Mark Foley
2016-Jul-03 23:34 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with Samba4 AD/DC, I believe I've finally got it! Infinite thanks to Achim Gottinger for his patience in working this through with me. Although my purpose was for Dovecot to authenticate mail clients, the configuration settings needed were on the Samba side. I hope these instructions can eventually make it into:

https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

as those instructions contain nothing about the required `samba-tool spn add` and `samba-tool domain exportkeytab` settings, without which it is impossible to get Dovecot (and presumably other local authenticators needing GSSAPI/Kerberos) to authenticate.

You need kerberos as the Samba built-in kerberos does not have needed commands like `klist`.

My distro (Slackware 14.1) does not come with kerberos, but it is easily found at:

https://slackbuilds.org/repository/14.1/network/krb5/

Per the samba docs, copy the krb5.conf template created when provisioned:

$ cp /usr/local/samba/private/krb5.conf /etc/krb5.conf

(Note: the actual docs advise symlinking:

ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf

but I prefer making a copy in case I need to modify things).

I've set the /etc/krb5.conf file to world readable. Its default contents are (and these do not need to be changed):

[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

where HPRS.LOCAL is my realm, of course use your own.

Now, we need a samba user in order to create the necessary SPNs (Server Principal Names):

$ samba-tool user create dovecot
New Password:
Retype Password:
User 'dovecot' created successfully

Next, add the SPN(s), and create the keytab:

$ samba-tool spn add imap/mail.hprs.local dovecot
$ samba-tool domain exportkeytab --principal imap/mail.hprs.local dovecot.keytab

Dovecot does not do my (outgoing) SMTP serving, only (incoming) IMAP, but if it did I'd have to create another SPN for smtp:

$ samba-tool spn add smtp/mail.hprs.local dovecot
$ samba-tool domain exportkeytab --principal smtp/mail.hprs.local dovecot.keytab

Dovecot needs to be able to read the keytab file:

$ chgrp dovecot /etc/dovecot/dovecot.keytab
$ chmod g+r /etc/dovecot/dovecot.keytab

My new keytab:

$ klist -Kek /etc/dovecot/dovecot.keytab
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/mail.hprs.local at HPRS.LOCAL (des-cbc-crc) (0x232616c2a4fd08f7)
   1 imap/mail.hprs.local at HPRS.LOCAL (des-cbc-md5) (0x232616c2a4fd08f7)
   1 imap/mail.hprs.local at HPRS.LOCAL (arcfour-hmac) (0x9dae89a221dc374a39f560833352f60f)

(and if I also created the spn for smtp I would also have these:)

   1 smtp/mail.hprs.local at HPRS.LOCAL (des-cbc-crc) (0x232616c2a4fd08f7)
   1 smtp/mail.hprs.local at HPRS.LOCAL (des-cbc-md5) (0x232616c2a4fd08f7)
   1 smtp/mail.hprs.local at HPRS.LOCAL (arcfour-hmac) (0x9dae89a221dc374a39f560833352f60f)

DOVECOT SETTINGS:

Of crucial importance is to build dovecot with GSSAPI! That is NOT one of the default settings. In the build directory:

./configure --with-gssapi=yes

Otherwise, settings are pretty simple. Add the following 3 settings to 10-auth.conf:

auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi

The auth_gssapi_hostname is supposedly not required according to dovecot list comments, but my 10-auth.conf template implies differently, so it can't hurt.

I couldn't get any of this working until I rebooted the Samba AD/DC-Dovecot server, but that just may have been me not stopping/starting Samba and Dovecot in the right sequence (or, I needed a Samba upgrade to 4.2!).

In my WIN7 and Ubuntu Thunderbird clients I selected gssapi/kerberos for the IMAP authenticate method and it works!

Again, thanks to Achim for his critical help.

Someone please put at least the required samba-tool commands into the wiki for other poor schmucks like me.

--Mark
Rowland penny
2016-Jul-04 07:18 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On 04/07/16 00:34, Mark Foley wrote:
> After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with
> Samba4 AD/DC, I believe I've finally got it! Infinite thanks to Achim Gottinger for his
> patience in working this through with me. Although my purpose was for Dovecot to authenticate
> mail clients, the configuration settings needed were on the Samba side. I hope these
> instructions can eventually make it into:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
>
> as those instructions contain nothing about the required `samba-tool spn add` and `samba-tool domain
> exportkeytab` settings, without which it is impossible to get Dovecot (and presumably other
> local authenticators needing GSSAPI/Kerberos) to authenticate.

The problem is that Samba doesn't recommend using the DC as a fileserver etc. This is why it isn't mentioned; on a correctly set up domain member, the keytab is created during the join.

> You need kerberos as the Samba built-in kerberos does not have needed commands like `klist`.

No you don't need kerberos, Samba comes with kerberos, you need the kerberos tools.

> [...]
>
> Someone please put at least the required samba-tool commands into the wiki for other poor
> schmucks like me.
>
> --Mark

Will do, but it will be phrased in the context of using a domain member not a DC.

Rowland
Achim Gottinger
2016-Jul-04 07:29 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On 04.07.2016 at 01:34, Mark Foley wrote:
> After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with
> Samba4 AD/DC, I believe I've finally got it! Infinite thanks to Achim Gottinger for his
> patience in working this through with me.
> [...]
> Add the following 3 settings to 10-auth.conf:
>
> auth_gssapi_hostname = "$ALL"
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> auth_mechanisms = plain login gssapi
>
> The auth_gssapi_hostname is supposedly not required according to dovecot list comments, but my
> 10-auth.conf template implies differently, so it can't hurt.
> [...]
>
> --Mark

Glad you finally got it working! Have you tried it without 'auth_gssapi_hostname = "$ALL"'? In my tests with those principals it worked without it.

With Samba 4.4.3 there are also aes 128/256 versions of the keys in the exported keytab.

On Windows 7 kinit shows what encryption was used. With arcfour-hmac it shows rc4-hmac.

achim~
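Both Mark's `klist -Kek` listing and Achim's note about the AES keys that newer Samba exports come down to checking what the exported keytab actually contains before Dovecot is pointed at it. The script below is an added example, not code from the thread or from Samba/Dovecot: it parses `klist -ek` output (a constructed sample modelled on the listing above, with `@` as klist really prints it), reports any service principal missing for a host, flags single-DES and arcfour keys, and checks that the keytab file is not world-readable. The path, hostname mail.hprs.local and realm HPRS.LOCAL are taken from the thread; `audit_keytab` assumes the MIT `klist` the thread installs.

```shell
#!/bin/sh
# keytab_audit.sh (added example, not part of the thread): sanity checks for a
# Dovecot service keytab exported with `samba-tool domain exportkeytab`.

# Constructed sample of `klist -ek` output, modelled on the listing in the
# thread. klist prints principals as name@REALM (the list archive shows " at ").
SAMPLE_KLIST='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)
   1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)
   1 imap/mail.hprs.local@HPRS.LOCAL (aes256-cts-hmac-sha1-96)'

# Print "KVNO principal enctype" for every key entry in klist output, skipping
# the header lines. Works for both `klist -ek` and `klist -Kek` (extra key column).
keytab_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $3 ~ /^[(].*[)]$/ {
        gsub(/[()]/, "", $3)
        print $1, $2, $3
    }'
}

# Unique principals present in the keytab, one per line.
keytab_principals() {
    keytab_entries "$1" | awk '{ print $2 }' | sort -u
}

# Service principals (svc/host@REALM) that the keytab lacks, one per line.
# A client asking for imap/mail.hprs.local cannot complete GSSAPI if that
# principal is not in the file Dovecot reads.
# Usage: keytab_missing_spns "$klist_output" host REALM svc...
keytab_missing_spns() {
    _out=$1; _host=$2; _realm=$3; shift 3
    _present=$(keytab_principals "$_out")
    for _svc in "$@"; do
        _spn="$_svc/$_host@$_realm"
        printf '%s\n' "$_present" | grep -qxF "$_spn" || printf '%s\n' "$_spn"
    done
}

# Keys whose enctype is single DES or arcfour (RC4); prints "principal enctype".
# Clients that negotiate these get a weaker session key; Samba 4.4.3 and later
# also export AES keys, which is what clients should be using.
keytab_weak_keys() {
    keytab_entries "$1" | awk '$3 ~ /^des-/ || $3 ~ /arcfour|rc4/ { print $2, $3 }'
}

# Succeeds only if the keytab exists and is not readable by "other". The keytab
# is equivalent to the service account's password, so group-read for the
# dovecot group (chmod g+r, as in the thread) is as wide as it should get.
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune -perm -004)" ]
}

# Run all checks against a real keytab; needs the MIT `klist` the thread installs.
# Usage: audit_keytab /etc/dovecot/dovecot.keytab mail.hprs.local HPRS.LOCAL imap smtp
audit_keytab() {
    _kt=$1; shift
    _listing=$(klist -ek "$_kt") || return 1
    _rc=0
    _missing=$(keytab_missing_spns "$_listing" "$@")
    [ -z "$_missing" ] || { echo "missing principals:"; echo "$_missing"; _rc=1; }
    _weak=$(keytab_weak_keys "$_listing")
    [ -z "$_weak" ] || { echo "weak keys present:"; echo "$_weak"; }
    keytab_mode_ok "$_kt" || { echo "$_kt is world-readable"; _rc=1; }
    return $_rc
}

# Offline demo on the constructed sample: smtp/ is reported missing, and the
# three DES/arcfour keys are listed.
keytab_missing_spns "$SAMPLE_KLIST" mail.hprs.local HPRS.LOCAL imap smtp
keytab_weak_keys "$SAMPLE_KLIST"
```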
Mark Foley
2016-Jul-04 20:15 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On Mon, 4 Jul 2016 08:18:11 +0100 Rowland penny <rpenny at samba.org> wrote:
> The problem is that Samba doesn't recommend using the DC as a fileserver
> etc This is why it isn't mentioned,

Well, I don't see that the DC is being used as an actual file server simply by hosting an email server. There is no share defined in smb.conf to accommodate this. Furthermore, I think it is common practice for the AD/DC to also be the mail server. Certainly that has been my experience, esp. coming from the Microsoft universe with the typical small business configuration of SBS and Exchange on the same host; now replaced by Samba4 and Dovecot/IMAP. Since Dovecot is only trying to authenticate, I don't see how this could possibly be a NOT RECOMMENDED configuration.

> on a correctly set up domain member, the keytab is created during the join.

Probably true for a domain member, but not for the AD/DC. I disagree that you should restrict kerberos authentication to domain members.

> > Someone please put at least the required samba-tool commands into the wiki for other poor
> > schmucks like me.
> >
> > --Mark
> Will do, but it will be phrased in the context of using a domain member
> not a DC.

You're the boss, but I don't think that covers the issue. You helped me set up a domain member for single-sign-on about a year ago and that required nothing special on the AD/DC. I think Samba/Kerberos works for domain members, but not for authentication on the same host running the DC. I think it's fallacious to assume the mail server will be on a standalone host/domain member. Maybe in the Microsoft world, but Linux certainly has the horsepower to handle AD/DC and Mailserver on the same box.

--Mark
Mark Foley
2016-Jul-04 20:21 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
> To: samba at lists.samba.org
> From: Achim Gottinger <achim at ag-web.biz>
> Date: Mon, 4 Jul 2016 09:29:02 +0200
> Subject: Re: [Samba] How to GSSAPI/Kerberos authenticate with Dovecot
>
> On 04.07.2016 at 01:34, Mark Foley wrote:
> > [...]
>
> Glad you finally got it working! Have you tried it without
> 'auth_gssapi_hostname = "$ALL"'? In my tests with those principals it
> worked without it.
> With Samba 4.4.3 there are also aes 128/256 versions of the keys in the
> exported keytab.
> On Windows 7 kinit shows what encryption was used. With arcfour-hmac it
> shows rc4-hmac.
>
> achim~

Thanks Achim, no haven't tried without the auth_gssapi_hostname settings, though it probably will work. The dovecot people seemed to think so. I'm giving this a rest to let my brain cool down. Perhaps I'll try it later.

Please weigh in on Rowland's comment about restricting documentation on kerberos authentication to domain members. I've posted a dissenting view, but maybe I'm alone in my opinion that there should be no issue running a mail server on the same box as the AD/DC. Perhaps few people do that, but my feeling is that most people do that. Feedback by you and others as to real-world use could be valuable.

--Mark
Jules Houantonon
2016-Jul-04 21:11 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
Thank you for sharing this information. Good job!

On 4 Jul 2016 12:39 AM, "Mark Foley" <mfoley at ohprs.org> wrote:
> After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI
> authentication with
> Samba4 AD/DC, I believe I've finally got it!
> [...]
>
> --Mark
Andrew Bartlett
2016-Jul-14 20:52 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On Sun, 2016-07-03 at 19:34 -0400, Mark Foley wrote:
> After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with Samba4 AD/DC, I believe I've finally got it! Infinite thanks to Achim Gottinger for his patience in working this through with me. Although my purpose was for Dovecot to authenticate mail clients, the configuration settings needed were on the Samba side. I hope these instructions can eventually make it into:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
>
> as those instructions contain nothing about the required `samba-tool spn add` and `samba-tool domain exportkeytab` settings, without which it is impossible to get Dovecot (and presumably other local authenticators needing GSSAPI/Kerberos) to authenticate.
>
> You need kerberos as the Samba built-in kerberos does not have needed commands like `klist`.
>
> My distro (Slackware 14.1) does not come with kerberos, but is easily found at:
>
> https://slackbuilds.org/repository/14.1/network/krb5/
>
> Per the samba docs, copy the krb5.conf template created when provisioned:
>
> $ cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
>
> (Note: the actual docs advise symlinking:
>
> ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf
>
> but I prefer making a copy in case I need to modify things).
>
> I've set the /etc/krb5.conf file to world readable. Its default contents are (and these do not need to be changed):
>
> [libdefaults]
> default_realm = HPRS.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> where HPRS.LOCAL is my realm, of course use your own.
>
> Now, we need a samba user in order to create the necessary SPNs (Server Principal Names):
>
> $ samba-tool user create dovecot
> New Password:
> Retype Password:
> User 'dovecot' created successfully
>
> Next, add the SPN(s), and create the keytab:
>
> $ samba-tool spn add imap/mail.hprs.local dovecot
> $ samba-tool domain exportkeytab --principal imap/mail.hprs.local dovecot.keytab
>
> Dovecot does not do my (outgoing) SMTP serving, only (incoming) IMAP, but if it did I'd have to create another SPN for smtp:
>
> $ samba-tool spn add smtp/mail.hprs.local dovecot
> $ samba-tool domain exportkeytab --principal smtp/mail.hprs.local dovecot.keytab
>
> Dovecot needs to be able to read the keytab file:
>
> $ chgrp dovecot /etc/dovecot/dovecot.keytab
> $ chmod g+r /etc/dovecot/dovecot.keytab
>
> my new keytab:
>
> $ klist -Kek /etc/dovecot/dovecot.keytab
> Keytab name: FILE:/etc/dovecot/dovecot.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
>    1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
>    1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
> (and if I also created the spn for smtp I would also have these:)
>    1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
>    1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
>    1 smtp/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
>
> DOVECOT SETTINGS:
>
> Of crucial importance is to build dovecot with GSSAPI! That is NOT one of the default settings. In the build directory:
>
> ./configure --with-gssapi=yes
>
> Otherwise, settings are pretty simple. Add the following 3 settings to 10-auth.conf:
>
> auth_gssapi_hostname = "$ALL"
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> auth_mechanisms = plain login gssapi
>
> The auth_gssapi_hostname is supposedly not required according to dovecot list comments, but my 10-auth.conf template implies differently, so it can't hurt.
>
> I couldn't get any of this working until I rebooted the Samba AD/DC-Dovecot server, but that just may have been me not stopping/starting Samba and Dovecot in the right sequence (or, I needed a Samba upgrade to 4.2!).
>
> In my WIN7 and Ubuntu Thunderbird clients I selected gssapi/kerberos for the IMAP authenticate method and it works!
>
> Again, thanks to Achim for his critical help.
>
> Someone please put at least the required samba-tool commands into the wiki for other poor schmucks like me.

This looks really great. I'm glad it worked out for you, and that we had the tools you needed.

In particular, I can confirm this is the recommended approach for additional services, be they on the DC or (more usually) another server.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba