Displaying 20 results from an estimated 9000 matches similar to: "Enhanced Kerberos support"
2006 Aug 18
1
[Bug 928] Kerberos/GSSAPI authentication does not work with multihomed hosts
http://bugzilla.mindrot.org/show_bug.cgi?id=928
simon at sxw.org.uk changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |simon at sxw.org.uk
------- Comment #2 from simon at sxw.org.uk 2006-08-19 08:31 -------
I'd rather see us move towards just using
2014 Jul 15
3
GSSAPI
If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches?
---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |
2012 Jul 10
2
How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
Hi,
I solved my ssh GSSAPI problem. There were a lot of solutions on google
referring to a proper fqdn in the /etc/hosts file and having the
fqdn's/principals in the kerberos server's keytab file but I found out that
my problem was that the samba4/kerberos server was running on a multi-homed
machine and that the ssh server kerberos authentication needed the
following parameter in order
2008 Oct 14
1
GSSAPI Key Exchange on multi-homed host
From a security standpoint, if the default keytab (/etc/krb5.keytab)
contains only ONE principal, does it matter if GSSAPIStrictAcceptorCheck
is set to "yes" or "no"?
My company uses an internally built OpenSSH package that includes the
GSSAPI Key Exchange patch. Because we have 1000s of hosts, we need to use
a "standard" sshd_config file that works for the
2016 Jul 01
3
Where is krb5.keytab or equivalent?
More info ...
when I do
MAIL=imap://mark at mail.ohprs.org/ mutt
(using the domain of the registered certificate). I do not get the message "Certificate host
check failed: certificate owner does not match hosthame ..."
I do get the same (mutt?) edit screen shown below with the "(r)eject, accept (o)nce, (a)ccept
always" action at the bottom. If I "accept (o)nce",
2016 Jun 30
2
Where is krb5.keytab or equivalent?
Did a few tests here; "auth_gssapi_hostname = "$ALL"" is no longer
required with dovecot (2.2.13 here).
Add "auth_debug=yes" to your dovecot config.
192.168.100.1 is my client's IP, 192.168.100.101 is the server's.
ag is the domain account username I use to login to windows and also the
username configured in thunderbird.
On my debian system a package named
2016 Jul 04
3
How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
> To: samba at lists.samba.org
> From: Achim Gottinger <achim at ag-web.biz>
> Date: Mon, 4 Jul 2016 09:29:02 +0200
> Subject: Re: [Samba] How to GSSAPI/Kerberos authenticate with Dovecot
>
> On 04.07.2016 at 01:34, Mark Foley wrote:
> > After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with
> > Samba4 AD/DC, I believe
2016 Jul 03
6
How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with
Samba4 AD/DC, I believe I've finally got it! Infinite thanks to Achim Gottinger for his
patience in working this through with me. Although my purpose was for Dovecot to authenticate
mail clients, the configuration settings needed were on the Samba side. I hope these
instructions can eventually make
2016 Jun 30
2
Where is krb5.keytab or equivalent?
On 30.06.2016 at 10:45, Mark Foley wrote:
> To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set
> Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab
> file as required by Dovecot. I've also downloaded and installed Kerberos for access to
> the k* commands (ktutil, kinit, klist, ...).
>
> In my
2014 May 25
2
Samba 4 / Kerberos / ssh
I try to get Samba 4 with ssh running.
I found in the script from Matthieu Patou for the sysvol sync the following interesting line.
---
kinit -k -t /etc/krb5.keytab `hostname -s | tr "[:lower:]" "[:upper:]"`\$
rsync -X -u -a $dc_account_name\$@${dc}.${domain}:$SYSVOL $STAGING
---
If I understand correctly, he uses the domain controller service principal to connect to the
2010 Sep 05
1
Problems setting up dovecot 2.0.1 with kerberos auth
Hi,
I'm trying to setup dovecot 2.0.1 on a debian squeeze test box. I want
to integrate it into an already working kerberos5 setup, but I don't get
it to work.
I've added created host/ smtp/ and imap/ service principals with random
key for the test machine and added them to its keytab.
