On 30.06.2016 23:16, Mark Foley wrote:
> Achim, thanks a lot! A couple of questions on your suggested settings:
>
>> 1. Create a user
>> samba-tool create user dovcot
> I did this (actually `samba-tool user create dovecot`), but it asked for a password. I
> entered one. You didn't mention that, so I hope it's OK.
Yes
>
>> 2. Add the spn
>> samba-tool spn add smtp/server.domain.local@DOMAIN.LOCAL dovecot
>> samba-tool spn add imap/server.domain.local@DOMAIN.LOCAL dovecot
> Did that too. No issue there.
Well, you must substitute server.domain.local with your mailserver fqdn
and DOMAIN.LOCAL with HPRS.LOCAL.
>
>> 3. Create the keytab file
>> ktutil
>> addent -password -p smtp/server.domain.local@DOMAIN.LOCAL -k 1 -e
>> arcfour-hmac
>> addent -password -p imap/server.domain.local@DOMAIN.LOCAL -k 1 -e
>> arcfour-hmac
>> wkt /etc/dovecot/dovecot.keytab
> As you can see, your text wrapped, but from the error message I got I assumed the -e [enctype]
> should have been the arcfour-hmac on the next line. So I did:
>
> $ ktutil
> ktutil: addent -password -p smtp/server.domain.local@DOMAIN.LOCAL -k 1 -e arcfour-hmac
> ktutil: addent -password -p imap/server.domain.local@DOMAIN.LOCAL -k 1 -e arcfour-hmac
Same here, substitute like above, and as you said arcfour-hmac belongs on
the same line.
> Of course, that will probably also wrap when you get this message, but basically I put the
> arcfour-hmac on the same line as the addent. Each time, these commands also asked for a
> password. Again, you didn't mention that, but I used the same password I used for the
> `samba-tool user create` command above.
>
> I tried 'wkt /etc/dovecot/dovecot.keytab' while in ktutil, but I got, "Unknown request "wtk".
> Type '?' for a request list." In looking at the "?" list I saw 'wkt', so I assumed you simply
> transposed the letters. I tried it and it took.
Yes, wkt is the command, but make sure /etc/dovecot/dovecot.keytab does
not yet exist.
Only the two keys you just added are required to get kerberos working.
The system keytab you generated with samba-tool domain exportkeytab is
not required.
>
>> 4. Add this to your dovecot config
>>
>> # Kerberos
>> auth_gssapi_hostname = "$ALL"
>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> Did that. In addition, I set the keytab file's group to dovecot and made the file group
> readable, as suggested by http://wiki2.dovecot.org/Authentication/Kerberos. I also tried
> making it world readable. Now, after doing all that and restarting dovecot I still get the
> same dovecot error:
>
> Jun 30 16:59:54 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<3hLnJoU2vgDAqAA6>
>
> and still the same error in Thunderbird: "The Kerberos/GSSAPI ticket was not accepted by the
> IMAP server mark@ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."
>
> As I've mentioned before, "mark@ohprs.org" is not a server. It is the email address of the
> Thunderbird account (running on WIN7).
>
> Here is my doveconf -n (gssapi marked with *):
>
> auth_debug_passwords = yes
> * auth_gssapi_hostname = $ALL
> * auth_krb5_keytab = /etc/krb5.keytab
> * auth_mechanisms = plain login gssapi
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>   driver = shadow
> }
> protocols = imap
> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> userdb {
>   driver = passwd
> }
> verbose_ssl = yes
>
> (yes, I put the keytab file in /etc/krb5.keytab, not in etc/dovecot. Should be OK, right?)
>
> Here is my keytab list (partial); note that every entry appears in triplicate. I don't see
> 'dovecot' in there at all; maybe that's OK:
>
> ktutil: list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1   18 COMMON$@HPRS.LOCAL
>    2   18 COMMON$@HPRS.LOCAL
>    3   18 COMMON$@HPRS.LOCAL
>    4    1 MAIL$@HPRS.LOCAL
>    5    1 MAIL$@HPRS.LOCAL
>    6    1 MAIL$@HPRS.LOCAL
>    7    1 charmaine@HPRS.LOCAL
>    8    1 charmaine@HPRS.LOCAL
>    9    1 charmaine@HPRS.LOCAL
>    :
>   19    1 Administrator@HPRS.LOCAL
>   20    1 Administrator@HPRS.LOCAL
>   21    1 Administrator@HPRS.LOCAL
>    :
>   91    1 krbtgt@HPRS.LOCAL
>   92    1 krbtgt@HPRS.LOCAL
>   93    1 krbtgt@HPRS.LOCAL
>    :
>   97    1 smtp/server.domain.local@DOMAIN.LOCAL
>   98    1 imap/server.domain.local@DOMAIN.LOCAL
>
> Can you tell from any of this why I'm still not able to authenticate?
You only need lines 97 and 98, and substitute fqdn and realm like I
mentioned above.
It must be possible for Thunderbird to use plain authentication with
your windows account username.
It may be that you must configure userdb and passdb to do ldap lookups against
active directory.
> Thanks, --Mark
>
> -----Original Message-----
>> To: samba@lists.samba.org
>> From: Achim Gottinger <achim@ag-web.biz>
>> Date: Thu, 30 Jun 2016 11:51:34 +0200
>>
>> On 30.06.2016 10:45, Mark Foley wrote:
>>> To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set
>>> Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab
>>> file as required by Dovecot. I've also downloaded and installed Kerberos for access to
>>> the k* commands (ktutil, kinit, klist, ...).
>>>
>>> In my current setup, the Thunderbird client (WIN7 workstation) is not connecting. The WIN7
>>> workstation is a domain member and works fine otherwise with Samba4 for AD user authentication,
>>> etc. Thunderbird gives the following error:
>>>
>>> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark@ohprs.org. Please check
>>> that you are logged in to the Kerberos/GSSAPI realm."
>>>
>>> One disconcerting bit about that message is the named IMAP server "mark@ohprs.org" is not a
>>> server at all, but rather the email address of the Thunderbird account.
>>>
>>> When attempting to connect, the Dovecot log simply has "Disconnected (no auth attempts in 18
>>> secs): user=<>". No message at all appears in the samba log although I have auth:10 level set.
>>> Dovecot's 'configuration' for GSSAPI consists of nothing more than specifying:
>>>
>>> auth_mechanisms = plain login gssapi
>>>
>>> That's it (the other mechanisms work just fine, BTW). Not much I can mess with there.
>>>
>>> I think the problem is with Samba and handling the authentication. I do not think my Samba4 is
>>> configured correctly. Over a year ago Rowland Penny helped me configure a Ubuntu workstation
>>> for single-sign-on using Kerberos. He had me put the following lines into that workstation's
>>> smb.conf file, none of which appear in the provisioned smb.conf on the Samba4 AD/DC server:
>>>
>>> security = ADS
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>> winbind nss info = rfc2307
>>> winbind trusted domains only = no
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind refresh tickets = Yes
>>>
>>> I've tried sticking all of these in the AD/DC smb.conf and, when restarting Samba, I get a log
>>> message, "Samba detected misconfigured 'server role' and exited."
>>>
>>> He also had me put the following in /etc/nsswitch.conf:
>>>
>>> passwd: compat winbind
>>> group: compat winbind
>>>
>>> Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server
>>> for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.
>>>
>>> Need Help! Thanks --Mark
>> Hello Mark,
>>
>> This is what I used in debian wheezy a few years back. I assume
>> arcfour-hmac is unsafe these days but I did not yet investigate
>> other working encryption methods here.
>> If you need smtp (postfix with auth via dovecot) also add the smtp
>> spn's. Use the password for user dovecot during keytab creation.
>>
>> 1. Create a user
>> samba-tool create user dovcot
>>
>> 2. Add the spn
>> samba-tool spn add smtp/server.domain.local@DOMAIN.LOCAL dovecot
>> samba-tool spn add imap/server.domain.local@DOMAIN.LOCAL dovecot
>>
>> 3. Create the keytab file
>> ktutil
>> addent -password -p smtp/server.domain.local@DOMAIN.LOCAL -k 1 -e
>> arcfour-hmac
>> addent -password -p imap/server.domain.local@DOMAIN.LOCAL -k 1 -e
>> arcfour-hmac
>> wkt /etc/dovecot/dovecot.keytab
>>
>> 4. Add this to your dovecot config
>>
>> # Kerberos
>> auth_gssapi_hostname = "$ALL"
>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
>>
>> Hope it helps,
>> achim~
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
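As an added example (not code from the thread or from Samba/Dovecot), the following checker reads a `ktutil: list` listing and a `samba-tool spn list dovecot` listing and flags the slips the thread runs into: unreplaced server.domain.local/DOMAIN.LOCAL placeholders, a misspelled service name, a missing realm-less SPN, and keys issued for a different hostname than the one the mail client connects to. The sample listings are constructed from the values posted above; the exact output layout of `samba-tool spn list` is an assumption.

```python
"""Consistency check for a Dovecot GSSAPI keytab and the SPNs on the AD service account.

Added example; not code from the thread. It runs offline on constructed listings.
"""
import re

# Placeholders from the recipe that must be replaced with the real mail server FQDN and realm.
TEMPLATE_HOST = "server.domain.local"
TEMPLATE_REALM = "DOMAIN.LOCAL"
REQUIRED_SERVICES = ("imap", "smtp")

# Data rows of `ktutil: list`: slot, KVNO, principal.
KTUTIL_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")

# Constructed sample input, modelled on the listings and commands posted in the thread.
KEYTAB_FROM_RECIPE = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
  97    1 smtp/server.domain.local@DOMAIN.LOCAL
  98    1 imap/server.domain.local@DOMAIN.LOCAL
"""
KEYTAB_FIXED = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 smtp/mail.hprs.local@HPRS.LOCAL
   2    1 imap/mail.hprs.local@HPRS.LOCAL
"""
# Assumed layout of `samba-tool spn list dovecot`; the SPNs mirror the `spn add` commands posted.
SPN_LIST = """\
dovecot has the following servicePrincipalName:
     smpt/mail.hprs.local@HPRS.LOCAL
     imap/mail.hprs.local@HPRS.LOCAL
"""


def parse_ktutil_list(text):
    """Return [(slot, kvno, principal)] from `ktutil: list` output, skipping the header rows."""
    rows = []
    for line in text.splitlines():
        m = KTUTIL_ROW.match(line)
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return rows


def parse_spn_list(text):
    """Return the SPN strings (one per line) from `samba-tool spn list` output."""
    spns = [line.strip() for line in text.splitlines()]
    return [s for s in spns if "/" in s and " " not in s]


def check_keytab(rows, fqdn, realm):
    """Problems with the Dovecot keytab: placeholders, misspelled services, missing keys."""
    problems = []
    principals = {p for _, _, p in rows}
    for svc in REQUIRED_SERVICES:
        want = f"{svc}/{fqdn}@{realm}"
        if want not in principals:
            problems.append(f"keytab lacks {want}")
    for p in sorted(principals):
        if TEMPLATE_HOST in p or p.endswith("@" + TEMPLATE_REALM):
            problems.append(f"keytab still holds the recipe placeholder: {p}")
        if "/" in p and p.split("/", 1)[0] not in REQUIRED_SERVICES:
            problems.append(f"keytab has an unexpected service name in {p} (typo?)")
    return problems


def check_spns(spns, fqdn):
    """Problems with the SPNs on the dovecot account: missing realm-less form, misspellings."""
    problems = []
    for svc in REQUIRED_SERVICES:
        # The thread suggests also registering the realm-less SPN (samba-tool spn add imap/<fqdn> dovecot).
        if f"{svc}/{fqdn}" not in spns:
            problems.append(f"no realm-less SPN {svc}/{fqdn} registered")
    for spn in spns:
        if spn.split("/", 1)[0] not in REQUIRED_SERVICES:
            problems.append(f"SPN {spn} has an unexpected service name (typo?)")
    return problems


def audit(ktutil_output, spn_output, fqdn, realm, client_server):
    """All checks combined; an empty list means keytab and SPNs agree with the client's view."""
    problems = check_keytab(parse_ktutil_list(ktutil_output), fqdn, realm)
    problems += check_spns(parse_spn_list(spn_output), fqdn)
    # A GSSAPI client asks the KDC for imap/<host it connects to>, so that host must be the SPN host.
    if client_server.lower() != fqdn.lower():
        problems.append(f"clients connect to {client_server} but the keys are for {fqdn}")
    return problems


if __name__ == "__main__":
    for issue in audit(KEYTAB_FIXED, SPN_LIST, "mail.hprs.local", "HPRS.LOCAL", "mail.hprs.local"):
        print("-", issue)
```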
Achim,

I deleted the keytab file and did the following:

$ samba-tool user delete dovecot
$ samba-tool user add dovecot

# again, that asked for a password and I assigned one.

$ samba-tool spn add smpt/mail.hprs.local@HPRS.LOCAL dovecot
$ samba-tool spn add imap/mail.hprs.local@HPRS.LOCAL dovecot

$ ktutil
ktutil: addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac
Password for smtp/mail.hprs.local@HPRS.LOCAL:
ktutil: addent -password -p imap/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac
Password for imap/mail.hprs.local@HPRS.LOCAL:
ktutil: wkt /etc/dovecot/dovecot.keytab
ktutil: quit

$ ktutil
ktutil: read_kt /etc/dovecot/dovecot.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 smtp/mail.hprs.local@HPRS.LOCAL
   2    1 imap/mail.hprs.local@HPRS.LOCAL

So, much better. Duh for me not noticing that I had to change fqdn and domain to my own.

Reloaded dovecot and tried again. Same error :(

Jun 30 18:36:10 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<OTQqf4Y2SgDAqAA6>

You wrote:

> It must be possible for Thunderbird to use plain authentication with your windows account
> username. It may be that you must configure userdb and passdb to do ldap lookups against active
> directory.

Yes, Thunderbird (and Outlook, iPhone/Android, roundCube) all do plain text auth to dovecot. I will
continue to need this for non-domain email clients. According to the dovecot folks, the passwd
as userdb should work OK for gssapi. The passdb is ignored for gssapi. Besides, LDAP
authentication is another one (along with NTLM) that I haven't been able to get working with
Dovecot. The only ones I've been able to get working are PLAIN and, believe it or not,
checkpassword - which is basically a passdb driver for PLAIN.

Perhaps there is some samba setting I'm missing? Here's my AD/DC smb.conf, do you see anything
missing I need?:

[global]
workgroup = HPRS
realm = hprs.local
netbios name = MAIL
interfaces = lo, eth1
bind interfaces only = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes

winbind use default domain = yes

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

log level = 2 passdb:5 auth:10 winbind:2 lanman:10
max log size = 1000

[netlogon]
path = /var/lib/samba/sysvol/hprs.local/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[Users]
path = /redirectedFolders/Users
comment = user folders for redirection
read only = No

[share]
path = /var/lib/samba/share
comment = Shared folder
read only = No

Thanks --Mark

-----Original Message-----
> To: samba@lists.samba.org
> From: Achim Gottinger <achim@ag-web.biz>
> Date: Thu, 30 Jun 2016 23:44:17 +0200
> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
>
> On 30.06.2016 23:16, Mark Foley wrote:
> [...]
Did a few tests here: "auth_gssapi_hostname = "$ALL"" is no longer required with dovecot (2.2.13 here).
Add "auth_debug=yes" to your dovecot config.

192.168.100.1 is my client's IP, 192.168.100.101 is the server's.
ag is the domain account username I use to log in to Windows and also the username configured in Thunderbird.

On my debian system a package named libsasl2-modules-gssapi-mit must be installed.

To test kerberos against dovecot from the command line install "mutt".
I assume your windows account name is "mark":

~# kinit mark
~# MAIL=imap://mark@mail.hprs.local/ mutt

A successful login with mutt looks like this in the mail logfile:

Debug: auth client connected (pid=22585)
logon-zor dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured#011session=p/ahQ4c2/wB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=44287#011resp=<hidden>
logon-zor dovecot: auth: Debug: gssapi(?,127.0.0.1,<p/ahQ4c2/wB/AAAB>): Obtaining credentials for imap@
logon-zor dovecot: auth: Debug: gssapi(ag,127.0.0.1,<p/ahQ4c2/wB/AAAB>): security context state completed.
logon-zor dovecot: auth: Debug: client passdb out: CONT#0111#011YIGVBgkqhkiG9xIBAgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrXAIZT4a2p58/+ylPphtphYA6sTnK4QCyRkHRm1VTnvrfjxc3Ya2ui9IHsBGnPggzjLVNScFx6aHJi99VCDG7s07zNUF8d4WHuNZz7el5gwK4Quy3AeUX8zVa7xkIECuTtT5W7BjpsBThhMc
logon-zor dovecot: auth: Debug: client in: CONT<hidden>
logon-zor dovecot: auth: Debug: gssapi(ag,127.0.0.1,<p/ahQ4c2/wB/AAAB>): Negotiated security layer
logon-zor dovecot: auth: Debug: client passdb out: CONT#0111#011BQQF/wAMAAAAAAAAKxVA5AH///8b1puThszycYxSFvE
logon-zor dovecot: auth: Debug: client in: CONT<hidden>
imap-login: Login: user=<ag>, method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=19022, TLS, session=<CdYH6IY2oADAwAw9>

Also take a look at this page: http://wiki2.dovecot.org/Authentication/Kerberos

Looking at my SPNs you may also need:

samba-tool spn add imap/mail.hprs.local dovecot

On 01.07.2016 00:46, Mark Foley wrote:
> [...]
Same error :( > > Jun 30 18:36:10 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<OTQqf4Y2SgDAqAA6> > > You wrote: > >> It must be possible for Thunderbird to use plain authentification with your windows account >> username. Can be you must configure userdb and passdb to do ldap lookups against active >> directory. > Yes, Thunderbird (and Outlook, iPhone/Andriod, roundCube) all do plain text auth to dovecot. I will > continue to need this for non-domain email clients. According to the dovecot folks, the passwd > as userdb should work OK for gssapi. The passdb is ignored for gssapi. Besides, LDAP > authentication is another one (along with NTLM) that I haven't been able to get working with > Dovecot. The only ones I've been able to get working are PLAIN and, believe it or not, > checkpassword - which is basically a passdb driver for PLAIN. > > Perhaps there is some samba setting I'm missing? Here's my AD/DC smb.conf, do you seen anything > missing I need? 
: > > [global] > workgroup = HPRS > realm = hprs.local > netbios name = MAIL > interfaces = lo, eth1 > bind interfaces only = Yes > server role = active directory domain controller > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate > idmap_ldb:use rfc2307 = yes > > winbind use default domain = yes > > load printers = no > printing = bsd > printcap name = /dev/null > disable spoolss = yes > > log level = 2 passdb:5 auth:10 winbind:2 lanman:10 > max log size = 1000 > > [netlogon] > path = /var/lib/samba/sysvol/hprs.local/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > [Users] > path = /redirectedFolders/Users > comment = user folders for redirection > read only = No > > [share] > path = /var/lib/samba/share > comment = Shared folder > read only = No > > Thanks --Mark > > -----Original Message----- >> To: samba at lists.samba.org >> From: Achim Gottinger <achim at ag-web.biz> >> Date: Thu, 30 Jun 2016 23:44:17 +0200 >> Subject: Re: [Samba] Where is krb5.keytab or equivalent? >> >> Am 30.06.2016 um 23:16 schrieb Mark Foley: >>> Achim, thanks a lot! A couple of questions on your suggested settings: >>> >>>> 1. Create an user >>>> samba-tool create user dovcot >>> I did this (actually `samba-tool user create dovecot`), but it asked for a password. I >>> entered one. You didn't mention that, so I hope it's OK. >> Yes >>> >>> >>>> 2. Add the spn >>>> samba-tool spn add smtp/server.domain.local at DOMAIN.LOCAL dovecot >>>> samba-tool spn add imap/server.domain.local at DOMAIN.LOCAL dovecot >>> Did that too. No issue there. >> Well you must substitute server.domain.local with your mailserver fqdn >> and DOMAIN.LOCAL with HPRS.LOCAL. >>>> 3. 
Create the keytab file >>>> ktutil >>>> addent -password -p smtp/server.domain.local at DOMAIN.LOCAL -k 1 -e >>>> arcfour-hmac >>>> addent -password -p imap/server.domain.local at DOMAIN.LOCAL -k 1 -e >>>> arcfour-hmac >>>> wkt /etc/dovecot/dovecot.keytab >>> As you can see, your text wrapped, but from the error message I got I assumed the -e [enctype] >>> should hve been the arcfour-hmac on the next line. So I did: >>> >>> $ ktutil >>> ktutil: addent -password -p smtp/server.domain.local at DOMAIN.LOCAL -k 1 -e arcfour-hmac >>> ktutil: addent -password -p imap/server.domain.local at DOMAIN.LOCAL -k 1 -e arcfour-hmac >> Same here substitute like above and as you said arcfour-hmac belongs in >> the same line. >>> Of course, that will probably also wrap when you get this message, but basically I put the >>> arcfour-hmac on the same line as the addent. Each time, these commands also asked for a >>> password. Again, you didn't mention that, but I used the same password I used for the >>> `samab-tool user create` command above. >>> >>> I tried 'wkt /etc/dovecot/dovecot.keytab' while in ktutil, but I got, "Unknown request "wtk". >>> Type '?' for a request list." In looking at the "?" list I saw 'wkt', so I assumed you simply >>> transposed the letters. I tried it and it took. >> Yes wkt is the command, but make sure /etc/dovecot/dovecot.keytab does >> not yet exist. >> Only the two keys you just added are required to get kerberos working. >> The system keytab you generated with samba-tool domain exportkeytab is >> not required. >>> >>> >>>> 4. Add this to your dovecot config >>>> >>>> # Kerberos >>>> auth_gssapi_hostname = "$ALL" >>>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab >>> Did that. In addition, I set the keytab file's group to dovecot and made the file group >>> readable, as suggested by http://wiki2.dovecot.org/Authentication/Kerberos. I also tried >>> making it world readable. 
Now, after doing all that and restarting dovecot I still get the >>> same dovecot error: >>> >>> Jun 30 16:59:54 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<3hLnJoU2vgDAqAA6> >>> >>> and still the same error in Thunderbird: "The Kerberos/DSSAPI ticket was not accepted by the >>> IMAP server mark at ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm." >>> >>> As I've mentioned before, "mark at ohprs.org" is not a server. It is the email address of the >>> Thunderbird account (running on WIN7). >>> >>> Here is my doveconf -n (gssapi marked with *): >>> >>> auth_debug_passwords = yes >>> * auth_gssapi_hostname = $ALL >>> * auth_krb5_keytab = /etc/krb5.keytab >>> * auth_mechanisms = plain login gssapi >>> auth_verbose = yes >>> auth_verbose_passwords = plain >>> disable_plaintext_auth = no >>> info_log_path = /var/log/dovecot_info >>> mail_location = maildir:~/Maildir >>> passdb { >>> driver = shadow >>> } >>> protocols = imap >>> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt >>> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key >>> userdb { >>> driver = passwd >>> } >>> verbose_ssl = yes >>> >>> (yes, I put the keytab file in /etc/krb5.keytab, not in etc/dovecot. Should be OK, right?) >>> >>> Here is my keytab list (partial); note that every entry appears in triplicate. 
> I don't see 'dovecot' in there at all; maybe that's OK:
>
> ktutil: list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1   18 COMMON$@HPRS.LOCAL
>    2   18 COMMON$@HPRS.LOCAL
>    3   18 COMMON$@HPRS.LOCAL
>    4    1 MAIL$@HPRS.LOCAL
>    5    1 MAIL$@HPRS.LOCAL
>    6    1 MAIL$@HPRS.LOCAL
>    7    1 charmaine@HPRS.LOCAL
>    8    1 charmaine@HPRS.LOCAL
>    9    1 charmaine@HPRS.LOCAL
>    :
>   19    1 Administrator@HPRS.LOCAL
>   20    1 Administrator@HPRS.LOCAL
>   21    1 Administrator@HPRS.LOCAL
>    :
>   91    1 krbtgt@HPRS.LOCAL
>   92    1 krbtgt@HPRS.LOCAL
>   93    1 krbtgt@HPRS.LOCAL
>    :
>   97    1 smtp/server.domain.local@DOMAIN.LOCAL
>   98    1 imap/server.domain.local@DOMAIN.LOCAL
>
> Can you tell from any of this why I'm still not able to authenticate?
You only need the lines 97 and 98 and substitute fqdn and realm like I mentioned above.
It must be possible for Thunderbird to use plain authentication with your windows account username.
It may be that you must configure userdb and passdb to do ldap lookups against active directory.
> Thanks, --Mark
>
> -----Original Message-----
>> To: samba at lists.samba.org
>> From: Achim Gottinger <achim at ag-web.biz>
>> Date: Thu, 30 Jun 2016 11:51:34 +0200
>>
>> On 30.06.2016 at 10:45, Mark Foley wrote:
>>> To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab file as required by Dovecot. I've also downloaded and installed Kerberos for access to the k* commands (ktutil, kinit, klist, ...).
>>>
>>> In my current setup, the Thunderbird client (WIN7 workstation) is not connecting. The WIN7 workstation is a domain member and works fine otherwise with Samba4 for AD user authentication, etc. Thunderbird gives the following error:
>>>
>>> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark at ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."
>>>
>>> One disconcerting bit about that message is the named IMAP server "mark at ohprs.org" is not a server at all, but rather the email address of the Thunderbird account.
>>>
>>> When attempting to connect, the Dovecot log simply has "Disconnected (no auth attempts in 18 secs): user=<>". No message at all appears in the samba log although I have auth:10 level set. Dovecot's 'configuration' for GSSAPI consists of nothing more than specifying:
>>>
>>> auth_mechanisms = plain login gssapi
>>>
>>> That's it (the other mechanisms work just fine, BTW). Not much I can mess with there.
>>>
>>> I think the problem is with Samba and handling the authentication. I do not think my Samba4 is configured correctly. Over a year ago Rowland Penny helped me configure a Ubuntu workstation for single-sign-on using Kerberos. He had me put the following lines into that workstation's smb.conf file, none of which appear in the provisioned smb.conf on the Samba4 AD/DC server:
>>>
>>> security = ADS
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>> winbind nss info = rfc2307
>>> winbind trusted domains only = no
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind refresh tickets = Yes
>>>
>>> I've tried sticking all of these in the AD/DC smb.conf and, when restarting Samba, I get a log message, "Samba detected misconfigured 'server role' and exited."
>>>
>>> He also had me put the following in /etc/nsswitch.conf:
>>>
>>> passwd: compat winbind
>>> group: compat winbind
>>>
>>> Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.
>>>
>>> Need Help! Thanks --Mark
>> Hello Mark,
>>
>> This is what I used in debian wheezy a few years back. I assume arcfour-hmac is unsafe these days but I did not yet investigate other working encryption methods here.
>> If you need smtp (postfix with auth via dovecot) also add the smtp spn's. Use the password for user dovecot during keytab creation.
>>
>> 1. Create a user
>> samba-tool create user dovcot
>>
>> 2. Add the spn
>> samba-tool spn add smtp/server.domain.local@DOMAIN.LOCAL dovecot
>> samba-tool spn add imap/server.domain.local@DOMAIN.LOCAL dovecot
>>
>> 3. Create the keytab file
>> ktutil
>> addent -password -p smtp/server.domain.local@DOMAIN.LOCAL -k 1 -e arcfour-hmac
>> addent -password -p imap/server.domain.local@DOMAIN.LOCAL -k 1 -e arcfour-hmac
>> wkt /etc/dovecot/dovecot.keytab
>>
>> 4. Add this to your dovecot config
>>
>> # Kerberos
>> auth_gssapi_hostname = "$ALL"
>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
>>
>> Hope it helps,
>> achim~
>> --
>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
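The four-step keytab procedure above, turned into a script, as an added example that is not part of the thread or of Samba's or Dovecot's own tooling. It generates the ktutil batch from the real mail-server FQDN and realm (the thread's sticking point) and checks a keytab listing for the entries Dovecot needs. mail.hprs.local / HPRS.LOCAL and the two sample listings are constructed from the thread and stand in for your own values.

```shell
#!/bin/sh
# Added example (not code from this thread): generate the ktutil batch for a
# Dovecot service keytab from the real mail-server FQDN and realm, and check a
# keytab listing for the entries Dovecot needs. Values such as
# mail.hprs.local / HPRS.LOCAL and the sample listings are constructed from
# the thread and stand in for your own.

# Print the ktutil commands for an imap/ and an smtp/ service principal.
# ktutil prompts for the password itself; give it the password of the
# 'dovecot' AD account the SPNs were added to.
dovecot_ktutil_batch() {
    fqdn=$1 realm=$2 keytab=$3 kvno=${4:-1} enctype=${5:-arcfour-hmac}
    for svc in imap smtp; do
        printf 'addent -password -p %s/%s@%s -k %s -e %s\n' \
            "$svc" "$fqdn" "$realm" "$kvno" "$enctype"
    done
    printf 'wkt %s\nquit\n' "$keytab"
}

# Check a listing from ktutil 'list' or 'klist -kt': the realm must be upper
# case, no template placeholder principal may remain, and both imap/ and
# smtp/ entries for FQDN@REALM must be present. Prints every failure and
# returns 0 only when all checks pass.
check_keytab_listing() {
    listing=$1 fqdn=$2 realm=$3 rc=0
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    if [ "$realm" != "$upper" ]; then
        echo "FAIL: realm '$realm' is not upper case (Kerberos realms are case-sensitive)"
        rc=1
    fi
    if printf '%s\n' "$listing" | grep -Eq 'server\.domain\.local|DOMAIN\.LOCAL'; then
        echo "FAIL: template placeholder principal still in the keytab"
        rc=1
    fi
    for svc in imap smtp; do
        if ! printf '%s\n' "$listing" | grep -qF "$svc/$fqdn@$realm"; then
            echo "FAIL: no $svc/$fqdn@$realm entry"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample listings in the shape of the two 'ktutil: list' outputs
# in the thread: the first with the template values left in, the second fixed.
PLACEHOLDER_LISTING='slot KVNO Principal
---- ---- ------------------------------------------
  97    1 smtp/server.domain.local@DOMAIN.LOCAL
  98    1 imap/server.domain.local@DOMAIN.LOCAL'

FIXED_LISTING='slot KVNO Principal
---- ---- ------------------------------------------
   1    1 smtp/mail.hprs.local@HPRS.LOCAL
   2    1 imap/mail.hprs.local@HPRS.LOCAL'

# Stand-alone run: show the batch, then check the fixed listing.
dovecot_ktutil_batch mail.hprs.local HPRS.LOCAL /etc/dovecot/dovecot.keytab
check_keytab_listing "$FIXED_LISTING" mail.hprs.local HPRS.LOCAL && echo "keytab listing OK"
```

Paste the printed batch into an interactive ktutil session (it prompts for the dovecot account's password at each addent), write to a keytab path that does not exist yet, then run `klist -kt /etc/dovecot/dovecot.keytab` and pass that output to check_keytab_listing. Two caveats the thread touches on: the host part of the SPN has to be the hostname the mail client is configured to connect to, because that is the service ticket the client asks the KDC for, and a client that never obtains a ticket never sends AUTHENTICATE, so the server side sees only a disconnect with no auth attempt; and `addent -password` works for arcfour-hmac because RC4 keys are the unsalted NT hash of the password, whereas AES keys are salted (for an AD user account the default salt is the realm followed by the sAMAccountName, not the SPN), so to move off RC4 export the keys from the DC with `samba-tool domain exportkeytab /etc/dovecot/dovecot.keytab --principal=imap/mail.hprs.local@HPRS.LOCAL` rather than deriving them by hand.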
My dovecot-ldap.conf.ext. I use the field mail in ads so my user logins are: user@tplk.loc and Windows password.

hosts = ip.mysamb.dc:389
dn = cn=myuserfordevecotlogintoads,cn=users,dc=tplk,dc=loc
dnpass = mysecretpassword
auth_bind = yes
ldap_version = 3
base = cn=Users,dc=tplk,dc=loc
scope = subtree
user_filter = (mail=%u)
pass_filter = (mail=%u)
pass_attrs = mail=%u, userPassword=password

EDV
Daniel Müller
Head of IT (Leitung EDV)
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
Email: mueller at tropenklinik.de
www.tropenklinik.de
www.bauen-sie-mit.tropenklinik.de

-----Original Message-----
From: Mark Foley [mailto:mfoley at ohprs.org]
Sent: Friday, 1 July 2016 00:47
To: samba at lists.samba.org
Subject: Re: [Samba] Where is krb5.keytab or equivalent?

Achim, I deleted the keytab file and did the following:

$ samba-tool user delete dovecot
$ samba-tool user add dovecot    # again, that asked for a password and I assigned one.
$ samba-tool spn add smpt/mail.hprs.local@HPRS.LOCAL dovecot
$ samba-tool spn add imap/mail.hprs.local@HPRS.LOCAL dovecot
$ ktutil
ktutil: addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac
Password for smtp/mail.hprs.local@HPRS.LOCAL:
ktutil: addent -password -p imap/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac
Password for imap/mail.hprs.local@HPRS.LOCAL:
ktutil: wkt /etc/dovecot/dovecot.keytab
ktutil: quit
$ ktutil
ktutil: read_kt /etc/dovecot/dovecot.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 smtp/mail.hprs.local@HPRS.LOCAL
   2    1 imap/mail.hprs.local@HPRS.LOCAL

So, much better. Duh for me not noticing that I had to change fqdn and domain to my own. Reloaded dovecot and tried again. Same error :(

Jun 30 18:36:10 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<OTQqf4Y2SgDAqAA6>

You wrote:
> It must be possible for Thunderbird to use plain authentication with your windows account username.
> It may be that you must configure userdb and passdb to do ldap lookups against active directory.

Yes, Thunderbird (and Outlook, iPhone/Android, roundCube) all do plain text auth to dovecot. I will continue to need this for non-domain email clients. According to the dovecot folks, the passwd as userdb should work OK for gssapi. The passdb is ignored for gssapi. Besides, LDAP authentication is another one (along with NTLM) that I haven't been able to get working with Dovecot. The only ones I've been able to get working are PLAIN and, believe it or not, checkpassword - which is basically a passdb driver for PLAIN.

Perhaps there is some samba setting I'm missing? Here's my AD/DC smb.conf, do you see anything missing I need?

[global]
workgroup = HPRS
realm = hprs.local
netbios name = MAIL
interfaces = lo, eth1
bind interfaces only = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
winbind use default domain = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log level = 2 passdb:5 auth:10 winbind:2 lanman:10
max log size = 1000

[netlogon]
path = /var/lib/samba/sysvol/hprs.local/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[Users]
path = /redirectedFolders/Users
comment = user folders for redirection
read only = No

[share]
path = /var/lib/samba/share
comment = Shared folder
read only = No

Thanks --Mark

-----Original Message-----
> To: samba at lists.samba.org
> From: Achim Gottinger <achim at ag-web.biz>
> Date: Thu, 30 Jun 2016 23:44:17 +0200
> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
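Daniel's dovecot-ldap.conf.ext above, rendered and audited by a script, as an added example that is not part of the thread or of Dovecot's own tooling. It writes a file in the same shape (AD lookup by the mail attribute, auth_bind = yes) and then checks the two settings that protect passwords in this arrangement: the file permissions, since the file carries dnpass, and transport encryption to the DC, since with auth_bind Dovecot authenticates each user by a simple bind with that user's own password. The DC host, bind DN, bind password and base DN used here are placeholders.

```shell
#!/bin/sh
# Added example (not code from this thread): write a dovecot-ldap.conf.ext in
# the shape Daniel posted (AD lookup by the mail attribute, auth_bind) and
# audit such a file for the two settings that protect passwords in this setup.
# DC host, bind DN, bind password and base DN below are placeholders.

# Render the config. With auth_bind = yes Dovecot authenticates a user by
# performing an LDAP simple bind with the user's own password, so the link to
# the DC must be ldaps:// (or ldap:// with tls = yes) unless the DC is the
# local host. The file holds dnpass, so it is written owner-readable only.
render_dovecot_ldap_conf() {
    out=$1 uris=$2 binddn=$3 bindpass=$4 base=$5 tls=${6:-no}
    (
        umask 077
        cat > "$out" <<EOF
uris = $uris
tls = $tls
dn = $binddn
dnpass = $bindpass
auth_bind = yes
ldap_version = 3
base = $base
scope = subtree
user_filter = (&(objectClass=user)(mail=%u))
pass_filter = (&(objectClass=user)(mail=%u))
pass_attrs = mail=user
EOF
    )
}

# First value of a 'key = value' line in a Dovecot-style config file.
conf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Audit an existing file. Fails (prints a reason, returns 1) when the file
# holds dnpass but is group- or world-readable, or when auth_bind is on and
# user passwords would travel to a remote DC over plain ldap:// without TLS.
audit_dovecot_ldap_conf() {
    f=$1 rc=0
    if grep -q '^dnpass' "$f"; then
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        case $mode in
            ?00) ;;
            *) echo "FAIL: $f holds dnpass but has mode $mode (want 600)"; rc=1 ;;
        esac
    fi
    target=$(conf_get "$f" uris)
    [ -n "$target" ] || target=$(conf_get "$f" hosts)
    if [ "$(conf_get "$f" auth_bind)" = yes ] && [ "$(conf_get "$f" tls)" != yes ]; then
        case $target in
            ldaps://*|*localhost*|*127.0.0.1*|*::1*) ;;
            *) echo "FAIL: auth_bind would send user passwords to '$target' in the clear"; rc=1 ;;
        esac
    fi
    return $rc
}

# Stand-alone run against a temporary copy.
demo_dir=$(mktemp -d)
render_dovecot_ldap_conf "$demo_dir/dovecot-ldap.conf.ext" ldaps://dc1.tplk.loc \
    'cn=dovecot,cn=Users,dc=tplk,dc=loc' 'change-me' 'cn=Users,dc=tplk,dc=loc'
audit_dovecot_ldap_conf "$demo_dir/dovecot-ldap.conf.ext" && echo "config OK"
rm -rf "$demo_dir"
```

Once the file is in place and referenced from a `passdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf.ext }` block, `doveadm auth test user@tplk.loc` exercises the passdb without involving a mail client, which separates LDAP problems from IMAP and client problems. The audit keeps plain ldap:// only for a loopback DC, which is the case when Dovecot runs on the AD DC itself; anything else should be ldaps:// or `tls = yes`.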