Brendan Kearney
2016-Jul-04 14:40 UTC
Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
On 07/04/2016 03:30 AM, Mark Foley wrote:
> Actually, I see that you used host.domain.name further down. That's a good substitute for mail.hprs.local.
>
> Also, not to be a literary critic, but it might not hurt to show an example keytab beneath your
> "Make sure your keytab has entry for ...". Just in case people don't exactly know how to "make sure":
>
> $ klist -Kek /etc/dovecot/dovecot.keytab
> Keytab name: FILE:/etc/dovecot/dovecot.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 imap/host.domain.name@MYREALM (des-cbc-crc) (0x232616c2a4fd08f7)
>    1 imap/host.domain.name@MYREALM (des-cbc-md5) (0x232616c2a4fd08f7)
>    1 imap/host.domain.name@MYREALM (arcfour-hmac) (0x9dae89a221dc374a39f560833
>
> --Mark
>
> -----Original Message-----
> From: Mark Foley <mfoley at ohprs.org>
> Date: Mon, 04 Jul 2016 03:23:30 -0400
> Organization: Ohio Highway Patrol Retirement System
> To: dovecot at dovecot.org
> Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
>
> On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>
>>> http://wiki2.dovecot.org/Authentication/Kerberos
>> It has been now updated.
> Excellent! That was quick!
>
> Although, you used my actual local domain in your example: mail.hprs.local. Not that I care,
> no one can get to that, but it might be clearer to those of us who uncomprehendingly
> monkey-type things from wikis when we don't fully understand. Perhaps something more generic
> would be clearer: myhost.myrealm, or myhost.mydom.local, or myLocalFQDN -- something like that.
> Not sure what is best; just don't want to imply that they HAVE TO use mail.hprs.local.
>
>> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
>> I have to set up some kind of test environment to find out why it bugs.
> I'm going to give my brain a rest for a bit before I resume tilting at the NTLM windmill! I'll
> check back with the list to see if you've come up with anything.
>
>> Aki
> Again, thanks for all your help.
>
> --Mark
>
> -----Original Message-----
>> Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
>> To: dovecot at dovecot.org
>> From: Aki Tuomi <aki.tuomi at dovecot.fi>
>> Organization: Dovecot Oy
>> Date: Mon, 4 Jul 2016 08:54:27 +0300
>> On 04.07.2016 07:44, Mark Foley wrote:
>>> After over a year and a half struggling to get Dovecot to do either NTLM or GSSAPI
>>> authentication with Samba4 AD/DC, I believe I've finally got it! Thanks to all those in this
>>> list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom Talpey, especially Aki Tuomi;
>>> and infinite thanks to Achim Gottinger on the SambaList for his patience in working this
>>> through with me. Although my purpose was for Dovecot to authenticate mail clients, the
>>> configuration settings needed were on the Samba side. I hope a variation of these instructions
>>> can eventually make it into:
>>>
>>> http://wiki2.dovecot.org/Authentication/Kerberos
>>>
>> It has been now updated.
>>
>> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
>> I have to set up some kind of test environment to find out why it bugs.
>>
>> Aki

I have a document that I had written, recording each of the changes needed to each of the files to be modified, in order to have Dovecot authenticate against Kerberos and authorize against LDAP. In addition, the use of NFS for Maildir mailboxes and load-balanced nuances are covered. The doc is in ODT format (LibreOffice Writer), and I have attempted to post it to this mailing list, but it was quarantined.

If there is any interest in the doc, reach out to me. I welcome input and feedback on it.

Brendan
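The keytab listing quoted above is the "make sure" step Mark asks for, so here is an added example (editor's code, not from the thread or from Dovecot) that turns it into a repeatable check: it parses `klist -Kek` output, confirms the `imap/<fqdn>@REALM` principal is present, and flags enctypes that should no longer be relied on (single DES per RFC 6649; RC4/arcfour and triple DES per RFC 8429). The sample listing is a constructed copy of the one in the thread (the last key line is truncated on the page as well). Note that `-K` prints the key bytes themselves, which is why a listing like this is sensitive; `klist -ek` is enough to inspect enctypes without exposing keys.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a `klist -Kek` listing
# for the IMAP service principal and flag deprecated enctypes.
# The sample below is a constructed copy of the listing quoted in the thread
# (principal and key bytes as shown there; the last key is truncated on the page).
SAMPLE_KLIST='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/host.domain.name@MYREALM (des-cbc-crc) (0x232616c2a4fd08f7)
   1 imap/host.domain.name@MYREALM (des-cbc-md5) (0x232616c2a4fd08f7)
   1 imap/host.domain.name@MYREALM (arcfour-hmac) (0x9dae89a221dc374a39f560833)'

# Key rows start with a numeric KVNO; the "Keytab name:", header and dash rows do not.
# keytab_rows LISTING -> prints "KVNO PRINCIPAL ENCTYPE" for each key entry
keytab_rows() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ {
        et = $3; gsub(/[()]/, "", et)
        print $1, $2, et
    }'
}

# has_principal LISTING PRINCIPAL -> exit 0 if the keytab holds a key for PRINCIPAL
has_principal() {
    keytab_rows "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# weak_enctypes LISTING -> enctype names that should not be relied on, one per line:
# single DES (deprecated by RFC 6649), RC4/arcfour and triple DES (RFC 8429)
weak_enctypes() {
    keytab_rows "$1" | awk '$3 ~ /^des-/ || $3 ~ /^des3-/ || $3 ~ /^arcfour/ { print $3 }' | sort -u
}

# count_weak LISTING -> number of distinct weak enctypes (0 is the goal)
count_weak() {
    weak_enctypes "$1" | awk 'END { print NR }'
}

# check_keytab KEYTAB PRINCIPAL -> runs klist on a real keytab file.
# Returns 1 if the principal is missing, 2 if weak enctypes are present
# (their names go to stdout), 3 if klist itself failed.
# `-K` prints key bytes; `klist -ek` is sufficient if you only need enctypes.
check_keytab() {
    listing=$(klist -Kek "$1") || return 3
    has_principal "$listing" "$2" || { echo "no key for $2 in $1" >&2; return 1; }
    [ "$(count_weak "$listing")" -eq 0 ] || { weak_enctypes "$listing"; return 2; }
}
```

Run as `check_keytab /etc/dovecot/dovecot.keytab imap/host.domain.name@MYREALM` on the server; against the thread's listing it reports all three enctypes as weak, which is worth knowing before pointing an AES-capable Samba AD/DC and modern clients at it.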
Aki Tuomi
2016-Jul-04 18:40 UTC
Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
On 04.07.2016 17:40, Brendan Kearney wrote:
> I have a document that I had written, recording each of the changes
> needed to each of the files to be modified, in order to have Dovecot
> authenticate against Kerberos and authorize against LDAP. In
> addition, the use of NFS for Maildir mailboxes and load-balanced
> nuances are covered. The doc is in ODT format (LibreOffice Writer),
> and I have attempted to post it to this mailing list, but it was
> quarantined.
>
> If there is any interest in the doc, reach out to me. I welcome input
> and feedback on it.
>
> Brendan

I would very much like to have a copy, please.

Aki
Mark Foley
2016-Jul-04 19:58 UTC
Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
Brendan - yes, go ahead and send that doc directly to my email address. I've got Maildir
folders going, but not NFS; and I'm curious about your load balance.

THX --Mark

-----Original Message-----
> Date: Mon, 04 Jul 2016 10:40:06 -0400
> From: Brendan Kearney <bpk678 at gmail.com>
> To: dovecot at dovecot.org
> Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
>
> I have a document that I had written, recording each of the changes
> needed to each of the files to be modified, in order to have Dovecot
> authenticate against Kerberos and authorize against LDAP. In addition,
> the use of NFS for Maildir mailboxes and load-balanced nuances are
> covered. The doc is in ODT format (LibreOffice Writer), and I have
> attempted to post it to this mailing list, but it was quarantined.
>
> If there is any interest in the doc, reach out to me. I welcome input
> and feedback on it.
>
> Brendan
Brendan Kearney
2016-Jul-05 12:52 UTC
Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
On 07/04/2016 02:40 PM, Aki Tuomi wrote:
> On 04.07.2016 17:40, Brendan Kearney wrote:
>> I have a document that I had written, recording each of the changes
>> needed to each of the files to be modified, in order to have Dovecot
>> authenticate against Kerberos and authorize against LDAP. In
>> addition, the use of NFS for Maildir mailboxes and load-balanced
>> nuances are covered. The doc is in ODT format (LibreOffice Writer),
>> and I have attempted to post it to this mailing list, but it was
>> quarantined.
>>
>> If there is any interest in the doc, reach out to me. I welcome
>> input and feedback on it.
>>
>> Brendan
>
> I would very much like to have a copy, please.
>
> Aki

Replied off list, as my doc is quarantined due to size.
Brendan Kearney
2016-Jul-06 14:26 UTC
Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
On 07/04/2016 03:58 PM, Mark Foley wrote:
> Brendan - yes, go ahead and send that doc directly to my email address. I've got Maildir
> folders going, but not NFS; and I'm curious about your load balance.
>
> THX --Mark

Replied off list as my doc is quarantined for size.

Having re-read the doc, NFS is not specifically mentioned. The default storage dir (or the one I specified), /var/spool/dovecot, is automounted to a NAS share I have. My export on the NAS looks like the below:

/export/dovecot server[1-2].bpk2.com(rw,sync) mail.bpk2.com(rw,sync)

I normally run sec=krb5p in addition to the rw,sync options, but I do not believe a way exists to have the Maildir mounted with a credential set. The mount on the mail server looks like the below:

nas.bpk2.com:/export/dovecot on /var/spool/dovecot type nfs (rw,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.88.3,mountvers=3,mountport=20048,mountproto=udp,local_lock=none,addr=192.168.88.3)

With the NAS exporting the NFS share, and SSSD managing the automount, the fact that the Maildir is mounted across the network is transparent to Dovecot. The use of NFS here allows each Dovecot instance to leverage the same data and not require duplication. iSCSI would require duplication of data. I believe the director functionality, along with session persistence at the load balancer, would allow multiple Dovecot instances to use the one data set, without stepping on other instances and causing possible write conflicts or contention.

Thoughts and/or feedback?

Brendan
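As an added example of the layout Brendan describes (Maildir on the NAS export, two backends, a director in front), and not code from the thread, from Brendan's document or from Dovecot's own files: the backend settings below are the ones Dovecot's NFS documentation (wiki2.dovecot.org/NFS) calls for when several instances share one mail store, and the director block follows the shape of its Director documentation. The hostnames server1.bpk2.com, server2.bpk2.com and the /var/spool/dovecot path are the thread's; the director addresses 192.168.88.20 and 192.168.88.21, the inet_listener port, the vmail user and the per-user %u mailbox layout are assumptions.

```conf
# --- on each backend (server1.bpk2.com, server2.bpk2.com): conf.d/10-mail.conf ---
# Maildir lives on the NFS mount from the thread; %u = login name (assumed layout)
mail_location = maildir:/var/spool/dovecot/%u
# Settings Dovecot's NFS documentation requires for a shared store:
mmap_disable = yes          # index files must not be mmap()ed over NFS
dotlock_use_excl = yes      # NFSv3 supports O_EXCL, so dotlocks can rely on it
mail_fsync = always         # flush writes before returning, so peers see them
mail_nfs_storage = yes      # flush NFS attribute caches for mail files
mail_nfs_index = yes        # same for index files
lock_method = fcntl         # fcntl locks work over NFS; flock does not

# --- on the director host (assumed 192.168.88.20; peer 192.168.88.21): conf.d/10-director.conf ---
# Directors keep the user -> backend mapping so that one user is always
# served by one backend, which is what avoids two instances writing the same
# index over NFS. Backends are the thread's hosts (IP addresses also accepted).
director_servers = 192.168.88.20 192.168.88.21
director_mail_servers = server1.bpk2.com server2.bpk2.com

service director {
  unix_listener login/director {
    mode = 0666
  }
  fifo_listener login/proxy-notify {
    mode = 0666
  }
  unix_listener director-userdb {
    mode = 0600
  }
  inet_listener {
    port = 9090               # director-to-director ring traffic (assumed port)
  }
}
service imap-login {
  executable = imap-login director
}
service pop3-login {
  executable = pop3-login director
}
protocol lmtp {
  auth_socket_path = director-userdb
}
# The director does not verify credentials; it forwards the login to the
# backend chosen for the user and the backend authenticates.
passdb {
  driver = static
  args = proxy=y nopassword=y
}
```

Three things to check before relying on this. Session persistence at an external load balancer keys on the client, while the director keys on the user name, so only the director keeps one user's two clients on the same backend; that is the property the "write conflicts or contention" concern above actually depends on, since mail_nfs_storage and mail_nfs_index only reduce cache staleness rather than serialise writers. The director's static passdb accepts every login, so clients should reach the backends only through the director, and the director proxies the client's password on to the backend (its default proxy mechanism is PLAIN); a GSSAPI token is bound to the client and cannot be replayed by a proxy, so test a Kerberos login through the director before assuming the GSSAPI setup from earlier in this thread survives it. Finally, with sec=sys the NAS trusts whatever uid the client presents, so the export's restriction to the named backend hosts, as in the export line above, is the only thing bounding that trust.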