I can also obtain user credentials using kinit, but when I try to telnet
to port 143, I only get
2016 Jul 01
5
Where is krb5.keytab or equivalent?
I'm sure it will not work till you get that module build. :-)
On 01.07.2016 at 20:53, Mark Foley wrote:
> On Fri, 1 Jul 2016 11:55:20 +0200 Achim Gottinger <achim at ag-web.biz> wrote:
>
>> Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe at a
>> different location. On debian this comes with the dovecot-gssapi package.
> That module is nowhere
2016 Jun 30
3
Where is krb5.keytab or equivalent?
On 30.06.2016 at 23:16, Mark Foley wrote:
> Achim, thanks a lot! A couple of questions on your suggested settings:
>
>> 1. Create a user
>> samba-tool create user dovcot
> I did this (actually `samba-tool user create dovecot`), but it asked for a password. I
> entered one. You didn't mention that, so I hope it's OK.
Yes
>
>
>> 2. Add the spn
2019 Nov 08
1
gssapi without passdb
Good afternoon.
I'm configuring dovecot to authenticate users against a samba server
running as an active directory domain controller. I followed the
instructions as stated in the page
https://wiki.dovecot.org/Authentication/Kerberos and considering the
sentence that states [...]The Kerberos authentication mechanism doesn't
require having a passdb, but you do need a userdb[...] I
2008 Aug 12
2
[PATCH] Allow GSSAPI to work with multihomed hosts
I saw some past chatter on this in the list archives, but here is
another stab and another rationale.
This patch follows a similar patch to openssh in that it allows any
key in the specified keytab to match the incoming host key. This is
necessary for multihomed hosts. See:
https://bugzilla.mindrot.org/show_bug.cgi?id=928
IMAP/POP seem to be a strong candidate to be multihomed because they
are
2017 Dec 03
3
Howto authenticate smartPhone via Active Directory
With passdb ldap I guess.
---
Aki Tuomi
Dovecot oy
-------- Original message --------
From: Mark Foley <mfoley at ohprs.org>
Date: 03/12/2017 21:18 (GMT+02:00)
To: dovecot at dovecot.org
Subject: Re: Howto authenticate smartPhone via Active Directory
Yes, you are right. This link: https://www.redips.net/linux/android-email-postfix-auth/#section2
shows:
passdb pam {
}
used for
2016 Jul 01
1
Where is krb5.keytab or equivalent?
On 01.07.2016 at 23:52, Achim Gottinger wrote:
> Here is a simpler way to create a user with the imap principal and
> the dovecot keymap
>
> ~# samba-tool user create dovecot
> [Assign password]
> ~# samba-tool spn add imap/server.domain.local dovecot
> ~# samba-tool domain exportkeytab --principal dovecot at DOMAIN.LOCAL
> dovecot.keytab
If above line is replaced by
2017 Dec 01
2
iPhone no longer authenticating
I've switched a user to being an active directory user. That user's email client authorizes
just fine with dovecot using GSSAPI. However, now his iPhone won't authorize. In the dovecot
log file I get:
Dec 01 14:27:28 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=q4n3W0xfggBiZj9s lip=98.102.63.107 rip=98.102.63.108 lport=993
2015 Sep 10
3
CentOS 7.1.1503 + Dovecot + IPA
On 2015-09-09 14:21, Mike wrote:
> Yep, I have it working. It's been almost 6 months since I set it up so
> don't recall many details other than it was NOT trivial :). Have only
> used alpine and thunderbird clients, both work fine.
I wonder if that means Evolution is broken. In any case, could you tell
me the changes you made to 10-auth.conf and any other files for GSSAPI
auth
2017 Aug 16
2
Cannot login with method=GSSAPI
I am migrating an existing dovecot server to a new server. The existing
server uses pam_krb5 and works with the plain and gssapi methods. The new
server plain/pam_krb5 normal password authentication works. However, the
gssapi (tickets) authentication is producing the following error:
=== Begin Error ====
imap-login: Disconnected (no auth attempts in 0 secs): user=<>,
rip=192.168.7.61,