OK, let me go through exactly what you did:

you:
> Here's the test (I must run mutt not telnet like I mentioned earlier to
> get the imap tickets).
>
> root@server:~# kinit achim
> Password for achim@DOMAIN.LOCAL:
> [I enter my password]

As root on AD/DC mail.hprs.local:

me:
$ kinit mark
Password for mark@HPRS.LOCAL:
[I enter my password]

you:
> MAIL=imap://achim@server.domain.local/ mutt

me:
$ MAIL=imap://mark@server.domain.local/ mutt -F /etc/Muttrc

I get the mutt message, "Certificate host check failed: certificate owner does not match
hostname mail.hprs.local".

After that, in the mutt screen, I get:

-----BEGIN------
This certificate belongs to:
mail.ohprs.org
Unknown
Unknown
Domain Control Validated
Unknown

This certificate was issued by:
Go Daddy Secure Certificate Authority - G2
Unknown
GoDaddy.com, Inc.
http:
Scottsdale

This certificate is valid
from Aug 14 21:38:38 2015 GMT
to Aug 15 17:49:32 2016 GMT

Fingerprint: B3B3 98E9 5675 0CEB 95D4 9146 9D1C 9064
-----END-------

you:
> root@server:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: achim@DOMAIN.LOCAL
[etc ...]

me:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mark@HPRS.LOCAL

Valid starting       Expires              Service principal
07/01/2016 20:57:56  07/02/2016 06:57:56  krbtgt/HPRS.LOCAL@HPRS.LOCAL
        renew until 07/02/2016 20:57:52

Clearly, I am misconfigured at some level. From my mouse-eye-view, the certificate is for
mail.ohprs.org, not mail.hprs.local. What about you? You must have a certificate for
server.domain.local as well as your public domain, yes? Did you at some point create a
self-signed certificate?

What do you suggest?

--Mark

-----Original Message-----
> To: samba at lists.samba.org
> From: Achim Gottinger <achim at ag-web.biz>
> Date: Fri, 1 Jul 2016 23:29:35 +0200
> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
>
> Here's the test (I must run mutt not telnet like I mentioned earlier to
> get the imap tickets).
>
> root@server:~# kinit achim
> Password for achim@DOMAIN.LOCAL:
> [I enter my password]
> MAIL=imap://achim@server.domain.local/ mutt
> [Mutt asks about the cert, I select accept once and I end up in my INBOX.
> I leave mutt by entering q+ENTER]
> root@server:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: achim@DOMAIN.LOCAL
>
> Valid starting       Expires              Service principal
> 01.07.2016 23:16:30  02.07.2016 09:16:30  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
>         renew until 02.07.2016 23:16:28
> 01.07.2016 23:17:04  02.07.2016 09:16:30  imap/server.domain.local@
>         renew until 02.07.2016 23:16:28
> 01.07.2016 23:17:04  02.07.2016 09:16:30  imap/server.domain.local@DOMAIN.LOCAL
>         renew until 02.07.2016 23:16:28
>
> root@server:~# samba-tool spn list dovecot
> dovecot
> User CN=dovecot,CN=Users,DC=domain,DC=local has the following
> servicePrincipalName:
>          smtp/server.domain.local@DOMAIN.LOCAL
>          imap/server.domain.local@DOMAIN.LOCAL
>          imap/server.domain.local
>
> root@server:~# cat /etc/hosts
> 127.0.0.1        localhost
> 192.168.100.102  server.domain.local server
>
> Excerpt from /var/log/mail.log (on Debian mail.log contains the debug
> info).
>
> Jul 1 23:17:01 server dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
> Jul 1 23:17:01 server dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libmech_gssapi.so
> Jul 1 23:17:01 server dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
> Jul 1 23:17:01 server dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
> Jul 1 23:17:01 server dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
> Jul 1 23:17:01 server dovecot: auth: Debug: passwd-file /etc/dovecot/passwd.masterusers: Read 0 users in 0 secs
> Jul 1 23:17:01 server dovecot: auth: Debug: auth client connected (pid=21490)
> Jul 1 23:17:04 server dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured#011session=ldMkgpk2dAB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=39796#011resp=<hidden>
> Jul 1 23:17:04 server dovecot: auth: Debug: gssapi(?,127.0.0.1,<ldMkgpk2dAB/AAAB>): Using all keytab entries
> Jul 1 23:17:04 server dovecot: auth: Debug: gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): security context state completed.
> Jul 1 23:17:04 server dovecot: auth: Debug: client passdb out: XXXXXXXXXXXXXXXXXXXXXXXXX
> Jul 1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
> Jul 1 23:17:04 server dovecot: auth: Debug: gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): Negotiated security layer
> Jul 1 23:17:04 server dovecot: auth: Debug: client passdb out: XXXXXXXXXXXXXXXXXXXXXXXXX
> Jul 1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
> ........
> Jul 1 23:17:04 server dovecot: imap-login: Login: user=<achim>, method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=21496, TLS, session=<ldMkgpk2dAB/AAAB>
>
> On 01.07.2016 at 22:40, Achim Gottinger wrote:
> > I'm sure it will not work till you get that module built. :-)
> >
> >
> > On 01.07.2016 at 20:53, Mark Foley wrote:
> >> On Fri, 1 Jul 2016 11:55:20 +0200 Achim Gottinger <achim at domain.biz>
> >> wrote:
> >>
> >>> Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe
> >>> at a
> >>> different location. On Debian this comes with the dovecot-gssapi
> >>> package.
> >> That module is nowhere on my system.
> >>
> >> --Mark
> >>
> >
> >
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Yes, I created a self-signed cert (with the easy-rsa scripts from
openvpn). Does mutt let you accept the cert anyway? On an earlier test
you got past the cert state and had to enter a password or got a "no
auth" failure.

Also figure out where dovecot auth debug log entries get written (here
dovecot writes logs to mail.info, mail.error, mail.log; debug only ends
up in mail.log).

On 02.07.2016 at 03:15, Mark Foley wrote:
Achim wrote:
> Yes, I created a self-signed cert (with the easy-rsa scripts from
> openvpn).

Alright, I'll try that after this message and post back. In anticipation of "problems", where
do I put the path to that new cert? My 10-ssl.conf has:

ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key

Which is the key mutt keeps showing. I don't suppose I put the path there?

> Does mutt let you accept the cert anyway? On an earlier test
> you got past the cert state and had to enter a password or got a "no
> auth" failure.

Mutt lets me accept, but I get "No authenticators available", and the mutt screen is blank.
When it asked me for a password previously it was because it fell back to PLAIN authentication,
which worked. Now my /etc/Muttrc has

set imap_authenticators="gssapi"

to prevent that.

> Also figure out where dovecot auth debug log entries get written (here
> dovecot writes logs to mail.info, mail.error, mail.log; debug only ends
> up in mail.log).

My /etc/dovecot.conf has

# debug_log_path = /var/log/Dovecot/dovecot_debug.log

commented. I'll uncomment that before the next test. Otherwise, I see nothing in maillog or
dovecot_info (info_log_path).

--Mark

-----Original Message-----
> To: samba at lists.samba.org
> From: Achim Gottinger <achim at ag-web.biz>
> Date: Sat, 2 Jul 2016 03:39:42 +0200
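The two klist listings earlier in the thread say more than they seem to. After Achim's successful login his cache holds imap/server.domain.local tickets, because the first thing a GSSAPI client does is ask the KDC for a ticket for the service it is about to authenticate to; Mark's cache holds only the krbtgt, so mutt never started a GSSAPI exchange at all. That is also what "No authenticators available" means: none of the mechanisms listed in imap_authenticators could be used, either because mutt was built without GSSAPI support (mutt -v shows +USE_GSS or -USE_GSS among its compile options) or because the server did not offer AUTH=GSSAPI in its CAPABILITY response (Dovecot only lists it when auth_mechanisms includes gssapi and libmech_gssapi.so loaded). The shell helpers below are an added example, not code posted in the thread; each reads one command's output from stdin and the last one turns the three checks into a single verdict. The klist samples are constructed to mirror the two listings above; Mark's real mutt -v and CAPABILITY output are not on the page, so both outcomes are shown with made-up lines.

```shell
#!/bin/sh
# Added diagnostic helpers (not code posted in the thread). Each helper reads
# one command's output on stdin so it can be fed from the real command or,
# as below, from constructed samples.

# has_service_ticket SERVICE FQDN : is there a SERVICE/FQDN ticket in `klist`
# output? Matches any realm, including the empty realm of a referral ticket
# (the "imap/server.domain.local@" line in Achim's listing).
has_service_ticket() {
    fqdn_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E -q "(^|[[:space:]])$1/$fqdn_re(@[A-Za-z0-9._-]*)?[[:space:]]*\$"
}

# advertises_auth MECH : does an IMAP CAPABILITY response offer AUTH=MECH?
# Capability tokens are case-insensitive.
advertises_auth() {
    grep -E -i -q "[[:space:]]AUTH=$1([[:space:]]|\$)"
}

# mutt_has_gss : `mutt -v` lists +USE_GSS only when mutt was compiled with
# GSSAPI support; without it "gssapi" in imap_authenticators is unusable.
mutt_has_gss() {
    grep -q -e '+USE_GSS'
}

# diagnose FQDN KLIST CAPABILITY MUTT_V : print one verdict word.
diagnose() {
    if printf '%s\n' "$2" | has_service_ticket imap "$1"; then
        echo ticket-ok            # GSSAPI was attempted; read the server's auth debug log
    elif ! printf '%s\n' "$4" | mutt_has_gss; then
        echo mutt-no-gss          # the client cannot do GSSAPI at all
    elif ! printf '%s\n' "$3" | advertises_auth GSSAPI; then
        echo server-no-gssapi     # auth_mechanisms / libmech_gssapi.so on the server
    else
        echo check-spn-keytab     # both sides capable; SPN and keytab are next
    fi
}

# Constructed samples, modelled on the two klist listings in the thread.
ACHIM_KLIST=$(cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: achim@DOMAIN.LOCAL

Valid starting       Expires              Service principal
01.07.2016 23:16:30  02.07.2016 09:16:30  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 02.07.2016 23:16:28
01.07.2016 23:17:04  02.07.2016 09:16:30  imap/server.domain.local@
        renew until 02.07.2016 23:16:28
01.07.2016 23:17:04  02.07.2016 09:16:30  imap/server.domain.local@DOMAIN.LOCAL
        renew until 02.07.2016 23:16:28
EOF
)
MARK_KLIST=$(cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mark@HPRS.LOCAL

Valid starting       Expires              Service principal
07/01/2016 20:57:56  07/02/2016 06:57:56  krbtgt/HPRS.LOCAL@HPRS.LOCAL
        renew until 07/02/2016 20:57:52
EOF
)
# Constructed CAPABILITY and `mutt -v` lines; Mark's real ones are not in the thread.
CAP_WITH_GSSAPI='* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI'
CAP_WITHOUT_GSSAPI='* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN'
MUTT_V_WITH_GSS='Compile options: +USE_SASL +USE_GSS +USE_SSL_OPENSSL'
MUTT_V_WITHOUT_GSS='Compile options: +USE_SASL -USE_GSS +USE_SSL_OPENSSL'

echo "achim:                    $(diagnose server.domain.local "$ACHIM_KLIST" "$CAP_WITH_GSSAPI" "$MUTT_V_WITH_GSS")"
echo "mark, mutt without gss:   $(diagnose mail.hprs.local "$MARK_KLIST" "$CAP_WITH_GSSAPI" "$MUTT_V_WITHOUT_GSS")"
echo "mark, no AUTH=GSSAPI:     $(diagnose mail.hprs.local "$MARK_KLIST" "$CAP_WITHOUT_GSSAPI" "$MUTT_V_WITH_GSS")"
echo "mark, both sides capable: $(diagnose mail.hprs.local "$MARK_KLIST" "$CAP_WITH_GSSAPI" "$MUTT_V_WITH_GSS")"
```

On the real hosts the inputs come from `klist`, `mutt -v`, and the server's greeting: connecting with `openssl s_client -connect mail.hprs.local:143 -starttls imap -crlf` and typing `a CAPABILITY` shows the post-STARTTLS list. The verdict order matters: a missing service ticket with a GSSAPI-capable client and server points at the SPN (samba-tool spn list) and the keytab Dovecot reads (klist -k on that file), which is where the thread started.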
Hi Mark,

I'll keep replying to the list.

You must create a signed server certificate for your FQDN.

~# ./build-key-server mail.hprs.local

Then point to the public and private part in your dovecot config.

ssl_cert = </etc/easy-rsa/keys/reqs/mail.hprs.local.req
ssl_key = </etc/easy-rsa/keys/private/mail.hprs.local.key

But all that should not interfere with kerberos because you can accept
the invalid cert. What does show up in the auth debug log if you make
the kinit/mutt test now?

achim~

On 02.07.2016 at 08:43, Mark Foley wrote:
> Achim,
>
> I'm sending this message directly to you to spare the samba list from my certificate trials.
> I'm hoping you'll still hang in there a bit longer, though I'm close to giving up on this
> whole thing myself.
>
> I used easy-rsa to create a cert. Files are:
>
> /etc/ssl/certs/OHPRS/easyrsa/ca.crt
> /etc/ssl/certs/OHPRS/easyrsa/reqs/MAIL.req
> /etc/ssl/certs/OHPRS/easyrsa/reqs/dovecot.req
> /etc/ssl/certs/OHPRS/easyrsa/private/ca.key
> /etc/ssl/certs/OHPRS/easyrsa/private/MAIL.key
> /etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt
>
> $ openssl x509 -text -in /etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1 (0x1)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: CN=mail.hprs.local
>         Validity
>             Not Before: Jul  2 05:54:26 2016 GMT
>             Not After : Jun 30 05:54:26 2026 GMT
>         Subject: CN=mail.hprs.local
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>
> Now, how do I point Samba and/or Dovecot and/or kerberos and/or mutt to this cert? (dovecot.crt)
>
> I tried in /etc/Muttrc:
>
> set certificate_file=/etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt
>
> mutt seemed to ignore that as the usual GoDaddy cert was used (and failed).
>
> I tried in 10-ssl.conf:
>
> ssl_key = </etc/ssl/certs/OHPRS/easyrsa/private/MAIL.key
> ssl_cert = </etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt
>
> mutt gave the message, "Connection to mail.hprs.local closed".
>
> I've got no more guesses.
>
> On the bright side, the debug log seems to be working now.
>
> Thanks, --Mark
>
> -----Original Message-----
> From: Mark Foley <mfoley at ohprs.org>
> Date: Fri, 01 Jul 2016 22:15:05 -0400
> To: samba at lists.samba.org
> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
Achim,

This is my most recent effort. If I cannot make progress from here I'm going to give this idea a rest.

I used easy-rsa to create a cert. Files are:

/etc/ssl/certs/OHPRS/easyrsa/ca.crt
/etc/ssl/certs/OHPRS/easyrsa/reqs/MAIL.req
/etc/ssl/certs/OHPRS/easyrsa/reqs/dovecot.req
/etc/ssl/certs/OHPRS/easyrsa/private/ca.key
/etc/ssl/certs/OHPRS/easyrsa/private/MAIL.key
/etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt

$ openssl x509 -text -in /etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=mail.hprs.local
        Validity
            Not Before: Jul  2 05:54:26 2016 GMT
            Not After : Jun 30 05:54:26 2026 GMT
        Subject: CN=mail.hprs.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

Now, how do I point Samba and/or Dovecot and/or kerberos and/or mutt to this cert? (dovecot.crt)

I tried in /etc/Muttrc:

set certificate_file=/etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt

mutt seemed to ignore that as the usual GoDaddy cert was used (and failed).

I tried in 10-ssl.conf:

ssl_key = </etc/ssl/certs/OHPRS/easyrsa/private/MAIL.key
ssl_cert = </etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt

mutt gave the message, "Connection to mail.hprs.local closed".

I've got no more guesses.

On the bright side, the debug log seems to be working now.

Thanks, --Mark

-----Original Message-----
From: Mark Foley <mfoley at ohprs.org>
Date: Fri, 01 Jul 2016 22:15:05 -0400
Organization: Ohio Highway Patrol Retirement System
To: samba at lists.samba.org
Subject: Re: [Samba] Where is krb5.keytab or equivalent?
my 10-ssl.conf has: ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key Which is the key mutt keeps showing. I don't suppose I put the path there?> Does mutt let you accept the cert anyway? On an earlier test > you got past the cert state and had to enter an password or got an no > auth failure.Mutt lets me accept, but I get "No authenticators available", and the mutt screen is blank. When it asked me for a password previously it was because it fell back to PLAIN authentication, which worked. Now my /etc/Muttrc has set imap_authenticators="gssapi" to prevent that.> Also figure out where dovecot auth debug log entries get written (here > dovecot writes logs to mail.info, mail.error, mail.log, debug only ends > up in mail.log).My /etc/dovecot.conf has # debug_log_path = /var/log/Dovecot/dovecot_debug.log commented. I'll uncomment that before the next test. Otherwise, I see nothing in maillog or dovecot_info (info_log_path). --Mark -----Original Message-----> To: samba at lists.samba.org > From: Achim Gottinger <achim at ag-web.biz> > Date: Sat, 2 Jul 2016 03:39:42 +0200 > > Yes I created an self signed cert (with the easy-rsa scripts froom > openvpn). Does mutt let you accept the cert anyway? On an earlier test > you got past the cert state and had to enter an password or got an no > auth failure. > > Also figure out where dovecot auth debug log entries get written (here > dovecot writes logs to mail.info, mail.error, mail.log, debug only ends > up in mail.log). > > Am 02.07.2016 um 03:15 schrieb Mark Foley: > > OK, let me go through exactly what you did: > > > > you: > >> Here's the test (I must run mutt not telnet like i mentioned earlier to > >> get the imap tickets). 
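Mark's two symptoms, a certificate whose owner does not match the hostname mutt connects to and a connection that closes as soon as the easy-rsa key/cert pair is configured, can both be checked on the server before touching Dovecot again. The shell functions below are an added example, not code from the thread, from Dovecot or from easy-rsa; they assume OpenSSL is installed, issue a throwaway self-signed certificate that carries the internal name in a subjectAltName (hostname checks look at the SAN, not only the CN shown in the openssl output above), confirm that a certificate matches a given hostname, and confirm that a private key really belongs to a certificate (the thread's 10-ssl.conf pairs MAIL.key with dovecot.crt, which is worth verifying).

```shell
#!/bin/sh
# Added example, not from the thread: TLS sanity checks for an IMAP server's
# certificate using plain OpenSSL (assumed installed), to run before editing 10-ssl.conf.
set -eu

# Issue a throwaway self-signed cert for HOST into DIR. The subjectAltName is
# supplied through a temporary config file so this also works on OpenSSL
# releases that lack "req -addext".
make_selfsigned() {  # make_selfsigned <host> <dir>
    host=$1; dir=$2
    mkdir -p "$dir"
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3\nprompt = no\n' > "$dir/$host.cnf"
    printf '[dn]\nCN = %s\n[v3]\nsubjectAltName = DNS:%s\n' "$host" "$host" >> "$dir/$host.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/$host.cnf" -keyout "$dir/$host.key" -out "$dir/$host.crt" \
        >/dev/null 2>&1
}

# Would a client connecting to HOST accept CERT's name? Exit 0 if yes.
# This is the check mutt reported as "certificate owner does not match hostname".
cert_matches_host() {  # cert_matches_host <cert.pem> <host>
    openssl x509 -noout -in "$1" -checkhost "$2" | grep -q ' does match '
}

# Does KEY really belong to CERT? Compares SHA-256 digests of the two public keys.
# Exit 0 if yes. A mismatched pair is one common reason a server drops the
# connection during the TLS handshake instead of serving the mailbox.
key_matches_cert() {  # key_matches_cert <key.pem> <cert.pem>
    [ -r "$1" ] && [ -r "$2" ] || return 1
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
    [ "$k" = "$c" ]
}

# Show the certificate the IMAP server actually serves after STARTTLS, i.e. what
# mutt sees, and whether it matches HOST (network call, not exercised by tests).
show_server_cert() {  # show_server_cert <host> [port]
    openssl s_client -starttls imap -connect "$1:${2:-143}" -servername "$1" \
        </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates -checkhost "$1"
}
```

Run `show_server_cert mail.hprs.local` from the client side to confirm which certificate Dovecot is presenting after a config change, and `key_matches_cert` against the exact files named in ssl_key and ssl_cert before restarting Dovecot.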
Debug log output please! I think you still miss the gssapi module for dovecot.

On 03.07.2016 at 19:42 Mark Foley wrote: