I'm sure it will not work till you get that module built. :-)

On 01.07.2016 at 20:53, Mark Foley wrote:
> On Fri, 1 Jul 2016 11:55:20 +0200 Achim Gottinger <achim at ag-web.biz> wrote:
>
>> Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe at a
>> different location. On debian this comes with the dovecot-gssapi package.
> That module is nowhere on my system.
>
> --Mark
Here's the test (I must run mutt, not telnet, like I mentioned earlier, to get the imap tickets).

root@server:~# kinit achim
Password for achim@DOMAIN.LOCAL: [I enter my password]
MAIL=imap://achim@server.domain.local/ mutt
[Mutt asks about the cert, I select accept once and I end up in my INBOX. I leave mutt by entering q+ENTER]
root@server:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: achim@DOMAIN.LOCAL

Valid starting       Expires              Service principal
01.07.2016 23:16:30  02.07.2016 09:16:30  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 02.07.2016 23:16:28
01.07.2016 23:17:04  02.07.2016 09:16:30  imap/server.domain.local@
        renew until 02.07.2016 23:16:28
01.07.2016 23:17:04  02.07.2016 09:16:30  imap/server.domain.local@DOMAIN.LOCAL
        renew until 02.07.2016 23:16:28

root@server:~# samba-tool spn list dovecot
dovecot
User CN=dovecot,CN=Users,DC=domain,DC=local has the following servicePrincipalName:
         smtp/server.domain.local@DOMAIN.LOCAL
         imap/server.domain.local@DOMAIN.LOCAL
         imap/server.domain.local

root@server:~# cat /etc/hosts
127.0.0.1        localhost
192.168.100.102  server.domain.local server

Excerpt from /var/log/mail.log (on Debian, mail.log contains the debug info).
Jul  1 23:17:01 server dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Jul  1 23:17:01 server dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libmech_gssapi.so
Jul  1 23:17:01 server dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Jul  1 23:17:01 server dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
Jul  1 23:17:01 server dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Jul  1 23:17:01 server dovecot: auth: Debug: passwd-file /etc/dovecot/passwd.masterusers: Read 0 users in 0 secs
Jul  1 23:17:01 server dovecot: auth: Debug: auth client connected (pid=21490)
Jul  1 23:17:04 server dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured#011session=ldMkgpk2dAB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=39796#011resp=<hidden>
Jul  1 23:17:04 server dovecot: auth: Debug: gssapi(?,127.0.0.1,<ldMkgpk2dAB/AAAB>): Using all keytab entries
Jul  1 23:17:04 server dovecot: auth: Debug: gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): security context state completed.
Jul  1 23:17:04 server dovecot: auth: Debug: client passdb out: XXXXXXXXXXXXXXXXXXXXXXXXX
Jul  1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
Jul  1 23:17:04 server dovecot: auth: Debug: gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): Negotiated security layer
Jul  1 23:17:04 server dovecot: auth: Debug: client passdb out: XXXXXXXXXXXXXXXXXXXXXXXXX
Jul  1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
........
Jul  1 23:17:04 server dovecot: imap-login: Login: user=<achim>, method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=21496, TLS, session=<ldMkgpk2dAB/AAAB>

On 01.07.2016 at 22:40, Achim Gottinger wrote:
> I'm sure it will not work till you get that module built. :-)
Here is a simpler way to create a user with the imap principal and the dovecot keytab

~# samba-tool user create dovecot
[Assign password]
~# samba-tool spn add imap/server.domain.local dovecot
~# samba-tool domain exportkeytab --principal dovecot@DOMAIN.LOCAL dovecot.keytab
~# cp dovecot.keytab /etc/dovecot/dovecot.keytab
~# chgrp dovecot /etc/dovecot/dovecot.keytab
~# chmod g+r /etc/dovecot/dovecot.keytab

As a side note: I test on a different server now, and the above and the mutt test from my other mail only work with

auth_gssapi_hostname = "$ALL"

defined in the dovecot config. Otherwise I get these errors:

Jul  1 23:47:29 server dovecot: auth: Debug: gssapi(?,127.0.0.1,<55Rq7pk24gB/AAAB>): Obtaining credentials for imap@
Jul  1 23:47:33 server dovecot: auth: gssapi(?,127.0.0.1,<55Rq7pk24gB/AAAB>): While acquiring service credentials: Unspecified GSS failure.  Minor code may provide more information

On 01.07.2016 at 22:40, Achim Gottinger wrote:
> I'm sure it will not work till you get that module built. :-)
On 01.07.2016 at 23:52, Achim Gottinger wrote:
> Here is a simpler way to create a user with the imap principal and the
> dovecot keytab
>
> ~# samba-tool user create dovecot
> [Assign password]
> ~# samba-tool spn add imap/server.domain.local dovecot
> ~# samba-tool domain exportkeytab --principal dovecot@DOMAIN.LOCAL
> dovecot.keytab

If the above line is replaced by

~# samba-tool domain exportkeytab --principal imap/server.domain.local dovecot.keytab

it is working without auth_gssapi_hostname = "$ALL" again.

To add the principal for smtp, execute

~# samba-tool spn add smtp/server.domain.local dovecot
~# samba-tool domain exportkeytab --principal smtp/server.domain.local dovecot.keytab

The keytab now has the following content:

~# klist -Kek dovecot.keytab
Keytab name: FILE:dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 imap/server.domain.local@DOMAIN.LOCAL (des-cbc-crc) (0x......)
   3 imap/server.domain.local@DOMAIN.LOCAL (des-cbc-md5) (0x......)
   3 imap/server.domain.local@DOMAIN.LOCAL (arcfour-hmac) (0x.................)
   3 smtp/server.domain.local@DOMAIN.LOCAL (des-cbc-crc) (0x......)
   3 smtp/server.domain.local@DOMAIN.LOCAL (des-cbc-md5) (0x......)
   3 smtp/server.domain.local@DOMAIN.LOCAL (arcfour-hmac) (0x.................)

The SPNs are

~# samba-tool spn list dovecot
dovecot
User CN=dovecot,CN=Users,DC=domain,DC=local has the following servicePrincipalName:
         imap/server.domain.local
         smtp/server.domain.local

I tried it with the hostname without the domain part, and that did not work. Also it did not work using

~# samba-tool spn add imap/server.domain.local@DOMAIN.LOCAL dovecot

The SPN should not contain the realm, like below:

~# samba-tool spn add imap/server.domain.local dovecot

But you really need that gssapi method library first.
Check the auth debug log, there should be a line like

Jul  1 23:17:01 server dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libmech_gssapi.so

> ~# cp dovecot.keytab /etc/dovecot/dovecot.keytab
> ~# chgrp dovecot /etc/dovecot/dovecot.keytab
> ~# chmod g+r /etc/dovecot/dovecot.keytab
>
> As a side note: I test on a different server now, and the above and the
> mutt test from my other mail only work with
> auth_gssapi_hostname = "$ALL"
> defined in the dovecot config.
>
> Otherwise I get these errors
>
> Jul  1 23:47:29 server dovecot: auth: Debug: gssapi(?,127.0.0.1,<55Rq7pk24gB/AAAB>): Obtaining credentials for imap@
> Jul  1 23:47:33 server dovecot: auth: gssapi(?,127.0.0.1,<55Rq7pk24gB/AAAB>): While acquiring service credentials: Unspecified GSS failure.  Minor code may provide more information
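The three findings of the message above (the SPN is service/FQDN with no realm, the keytab is exported for the service principals rather than for dovecot@REALM, and the result is verified with klist) as one script. This is an added example, not code from the thread or from Samba or Dovecot. HOST, REALM, ACCOUNT and KEYTAB are assumptions copied from the thread's placeholder names; the two klist listings are constructed, the first reproducing the one posted above. It also makes a check the thread does not: the posted keytab carries only DES and RC4 keys, so the service tickets the KDC issues for it are limited to those enctypes, and the checker distinguishes a missing principal from a present-but-weak one.

```shell
#!/bin/sh
# Added example, not from the thread. HOST, REALM, ACCOUNT and KEYTAB are
# assumptions taken from the thread's placeholder names.
HOST="server.domain.local"
REALM="DOMAIN.LOCAL"
ACCOUNT="dovecot"
KEYTAB="/etc/dovecot/dovecot.keytab"

# Reject the SPN forms the thread saw fail: a realm suffix, or a short
# (non-FQDN) hostname. Accepts service/host.with.dots only.
spn_ok() {
    case "$1" in
        *@*)             return 1 ;;   # the realm belongs in the principal, not the SPN
        [a-zA-Z]*/?*.?*) return 0 ;;   # e.g. imap/server.domain.local
        *)               return 1 ;;
    esac
}

# The thread's procedure, parameterised; run it on the AD DC only.
provision_keytab() {
    command -v samba-tool >/dev/null 2>&1 || { echo "samba-tool not found" >&2; return 1; }
    samba-tool user create "$ACCOUNT"
    for svc in imap smtp; do
        spn_ok "$svc/$HOST" || { echo "bad SPN $svc/$HOST" >&2; return 1; }
        samba-tool spn add "$svc/$HOST" "$ACCOUNT"
        # a second export into the same file appends to it (as in the thread)
        samba-tool domain exportkeytab --principal "$svc/$HOST" "$KEYTAB"
    done
    # the thread used chgrp + g+r; setting the mode explicitly also drops
    # any world-readable bit the file may have inherited
    chown root:dovecot "$KEYTAB" && chmod 640 "$KEYTAB"
    klist -Kek "$KEYTAB" | check_keytab_listing imap smtp
}

# Read `klist -Kek` output on stdin and check that every service named as an
# argument has an entry for $HOST@$REALM. Exit 0 when all are present with an
# AES key, 1 when a principal is missing, 2 when all are present but only
# weak enctypes (DES, RC4) were found, as in the thread's listing.
check_keytab_listing() {
    awk -v host="$HOST" -v realm="$REALM" -v want="$*" '
        BEGIN {
            n = split(want, svc, " ")
            for (i = 1; i <= n; i++) need[svc[i] "/" host "@" realm] = 0
        }
        # entry lines: KVNO principal (enctype) (0xkey); header lines are skipped
        $1 ~ /^[0-9]+$/ {
            princ = $2; enc = $3; gsub(/[()]/, "", enc)
            if (!(princ in need)) next
            need[princ]++
            if (enc ~ /^aes/) strong[princ]++
            else printf "weak enctype %s for %s\n", enc, princ
        }
        END {
            rc = 0
            for (p in need) {
                if (need[p] == 0)        { printf "missing: %s\n", p; rc = 1 }
                else if (!(p in strong)) { printf "no AES key for %s\n", p; if (rc == 0) rc = 2 }
            }
            exit rc
        }'
}

# Constructed sample: the listing posted in the thread (DES and RC4 only).
sample_listing() {
cat <<'EOF'
Keytab name: FILE:dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 imap/server.domain.local@DOMAIN.LOCAL (des-cbc-crc) (0x......)
   3 imap/server.domain.local@DOMAIN.LOCAL (des-cbc-md5) (0x......)
   3 imap/server.domain.local@DOMAIN.LOCAL (arcfour-hmac) (0x.................)
   3 smtp/server.domain.local@DOMAIN.LOCAL (des-cbc-crc) (0x......)
   3 smtp/server.domain.local@DOMAIN.LOCAL (des-cbc-md5) (0x......)
   3 smtp/server.domain.local@DOMAIN.LOCAL (arcfour-hmac) (0x.................)
EOF
}

# Constructed sample of a listing that also carries AES keys.
aes_listing() {
cat <<'EOF'
KVNO Principal
---- --------------------------------------------------------------------------
   4 imap/server.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96) (0x......)
   4 imap/server.domain.local@DOMAIN.LOCAL (arcfour-hmac) (0x......)
   4 smtp/server.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96) (0x......)
EOF
}

case "${1:-check}" in
    provision) provision_keytab ;;
    check)     rc=0; sample_listing | check_keytab_listing imap smtp || rc=$?
               echo "sample listing from the thread: exit status $rc" ;;
esac
```

Run it without arguments to see the thread's own listing flagged (exit status 2: both principals present, no AES key); run it with `provision` on the DC to execute the procedure. An exit status of 1 from the checker means the keytab is missing a principal, which is the condition behind the "Obtaining credentials for imap@" failure in the thread.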
OK, let me go through exactly what you did:

you:
> Here's the test (I must run mutt, not telnet, like I mentioned earlier, to
> get the imap tickets).
>
> root@server:~# kinit achim
> Password for achim@DOMAIN.LOCAL:
> [I enter my password]

As root on AD/DC mail.hprs.local:

me:
$ kinit mark
Password for mark@HPRS.LOCAL:
[I enter my password]

you:
> MAIL=imap://achim@server.domain.local/ mutt

me:
$ MAIL=imap://mark@server.domain.local/ mutt -F /etc/Muttrc

I get the mutt message, "Certificate host check failed: certificate owner does not match hostname mail.hprs.local". After that, in the mutt screen, I get:

-----BEGIN------
This certificate belongs to:
   mail.ohprs.org
   Unknown
   Unknown
   Domain Control Validated
   Unknown

This certificate was issued by:
   Go Daddy Secure Certificate Authority - G2
   Unknown
   GoDaddy.com, Inc.
   http:
   Scottsdale

This certificate is valid
   from Aug 14 21:38:38 2015 GMT
     to Aug 15 17:49:32 2016 GMT

Fingerprint: B3B3 98E9 5675 0CEB 95D4 9146 9D1C 9064
-----END-------

you:
> root@server:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: achim@DOMAIN.LOCAL
[etc ...]

me:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mark@HPRS.LOCAL

Valid starting       Expires              Service principal
07/01/2016 20:57:56  07/02/2016 06:57:56  krbtgt/HPRS.LOCAL@HPRS.LOCAL
        renew until 07/02/2016 20:57:52

Clearly, I am misconfigured at some level. From my mouse-eye view, the certificate is for mail.ohprs.org, not mail.hprs.local. What about you? You must have a certificate for server.domain.local as well as your public domain, yes? Did you at some point create a self-signed certificate?

What do you suggest?

--Mark

-----Original Message-----
> To: samba at lists.samba.org
> From: Achim Gottinger <achim at ag-web.biz>
> Date: Fri, 1 Jul 2016 23:29:35 +0200
> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
>
> Here's the test (I must run mutt, not telnet, like I mentioned earlier, to
> get the imap tickets).
Following your example for the 2nd test ...

you:
> ~# samba-tool user create dovecot
> [Assign password]
> ~# samba-tool spn add imap/server.domain.local dovecot
> ~# samba-tool domain exportkeytab --principal dovecot@DOMAIN.LOCAL
> dovecot.keytab
> ~# cp dovecot.keytab /etc/dovecot/dovecot.keytab
> ~# chgrp dovecot /etc/dovecot/dovecot.keytab
> ~# chmod g+r /etc/dovecot/dovecot.keytab

me:
root@mail > samba-tool user delete dovecot    # to get rid of previous defs.
Deleted user dovecot
root@mail > samba-tool user create dovecot
New Password:
Retype Password:
User 'dovecot' created successfully
root@mail > samba-tool domain exportkeytab --principal dovecot@HPRS.LOCAL dovecot.keytab
root@mail > cp dovecot.keytab /etc/dovecot/dovecot.keytab
root@mail > chgrp dovecot /etc/dovecot/dovecot.keytab
root@mail > chmod g+r /etc/dovecot/dovecot.keytab
root@mail > dovecot reload

> As a side note: I test on a different server now, and the above and the mutt
> test from my other mail only work with
> auth_gssapi_hostname = "$ALL"
> defined in the dovecot config.

I added that back in before reloading dovecot. Some commenter had me remove it during previous testing.

Re-ran mutt, sadly same result as the previous test, "Certificate host check failed: certificate owner does not match hostname mail.hprs.local". Nothing in maillog.

I think the certificate is fooped.

--Mark

-----Original Message-----
> To: samba at lists.samba.org
> From: Achim Gottinger <achim at ag-web.biz>
> Date: Fri, 1 Jul 2016 23:52:53 +0200
> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
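The failure Mark hits in the two messages above is a TLS hostname check, independent of Kerberos: mutt compares the name it connected to (mail.hprs.local) with the DNS names in the server certificate (mail.ohprs.org). The following is an added example, not from the thread, that builds a throwaway self-signed certificate carrying the public name as its SAN and runs the same check against both names. The two hostnames are taken from the thread; the certificate is constructed here and stands in for the GoDaddy one, proving nothing about it; the live variant with `openssl s_client` is included but not run because it needs the network.

```shell
#!/bin/sh
# Added example, not from the thread. mail.ohprs.org and mail.hprs.local are
# the names Mark reports; the certificate below is a constructed fixture.
WORK="${TMPDIR:-/tmp}/certcheck.$$"

# Self-signed test certificate with one DNS SAN (needs OpenSSL >= 1.1.1 for
# -addext). Stands in for the real server certificate.
make_cert() {  # $1 = DNS name, $2 = output cert path
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/key.pem" -out "$2" \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" >/dev/null 2>&1
}

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_dns_names() {  # $1 = cert path
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Exit 0 if a SAN covers the hostname (exact match, or a single-label
# wildcard such as *.ohprs.org covering mail.ohprs.org), 1 otherwise. Only the
# SAN is consulted; clients fall back to the CN only when there is no SAN.
cert_covers_host() {  # $1 = cert path, $2 = hostname
    for san in $(cert_dns_names "$1"); do
        [ "$san" = "$2" ] && return 0
        case "$san" in
            \*.*)
                suffix="${san#\*}"                 # ".ohprs.org"
                case "$2" in
                    *"$suffix")
                        label="${2%"$suffix"}"     # what the * stood for
                        case "$label" in ""|*.*) ;; *) return 0 ;; esac ;;
                esac ;;
        esac
    done
    return 1
}

# The same check against a running IMAP server, which is what mutt does at
# connect time. Not invoked here: it needs the network.
live_check() {  # $1 = hostname the client uses
    openssl s_client -connect "$1:143" -starttls imap \
        -verify_hostname "$1" -verify_return_error </dev/null
}

if command -v openssl >/dev/null 2>&1 && make_cert mail.ohprs.org "$WORK/server.pem"; then
    for h in mail.ohprs.org mail.hprs.local; do
        if cert_covers_host "$WORK/server.pem" "$h"; then
            echo "$h: covered by the certificate"
        else
            echo "$h: certificate owner does not match hostname"
        fi
    done
    rm -rf "$WORK"
fi
```

With a certificate issued for mail.ohprs.org only, the second line of output reproduces mutt's complaint for mail.hprs.local. The fix is a certificate whose SAN list includes the name the client actually connects to (or connecting with the name the certificate carries); accepting the certificate in mutt only hides the mismatch.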