On 12.12.18 15:49, Rowland Penny via samba wrote:
> What is your functional level ?

What do you mean?

- dovecot machine is joined to domain
- keytab is set up.
- see the users via wbinfo -u on dovecot server.
- dovecot is set up like in the wiki with userdb=static.

I have also tried to use pam/krb5, when I enter a password I get mails.
(Port 143 with starttls)

TB setting:

server: dovecot ip
user: username at my.fqdn.com
secu: SSL/TLS
auth: Kerberos/GSSAPI
port: 993

Results in

root at dovecot:~# tail -f /var/log/dovecot.debug.log
Dec 12 15:58:22 auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Dec 12 15:58:22 auth: Debug: auth client connected (pid=2748)
Dec 12 15:58:28 auth: Debug: auth client connected (pid=2751)
Dec 12 16:06:50 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Dec 12 16:06:50 auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_pgsql.so
Dec 12 16:06:50 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Dec 12 16:06:50 auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libmech_gssapi.so
Dec 12 16:06:50 auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Dec 12 16:06:50 auth: Debug: auth client connected (pid=2753)
Dec 12 16:06:52 auth: Debug: auth client connected (pid=2757)

But ticket not accepted.

TB setting:

server: dovecot.my.fqdn.com
user: username at my.fqdn.com
secu: SSL/TLS
auth: Kerberos/GSSAPI
port: 993

Results in no log entry.

On Wed, 12 Dec 2018 16:18:30 +0100 basti via samba <samba at lists.samba.org> wrote:
> On 12.12.18 15:49, Rowland Penny via samba wrote:
> > What is your functional level ?
>
> What do you mean?

What is the functional level of your Active Directory Domain ?
You only showed 3 kerberos keys, this usually means functional level 2003 or lower.

Rowland

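The key count mentioned in the message above can be read straight from the keytab. The script below is an added example, not part of the original thread: it takes text in the format printed by MIT `klist -k -e` and reports, for one service principal, how many keys exist and whether any is an AES type. The sample listings, the `imap/` principal and the keytab path are constructed, and treating "three keys" as the DES/RC4 set with AES absent is an assumption about this setup.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises the keys a keytab holds
# for one principal, from text in the format printed by MIT `klist -k -e`.
# Real use: klist -k -e /path/to/keytab | keytab_summary "$SPN"

# Prints "<key count> <aes|no-aes>" for principal $1, reading stdin.
keytab_summary() {
    awk -v want="$1" '
        # Key rows look like: "   1 principal@REALM (enctype)"
        $1 ~ /^[0-9]+$/ && $2 == want {
            n++
            e = $0
            sub(/^.*\(/, "", e)   # drop everything up to the last "("
            sub(/\).*$/, "", e)   # drop the closing ")" and anything after
            if (e ~ /aes/) aes = 1
        }
        END { printf "%d %s\n", n, (aes ? "aes" : "no-aes") }
    '
}

# Constructed sample data: hypothetical imap principal and keytab path.
SPN='imap/dovecot.my.fqdn.com@MY.FQDN.COM'

sample_three_keys() {
    cat <<EOF
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- ------------------------------------------------
   1 $SPN (des-cbc-crc)
   1 $SPN (des-cbc-md5)
   1 $SPN (arcfour-hmac)
EOF
}

sample_five_keys() {
    sample_three_keys
    cat <<EOF
   1 $SPN (aes128-cts-hmac-sha1-96)
   1 $SPN (aes256-cts-hmac-sha1-96)
EOF
}

echo "three keys: $(sample_three_keys | keytab_summary "$SPN")"
echo "five keys:  $(sample_five_keys | keytab_summary "$SPN")"
```

A result of `0 no-aes` means the principal name passed in does not match any entry, which is worth ruling out before drawing conclusions about the domain.
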
OK, for now it seems to work.

Server: dovecot.my.fqdn.com
Security: STARTTLS
Auth: Kerberos/GSSAPI

Possible Problems:

- Keytabfile (samba-tool delegation show dovecot\$) ?
- IP as Servername
- SSL/TLS Port 993 ?

Maybe someone can complete the wiki with thunderbird settings?

P.S.

Rowland, kinit -V5 DOVECOTUSER at MY.FQDN.COM did also work.
I use the samba wiki, don't know why it only exports 3 keys.

I have moved from samba NT4 domain to AD with debian update.
Can this be the reason?

On 12.12.18 16:34, Rowland Penny via samba wrote:
> On Wed, 12 Dec 2018 16:18:30 +0100
> basti via samba <samba at lists.samba.org> wrote:
>
>> On 12.12.18 15:49, Rowland Penny via samba wrote:
>>> What is your functional level ?
>>
>> What do you mean?
>>
>
> What is the functional level of your Active Directory Domain ?
> You only showed 3 kerberos keys, this usually means functional level
> 2003 or lower.
>
> Rowland

L.P.H. van Belle
2018-Dec-12 15:50 UTC
[Samba] [Solved] GSSAPI/Kerberos authenticate with Dovecot
So tell us what did >> You << correct ?
If you put it in the list mail everybody can enjoy from it ;-)

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> basti via samba
> Sent: Wednesday 12 December 2018 16:44
> To: samba at lists.samba.org
> Subject: Re: [Samba] [Solved] GSSAPI/Kerberos authenticate
> with Dovecot
>
> OK, for now it seems to work.
>
> Server: dovecot.my.fqdn.com
> Security: STARTTLS
> Auth: Kerberos/GSSAPI
>
> Possible Problems:
>
> - Keytabfile (samba-tool delegation show dovecot\$) ?
> - IP as Servername
> - SSL/TLS Port 993 ?
>
> Maybe someone can complete the wiki with thunderbird settings?
>
> P.S.
>
> Rowland, kinit -V5 DOVECOTUSER at MY.FQDN.COM did also work.
> I use the samba wiki, don't know why it only exports 3 keys.
>
> I have moved from samba NT4 domain to AD with debian update.
> Can this be the reason?
>
> On 12.12.18 16:34, Rowland Penny via samba wrote:
> > On Wed, 12 Dec 2018 16:18:30 +0100
> > basti via samba <samba at lists.samba.org> wrote:
> >
> >> On 12.12.18 15:49, Rowland Penny via samba wrote:
> >>> What is your functional level ?
> >>
> >> What do you mean?
> >>
> >
> > What is the functional level of your Active Directory Domain ?
> > You only showed 3 kerberos keys, this usually means functional level
> > 2003 or lower.
> >
> > Rowland