similar to: Where is krb5.keytab or equivalent?

You can specify which principal you want in your keytab with samba-tool, check the manual. You can check which principal is in your keytab using klist: klist -k or klist -ke /path/to/keytab 2016-06-27 9:09 GMT+02:00 Rowland penny <rpenny at samba.org>: > On 27/06/16 04:27, Mark Foley wrote: > >> I am running Samba 4.1.23 as an AD/DC. It has been running file for more >>

> ... you don't get the /etc/krb5.keytab by default on a DC, you will need > to create it: > > samba-tool domain exportkeytab /etc/krb5.keytab Excellent! Thank you. I've done that now, but I have more issues more appropriate to a reply to mathias' message following. --Mark -----Original Message----- > To: samba at lists.samba.org > From: Rowland penny <rpenny

After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with Samba4 AD/DC, I believe I've finally got it! Infinite thanks to Achim Gottinger for his patience in working this through with me. Although my purpose was for Dovecot to authenticate mail clients, the configuration settings needed were on the Samba side. I hope these instructions can eventually make

> To: samba at lists.samba.org > From: Achim Gottinger <achim at ag-web.biz> > Date: Mon, 4 Jul 2016 09:29:02 +0200 > Subject: Re: [Samba] How to GSSAPI/Kerberos authenticate with Dovecot > > Am 04.07.2016 um 01:34 schrieb Mark Foley: > > After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with > > Samba4 AD/DC, I believe

Am 01.07.2016 um 23:52 schrieb Achim Gottinger: > Here is an simpler way to create an user with the imap principal and > the dovecot keymap > > ~# samba-tool user create dovecot > [Assign password] > ~# samba-tool spn add imap/server.domain.local dovecot > ~# samba-tool domain exportkeytab --principal dovecot at DOMAIN.LOCAL > dovecot.keytab If above line is replaced by

I'm sure it will not work till you get that module build. :-) Am 01.07.2016 um 20:53 schrieb Mark Foley: > On Fri, 1 Jul 2016 11:55:20 +0200 Achim Gottinger <achim at ag-web.biz> wrote: > >> Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe at an >> different location. On debian this comes with the dovecot-gssapi package. > That module is nowhere

I myself have dovecot running and auth is against a samba4 dc running on the same host. Perhaps it can help you to let samba do the authentification. Greetings Daniel EDV Daniel Müller Leitung EDV Tropenklinik Paul-Lechler-Krankenhaus Paul-Lechler-Str. 24 72076 Tübingen Tel.: 07071/206-463, Fax: 07071/206-499 Email: mueller at tropenklinik.de www.tropenklinik.de

Am 30.06.2016 um 10:45 schrieb Mark Foley: > To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set > Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab > file as required by Dovecot. I've also downloaded and installed Kerberos for access to > the k* commands (ktutil, kinit, klist, ...). > > In my

Am 30.06.2016 um 23:16 schrieb Mark Foley: > Achim, thanks a lot! A couple of questions on your suggested settings: > >> 1. Create an user >> samba-tool create user dovcot > I did this (actually `samba-tool user create dovecot`), but it asked for a password. I > entered one. You didn't mention that, so I hope it's OK. Yes > > >> 2. Add the spn

> To: samba at lists.samba.org > From: Rowland penny <rpenny at samba.org> > Date: Mon, 4 Jul 2016 21:43:46 +0100 > Subject: Re: [Samba] How to GSSAPI/Kerberos authenticate with Dovecot > [formerly Where is krb5.keytab or equivalent?] > > On 04/07/16 21:21, Mark Foley wrote: > >> To: samba at lists.samba.org > >> From: Achim Gottinger <achim at

Did a few test here "auth_gssapi_hostname = "$ALL"" is no longer required with dovecot (2.2.13 here). Add "auth_debug=yes" to your dovecor config. 192.168.100.1 is my clients ip 192.168.100.101 is the servers ag is the domain account username I use to login to windows and also the username configured in thunderbird. On my debian system an package named

More info ... when I do MAIL=imap://mark at mail.ohprs.org/ mutt (using the domain of the registered certificate). I do not get the message "Certificate host check failed: certificate owner does not match hosthame ..." I do get the same (mutt?) edit screen shown below with the "(r)eject, accept (o)nce, (a)ccept always" action at the bottom. If I "accept (o)nce",

Debug log output please! I think you still miss the gssapi module for dovecot. Am 03.07.2016 um 19:42 schrieb Mark Foley: > Achim, > > This is my most recent effort. If I cannot make progress from here I'm going to give this idea a rest. > > I used easy-rsa to create a cert. Files are: > > /etc/ssl/certs/OHPRS/easyrsa/ca.crt > /etc/ssl/certs/OHPRS/easyrsa/reqs/MAIL.req

OK, let me go through exactly what you did: you: > Here's the test (I must run mutt not telnet like i mentioned earlier to > get the imap tickets). > > root at server:~# kinit achim > Password for achim at DOMAIN.LOCAL: > [I enter my password] As root on AD/DC mail.hprs.local: me: $ kinit mark Password for mark at HPRS.LOCAL: [I enter my password] you: >

On Mon, 4 Jul 2016 08:18:11 +0100 Rowland penny <rpenny at samba.org> wrote: > The problem is that Samba doesn't recommend using the DC as a fileserver > etc This is why it isn't mentioned, Well, I don't see that the DC is being used as an actual file server simply by hosting an email server. There is no share defined in smb.conf to accomodate this. Furthermore, I

Aki - made your suggested changes, but no joy :( My /etc/krb5.conf: ------SNIP-------- [libdefaults] default_realm = HPRS.LOCAL dns_lookup_realm = false dns_lookup_kdc = true [libdefaults] default_realm = HPRS.LOCAL dns_lookup_kdc = true kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true fcc-mit-ticketflags = true [realms] HPRS.LOCAL = {

Aki, you wrote: > Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself? > > I'll try to check status of NTLM this week. I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1. I do have the Dovecot sources and will peruse the possible options after I send this. I am on version 2.2.15 and I see that the current downloadable

On 16/07/16 19:09, Mark Foley wrote: > On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> wrote: > >> On 15/07/16 08:17, Rowland penny wrote: >>> On 15/07/16 00:34, Andrew Bartlett wrote: >>>> On Thu, 2016-07-14 at 22:05 +0100, Rowland penny wrote: >>>>> On 14/07/16 21:52, Andrew Bartlett wrote: >>>>>>

On 2016-06-27 11:18 GMT+02:00 mathias dufresne wrote: > You can check which principal is in your keytab using klist: klist -k or > klist -ke /path/to/keytab Mathias, thank you. I've created the /etc/krb5.keytab per Rowland's instructions. And, per older instruction from when I first installed Samba4 2 years ago I've done: ln -s /etc/samba/private/krb5.conf /etc/krb5.conf The

On 15/07/16 08:17, Rowland penny wrote: > On 15/07/16 00:34, Andrew Bartlett wrote: >> On Thu, 2016-07-14 at 22:05 +0100, Rowland penny wrote: >>> On 14/07/16 21:52, Andrew Bartlett wrote: >>>> Rowland: >>>> >>>> Running samba-tool domain exportkeytab for a specific user is quite >>>> a >>>> reasonable thing to do, and