'm sure this is solvable!
>
> --Mark
>
> -----Original Message-----
>> Date: Wed, 29 Jun 2016 08:03:14 -0400
>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>> From: brendan kearney <bpk678 at gmail.com>
>> To: Mark Foley <mfoley at ohprs.org>
>> Cc: dovecot at dovecot.org
>>
>> The last log line shows "user=<>". This indicates no credentials were
>> presented. If the rip field matches the client ip you tested from, I would
>> bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not
>> pulled for the authentication.
>> On Jun 28, 2016 11:33 PM, "Mark Foley" <mfoley at ohprs.org> wrote:
> [deleted]
Mark Foley
2016-Jul-01 06:42 UTC
Looking for GSSAPI config [was: Looking for NTLM config example]
My keytab now has:

ktutil: read_kt /etc/dovecot/dovecot.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 smtp/mail.hprs.local@HPRS.LOCAL
   2    1 imap/mail.hprs.local@HPRS.LOCAL

I added these in ktutil with:

addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac

Aki wrote:

> I think the problem still is that your keytab file has no entry
> imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
> you also have no host/hostname@DOMAIN

Not sure how to interpret your template. Are you suggesting I should ...

addent -password -p IMAP/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
addent -password -p imap/mail@HPRS.LOCAL -k 1 -e arcfour-hmac

(one IMAP uppercase and one lowercase?)

I don't get your distinction between host and hostname in your 3rd example: host/hostname@DOMAIN

Meanwhile ...

Tried a bunch of things. No go so far. In fact, I'm questioning if gssapi is enabled in my
dovecot. I did rebuild and reinstall using `./configure --with-gssapi=yes`, but if I only
enable gssapi authentication, I get "No authenticators available" (mail client). How can I
verify gssapi is really available? dovecot --build-options shows:

Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
SQL drivers:
Passdb: checkpassword passwd passwd-file shadow
Userdb: checkpassword nss passwd prefetch passwd-file

should I see authentication methods there?

--Mark

-----Original Message-----
Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
To: dovecot at dovecot.org
From: Aki Tuomi <aki.tuomi at dovecot.fi>
Organization: Dovecot Oy
Date: Thu, 30 Jun 2016 09:58:14 +0300

I think the problem still is that your keytab file has no entry
imap/hostname@DOMAIN and IMAP/hostname@DOMAIN

you also have no host/hostname@DOMAIN

Aki

On 29.06.2016 18:40, Mark Foley wrote:
> Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that.
> The Thunderbird message is:
>
> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark at ohprs.org. Please check
> that you are logged in to the Kerberos/GSSAPI realm."
>
> I made further comments in that message that I won't clutter the list by repeating here. Check
> out that message and see what you think could be wrong.
>
> Thanks for your help! I'm sure this is solvable!
>
> --Mark
>
> -----Original Message-----
>> Date: Wed, 29 Jun 2016 08:03:14 -0400
>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>> From: brendan kearney <bpk678 at gmail.com>
>> To: Mark Foley <mfoley at ohprs.org>
>> Cc: dovecot at dovecot.org
>>
>> The last log line shows "user=<>". This indicates no credentials were
>> presented. If the rip field matches the client ip you tested from, I would
>> bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not
>> pulled for the authentication.
>> On Jun 28, 2016 11:33 PM, "Mark Foley" <mfoley at ohprs.org> wrote:
> [deleted]
Aki Tuomi
2016-Jul-01 07:10 UTC
Looking for GSSAPI config [was: Looking for NTLM config example]
The distinction is that kerberos principals are in form <service>/<hostname>@<REALM>

the hostname bit *must* match to the host you are connecting to, exactly and verbatim. It can differ in case, I guess. The service is what service you are connecting to. These have special meanings and can be case sensitive (like http won't always work, it has to be HTTP).

host/ is always needed in at least system keytab. Not sure if it's needed now in the service tab.

But I suspect that you need to have IMAP and not imap. Also make sure to double-check that the hostname is correct.

Once you've done the keytab you'll want to grab a cup of coffee and local newspaper or something and read it thru before trying, because it might take some time for it to work.

Also, your client *and* host need to be able to access KDC (all of them) on 88/tcp.

Aki

On 01.07.2016 09:42, Mark Foley wrote:
> My keytab now has:
>
> ktutil: read_kt /etc/dovecot/dovecot.keytab
> ktutil: list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1 smtp/mail.hprs.local@HPRS.LOCAL
>    2    1 imap/mail.hprs.local@HPRS.LOCAL
>
> I added these in ktutil with:
>
> addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac
>
> Aki wrote:
>
>> I think the problem still is that your keytab file has no entry
>> imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
>> you also have no host/hostname@DOMAIN
>
> Not sure how to interpret your template. Are you suggesting I should ...
>
> addent -password -p IMAP/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
> addent -password -p imap/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
>
> (one IMAP uppercase and one lowercase?)
>
> I don't get your distinction between host and hostname in your 3rd example: host/hostname@DOMAIN
>
> Meanwhile ...
>
> Tried a bunch of things. No go so far. In fact, I'm questioning if gssapi is enabled in my
> dovecot. I did rebuild and reinstall using `./configure --with-gssapi=yes`, but if I only
> enable gssapi authentication, I get "No authenticators available" (mail client). How can I
> verify gssapi is really available? dovecot --build-options shows:
>
> Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
> Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
> SQL drivers:
> Passdb: checkpassword passwd passwd-file shadow
> Userdb: checkpassword nss passwd prefetch passwd-file
>
> should I see authentication methods there?
>
> --Mark
>
> -----Original Message-----
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: dovecot at dovecot.org
> From: Aki Tuomi <aki.tuomi at dovecot.fi>
> Organization: Dovecot Oy
> Date: Thu, 30 Jun 2016 09:58:14 +0300
>
> I think the problem still is that your keytab file has no entry
> imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
>
> you also have no host/hostname@DOMAIN
>
> Aki
>
> On 29.06.2016 18:40, Mark Foley wrote:
>> Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that.
>> The Thunderbird message is:
>>
>> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark at ohprs.org. Please check
>> that you are logged in to the Kerberos/GSSAPI realm."
>>
>> I made further comments in that message that I won't clutter the list by repeating here. Check
>> out that message and see what you think could be wrong.
>>
>> Thanks for your help! I'm sure this is solvable!
>>
>> --Mark
>>
>> -----Original Message-----
>>> Date: Wed, 29 Jun 2016 08:03:14 -0400
>>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>>> From: brendan kearney <bpk678 at gmail.com>
>>> To: Mark Foley <mfoley at ohprs.org>
>>> Cc: dovecot at dovecot.org
>>>
>>> The last log line shows "user=<>". This indicates no credentials were
>>> presented. If the rip field matches the client ip you tested from, I would
>>> bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not
>>> pulled for the authentication.
>>> On Jun 28, 2016 11:33 PM, "Mark Foley" <mfoley at ohprs.org> wrote:
>> [deleted]
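The two points the thread turns on, Mark's keytab listing and Aki's explanation that a principal is <service>/<hostname>@<REALM> and has to match what the client asks for verbatim, can be checked mechanically. The script below is an added example written for this archive page; it is not code from the Dovecot project or from any of the thread's participants. It parses the slot/KVNO/Principal table that `ktutil: list` prints (the constructed sample reuses Mark's two entries, with the "@" that the list archive rewrote as " at " restored) and, for the hostname the mail client actually has configured, reports per service whether the keytab holds an exact match, a match that differs only in case, a match on the service but with a different hostname, or nothing. The case question Aki raises is deliberately left as a separate verdict rather than resolved either way: Kerberos compares principal names byte for byte, so whichever spelling the server is going to request must appear in the keytab exactly. The `kdc_reachable` helper covers his last point, that both client and server need 88/tcp to the KDC; the KDC hostname passed to it is an assumption the caller supplies.

```python
"""Check a ktutil listing against the service principal a Kerberos client will request.

Added example for this mailing-list thread; not Dovecot code.  The keytab listing
below is a constructed sample modelled on the one posted in the thread.
"""
import re
import socket
from dataclasses import dataclass

# One data row of `ktutil: list`: "slot KVNO principal".  The archive this thread
# comes from rewrote "@" as " at ", so that spelling is normalised before matching.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")
PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^@]+)@(?P<realm>.+)$")

# Constructed sample (the listing from the thread, "@" restored).
SAMPLE_KTUTIL_LIST = """\
ktutil: read_kt /etc/dovecot/dovecot.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 smtp/mail.hprs.local@HPRS.LOCAL
   2    1 imap/mail.hprs.local@HPRS.LOCAL
"""


@dataclass(frozen=True)
class Principal:
    service: str
    host: str
    realm: str

    @classmethod
    def parse(cls, text):
        m = PRINCIPAL_RE.match(text)
        return cls(**m.groupdict()) if m else None

    def __str__(self):
        return f"{self.service}/{self.host}@{self.realm}"


def parse_ktutil_list(output):
    """Return (kvno, Principal) pairs; prompt, header and rule lines are skipped."""
    entries = []
    for line in output.splitlines():
        line = re.sub(r"\s+at\s+", "@", line)   # undo archive mangling if present
        m = ROW_RE.match(line)
        if not m:
            continue
        p = Principal.parse(m.group(3))
        if p is not None:
            entries.append((int(m.group(2)), p))
    return entries


def classify(keytab, wanted):
    """Say how close the keytab comes to holding `wanted`.

    Kerberos compares principal names byte for byte: "IMAP/" is not "imap/", and
    "mail" is not "mail.hprs.local".  Each near-miss gets its own verdict so the
    operator knows which component to fix.
    """
    if any(str(p) == str(wanted) for _, p in keytab):
        return "ok"
    if any(str(p).lower() == str(wanted).lower() for _, p in keytab):
        return "case-mismatch"
    if any(p.service.lower() == wanted.service.lower() and p.realm == wanted.realm
           for _, p in keytab):
        return "hostname-mismatch"
    return "missing"


def check_keytab(output, client_hostname, realm, services=("imap", "smtp", "host")):
    """Map each service to its verdict for the hostname the client connects to."""
    keytab = parse_ktutil_list(output)
    return {svc: classify(keytab, Principal(svc, client_hostname, realm)) for svc in services}


def kdc_reachable(kdc_host, port=88, timeout=3.0):
    """True if a TCP connection to the KDC port opens; run this on client and server."""
    try:
        with socket.create_connection((kdc_host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Hostname exactly as configured in the mail client, not the server's own idea of itself.
    for svc, verdict in check_keytab(SAMPLE_KTUTIL_LIST, "mail.hprs.local", "HPRS.LOCAL").items():
        print(f"{svc}/mail.hprs.local@HPRS.LOCAL: {verdict}")
    # A client configured with the short name asks for a different principal:
    print(check_keytab(SAMPLE_KTUTIL_LIST, "mail", "HPRS.LOCAL", services=("imap",)))
    print("KDC 88/tcp reachable:", kdc_reachable("kdc.example.test"))  # placeholder KDC name
```

Run it with the real `ktutil: list` output pasted into `SAMPLE_KTUTIL_LIST` (or read from a file) and the hostname copied from the client's server settings; a "hostname-mismatch" on imap/ is the case the quoted log line `user=<>` points at, since the client never obtained a ticket for the principal the server holds a key for.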