search for: auth_gssapi_hostnam

...rucial importance is to buld dovecot with GSSAPI! That is NOT one of the default settings. > > In the build directory: > > > > ./configure --with-gssapi=yes > > > > Otherwise, settings are pretty simple. Add the following 3 settings to 10-auth.conf: > > > > auth_gssapi_hostname = "$ALL" > > auth_krb5_keytab = /etc/dovecot/dovecot.keytab > > auth_mechanisms = plain login gssapi > > > > The auth_gssapi_hostname is supposedly not required according to dovecotList comments, but my > > 10-auth.conf template implies differently, so it ca...

...ac) (0x9dae89a221dc374a39f560833352f60f) DOVECOT SETTINGS: Of crucial importance is to buld dovecot with GSSAPI! That is NOT one of the default settings. In the build directory: ./configure --with-gssapi=yes Otherwise, settings are pretty simple. Add the following 3 settings to 10-auth.conf: auth_gssapi_hostname = "$ALL" auth_krb5_keytab = /etc/dovecot/dovecot.keytab auth_mechanisms = plain login gssapi The auth_gssapi_hostname is supposedly not required according to dovecotList comments, but my 10-auth.conf template implies differently, so it can't hurt. I couldn't get any of this wor...

...to buld dovecot with GSSAPI! That is NOT one of the default settings. >>> In the build directory: >>> >>> ./configure --with-gssapi=yes >>> >>> Otherwise, settings are pretty simple. Add the following 3 settings to 10-auth.conf: >>> >>> auth_gssapi_hostname = "$ALL" >>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab >>> auth_mechanisms = plain login gssapi >>> >>> The auth_gssapi_hostname is supposedly not required according to dovecotList comments, but my >>> 10-auth.conf template implies differ...

...instructions as stated in the page https://wiki.dovecot.org/Authentication/Kerberos and considering the sentence that states [...]The Kerberos authentication mechanism doesn't require having a passdb, but you do need a userdb[...] I produced a configuration file that looked like this > auth_gssapi_hostname = $ALL > auth_krb5_keytab = /etc/dovecot/dovecot.keytab > auth_mechanisms = gssapi > auth_username_format = %u > mail_location = > maildir:~/Maildir:INDEX=/var/lib/dovecot/%d/%n:CONTROL=/var/lib/dovecot/%d/%n:UTF-8 > managesieve_notify_capability = mailto > managesieve_sieve_...

...sapi(?,192.168.4.12): Obtaining credentials for imap at efim.test.local Aug 29 16:05:14 auth: Debug: client out: CONT 1 Aug 29 16:05:14 auth: Debug: client in: CONT<hidden> Aug 29 16:05:16 auth: Debug: client out: FAIL 1 ************************************* But (!). If I define << auth_gssapi_hostname = "$ALL" >> instead of << auth_gssapi_hostname = efim.test.local >> then everything works fine. I decided to find out where is the problem, so I dig into source code of gssapi module, "mech-gssapi.c". For versions 2.0.13 and 2.0.14 of dovecot I see there the f...

...t; DOVECOT SETTINGS: > > Of crucial importance is to buld dovecot with GSSAPI! That is NOT one of the default settings. > In the build directory: > > ./configure --with-gssapi=yes > > Otherwise, settings are pretty simple. Add the following 3 settings to 10-auth.conf: > > auth_gssapi_hostname = "$ALL" > auth_krb5_keytab = /etc/dovecot/dovecot.keytab > auth_mechanisms = plain login gssapi > > The auth_gssapi_hostname is supposedly not required according to dovecotList comments, but my > 10-auth.conf template implies differently, so it can't hurt. > > I...

...temp Sep 5 18:57:05 oldbox dovecot: imap-login: Disconnected (auth failed, 1 attempts): method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=0, secured My configuration: # doveconf -n # 2.0.1 (a05834588ffb): /etc/dovecot/dovecot.conf # OS: Linux 2.6.32-5-486 i586 Debian squeeze/sid auth_debug = yes auth_gssapi_hostname = rohan auth_krb5_keytab = /etc/krb5.keytab auth_mechanisms = gssapi auth_verbose = yes disable_plaintext_auth = no listen = * mail_location = maildir:~/mail managesieve_notify_capability = mailto managesieve_sieve_capability = comparator-i;octet comparator-i;ascii-casemap fileinto reject envelope...

...e done about it. This is my situation.. When you add windows into the mix, which uses a totally different set of rules to determine the principle all hope seems to be lost to have a single service principle name for an imap server :( I was able to make things work for my environment using only the auth_gssapi_hostname feature if only MIT kerberos was used, but as soon as windows SSPI was involved it choose a different hostname. Thus we want to have GSSAPI to match any service principle in the keytab. As far as security concerns go, the admin can configure the keytab for dovecot to be seperate from the system...

