Mark Foley
2016-Jul-14 14:53 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
> To: samba at lists.samba.org
> From: Rowland penny <rpenny at samba.org>
> Date: Mon, 4 Jul 2016 21:43:46 +0100
> Subject: Re: [Samba] How to GSSAPI/Kerberos authenticate with Dovecot
> [formerly Where is krb5.keytab or equivalent?]
>
> On 04/07/16 21:21, Mark Foley wrote:
> >> To: samba at lists.samba.org
> >> From: Achim Gottinger <achim at ag-web.biz>
> >> Date: Mon, 4 Jul 2016 09:29:02 +0200
> >> Subject: Re: [Samba] How to GSSAPI/Kerberos authenticate with Dovecot
> >>
> >> On 04.07.2016 at 01:34, Mark Foley wrote:
> >>> After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with
> >>> Samba4 AD/DC, I believe I've finally got it! Infinite thanks to Achim Gottinger for his
> >>> patience in working this through with me. Although my purpose was for Dovecot to authenticate
> >>> mail clients, the configuration settings needed were on the Samba side. I hope these
> >>> instructions can eventually make it into:
> >>>
> >>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> >>>
> >>> as those instructions contain nothing about the required `samba-tool spn add` and `samba-tool domain
> >>> exportkeytab` settings, without which it is impossible to get Dovecot (and presumably other
> >>> local authenticators needing GSSAPI/Kerberos) to authenticate.
> >>>
> >>> You need kerberos as the Samba built-in kerberos does not have needed commands like `klist`.
> >>>
> >>> My distro (Slackware 14.1) does not come with kerberos, but it is easily found at:
> >>>
> >>> https://slackbuilds.org/repository/14.1/network/krb5/
> >>>
> >>> Per the samba docs, copy the krb5.conf template created when provisioned:
> >>>
> >>> $ cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
> >>>
> >>> (Note: the actual docs advise symlinking:
> >>>
> >>> ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf
> >>>
> >>> but I prefer making a copy in case I need to modify things).
> >>>
> >>> I've set the /etc/krb5.conf file to world readable. Its default contents are (and these do
> >>> not need to be changed):
> >>>
> >>> [libdefaults]
> >>> default_realm = HPRS.LOCAL
> >>> dns_lookup_realm = false
> >>> dns_lookup_kdc = true
> >>>
> >>> where HPRS.LOCAL is my realm, of course use your own.
> >>>
> >>> Now, we need a samba user in order to create the necessary SPNs (Server Principal Names):
> >>>
> >>> $ samba-tool user create dovecot
> >>> New Password:
> >>> Retype Password:
> >>> User 'dovecot' created successfully
> >>>
> >>> Next, add the SPN(s), and create the keytab:
> >>>
> >>> $ samba-tool spn add imap/mail.hprs.local dovecot
> >>> $ samba-tool domain exportkeytab --principal imap/mail.hprs.local dovecot.keytab
> >>>
> >>> Dovecot does not do my (outgoing) SMTP serving, only (incoming) IMAP, but if it did I'd have to
> >>> create another SPN for smtp:
> >>>
> >>> $ samba-tool spn add smtp/mail.hprs.local dovecot
> >>> $ samba-tool domain exportkeytab --principal smtp/mail.hprs.local dovecot.keytab
> >>>
> >>> Dovecot needs to be able to read the keytab file:
> >>>
> >>> $ chgrp dovecot /etc/dovecot/dovecot.keytab
> >>> $ chmod g+r /etc/dovecot/dovecot.keytab
> >>>
> >>> my new keytab:
> >>>
> >>> $ klist -Kek /etc/dovecot/dovecot.keytab
> >>> Keytab name: FILE:/etc/dovecot/dovecot.keytab
> >>> KVNO Principal
> >>> ---- --------------------------------------------------------------------------
> >>>    1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-crc) (0x232616c2a4fd08f7)
> >>>    1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-md5) (0x232616c2a4fd08f7)
> >>>    1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac) (0x9dae89a221dc374a39f560833352f60f)
> >>> (and if I also created the spn for smtp I would also have these:)
> >>>    1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-crc) (0x232616c2a4fd08f7)
> >>>    1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-md5) (0x232616c2a4fd08f7)
> >>>    1 smtp/mail.hprs.local@HPRS.LOCAL (arcfour-hmac) (0x9dae89a221dc374a39f560833352f60f)
> >>>
> >>> DOVECOT SETTINGS:
> >>>
> >>> Of crucial importance is to build dovecot with GSSAPI! That is NOT one of the default settings.
> >>> In the build directory:
> >>>
> >>> ./configure --with-gssapi=yes
> >>>
> >>> Otherwise, settings are pretty simple. Add the following 3 settings to 10-auth.conf:
> >>>
> >>> auth_gssapi_hostname = "$ALL"
> >>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> >>> auth_mechanisms = plain login gssapi
> >>>
> >>> The auth_gssapi_hostname is supposedly not required according to dovecot list comments, but my
> >>> 10-auth.conf template implies differently, so it can't hurt.
> >>>
> >>> I couldn't get any of this working until I rebooted the Samba AD/DC-Dovecot server, but that
> >>> just may have been me not stopping/starting Samba and Dovecot in the right sequence (or, I
> >>> needed a Samba upgrade to 4.2!).
> >>>
> >>> In my WIN7 and Ubuntu Thunderbird clients I selected gssapi/kerberos for the IMAP authentication
> >>> method and it works!
> >>>
> >>> Again, thanks to Achim for his critical help.
> >>>
> >>> Someone please put at least the required samba-tool commands into the wiki for other poor
> >>> schmucks like me.
> >>>
> >>> --Mark
> >>>
> >>>
> >> Glad you finally got it working! Have you tried it without
> >> 'auth_gssapi_hostname = "$ALL"'? In my tests with those principals it
> >> worked without it.
> >> With Samba 4.4.3 there are also aes 128/256 versions of the keys in the
> >> exported keytab.
> >> On Windows 7 kinit shows what encryption was used. With arcfour-hmac it
> >> shows rc4-hmac.
> >>
> >> achim~
> >>
> >>
> > Thanks Achim, no, I haven't tried without the auth_gssapi_hostname setting, though it probably
> > will work. The dovecot people seemed to think so. I'm giving this a rest to let my brain cool
> > down. Perhaps I'll try it later.
> >
> > Please weigh in on Rowland's comment about restricting documentation on kerberos
> > authentication to domain members. I've posted a dissenting view, but maybe I'm alone in my
> > opinion that there should be no issue running a mail server on the same box as the AD/DC.
> > Perhaps few people do that, but my feeling is that most people do that. Feedback by you and
> > others as to real-world use could be valuable.
> >
> > --Mark
> >
>
> Perhaps this info would be better on the Dovecot wiki ?
> I have no real problem with putting the info on the Samba wiki, but as I
> said, stuff like this used to be on the wiki and it was removed during
> Marc's clean up.
>
> If Marc gives the go ahead, I will add it, if he says no, then I won't,
> there is no point in adding something that Marc is just going to remove.
>
> Rowland
>

Yes, they did add it to the dovecot wiki: http://wiki2.dovecot.org/Authentication/Kerberos

Certainly, check with Marc. I wouldn't advocate doing things against policy (but changing the
policy a bit?) Even though this is about dovecot specifically, in general, one should be able
to authenticate locally, as you mention in your email of July 4, 21:30:

"Samba only recommends using the DC for authentication, ... I never said that [kerberos
authentication is restricted to domain members], you can have kerberos authentication on a DC,"

The instructions on letting dovecot authenticate on the DC are a paradigm example. Users could
easily extrapolate that to other tools that need to authenticate. Perhaps the instructions
could be generalized, leaving off the dovecot config stuff, and changing the domain user and
keytab name to something not specifically saying "dovecot".

Thanks for all your help!

--Mark
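As an added defender-side example (not code from the thread or from Samba/Dovecot), this parses a `klist -Kek` listing like the one quoted above, flags the DES and arcfour-hmac keys and any principal with no AES key (the point Achim raises about Samba 4.4.3), and checks the keytab's permission bits against the chgrp/chmod step; the sample listing is constructed and its AES line is made up.

```python
import re
import stat

# Enctypes a service keytab should not rely on: single DES is broken and
# arcfour-hmac (RC4) is deprecated; the AES keys newer Samba exports are the ones to keep.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac", "rc4-hmac"}

# One body line of `klist -Kek`:  KVNO  principal (enctype) (0xkeybytes)
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s+\((0x[0-9a-f]+)\)")

# Constructed sample modelled on the thread's listing; the AES line is made up.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- ----------------------------------------------------------------
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-crc) (0x232616c2a4fd08f7)
   1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac) (0x9dae89a221dc374a39f560833352f60f)
   1 imap/mail.hprs.local@HPRS.LOCAL (aes256-cts-hmac-sha1-96) (0x0123)
   1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-md5) (0x232616c2a4fd08f7)
"""

def parse_klist(text):
    """Return (kvno, principal, enctype) per key entry; the key bytes are discarded."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3).lower()))
    return entries

def audit_enctypes(entries):
    """Per principal: the weak enctypes present and whether any AES key exists."""
    report = {}
    for _kvno, principal, enctype in entries:
        r = report.setdefault(principal, {"weak": set(), "has_aes": False})
        if enctype in WEAK_ENCTYPES:
            r["weak"].add(enctype)
        if enctype.startswith("aes"):
            r["has_aes"] = True
    return report

def mode_problems(mode):
    """Flag permission bits looser than the thread's chgrp dovecot + chmod g+r.
    Feed it stat.S_IMODE(os.stat(path).st_mode) of the real keytab."""
    problems = []
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable")
    return problems
```

Feed `parse_klist` the captured output of `klist -Kek /etc/dovecot/dovecot.keytab` and `mode_problems` the mode bits of that file; a principal with only DES/RC4 keys or a world-readable keytab is what the audit is meant to surface.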
Rowland penny
2016-Jul-14 15:20 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On 14/07/16 15:53, Mark Foley wrote:
> Yes, they did add it to the dovecot wiki: http://wiki2.dovecot.org/Authentication/Kerberos
>
> Certainly, check with Marc. I wouldn't advocate doing things against policy (but changing the
> policy a bit?) Even though this is about dovecot specifically, in general, one should be able
> to authenticate locally, as you mention in your email of July 4, 21:30:
>
> "Samba only recommends using the DC for authentication, ... I never said that [kerberos
> authentication is restricted to domain members], you can have kerberos authentication on a DC,"
>
> The instructions on letting dovecot authenticate on the DC are a paradigm example. Users could
> easily extrapolate that to other tools that need to authenticate. Perhaps the instructions
> could be generalized, leaving off the dovecot config stuff, and changing the domain user and
> keytab name to something not specifically saying "dovecot".
>
> Thanks for all your help!
>
> --Mark
>

I don't think the problem is with mentioning 'Dovecot', it is with using the DC for anything other than authentication.

Reading the Dovecot wiki page, creating the user & SPN on the DC is okay, but once you start exporting the keytab to be used on the DC, you are doing something that Samba doesn't recommend, but I have thought of a way around this: phrase the page in the same way as the Apache page on the wiki.

By the way, did you know that 'samba-tool user create' has a switch to create a random password for you: '--random-password'

Rowland
Andrew Bartlett
2016-Jul-14 20:52 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On Thu, 2016-07-14 at 16:20 +0100, Rowland penny wrote:
> I don't think the problem is with mentioning 'Dovecot', it is with
> using the DC for anything other than authentication.
>
> Reading the Dovecot wiki page, creating the user & SPN on the DC is
> okay, but once you start exporting the keytab to be used on the DC,
> you are doing something that Samba doesn't recommend, but I have thought
> of a way around this, phrase the page in the same way as the Apache page
> on the wiki.

Rowland: Running samba-tool domain exportkeytab for a specific user is quite a reasonable thing to do, and is entirely sensible to recommend as part of adding a new user with an SPN. The keytab can then be deployed as required.

Running the exportkeytab file is not the same as loading up the DC with other services. Not that this is a total disaster (particularly for small sites trying to replace SBS), but we do try and make folks think before creating mega-servers.

I'm very happy for such information to be in our wiki, as I do refer to it and refer others to the apache page, which shows the same pattern as required for mod_auth_kerb.

https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory

Indeed, we need to make this page easier to find.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Mark Foley
2016-Jul-14 21:19 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On Thu, 14 Jul 2016 16:20:22 +0100 Rowland penny <rpenny at samba.org> wrote:
> By the way, did you know that 'samba-tool user create' has a switch to
> create a random password for you: '--random-password'
>
> Rowland

Didn't even think of that. I guess if there's never a need to log in as that user (e.g. creating the user for SPN), that's a great idea.

--Mark