...OMAIN.LOCAL dovecot 3. Create the keytab file ktutil addent -password -p smtp/server.domain.local at DOMAIN.LOCAL -k 1 -e arcfour-hmac addent -password -p imap/server.domain.local at DOMAIN.LOCAL -k 1 -e arcfour-hmac wkt /etc/dovecot/dovecot.keytab 4. Add this to your dovecot config # Kerberos auth_gssapi_hostname = "$ALL" auth_krb5_keytab = /etc/dovecot/dovecot.keytab Hope it helps, achim~

...word] > ~# samba-tool spn add imap/server.domain.local dovecot > ~# samba-tool domain exportkeytab --principal dovecot at DOMAIN.LOCAL > dovecot.keytab If above line is replaced by ~# samba-tool domain exportkeytab --principal imap/server.domain.local dovecot.keytab It is working without auth_gssapi_hostname = "$ALL" again. To add the principal for smtp execute ~# samba-tool spn add smtp/server.domain.local dovecot ~# samba-tool domain exportkeytab --principal smtp/server.domain.local dovecot.keytab The keytab now has the follwoing content ~# klist -Kek /etc/dovecot/dovecot.conf Keytab nam...

The recent addition of auth_gssapi_hostname is a welcome addition, but a little more is needed for multi-homed (or multi-domained) sites. SSH recently added this enhancement to address this common need: GSSAPIStrictAcceptorCheck Determines whether to be strict about the identity of the GSSAPI acceptor a client authenti...

...s NOT one of the default settings. > >>> In the build directory: > >>> > >>> ./configure --with-gssapi=yes > >>> > >>> Otherwise, settings are pretty simple. Add the following 3 settings to 10-auth.conf: > >>> > >>> auth_gssapi_hostname = "$ALL" > >>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab > >>> auth_mechanisms = plain login gssapi > >>> > >>> The auth_gssapi_hostname is supposedly not required according to dovecotList comments, but my > >>> 10-auth.con...

...tc/dovecot/dovecot.keytab does not yet exist. Only the two keys you just added are required to get kerberos working. The system keytab you generated with samba-tool domain exportkeytab is not required. > > >> 4. Add this to your dovecot config >> >> # Kerberos >> auth_gssapi_hostname = "$ALL" >> auth_krb5_keytab = /etc/dovecot/dovecot.keytab > Did that. In addition, I set the keytab file's group to dovecot and made the file group > readable, as suggested by http://wiki2.dovecot.org/Authentication/Kerberos. I also tried > making it world readable....

Did a few test here "auth_gssapi_hostname = "$ALL"" is no longer required with dovecot (2.2.13 here). Add "auth_debug=yes" to your dovecor config. 192.168.100.1 is my clients ip 192.168.100.101 is the servers ag is the domain account username I use to login to windows and also the username configured in thund...

http://dovecot.org/releases/dovecot-1.0.rc29.tar.gz http://dovecot.org/releases/dovecot-1.0.rc29.tar.gz.sig Probably one more RC after this. * Security fix: If zlib plugin was loaded, it was possible to open gzipped mbox files outside the user's mail directory. + Added auth_gssapi_hostname setting. - IMAP: LIST "" "" didn't return anything if there didn't exist a namespace with empty prefix. This broke some clients. - If Dovecot is tried to be started when it's already running, don't delete existing auth sockets and break the running Dovec...

http://dovecot.org/releases/dovecot-1.0.rc29.tar.gz http://dovecot.org/releases/dovecot-1.0.rc29.tar.gz.sig Probably one more RC after this. * Security fix: If zlib plugin was loaded, it was possible to open gzipped mbox files outside the user's mail directory. + Added auth_gssapi_hostname setting. - IMAP: LIST "" "" didn't return anything if there didn't exist a namespace with empty prefix. This broke some clients. - If Dovecot is tried to be started when it's already running, don't delete existing auth sockets and break the running Dovec...

...tutil, but I got, "Unknown request "wtk". Type '?' for a request list." In looking at the "?" list I saw 'wkt', so I assumed you simply transposed the letters. I tried it and it took. > 4. Add this to your dovecot config > > # Kerberos > auth_gssapi_hostname = "$ALL" > auth_krb5_keytab = /etc/dovecot/dovecot.keytab Did that. In addition, I set the keytab file's group to dovecot and made the file group readable, as suggested by http://wiki2.dovecot.org/Authentication/Kerberos. I also tried making it world readable. Now, after doing...

...essage----- From: Mark Foley <mfoley at ohprs.org> Date: Fri, 01 Jul 2016 00:09:29 -0400 Organization: Ohio Highway Patrol Retirement System To: samba at lists.samba.org Subject: Re: [Samba] Where is krb5.keytab or equivalent? Achim - per your instructions ... > Did a few test here "auth_gssapi_hostname = "$ALL"" is no longer > required with dovecot (2.2.13 here). My dovecot is 2.2.15 and the 10-auth.conf (from the template) has the comment: # Host name to use in GSSAPI principal names. The default is to use the # name returned by gethostname(). Use "$ALL" (with quo...

I'm sure it will not work till you get that module build. :-) Am 01.07.2016 um 20:53 schrieb Mark Foley: > On Fri, 1 Jul 2016 11:55:20 +0200 Achim Gottinger <achim at ag-web.biz> wrote: > >> Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe at an >> different location. On debian this comes with the dovecot-gssapi package. > That module is nowhere

Achim - per your instructions ... > Did a few test here "auth_gssapi_hostname = "$ALL"" is no longer > required with dovecot (2.2.13 here). My dovecot is 2.2.15 and the 10-auth.conf (from the template) has the comment: # Host name to use in GSSAPI principal names. The default is to use the # name returned by gethostname(). Use "$ALL" (with quo...