[Samba] Where is krb5.keytab or equivalent?
Mark Foley
2016-06-27 03:27:39 UTC
I am running Samba 4.1.23 as an AD/DC. It has been running fine for more than 1 1/2 years as an
AD/DC for mostly Windows workstations.

I'm trying to set up Dovecot with GSSAPI authentication. The config needs the location of the service
keys located in the keytab file. The default location it looks for is:

/etc/krb5.keytab

There is no such file there, nor is there a so-named file on the AD/DC at all. I do find:

/etc/samba/private/secrets.keytab
/etc/samba/private/dns.keytab

Is one of these what I can use for the Dovecot required config?

THX --Mark
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
mathias dufresne
2016-06-27 09:18:39 UTC
You can specify which principal you want in your keytab with samba-tool,
check the manual.
You can check which principal is in your keytab using klist: klist -k or
klist -ke /path/to/keytab
Post by Mark Foley
I am running Samba 4.1.23 as an AD/DC. It has been running file for more
than 1 1/2 years as a
AD/DC for mostly Windows workstations.
I'm trying to setup Dovecot with gssapi authentication. The config needs
the location of the service
/etc/krb5.keytab
/etc/samba/private/secrets.keytab
/etc/samba/private/dns.keytab
Is one of these what I can use for the Dovecot required config?
THX --Mark
Hi, you don't get the /etc/krb5.keytab by default on a DC, you will need
samba-tool domain exportkeytab /etc/krb5.keytab
Rowland
Mark Foley
2016-06-27 18:59:43 UTC
Post by mathias dufresne
You can check which principal is in your keytab using klist: klist -k or
klist -ke /path/to/keytab
Mathias, thank you. I've created the /etc/krb5.keytab per Rowland's instructions. And, per
older instruction from when I first installed Samba4 2 years ago I've done:

ln -s /etc/samba/private/krb5.conf /etc/krb5.conf

The contents of which are:

[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

I don't know if I need that file or not, but the Dovecot people say I do. I now have those
files (krb5.keytab and krb5.conf) in /etc.

Now, the problem is I cannot do your suggested `klist` command, nor the `kinit` as described in
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

I don't seem to have these commands. Do these come with the Samba4 installation or are they
supposed to already be on the system, or to be downloaded separately?

--Mark

Mark Foley
2016-06-27 18:47:45 UTC
... you don't get the /etc/krb5.keytab by default on a DC, you will need
samba-tool domain exportkeytab /etc/krb5.keytab
Excellent! Thank you. I've done that now, but I have more issues that are more appropriate to a reply to Mathias' message, following.

--Mark

Mark Foley
2016-06-30 08:45:28 UTC
To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set
Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab
file as required by Dovecot. I've also downloaded and installed Kerberos for access to
the k* commands (ktutil, kinit, klist, ...).

In my current setup, the Thunderbird client (WIN7 workstation) is not connecting. The WIN7
workstation is a domain member and works fine otherwise with Samba4 for AD user authentication,
etc. Thunderbird gives the following error:

"The Kerberos/GSSAPI ticket was not accepted by the IMAP server ***@ohprs.org. Please check
that you are logged in to the Kerberos/GSSAPI realm."

One disconcerting bit about that message is the named IMAP server "***@ohprs.org" is not a
server at all, but rather the email address of the Thunderbird account.

When attempting to connect, the Dovecot log simply has "Disconnected (no auth attempts in 18
secs): user=<>". No message at all appears in the samba log although I have auth:10 level set.
Dovecot's 'configuration' for GSSAPI consists of nothing more than specifying:

auth_mechanisms = plain login gssapi

That's it (the other mechanisms work just fine, BTW). Not much I can mess with there.

I think the problem is with Samba and handling the authentication. I do not think my Samba4 is
configured correctly. Over a year ago Rowland Penny helped me configure an Ubuntu workstation
for single-sign-on using Kerberos. He had me put the following lines into that workstation's
smb.conf file, none of which appear in the provisioned smb.conf on the Samba4 AD/DC server:

security = ADS
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind nss info = rfc2307
winbind trusted domains only = no
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes

I've tried sticking all of these in the AD/DC smb.conf and, when restarting Samba, I get a log
message, "Samba detected misconfigured 'server role' and exited."

He also had me put the following in /etc/nsswitch.conf:

passwd: compat winbind
group: compat winbind

Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server
for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.

Need Help! Thanks --Mark

-----Original Message-----
Subject: Re: [Samba] Where is krb5.keytab or equivalent?
Date: Mon, 27 Jun 2016 20:50:28 +0100
Probably, but as I replied to Mathias' message, I have none of the k* commands installed on my system, including ktutil. I'm researching as to how I can get these now.
Thanks, Mark
apt-get install krb5-user
Or the equivalent on red-hat (except I think the required package is
krb5-workstation)
Rowland
Mueller
2016-06-30 09:18:52 UTC
I myself have dovecot running and auth is against a samba4 dc running on the same host.
Perhaps it can help you to let samba do the authentication.

Greetings
Daniel


EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
Email: ***@tropenklinik.de
www.tropenklinik.de
www.bauen-sie-mit.tropenklinik.de
Mark Foley
2016-06-30 20:34:39 UTC
Daniel, Yes! Exactly! What config settings do I need for samba to accomplish this?

What Dovecot settings do I need? Would you mind sharing your config files.

BTW - you are the first person in over a year who has actually said they have this setup running!

Thanks --Mark

Achim Gottinger
2016-06-30 09:42:15 UTC
Add this line to your dovecot configuration.

auth_gssapi_hostname = "$ALL"

Create the keytab with
Achim Gottinger
2016-06-30 09:51:34 UTC
Hello Mark,

This is what I used on Debian Wheezy a few years back. I assume
arcfour-hmac is unsafe these days, but I have not yet investigated
other working encryption types here.
If you need SMTP (Postfix with auth via Dovecot) also add the smtp
SPNs. Use the password for user dovecot during keytab creation.

1. Create a user
samba-tool user create dovecot

2. Add the SPNs
samba-tool spn add smtp/***@DOMAIN.LOCAL dovecot
samba-tool spn add imap/***@DOMAIN.LOCAL dovecot

3. Create the keytab file
ktutil
addent -password -p smtp/***@DOMAIN.LOCAL -k 1 -e arcfour-hmac
addent -password -p imap/***@DOMAIN.LOCAL -k 1 -e arcfour-hmac
wkt /etc/dovecot/dovecot.keytab

4. Add this to your dovecot config

# Kerberos
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab

Hope it helps,
achim~
Mark Foley
2016-06-30 21:16:53 UTC
Post by Achim Gottinger
1. Create an user
samba-tool create user dovcot
I did this (actually `samba-tool user create dovecot`), but it asked for a password. I
entered one. You didn't mention that, so I hope it's OK.
Post by Achim Gottinger
2. Add the spn
Did that too. No issue there.
Post by Achim Gottinger
3. Create the keytab file
ktutil
arcfour-hmac
arcfour-hmac
wkt /etc/dovecot/dovecot.keytab
As you can see, your text wrapped, but from the error message I got I assumed the -e [enctype]
should have been the arcfour-hmac on the next line. So I did:

$ ktutil
ktutil: addent -password -p smtp/***@DOMAIN.LOCAL -k 1 -e arcfour-hmac
ktutil: addent -password -p imap/***@DOMAIN.LOCAL -k 1 -e arcfour-hmac

Of course, that will probably also wrap when you get this message, but basically I put the
arcfour-hmac on the same line as the addent. Each time, these commands also asked for a
password. Again, you didn't mention that, but I used the same password I used for the
`samba-tool user create` command above.

I tried 'wkt /etc/dovecot/dovecot.keytab' while in ktutil, but I got, "Unknown request "wtk".
Type '?' for a request list." In looking at the "?" list I saw 'wkt', so I assumed you simply
transposed the letters. I tried it and it took.
Post by Achim Gottinger
4. Add this to your dovecot config
# Kerberos
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
Did that. In addition, I set the keytab file's group to dovecot and made the file group
readable, as suggested by http://wiki2.dovecot.org/Authentication/Kerberos. I also tried
making it world readable. Now, after doing all that and restarting dovecot I still get the
same dovecot error:

Jun 30 16:59:54 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<3hLnJoU2vgDAqAA6>

and still the same error in Thunderbird: "The Kerberos/GSSAPI ticket was not accepted by the
IMAP server ***@ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."

As I've mentioned before, "***@ohprs.org" is not a server. It is the email address of the
Thunderbird account (running on WIN7).

Here is my doveconf -n (gssapi marked with *):

auth_debug_passwords = yes
* auth_gssapi_hostname = $ALL
* auth_krb5_keytab = /etc/krb5.keytab
* auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
driver = passwd
}
verbose_ssl = yes

(yes, I put the keytab file in /etc/krb5.keytab, not in /etc/dovecot. Should be OK, right?)

Here is my keytab list (partial); note that every entry appears in triplicate. I don't see
'dovecot' in there at all; maybe that's OK:

ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 18 COMMON$@HPRS.LOCAL
2 18 COMMON$@HPRS.LOCAL
3 18 COMMON$@HPRS.LOCAL
4 1 MAIL$@HPRS.LOCAL
5 1 MAIL$@HPRS.LOCAL
6 1 MAIL$@HPRS.LOCAL
7 1 ***@HPRS.LOCAL
8 1 ***@HPRS.LOCAL
9 1 ***@HPRS.LOCAL
:
19 1 ***@HPRS.LOCAL
20 1 ***@HPRS.LOCAL
21 1 ***@HPRS.LOCAL
:
91 1 ***@HPRS.LOCAL
92 1 ***@HPRS.LOCAL
93 1 ***@HPRS.LOCAL
:
97 1 smtp/***@DOMAIN.LOCAL
98 1 imap/***@DOMAIN.LOCAL

Can you tell from any of this why I'm still not able to authenticate?

Thanks, --Mark

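Mathias's klist tip, Achim's keytab steps and Mark's "triplicate" listing all come down to one question: which principals, at which KVNO and enctype, are in the keytab Dovecot reads. As an added example that is not from the thread, from Samba or from Dovecot, this Python script parses the MIT keytab file format directly, groups entries the way the triplicate klist lines arise (one entry per enctype), and checks that the imap/ and smtp/ SPNs for the mail host are present and whether any of them use arcfour-hmac, which Achim notes is unsafe. The host name mail.example.test is a placeholder and the sample keytab is constructed; the realm HPRS.LOCAL is the one from the thread.

```python
import struct
from dataclasses import dataclass

# Enctype numbers from RFC 3961/3962/4757; 23 is the arcfour-hmac used in the thread.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 16, 23}   # single DES, 3DES and RC4 are flagged


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM", as klist -k prints it
    kvno: int
    enctype: int
    timestamp: int


def _counted_octets(data: bytes, pos: int):
    """Read a uint16 length prefix followed by that many bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Parse an MIT keytab (format version 0x0502, all integers big-endian)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # a negative size marks a deleted slot: skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted_octets(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted_octets(data, pos)
            comps.append(comp.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, key_len = struct.unpack_from(">HH", data, pos)
        pos += 4 + key_len            # skip the key material; only metadata is listed
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(KeytabEntry(f"{'/'.join(comps)}@{realm.decode()}", kvno, enctype, ts))
    return entries


def build_keytab(entries: list[KeytabEntry], key: bytes = b"\x00" * 16) -> bytes:
    """Serialise entries in the same 0x0502 layout (dummy key material; for test data only)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, e.timestamp, e.kvno & 0xFF)  # name_type 1 = NT_PRINCIPAL
        body += struct.pack(">HH", e.enctype, len(key)) + key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def enctypes_by_principal(entries: list[KeytabEntry]) -> dict[str, list[str]]:
    """Group entries per principal: the 'triplicate' klist lines are one key per enctype."""
    grouped: dict[str, set[str]] = {}
    for e in entries:
        grouped.setdefault(e.principal, set()).add(ENCTYPE_NAMES.get(e.enctype, str(e.enctype)))
    return {p: sorted(v) for p, v in grouped.items()}


def check_service_keytab(entries, fqdn, realm, services=("imap", "smtp")):
    """Report the SPNs Dovecot needs that are absent, and entries using weak enctypes."""
    present = {e.principal for e in entries}
    wanted = [f"{s}/{fqdn}@{realm}" for s in services]
    missing = [p for p in wanted if p not in present]
    weak = sorted({(e.principal, ENCTYPE_NAMES.get(e.enctype, str(e.enctype)))
                   for e in entries if e.enctype in WEAK_ENCTYPES})
    return {"missing": missing, "weak": weak}


# Constructed sample mirroring the listing in the thread: a machine account exported
# three times (one entry per enctype) plus the two service principals added with ktutil.
# mail.example.test is a placeholder host name; HPRS.LOCAL is the realm from the thread.
SAMPLE_ENTRIES = [
    KeytabEntry("COMMON$@HPRS.LOCAL", 18, 18, 1467200000),
    KeytabEntry("COMMON$@HPRS.LOCAL", 18, 17, 1467200000),
    KeytabEntry("COMMON$@HPRS.LOCAL", 18, 23, 1467200000),
    KeytabEntry("smtp/mail.example.test@HPRS.LOCAL", 1, 23, 1467300000),
    KeytabEntry("imap/mail.example.test@HPRS.LOCAL", 1, 23, 1467300000),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)   # real file: parse_keytab(open(path, "rb").read())
    for principal, enctypes in enctypes_by_principal(parsed).items():
        print(principal, enctypes)
    print(check_service_keytab(parsed, "mail.example.test", "HPRS.LOCAL"))
```

Running it against a real /etc/dovecot/dovecot.keytab shows at a glance whether the FQDN and realm in the SPNs match what the client will request, which is the substitution mistake discussed above.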
Achim Gottinger
2016-06-30 21:44:17 UTC
Post by Mark Foley
Post by Achim Gottinger
1. Create an user
samba-tool create user dovcot
I did this (actually `samba-tool user create dovecot`), but it asked for a password. I
entered one. You didn't mention that, so I hope it's OK.
Yes
Post by Mark Foley
Post by Achim Gottinger
2. Add the spn
Did that too. No issue there.
Well you must substitute server.domain.local with your mailserver fqdn
and DOMAIN.LOCAL with HPRS.LOCAL.
Post by Mark Foley
Post by Achim Gottinger
3. Create the keytab file
ktutil
arcfour-hmac
arcfour-hmac
wkt /etc/dovecot/dovecot.keytab
As you can see, your text wrapped, but from the error message I got I assumed the -e [enctype]
$ ktutil
Same here: substitute as above, and as you said, arcfour-hmac belongs on
the same line.
Post by Mark Foley
Of course, that will probably also wrap when you get this message, but basically I put the
arcfour-hmac on the same line as the addent. Each time, these commands also asked for a
password. Again, you didn't mention that, but I used the same password I used for the
`samab-tool user create` command above.
I tried 'wkt /etc/dovecot/dovecot.keytab' while in ktutil, but I got, "Unknown request "wtk".
Type '?' for a request list." In looking at the "?" list I saw 'wkt', so I assumed you simply
transposed the letters. I tried it and it took.
Yes wkt is the command, but make sure /etc/dovecot/dovecot.keytab does
not yet exist.
Only the two keys you just added are required to get kerberos working.
The system keytab you generated with samba-tool domain exportkeytab is
not required.
Post by Mark Foley
Post by Achim Gottinger
4. Add this to your dovecot config
# Kerberos
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
Did that. In addition, I set the keytab file's group to dovecot and made the file group
readable, as suggested by http://wiki2.dovecot.org/Authentication/Kerberos. I also tried
making it world readable. Now, after doing all that and restarting dovecot I still get the
Jun 30 16:59:54 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<3hLnJoU2vgDAqAA6>
and still the same error in Thunderbird: "The Kerberos/DSSAPI ticket was not accepted by the
Thunderbird account (running on WIN7).
auth_debug_passwords = yes
* auth_gssapi_hostname = $ALL
* auth_krb5_keytab = /etc/krb5.keytab
* auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
driver = passwd
}
verbose_ssl = yes
(yes, I put the keytab file in /etc/krb5.keytab, not in etc/dovecot. Should be OK, right?)
Here is my keytab list (partial); note that every entry appears in triplicate. I don't see
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
Can you tell from any of this why I'm still not able to authenticate?
You only need lines 97 and 98, and substitute the FQDN and realm as I
mentioned above.
It must be possible for Thunderbird to use plain authentication with
your Windows account username.
It may be that you must configure userdb and passdb to do LDAP lookups against
Active Directory.
Post by Mark Foley
Thanks, --Mark
-----Original Message-----
Post by Achim Gottinger
Date: Thu, 30 Jun 2016 11:51:34 +0200
Post by Mark Foley
To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set
Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab
file as required by Dovecot. I've also downloaded and installed Kerberos for access to
the k* commands (ktutil, kinit, klist, ...).
In my current setup, the Thunderbird client (WIN7 workstation) is not connecting. The WIN7
workstation is a domain member and works fine otherwise with Samba4 for AD user authentication,
that you are logged in to the Kerberos/GSSAPI realm."
server at all, but rather the email address of the Thunderbird account.
When attempting to connect, the Dovecot log simply has "Disconnected (no auth attempts in 18
secs): user=<>". No message at all appears in the samba log although I have auth:10 level set.
auth_mechanisms = plain login gssapi
That's it (the other mechanism work just fine, BTW). Not much I can mess with there.
I think the problem is with Samba and handling the authentication. I do not think my Samba4 is
configured correctly. Over a year ago Rowland Penny helped me configure a Ubuntu workstation
for single-sign-on using Kerberos. He had me put the following lines into that workstation's
security = ADS
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind nss info = rfc2307
winbind trusted domains only = no
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
I've tried sticking all of these in the AD/DC smb.conf and, when restarting Samba, I get a log
message, "Samba detected misconfigured 'server role' and exited."
passwd: compat winbind
group: compat winbind
Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server
for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.
Need Help! Thanks --Mark
Hello Mark,
This is what I used on Debian Wheezy a few years back. I assume
arcfour-hmac is unsafe these days but I did not yet investigate into
other working encryption methods here.
If you need smtp (postfix with auth via dovecot) also add the smtp
SPNs. Use the password for user dovecot during keytab creation.
1. Create an user
samba-tool create user dovcot
2. Add the spn
3. Create the keytab file
ktutil
arcfour-hmac
arcfour-hmac
wkt /etc/dovecot/dovecot.keytab
4. Add this to your dovecot config
# Kerberos
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
Hope it helps,
achim~
Mark Foley
2016-06-30 22:46:51 UTC
Permalink
Achim,

I deleted the keytab file and did the following:

$ samba-tool user delete dovecot
$ samba-tool user add dovecot

# again, that asked for a password and I assigned one.

$ samba-tool spn add smpt/***@HPRS.LOCAL dovecot
$ samba-tool spn add imap/***@HPRS.LOCAL dovecot

$ ktutil
ktutil: addent -password -p smtp/***@HPRS.LOCAL -k 1 -e arcfour-hmac
Password for smtp/***@HPRS.LOCAL:
ktutil: addent -password -p imap/***@HPRS.LOCAL -k 1 -e arcfour-hmac
Password for imap/***@HPRS.LOCAL:
ktutil: wkt /etc/dovecot/dovecot.keytab
ktutil: quit

$ ktutil
ktutil: read_kt /etc/dovecot/dovecot.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 1 smtp/***@HPRS.LOCAL
2 1 imap/***@HPRS.LOCAL

So, much better. Duh for me not noticing that I had to change fqdn and domain to my own.

Reloaded dovecot and tried again. Same error :(

Jun 30 18:36:10 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<OTQqf4Y2SgDAqAA6>
It must be possible for Thunderbird to use plain authentication with your windows account
username. It may be that you must configure userdb and passdb to do ldap lookups against active
directory.
Yes, Thunderbird (and Outlook, iPhone/Android, roundCube) all do plain text auth to dovecot. I will
continue to need this for non-domain email clients. According to the dovecot folks, the passwd
as userdb should work OK for gssapi. The passdb is ignored for gssapi. Besides, LDAP
authentication is another one (along with NTLM) that I haven't been able to get working with
Dovecot. The only ones I've been able to get working are PLAIN and, believe it or not,
checkpassword - which is basically a passdb driver for PLAIN.

Perhaps there is some samba setting I'm missing? Here's my AD/DC smb.conf, do you see anything
missing I need? :

[global]
workgroup = HPRS
realm = hprs.local
netbios name = MAIL
interfaces = lo, eth1
bind interfaces only = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes

winbind use default domain = yes

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

log level = 2 passdb:5 auth:10 winbind:2 lanman:10
max log size = 1000

[netlogon]
path = /var/lib/samba/sysvol/hprs.local/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[Users]
path = /redirectedFolders/Users
comment = user folders for redirection
read only = No

[share]
path = /var/lib/samba/share
comment = Shared folder
read only = No

Thanks --Mark

-----Original Message-----
Date: Thu, 30 Jun 2016 23:44:17 +0200
Subject: Re: [Samba] Where is krb5.keytab or equivalent?
Post by Mark Foley
Post by Achim Gottinger
1. Create an user
samba-tool create user dovcot
I did this (actually `samba-tool user create dovecot`), but it asked for a password. I
entered one. You didn't mention that, so I hope it's OK.
Yes
Post by Mark Foley
Post by Achim Gottinger
2. Add the spn
Did that too. No issue there.
Well you must substitute server.domain.local with your mailserver fqdn
and DOMAIN.LOCAL with HPRS.LOCAL.
Post by Mark Foley
Post by Achim Gottinger
3. Create the keytab file
ktutil
arcfour-hmac
arcfour-hmac
wkt /etc/dovecot/dovecot.keytab
As you can see, your text wrapped, but from the error message I got I assumed the -e [enctype]
$ ktutil
Same here, substitute like above, and as you said arcfour-hmac belongs on
the same line.
Post by Mark Foley
Of course, that will probably also wrap when you get this message, but basically I put the
arcfour-hmac on the same line as the addent. Each time, these commands also asked for a
password. Again, you didn't mention that, but I used the same password I used for the
`samba-tool user create` command above.
I tried 'wkt /etc/dovecot/dovecot.keytab' while in ktutil, but I got, "Unknown request "wtk".
Type '?' for a request list." In looking at the "?" list I saw 'wkt', so I assumed you simply
transposed the letters. I tried it and it took.
Yes wkt is the command, but make sure /etc/dovecot/dovecot.keytab does
not yet exist.
Only the two keys you just added are required to get kerberos working.
The system keytab you generated with samba-tool domain exportkeytab is
not required.
Post by Mark Foley
Post by Achim Gottinger
4. Add this to your dovecot config
# Kerberos
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
Did that. In addition, I set the keytab file's group to dovecot and made the file group
readable, as suggested by http://wiki2.dovecot.org/Authentication/Kerberos. I also tried
making it world readable. Now, after doing all that and restarting dovecot I still get the
Jun 30 16:59:54 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<3hLnJoU2vgDAqAA6>
and still the same error in Thunderbird: "The Kerberos/GSSAPI ticket was not accepted by the
Thunderbird account (running on WIN7).
auth_debug_passwords = yes
* auth_gssapi_hostname = $ALL
* auth_krb5_keytab = /etc/krb5.keytab
* auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
driver = passwd
}
verbose_ssl = yes
(yes, I put the keytab file in /etc/krb5.keytab, not in etc/dovecot. Should be OK, right?)
Here is my keytab list (partial); note that every entry appears in triplicate. I don't see
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
Can you tell from any of this why I'm still not able to authenticate?
You only need the lines 97 and 98 and substitute the fqdn and realm like I
mentioned above.
It must be possible for Thunderbird to use plain authentication with
your windows account username.
It may be that you must configure userdb and passdb to do ldap lookups against
active directory.
Post by Mark Foley
Thanks, --Mark
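Editor's note on the keytab steps above (Achim's ktutil recipe and the `ktutil: list` / `klist -ke` output Mark posts, including the triplicated entries he mentions in the exported keytab): the following Python script is an added example, not code from this thread, from Samba or from Dovecot. It parses an MIT v2 keytab directly, prints the same principal/kvno/enctype information `klist -ke` shows, and then runs the three checks worth doing before pointing `auth_krb5_keytab` at the file: flag RC4 (arcfour-hmac) keys, which Achim already calls unsafe; flag slots listed more than once; and confirm the keytab holds the principal a GSSAPI client will actually request, `imap/<host the client connects to>@REALM`. The sample keytab is constructed inline with dummy key bytes and the page's own names (HPRS.LOCAL, mail.hprs.local); the second host, mail.ohprs.org, is taken from Mark's certificate and used only as a hypothetical to show what a mismatch looks like, not as a statement about his Thunderbird settings.

```python
import struct
from collections import Counter

# Kerberos enctype numbers: 23 is arcfour-hmac (RC4), the type used in the ktutil
# commands above; 17/18 are the AES types a current KDC prefers.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 23, 24}   # single DES and RC4, deprecated by RFC 6649 / RFC 8429


def _counted(b):
    """MIT counted_octet_string: big-endian uint16 length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_entry(principal, realm, kvno, enctype, key):
    """Encode one entry in the MIT keytab v2 (0x0502) layout that ktutil's wkt writes."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)       # name_type NT-PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key   # keyblock
    body += struct.pack(">I", kvno)                       # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body            # size prefix; negative marks a deleted slot


def build_keytab(entries):
    return b"\x05\x02" + b"".join(build_entry(*e) for e in entries)


def parse_keytab(data):
    """List every live entry as {principal, kvno, enctype}, the information `klist -ke` shows."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT v2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                       # deleted slot: skip |size| bytes
            off += -size
            continue
        end = off + size

        def read_str():
            nonlocal off
            (n,) = struct.unpack_from(">H", data, off)
            off += 2 + n
            return data[off - n:off].decode()

        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm = read_str()
        comps = [read_str() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen                     # the key bytes themselves are not needed here
        kvno = vno8
        if end - off >= 4:                  # optional 32-bit kvno wins when non-zero
            (kvno32,) = struct.unpack_from(">I", data, off)
            kvno = kvno32 or vno8
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno, "enctype": enctype})
    return entries


def audit_keytab(entries, service, host, realm):
    """Checks worth running before pointing auth_krb5_keytab at a file."""
    findings = []
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("weak enctype %s on %s" % (ENCTYPE_NAMES.get(e["enctype"], e["enctype"]), e["principal"]))
    for (p, k, t), n in Counter((e["principal"], e["kvno"], e["enctype"]) for e in entries).items():
        if n > 1:
            findings.append("%s kvno %d enctype %d listed %d times" % (p, k, t, n))
    wanted = "%s/%s@%s" % (service, host, realm)   # the service ticket a GSSAPI client asks the KDC for
    if not any(e["principal"] == wanted for e in entries):
        findings.append("no key for %s: a client connecting to %s cannot be authenticated" % (wanted, host))
    return findings


# Constructed sample: the two principals from the thread, one duplicated as if wkt had
# been run twice, plus an AES key at a newer kvno. Key bytes are dummies.
DUMMY_KEY = bytes(range(16))
SAMPLE_KEYTAB = build_keytab([
    ("smtp/mail.hprs.local", "HPRS.LOCAL", 1, 23, DUMMY_KEY),
    ("imap/mail.hprs.local", "HPRS.LOCAL", 1, 23, DUMMY_KEY),
    ("imap/mail.hprs.local", "HPRS.LOCAL", 1, 23, DUMMY_KEY),
    ("imap/mail.hprs.local", "HPRS.LOCAL", 2, 18, bytes(range(32))),
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)   # for a real file: parse_keytab(open(path, "rb").read())
    for e in entries:
        print("%-34s kvno %d  %s" % (e["principal"], e["kvno"], ENCTYPE_NAMES.get(e["enctype"], e["enctype"])))
    for host in ("mail.hprs.local", "mail.ohprs.org"):   # second host is hypothetical, see lead-in
        print(host, audit_keytab(entries, "imap", host, "HPRS.LOCAL"))
```

Run it against `/etc/dovecot/dovecot.keytab` (or `/etc/krb5.keytab`) by swapping the constructed sample for the file's bytes. Two things the output makes visible that `klist` alone does not: the host part of the principal must be the name the mail client connects to, spelled exactly as the client resolves it, and an RC4-only keytab is something to retire by adding AES (17/18) keys for the same principal rather than by leaving arcfour-hmac as the only option.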
Achim Gottinger
2016-06-30 23:38:15 UTC
Permalink
Did a few tests here: "auth_gssapi_hostname = "$ALL"" is no longer
required with dovecot (2.2.13 here).

Add "auth_debug=yes" to your dovecot config.

192.168.100.1 is my client's IP, 192.168.100.101 is the server's.

ag is the domain account username I use to login to windows and also the
username configured in thunderbird.

On my debian system a package named libsasl2-modules-gssapi-mit must be
installed.

To test kerberos against dovecot from the command line install "mutt".

I assume your windows account name is "mark"

~#kinit mark
~#MAIL=imap://***@mail.hprs.local/ mutt

A successful login with mutt looks like this in the mail logfile:

Debug: auth client connected (pid=22585)
logon-zor dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured#011session=p/ahQ4c2/wB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=44287#011resp=<hidden>
logon-zor dovecot: auth: Debug: gssapi(?,127.0.0.1,<p/ahQ4c2/wB/AAAB>): Obtaining credentials for imap@
logon-zor dovecot: auth: Debug: gssapi(ag,127.0.0.1,<p/ahQ4c2/wB/AAAB>): security context state completed.
logon-zor dovecot: auth: Debug: client passdb out: CONT#0111#011YIGVBgkqhkiG9xIBAgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrXAIZT4a2p58/+ylPphtphYA6sTnK4QCyRkHRm1VTnvrfjxc3Ya2ui9IHsBGnPggzjLVNScFx6aHJi99VCDG7s07zNUF8d4WHuNZz7el5gwK4Quy3AeUX8zVa7xkIECuTtT5W7BjpsBThhMc=
logon-zor dovecot: auth: Debug: client in: CONT<hidden>
logon-zor dovecot: auth: Debug: gssapi(ag,127.0.0.1,<p/ahQ4c2/wB/AAAB>): Negotiated security layer
logon-zor dovecot: auth: Debug: client passdb out: CONT#0111#011BQQF/wAMAAAAAAAAKxVA5AH///8b1puThszycYxSFvE=
logon-zor dovecot: auth: Debug: client in: CONT<hidden>

imap-login: Login: user=<ag>, method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=19022, TLS, session=<CdYH6IY2oADAwAw9>


Also take a look at this page
http://wiki2.dovecot.org/Authentication/Kerberos

Looking at my spn's you may also need

samba-tool spn add imap/mail.hprs.local dovecot
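Editor's note on reading the imap-login lines in this thread (Achim's successful mutt/GSSAPI login above, and the "Disconnected (no auth attempts in N secs): user=<>" lines Mark keeps getting): the script below is an added example, not code from the thread or from Dovecot. It parses Dovecot's imap-login log lines and sorts each session into one of three outcomes. The distinction matters for where to look next: "no auth attempts" means the client closed the connection without ever sending an AUTHENTICATE command, so for that session the server-side keytab and passdb were never exercised at all, whereas "auth failed" means an exchange happened and was rejected. The sample log is constructed here from the lines quoted in the thread plus one made-up failed PLAIN attempt for contrast.

```python
import re
from collections import Counter

# Constructed sample, modelled on the imap-login lines quoted in this thread; the
# last line (a failed PLAIN attempt) is invented here for contrast.
SAMPLE_LOG = """\
imap-login: Login: user=<ag>, method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=19022, TLS, session=<CdYH6IY2oADAwAw9>
Jun 30 18:36:10 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<OTQqf4Y2SgDAqAA6>
Jun 30 23:53:43 imap-login: Info: Disconnected (no auth attempts in 15 secs): user=<>, rip=98.102.63.107, lip=98.102.63.107, TLS: Disconnected, session=<TD7I7oo2gQBiZj9r>
Jul 01 00:02:11 imap-login: Info: Disconnected (auth failed, 1 attempts in 4 secs): user=<mark>, method=PLAIN, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<constructed0001>
"""

# "imap-login: [Info: ]Login|Disconnected[ (reason)]: key=value, key=<value>, ..."
LINE_RE = re.compile(r"imap-login: (?:Info: )?(?P<event>Login|Disconnected)(?: \((?P<reason>[^)]*)\))?: (?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=<?([^,<>]*)>?")


def parse_line(line):
    """Return {outcome, user, method, rip, session} for a login/disconnect line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None                      # SSL debug chatter and other lines are ignored
    fields = dict(KV_RE.findall(m.group("rest")))
    reason = m.group("reason") or ""
    if m.group("event") == "Login":
        outcome = "login_ok"             # SASL exchange completed; method= says which mechanism
    elif reason.startswith("no auth attempts"):
        outcome = "no_auth_attempt"      # client never sent AUTHENTICATE: look at the client side
    elif reason.startswith("auth failed"):
        outcome = "auth_failed"          # an exchange happened and Dovecot rejected it
    else:
        outcome = "other"
    return {"outcome": outcome, "user": fields.get("user", ""), "method": fields.get("method", ""),
            "rip": fields.get("rip", ""), "session": fields.get("session", "")}


def triage(log_text):
    """Parse every line and count outcomes per remote IP."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    summary = Counter((e["rip"], e["outcome"]) for e in events)
    return events, summary


if __name__ == "__main__":
    events, summary = triage(SAMPLE_LOG)   # real use: triage(open("/var/log/dovecot_info").read())
    for e in events:
        print("%-16s %-16s user=%-6s method=%s" % (e["rip"], e["outcome"], e["user"], e["method"]))
    for (rip, outcome), n in sorted(summary.items()):
        print("%s: %d x %s" % (rip, n, outcome))
```

With `auth_debug = yes` set as Achim suggests, a GSSAPI attempt that reaches the server also produces the `auth: Debug: gssapi(...)` lines shown in his log; if those never appear while the client is only ever logged as `no_auth_attempt`, the client did not obtain or present a service ticket for the host it connected to, and no server-side passdb change will alter that.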
Mark Foley
2016-07-01 04:09:29 UTC
Permalink
Achim - per your instructions ...
Post by Achim Gottinger
Did a few test here "auth_gssapi_hostname = "$ALL"" is no longer
required with dovecot (2.2.13 here).
My dovecot is 2.2.15 and the 10-auth.conf (from the template) has the comment:

# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.

But, I've commented that out per your suggestion.
Post by Achim Gottinger
Add "auth_debug=yes" to your dovecor config.
I already have:

auth_debug_passwords = yes

but I've added the auth_debug per your suggestion.
Post by Achim Gottinger
192.168.100.1 is my clients ip 192.168.100.101 is the servers
My WIN7/Thunderbird client is 192.168.0.58 and AD/DC/Dovecot server is 192.168.0.2
Post by Achim Gottinger
ag is the domain account username I use to login to windows and also the
username configured in thunderbird.
For me the domain and Tbird account is 'mark'
Post by Achim Gottinger
On my debian system an package named libsasl2-modules-gssapi-mit must be
installed.
I did install mit krb5. I am using Slackware which has a different package name, but it did
install and compile OK, so I don't think I'm missing anything (but who knows?).
Post by Achim Gottinger
To test kerberos against dovecot from the command line install "mutt".
I have mutt
Post by Achim Gottinger
I assume your windows account name is "mark"
yes
Post by Achim Gottinger
~#kinit mark
I did the above ... as root (should I have been 'mark'?) on the AD/DC server.

----------
$ kinit mark
Password for ***@HPRS.LOCAL:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ***@HPRS.LOCAL

Valid starting Expires Service principal
06/30/2016 23:41:31 07/01/2016 09:41:31 krbtgt/***@HPRS.LOCAL
renew until 07/01/2016 23:41:27
---------
Did that. A message quickly flashed: "Certificate host check failed: certificate owner does
not match hostname mail.hprs.org".

Then a (presumably) mutt edit window came up with:

-------
This certificate belongs to:
mail.ohprs.org
Unknown
Unknown
Domain Control Validated
Unknown

This certificate was issued by:
Go Daddy Secure Certificate Authority - G2
Unknown
GoDaddy.com, Inc.
http:
Scottsdale

This certificate is valid
from Aug 14 21:38:38 2015 GMT
to Aug 15 17:49:32 2016 GMT

Fingerprint: B3B3 98E9 5675 0CEB 95D4 9146 9D1C 9064

(r)eject, accept (o)nce, (a)ccept always
------

I did (r), then quit. I also tried

MAIL=imap://***@ohprs.org/ mutt

to no better results.
[deleted]

Nothing at all in maillog. Dovecot log had:

Jun 30 23:53:28 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [98.102.63.107]
Jun 30 23:53:43 imap-login: Debug: SSL alert: close notify [98.102.63.107]
Jun 30 23:53:43 imap-login: Info: Disconnected (no auth attempts in 15 secs): user=<>, rip=98.102.63.107, lip=98.102.63.107, TLS: Disconnected, session=<TD7I7oo2gQBiZj9r>
Post by Achim Gottinger
Also take a look at this page
http://wiki2.dovecot.org/Authentication/Kerberos
Been to that page dozens of times :) A couple of things different on that page from our config
thus far:

1) "... you will need to install a service ticket of the form imap/***@REALM."

We added 'imap/mail.hprs.local dovecot', i.e. the fqdn, not just the hostname. Could this be a
clue?

2) "Enable plaintext authentication to use Kerberos
This is needed when some of your clients don't support GSSAPI and you still want them to
authenticate against Kerberos."

It then shows an /etc/pam.d/dovecot config, but I don't care about clients who do not support
GSSAPI, so I don't think I need this.
Post by Achim Gottinger
Looking at my spn's you may also need
samba-tool spn add imap/mail.hprs.local dovecot
I added that, didn't make any difference.

Does the "Certificate host check failed" message and the mutt output tell you anything?

Thanks for your patience --Mark

-----Original Message-----
Post by Achim Gottinger
Date: Fri, 1 Jul 2016 01:38:15 +0200
Did a few test here "auth_gssapi_hostname = "$ALL"" is no longer
required with dovecot (2.2.13 here).
Add "auth_debug=yes" to your dovecor config.
192.168.100.1 is my clients ip 192.168.100.101 is the servers
ag is the domain account username I use to login to windows and also the
username configured in thunderbird.
On my debian system an package named libsasl2-modules-gssapi-mit must be
installed.
To test kerberos against dovecot from the command line install "mutt".
I assume your windows account name is "mark"
~#kinit mark
Debug: auth client connected (pid=22585)
AUTH#0111#011GSSAPI#011service=imap#011secured#011session=p/ahQ4c2/wB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=44287#011resp=<hidden>
security context state completed.
CONT#0111#011YIGVBgkqhkiG9xIBAgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrXAIZT4a2p58/+ylPphtphYA6sTnK4QCyRkHRm1VTnvrfjxc3Ya2ui9IHsBGnPggzjLVNScFx6aHJi99VCDG7s07zNUF8d4WHuNZz7el5gwK4Quy3AeUX8zVa7xkIECuTtT5W7BjpsBThhMc=
logon-zor dovecot: auth: Debug: client in: CONT<hidden>
Negotiated security layer
CONT#0111#011BQQF/wAMAAAAAAAAKxVA5AH///8b1puThszycYxSFvE=
logon-zor dovecot: auth: Debug: client in: CONT<hidden>
imap-login: Login: user=<ag>, method=GSSAPI, rip=127.0.0.1,
lip=127.0.0.1, mpid=19022, TLS, session=<CdYH6IY2oADAwAw9>
Also take a look at this page
http://wiki2.dovecot.org/Authentication/Kerberos
Looking at my spn's you may also need
samba-tool spn add imap/mail.hprs.local dovecot
Post by Mark Foley
Achim,
$ samba-tool user delete dovecot
$ samba-tool user add dovecot
# again, that asked for a password and I assigned one.
$ ktutil
ktutil: wkt /etc/dovecot/dovecot.keytab
ktutil: quit
$ ktutil
ktutil: read_kt /etc/dovecot/dovecot.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
So, much better. Duh for me not noticing that I had to change fqdn and domain to my own.
Rloaded dovecot and tried again. Same error :(
Jun 30 18:36:10 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<OTQqf4Y2SgDAqAA6>
It must be possible for Thunderbird to use plain authentification with your windows account
username. Can be you must configure userdb and passdb to do ldap lookups against active
directory.
Yes, Thunderbird (and Outlook, iPhone/Andriod, roundCube) all do plain text auth to dovecot. I will
continue to need this for non-domain email clients. According to the dovecot folks, the passwd
as userdb should work OK for gssapi. The passdb is ignored for gssapi. Besides, LDAP
authentication is another one (along with NTLM) that I haven't been able to get working with
Dovecot. The only ones I've been able to get working are PLAIN and, believe it or not,
checkpassword - which is basically a passdb driver for PLAIN.
Perhaps there is some samba setting I'm missing? Here's my AD/DC smb.conf, do you seen anything
[global]
workgroup = HPRS
realm = hprs.local
netbios name = MAIL
interfaces = lo, eth1
bind interfaces only = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
winbind use default domain = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log level = 2 passdb:5 auth:10 winbind:2 lanman:10
max log size = 1000
[netlogon]
path = /var/lib/samba/sysvol/hprs.local/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[Users]
path = /redirectedFolders/Users
comment = user folders for redirection
read only = No
[share]
path = /var/lib/samba/share
comment = Shared folder
read only = No
Thanks --Mark
-----Original Message-----
Date: Thu, 30 Jun 2016 23:44:17 +0200
Subject: Re: [Samba] Where is krb5.keytab or equivalent?
Post by Mark Foley
Post by Achim Gottinger
1. Create an user
samba-tool create user dovcot
I did this (actually `samba-tool user create dovecot`), but it asked for a password. I
entered one. You didn't mention that, so I hope it's OK.
Yes
Post by Mark Foley
Post by Achim Gottinger
2. Add the spn
Did that too. No issue there.
Well you must substitute server.domain.local with your mailserver fqdn
and DOMAIN.LOCAL with HPRS.LOCAL.
Post by Mark Foley
Post by Achim Gottinger
3. Create the keytab file
ktutil
arcfour-hmac
arcfour-hmac
wkt /etc/dovecot/dovecot.keytab
As you can see, your text wrapped, but from the error message I got I assumed the -e [enctype]
$ ktutil
Same here substitute like above and as you said arcfour-hmac belongs in
the same line.
Post by Mark Foley
Of course, that will probably also wrap when you get this message, but basically I put the
arcfour-hmac on the same line as the addent. Each time, these commands also asked for a
password. Again, you didn't mention that, but I used the same password I used for the
`samab-tool user create` command above.
I tried 'wkt /etc/dovecot/dovecot.keytab' while in ktutil, but I got, "Unknown request "wtk".
Type '?' for a request list." In looking at the "?" list I saw 'wkt', so I assumed you simply
transposed the letters. I tried it and it took.
Yes wkt is the command, but make sure /etc/dovecot/dovecot.keytab does
not yet exist.
Only the two keys you just added are required to get kerberos working.
The system keytab you generated with samba-tool domain exportkeytab is
not required.
Post by Mark Foley
Post by Achim Gottinger
4. Add this to your dovecot config
# Kerberos
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
Did that. In addition, I set the keytab file's group to dovecot and made the file group
readable, as suggested by http://wiki2.dovecot.org/Authentication/Kerberos. I also tried
making it world readable. Now, after doing all that and restarting dovecot I still get the
Jun 30 16:59:54 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<3hLnJoU2vgDAqAA6>
and still the same error in Thunderbird: "The Kerberos/DSSAPI ticket was not accepted by the
Thunderbird account (running on WIN7).
auth_debug_passwords = yes
* auth_gssapi_hostname = $ALL
* auth_krb5_keytab = /etc/krb5.keytab
* auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
driver = passwd
}
verbose_ssl = yes
(yes, I put the keytab file in /etc/krb5.keytab, not in etc/dovecot. Should be OK, right?)
Here is my keytab list (partial); note that every entry appears in triplicate. I don't see
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
Can you tell from any of this why I'm still not able to authenticate?
You only need the lines 97 and 98 and substitute fqdn and realm like I
mentioned above.
It must be possible for Thunderbird to use plain authentication with
your Windows account username.
It may be that you must configure userdb and passdb to do LDAP lookups against
Active Directory.
Post by Mark Foley
Thanks, --Mark
-----Original Message-----
Post by Achim Gottinger
Date: Thu, 30 Jun 2016 11:51:34 +0200
Post by Mark Foley
To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set
Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab
file as required by Dovecot. I've also downloaded and installed Kerberos for access to
the k* commands (ktutil, kinit, klist, ...).
In my current setup, the Thunderbird client (WIN7 workstation) is not connecting. The WIN7
workstation is a domain member and works fine otherwise with Samba4 for AD user authentication,
that you are logged in to the Kerberos/GSSAPI realm."
server at all, but rather the email address of the Thunderbird account.
When attempting to connect, the Dovecot log simply has "Disconnected (no auth attempts in 18
secs): user=<>". No message at all appears in the samba log although I have auth:10 level set.
auth_mechanisms = plain login gssapi
That's it (the other mechanism work just fine, BTW). Not much I can mess with there.
I think the problem is with Samba and handling the authentication. I do not think my Samba4 is
configured correctly. Over a year ago Rowland Penny helped me configure a Ubuntu workstation
for single-sign-on using Kerberos. He had me put the following lines into that workstation's
security = ADS
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind nss info = rfc2307
winbind trusted domains only = no
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
I've tried sticking all of these in the AD/DC smb.conf and, when restarting Samba, I get a log
message, "Samba detected misconfigured 'server role' and exited."
passwd: compat winbind
group: compat winbind
Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server
for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.
Need Help! Thanks --Mark
Hello Mark,
This is what I used in Debian wheezy a few years back. I assume
arcfour-hmac is unsafe these days but I did not yet investigate
other working encryption types here.
If you need smtp (postfix with auth via dovecot) also add the smtp
SPNs. Use the password for user dovecot during keytab creation.
1. Create an user
samba-tool create user dovcot
2. Add the spn
3. Create the keytab file
ktutil
arcfour-hmac
arcfour-hmac
wkt /etc/dovecot/dovecot.keytab
4. Add this to your dovecot config
# Kerberos
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
Hope it helps,
achim~
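Achim's four steps, collected into one script as an added example (these are not Achim's or Mark's own commands). It does the keytab step with `samba-tool domain exportkeytab --principal=...` rather than `ktutil addent`, so the exported keys carry the KVNO and enctypes the KDC actually holds for the account and no password is retyped by hand. The names follow the thread (service account `dovecot`, host `mail.hprs.local`, realm `HPRS.LOCAL`, Dovecot running as user `dovecot`); the `--random-password` and `--principal` options are assumed to exist in your samba-tool (they do in current Samba releases). It also encodes Achim's caveat that the keytab must not already exist, and the permission point from the Dovecot wiki.

```shell
#!/bin/sh
# Added example, not from the thread: create the Dovecot service account,
# its imap/ SPN and a one-principal keytab on a Samba AD DC.
# Assumed names: SERVICE_USER=dovecot, MAIL_FQDN=mail.hprs.local,
# REALM=HPRS.LOCAL, Dovecot auth running as user "dovecot".
set -eu

SERVICE_USER=${SERVICE_USER:-dovecot}
MAIL_FQDN=${MAIL_FQDN:-mail.hprs.local}
REALM=${REALM:-HPRS.LOCAL}
KEYTAB=${KEYTAB:-/etc/dovecot/dovecot.keytab}

# Kerberos principal name for a service: <service>/<fqdn>@<REALM>
# (add smtp/ the same way if Postfix authenticates through Dovecot).
service_principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Achim's caveat: ktutil and exportkeytab append to an existing file, so
# stale slots (old KVNO, wrong realm) would survive. Refuse to reuse one.
keytab_preflight() {
    if [ -e "$1" ]; then
        echo "refusing to write into existing keytab $1; move it aside first" >&2
        return 1
    fi
    return 0
}

# Dovecot's auth process reads the keytab; group-readable is enough,
# world-readable (which Mark tried) is not needed.
lock_down_keytab() {
    chown root:"$2" "$1"
    chmod 0640 "$1"
}

run() {
    keytab_preflight "$KEYTAB"
    # 1. service account; nobody logs in with it, so a random password is fine
    samba-tool user create "$SERVICE_USER" --random-password
    # 2. SPN on that account
    samba-tool spn add "imap/$MAIL_FQDN" "$SERVICE_USER"
    # 3. keytab holding only that principal (all enctypes the KDC has for it)
    samba-tool domain exportkeytab "$KEYTAB" \
        --principal="$(service_principal imap "$MAIL_FQDN" "$REALM")"
    lock_down_keytab "$KEYTAB" dovecot
    # 4. verify: one line per enctype, KVNO shown, before touching Dovecot
    klist -ke "$KEYTAB"
}

if [ "${1:-}" = "run" ]; then
    run
fi
```

Run it as root on the DC with `sh dovecot-keytab.sh run`; without the argument it only defines the functions. The `klist -ke` at the end is the check to do before editing Dovecot: one line per enctype for the principal is the normal shape (the "triplicate" Mark mentions), and the KVNO shown must match what the KDC has for the account. exportkeytab writes every enctype the account has, arcfour-hmac included; which one gets used is negotiated per ticket, so getting rid of RC4 is a KDC-side policy question rather than something this script can decide.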
Mark Foley
2016-07-01 06:21:45 UTC
More info ...

when I do

MAIL=imap://***@mail.ohprs.org/ mutt

(using the domain of the registered certificate). I do not get the message "Certificate host
check failed: certificate owner does not match hostname ..."

I do get the same (mutt?) edit screen shown below with the "(r)eject, accept (o)nce, (a)ccept
always" action at the bottom. If I "accept (o)nce", I am asked for the 'mark' password and put
into what must be the mutt mail interface showing my imap://***@mail.ohprs.org/INBOX.

Nothing in maillog, but dovecot log show a successful PLAIN authentication. If I configure
dovecot for only gssapi and run mutt again, I get the message "No authenticators available".

I then created /tmp/testMuttrc with:

set imap_authenticators="gssapi"

and ran

MAIL=imap://***@mail.ohprs.org/ mutt -F /tmp/testMuttrc

same: "No authenticators available"

It's as if dovecot knows nothing about gssapi, so I did:

$ dovecot --build-options
Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
SQL drivers:
Passdb: checkpassword passwd passwd-file shadow
Userdb: checkpassword nss passwd prefetch passwd-file

Should gssapi show up here? I did just rebuild dovecot with `./configure --with-gssapi=yes`
and the config log shows it:

#define HAVE_GSSAPI_GSSAPI_H /**/
#define HAVE_GSSAPI_H /**/
#define HAVE_GSSAPI /**/
#define HAVE_GSSAPI_GSSAPI_EXT_H 1
#define HAVE_GSSAPI_GSSAPI_KRB5_H 1
#define HAVE_KRB5_GSS_REGISTER_ACCEPTOR_IDENTITY 1
#define HAVE_GSSAPI_SPNEGO /**/
#define BUILTIN_GSSAPI /**/

Maybe I need to ask the dovecot people how to confirm that I have gssapi.

--Mark

-----Original Message-----
From: Mark Foley <***@ohprs.org>
Date: Fri, 01 Jul 2016 00:09:29 -0400
Organization: Ohio Highway Patrol Retirement System
To: ***@lists.samba.org
Subject: Re: [Samba] Where is krb5.keytab or equivalent?

Achim - per your instructions ...
Post by Achim Gottinger
Did a few test here "auth_gssapi_hostname = "$ALL"" is no longer
required with dovecot (2.2.13 here).
My dovecot is 2.2.15 and the 10-auth.conf (from the template) has the comment:

# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.

But, I've commented that out per your suggestion.
Post by Achim Gottinger
Add "auth_debug=yes" to your dovecot config.
I already have:

auth_debug_passwords = yes

but I've added the auth_debug per your suggestion.
Post by Achim Gottinger
192.168.100.1 is my clients ip 192.168.100.101 is the servers
My WIN7/Thunderbird client is 192.168.0.58 and AD/DC/Dovecot server is 192.168.0.2
Post by Achim Gottinger
ag is the domain account username I use to login to windows and also the
username configured in thunderbird.
For me the domain and Tbird account is 'mark'
Post by Achim Gottinger
On my debian system an package named libsasl2-modules-gssapi-mit must be
installed.
I did install mit krb5. I am using Slackware which has a different package name, but it did
install and compile OK, so I don't think I'm missing anything (but who knows?).
Post by Achim Gottinger
To test kerberos against dovecot from the command line install "mutt".
I have mutt
Post by Achim Gottinger
I assume your windows account name is "mark"
yes
Post by Achim Gottinger
~#kinit mark
I did the above ... as root (should I have been 'mark'?) on the AD/DC server.

----------
$ kinit mark
Password for ***@HPRS.LOCAL:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ***@HPRS.LOCAL

Valid starting Expires Service principal
06/30/2016 23:41:31 07/01/2016 09:41:31 krbtgt/***@HPRS.LOCAL
renew until 07/01/2016 23:41:27
---------
Did that. A message quickly flashed: "Certificate host check failed: certificate owner does
not match hostname mail.hprs.org".

Then a (presumably) mutt edit window came up with:

-------
This certificate belongs to:
mail.ohprs.org
Unknown
Unknown
Domain Control Validated
Unknown

This certificate was issued by:
Go Daddy Secure Certificate Authority - G2
Unknown
GoDaddy.com, Inc.
http:
Scottsdale

This certificate is valid
from Aug 14 21:38:38 2015 GMT
to Aug 15 17:49:32 2016 GMT

Fingerprint: B3B3 98E9 5675 0CEB 95D4 9146 9D1C 9064

(r)eject, accept (o)nce, (a)ccept always
------

I did (r), then quit. I also tried

MAIL=imap://***@ohprs.org/ mutt

to no better results.
[deleted]

Nothing at all in maillog. Dovecot log had:

Jun 30 23:53:28 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [98.102.63.107]
Jun 30 23:53:43 imap-login: Debug: SSL alert: close notify [98.102.63.107]
Jun 30 23:53:43 imap-login: Info: Disconnected (no auth attempts in 15 secs): user=<>, rip=98.102.63.107, lip=98.102.63.107, TLS: Disconnected, session=<TD7I7oo2gQBiZj9r>
Post by Achim Gottinger
Also take a look at this page
http://wiki2.dovecot.org/Authentication/Kerberos
Been to that page dozens of times :) A couple of things different on that page from our config
thus far:

1) "... you will need to install a service ticket of the form imap/***@REALM."

We added 'imap/mail.hprs.local dovecot', i.e. the fqdn, not just the hostname. Could this be a
clue?

2) "Enable plaintext authentication to use Kerberos
This is needed when some of your clients don't support GSSAPI and you still want them to
authenticate against Kerberos."

It then shows an /etc/pam.d/dovecot config, but I don't care about clients who do not support
GSSAPI, so I don't think I need this.
Post by Achim Gottinger
Looking at my spn's you may also need
samba-tool spn add imap/mail.hprs.local dovecot
I added that, didn't make any difference.

does the "Certificate host check failed" message and the mutt output tell you anything?

Thanks for your patience --Mark

-----Original Message-----
Post by Achim Gottinger
Date: Fri, 1 Jul 2016 01:38:15 +0200
Did a few test here "auth_gssapi_hostname = "$ALL"" is no longer
required with dovecot (2.2.13 here).
Add "auth_debug=yes" to your dovecot config.
192.168.100.1 is my clients ip 192.168.100.101 is the servers
ag is the domain account username I use to login to windows and also the
username configured in thunderbird.
On my debian system an package named libsasl2-modules-gssapi-mit must be
installed.
To test kerberos against dovecot from the command line install "mutt".
I assume your windows account name is "mark"
~#kinit mark
Debug: auth client connected (pid=22585)
AUTH#0111#011GSSAPI#011service=imap#011secured#011session=p/ahQ4c2/wB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=44287#011resp=<hidden>
security context state completed.
CONT#0111#011YIGVBgkqhkiG9xIBAgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrXAIZT4a2p58/+ylPphtphYA6sTnK4QCyRkHRm1VTnvrfjxc3Ya2ui9IHsBGnPggzjLVNScFx6aHJi99VCDG7s07zNUF8d4WHuNZz7el5gwK4Quy3AeUX8zVa7xkIECuTtT5W7BjpsBThhMc=
logon-zor dovecot: auth: Debug: client in: CONT<hidden>
Negotiated security layer
CONT#0111#011BQQF/wAMAAAAAAAAKxVA5AH///8b1puThszycYxSFvE=
logon-zor dovecot: auth: Debug: client in: CONT<hidden>
imap-login: Login: user=<ag>, method=GSSAPI, rip=127.0.0.1,
lip=127.0.0.1, mpid=19022, TLS, session=<CdYH6IY2oADAwAw9>
Also take a look at this page
http://wiki2.dovecot.org/Authentication/Kerberos
Looking at my spn's you may also need
samba-tool spn add imap/mail.hprs.local dovecot
Post by Mark Foley
Achim,
$ samba-tool user delete dovecot
$ samba-tool user add dovecot
# again, that asked for a password and I assigned one.
$ ktutil
ktutil: wkt /etc/dovecot/dovecot.keytab
ktutil: quit
$ ktutil
ktutil: read_kt /etc/dovecot/dovecot.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
So, much better. Duh for me not noticing that I had to change fqdn and domain to my own.
Reloaded dovecot and tried again. Same error :(
Jun 30 18:36:10 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<OTQqf4Y2SgDAqAA6>
It must be possible for Thunderbird to use plain authentication with your Windows account
username. It may be that you must configure userdb and passdb to do LDAP lookups against Active
Directory.
Yes, Thunderbird (and Outlook, iPhone/Android, roundCube) all do plain text auth to dovecot. I will
continue to need this for non-domain email clients. According to the dovecot folks, the passwd
as userdb should work OK for gssapi. The passdb is ignored for gssapi. Besides, LDAP
authentication is another one (along with NTLM) that I haven't been able to get working with
Dovecot. The only ones I've been able to get working are PLAIN and, believe it or not,
checkpassword - which is basically a passdb driver for PLAIN.
Perhaps there is some samba setting I'm missing? Here's my AD/DC smb.conf, do you see anything
[global]
workgroup = HPRS
realm = hprs.local
netbios name = MAIL
interfaces = lo, eth1
bind interfaces only = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
winbind use default domain = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log level = 2 passdb:5 auth:10 winbind:2 lanman:10
max log size = 1000
[netlogon]
path = /var/lib/samba/sysvol/hprs.local/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[Users]
path = /redirectedFolders/Users
comment = user folders for redirection
read only = No
[share]
path = /var/lib/samba/share
comment = Shared folder
read only = No
Thanks --Mark
-----Original Message-----
Date: Thu, 30 Jun 2016 23:44:17 +0200
Subject: Re: [Samba] Where is krb5.keytab or equivalent?
Post by Mark Foley
Post by Achim Gottinger
1. Create an user
samba-tool create user dovcot
I did this (actually `samba-tool user create dovecot`), but it asked for a password. I
entered one. You didn't mention that, so I hope it's OK.
Yes
Post by Mark Foley
Post by Achim Gottinger
2. Add the spn
Did that too. No issue there.
Well you must substitute server.domain.local with your mailserver fqdn
and DOMAIN.LOCAL with HPRS.LOCAL.
Post by Mark Foley
Post by Achim Gottinger
3. Create the keytab file
ktutil
arcfour-hmac
arcfour-hmac
wkt /etc/dovecot/dovecot.keytab
As you can see, your text wrapped, but from the error message I got I assumed the -e [enctype]
$ ktutil
Same here substitute like above and as you said arcfour-hmac belongs in
the same line.
Post by Mark Foley
Of course, that will probably also wrap when you get this message, but basically I put the
arcfour-hmac on the same line as the addent. Each time, these commands also asked for a
password. Again, you didn't mention that, but I used the same password I used for the
`samba-tool user create` command above.
I tried 'wkt /etc/dovecot/dovecot.keytab' while in ktutil, but I got, "Unknown request "wtk".
Type '?' for a request list." In looking at the "?" list I saw 'wkt', so I assumed you simply
transposed the letters. I tried it and it took.
Yes wkt is the command, but make sure /etc/dovecot/dovecot.keytab does
not yet exist.
Only the two keys you just added are required to get kerberos working.
The system keytab you generated with samba-tool domain exportkeytab is
not required.
Post by Mark Foley
Post by Achim Gottinger
4. Add this to your dovecot config
# Kerberos
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
Did that. In addition, I set the keytab file's group to dovecot and made the file group
readable, as suggested by http://wiki2.dovecot.org/Authentication/Kerberos. I also tried
making it world readable. Now, after doing all that and restarting dovecot I still get the
Jun 30 16:59:54 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<3hLnJoU2vgDAqAA6>
and still the same error in Thunderbird: "The Kerberos/GSSAPI ticket was not accepted by the
Thunderbird account (running on WIN7).
auth_debug_passwords = yes
* auth_gssapi_hostname = $ALL
* auth_krb5_keytab = /etc/krb5.keytab
* auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
driver = passwd
}
verbose_ssl = yes
(yes, I put the keytab file in /etc/krb5.keytab, not in etc/dovecot. Should be OK, right?)
Here is my keytab list (partial); note that every entry appears in triplicate. I don't see
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
Can you tell from any of this why I'm still not able to authenticate?
You only need the lines 97 and 98 and substitute fqdn and realm like I
mentioned above.
It must be possible for Thunderbird to use plain authentication with
your Windows account username.
It may be that you must configure userdb and passdb to do LDAP lookups against
Active Directory.
Post by Mark Foley
Thanks, --Mark
-----Original Message-----
Post by Achim Gottinger
Date: Thu, 30 Jun 2016 11:51:34 +0200
Post by Mark Foley
To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set
Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab
file as required by Dovecot. I've also downloaded and installed Kerberos for access to
the k* commands (ktutil, kinit, klist, ...).
In my current setup, the Thunderbird client (WIN7 workstation) is not connecting. The WIN7
workstation is a domain member and works fine otherwise with Samba4 for AD user authentication,
that you are logged in to the Kerberos/GSSAPI realm."
server at all, but rather the email address of the Thunderbird account.
When attempting to connect, the Dovecot log simply has "Disconnected (no auth attempts in 18
secs): user=<>". No message at all appears in the samba log although I have auth:10 level set.
auth_mechanisms = plain login gssapi
That's it (the other mechanism work just fine, BTW). Not much I can mess with there.
I think the problem is with Samba and handling the authentication. I do not think my Samba4 is
configured correctly. Over a year ago Rowland Penny helped me configure a Ubuntu workstation
for single-sign-on using Kerberos. He had me put the following lines into that workstation's
security = ADS
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind nss info = rfc2307
winbind trusted domains only = no
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
I've tried sticking all of these in the AD/DC smb.conf and, when restarting Samba, I get a log
message, "Samba detected misconfigured 'server role' and exited."
passwd: compat winbind
group: compat winbind
Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server
for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.
Need Help! Thanks --Mark
Hello Mark,
This is what I used in Debian wheezy a few years back. I assume
arcfour-hmac is unsafe these days but I did not yet investigate
other working encryption types here.
If you need smtp (postfix with auth via dovecot) also add the smtp
SPNs. Use the password for user dovecot during keytab creation.
1. Create an user
samba-tool create user dovcot
2. Add the spn
3. Create the keytab file
ktutil
arcfour-hmac
arcfour-hmac
wkt /etc/dovecot/dovecot.keytab
4. Add this to your dovecot config
# Kerberos
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
Hope it helps,
achim~
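Mark asks whether anything in his keytab listing explains the failure, and notes that every entry appears three times; Achim's worry about arcfour-hmac concerns the same data. As an added example (not code from the thread, from Samba or from Dovecot), here is a small reader for the MIT keytab format that does what `klist -ke` does for the file named in `auth_krb5_keytab`, without printing key material, and then checks two things worth ruling out before blaming Samba: whether the `imap/<fqdn>@REALM` principal Dovecot will look for is present at all, and which entries are RC4 or DES. The sample keytab is constructed inside the block from the thread's names (`imap/mail.hprs.local@HPRS.LOCAL`, an assumed KVNO of 2) with dummy key bytes; it is not Mark's real file. The 0x0502 layout (signed entry size, component count, realm, components, name type, timestamp, 8-bit vno, keyblock, optional 32-bit vno) is MIT's documented keytab format.

```python
"""Added example: read an MIT 0x0502 keytab the way `klist -ke` does, without
exposing key bytes, and check it for the principals Dovecot needs. The sample
keytab is constructed here with dummy keys; it is not a real file."""
import os
import stat
import struct

# enctype numbers from RFC 3961/3962/4757; anything else is shown by number
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 23}  # single DES and RC4 (arcfour-hmac)


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples; sample input only."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">HH", len(comps), len(realm)))
        body += realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">I", 1)            # name type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 1467244800)   # timestamp (constructed)
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit vno
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)         # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """One dict per live slot: principal, kvno, etype number and name."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        pos += 8                # name type (4) and timestamp (4)
        kvno = data[pos]
        pos += 1
        etype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen         # step over the key itself; never print it
        if end - pos >= 4:      # optional 32-bit vno wins when non-zero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "etype": etype,
                        "enctype": ENCTYPES.get(etype, str(etype))})
    return entries


def check_service_keytab(data, required_principals):
    """Which required principals are absent, and which slots are RC4/DES."""
    entries = parse_keytab(data)
    present = {e["principal"] for e in entries}
    return {"entries": entries,
            "missing": sorted(set(required_principals) - present),
            "weak": sorted((e["principal"], e["enctype"]) for e in entries
                           if e["etype"] in WEAK_ENCTYPES)}


def audit_keytab_file(path, required_principals):
    """Same check on a real file, plus whether it is world-readable
    (0640 root:dovecot is enough; world-readable is not needed)."""
    with open(path, "rb") as fh:
        report = check_service_keytab(fh.read(), required_principals)
    report["world_readable"] = bool(os.stat(path).st_mode & stat.S_IROTH)
    return report


# Constructed sample: the thread's imap principal, three enctypes (the
# "triplicate" Mark sees in his listing), dummy key bytes, assumed KVNO 2.
IMAP_SPN = "imap/mail.hprs.local@HPRS.LOCAL"
SAMPLE_KEYTAB = build_keytab([(IMAP_SPN, 2, 23, b"\x11" * 16),
                              (IMAP_SPN, 2, 17, b"\x22" * 16),
                              (IMAP_SPN, 2, 18, b"\x33" * 32)])

if __name__ == "__main__":
    rep = check_service_keytab(SAMPLE_KEYTAB,
                               [IMAP_SPN, "smtp/mail.hprs.local@HPRS.LOCAL"])
    for e in rep["entries"]:
        print(f"{e['kvno']:4d} {e['principal']} ({e['enctype']})")
    print("missing:", rep["missing"], "weak:", rep["weak"])
```

Point `audit_keytab_file` at the real `/etc/dovecot/dovecot.keytab` with the principals you expect. Three lines with the same principal and KVNO but different enctypes is the normal shape, not a problem; a missing `imap/` principal, or a KVNO that does not match what the KDC holds for the account, is the kind of mismatch to rule out here, and this is cheaper than reading the Samba auth log at level 10.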
Achim Gottinger
2016-07-01 08:37:51 UTC
It's getting a bit off-topic for the samba list :-)

Look at the testing section in
http://wiki2.dovecot.org/Authentication/Kerberos do what is mentioned
below "Test that the server can access the keytab".

If I run the telnet authenticated test, klist afterwards contains the
imap keys.
Post by Mark Foley
More info ...
when I do
(using the domain of the registered certificate). I do not get the message "Certificate host
check failed: certificate owner does not match hostname ..."
I do get the same (mutt?) edit screen shown below with the "(r)eject, accept (o)nce, (a)ccept
always" action at the bottom. If I "accept (o)nce", I am asked for the 'mark' password and put
Nothing in maillog, but dovecot log show a successful PLAIN authentication. If I configure
dovecot for only gssapi and run mutt again, I get the message "No authenticators available".
set imap_authenticators="gssapi"
and ran
same: "No authenticators available"
$ dovecot --build-options
Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
Passdb: checkpassword passwd passwd-file shadow
Userdb: checkpassword nss passwd prefetch passwd-file
Should gssapi show up here? I did just rebuild dovecot with `./configure --with-gssapi=yes`
#define HAVE_GSSAPI_GSSAPI_H /**/
#define HAVE_GSSAPI_H /**/
#define HAVE_GSSAPI /**/
#define HAVE_GSSAPI_GSSAPI_EXT_H 1
#define HAVE_GSSAPI_GSSAPI_KRB5_H 1
#define HAVE_KRB5_GSS_REGISTER_ACCEPTOR_IDENTITY 1
#define HAVE_GSSAPI_SPNEGO /**/
#define BUILTIN_GSSAPI /**/
Maybe I need to ask the dovecot people how to confirm that I have gssapi.
--Mark
-----Original Message-----
Date: Fri, 01 Jul 2016 00:09:29 -0400
Organization: Ohio Highway Patrol Retirement System
Subject: Re: [Samba] Where is krb5.keytab or equivalent?
Achim - per your instructions ...
Post by Achim Gottinger
Did a few test here "auth_gssapi_hostname = "$ALL"" is no longer
required with dovecot (2.2.13 here).
# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.
But, I've commented that out per your suggestion.
Post by Achim Gottinger
Add "auth_debug=yes" to your dovecot config.
auth_debug_passwords = yes
but I've added the auth_debug per your suggestion.
Post by Achim Gottinger
192.168.100.1 is my clients ip 192.168.100.101 is the servers
My WIN7/Thunderbird client is 192.168.0.58 and AD/DC/Dovecot server is 192.168.0.2
Post by Achim Gottinger
ag is the domain account username I use to login to windows and also the
username configured in thunderbird.
For me the domain and Tbird account is 'mark'
Post by Achim Gottinger
On my debian system an package named libsasl2-modules-gssapi-mit must be
installed.
I did install mit krb5. I am using Slackware which has a different package name, but it did
install and compile OK, so I don't think I'm missing anything (but who knows?).
Post by Achim Gottinger
To test kerberos against dovecot from the command line install "mutt".
I have mutt
Post by Achim Gottinger
I assume your windows account name is "mark"
yes
Post by Achim Gottinger
~#kinit mark
I did the above ... as root (should I have been 'mark'?) on the AD/DC server.
----------
$ kinit mark
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Valid starting Expires Service principal
renew until 07/01/2016 23:41:27
---------
Did that. A message quickly flashed: "Certificate host check failed: certificate owner does
not match hostname mail.hprs.org".
-------
mail.ohprs.org
Unknown
Unknown
Domain Control Validated
Unknown
Go Daddy Secure Certificate Authority - G2
Unknown
GoDaddy.com, Inc.
Scottsdale
This certificate is valid
from Aug 14 21:38:38 2015 GMT
to Aug 15 17:49:32 2016 GMT
Fingerprint: B3B3 98E9 5675 0CEB 95D4 9146 9D1C 9064
(r)eject, accept (o)nce, (a)ccept always
------
I did (r), then quit. I also tried
to no better results.
[deleted]
Jun 30 23:53:28 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [98.102.63.107]
Jun 30 23:53:43 imap-login: Debug: SSL alert: close notify [98.102.63.107]
Jun 30 23:53:43 imap-login: Info: Disconnected (no auth attempts in 15 secs): user=<>, rip=98.102.63.107, lip=98.102.63.107, TLS: Disconnected, session=<TD7I7oo2gQBiZj9r>
Post by Achim Gottinger
Also take a look at this page
http://wiki2.dovecot.org/Authentication/Kerberos
Been to that page dozens of times :) A couple of things different on that page from our config
We added 'imap/mail.hprs.local dovecot', i.e. the fqdn, not just the hostname. Could this be a
clue?
2) "Enable plaintext authentication to use Kerberos
This is needed when some of your clients don't support GSSAPI and you still want them to
authenticate against Kerberos."
It then shows an /etc/pam.d/dovecot config, but I don't care about clients who do not support
GSSAPI, so I don't think I need this.
Post by Achim Gottinger
Looking at my spn's you may also need
samba-tool spn add imap/mail.hprs.local dovecot
I added that, didn't make any difference.
does the "Certificate host check failed" message and the mutt output tell you anything?
Thanks for your patience --Mark
-----Original Message-----
Post by Achim Gottinger
Date: Fri, 1 Jul 2016 01:38:15 +0200
Did a few test here "auth_gssapi_hostname = "$ALL"" is no longer
required with dovecot (2.2.13 here).
Add "auth_debug=yes" to your dovecot config.
192.168.100.1 is my clients ip 192.168.100.101 is the servers
ag is the domain account username I use to login to windows and also the
username configured in thunderbird.
On my debian system an package named libsasl2-modules-gssapi-mit must be
installed.
To test kerberos against dovecot from the command line install "mutt".
I assume your windows account name is "mark"
~#kinit mark
Debug: auth client connected (pid=22585)
AUTH#0111#011GSSAPI#011service=imap#011secured#011session=p/ahQ4c2/wB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=44287#011resp=<hidden>
security context state completed.
CONT#0111#011YIGVBgkqhkiG9xIBAgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrXAIZT4a2p58/+ylPphtphYA6sTnK4QCyRkHRm1VTnvrfjxc3Ya2ui9IHsBGnPggzjLVNScFx6aHJi99VCDG7s07zNUF8d4WHuNZz7el5gwK4Quy3AeUX8zVa7xkIECuTtT5W7BjpsBThhMc=
logon-zor dovecot: auth: Debug: client in: CONT<hidden>
Negotiated security layer
CONT#0111#011BQQF/wAMAAAAAAAAKxVA5AH///8b1puThszycYxSFvE=
logon-zor dovecot: auth: Debug: client in: CONT<hidden>
imap-login: Login: user=<ag>, method=GSSAPI, rip=127.0.0.1,
lip=127.0.0.1, mpid=19022, TLS, session=<CdYH6IY2oADAwAw9>
Also take a look at this page
http://wiki2.dovecot.org/Authentication/Kerberos
Looking at my spn's you may also need
samba-tool spn add imap/mail.hprs.local dovecot
Post by Mark Foley
Achim,
$ samba-tool user delete dovecot
$ samba-tool user add dovecot
# again, that asked for a password and I assigned one.
$ ktutil
ktutil: wkt /etc/dovecot/dovecot.keytab
ktutil: quit
$ ktutil
ktutil: read_kt /etc/dovecot/dovecot.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
So, much better. Duh for me not noticing that I had to change fqdn and domain to my own.
Reloaded dovecot and tried again. Same error :(
Jun 30 18:36:10 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<OTQqf4Y2SgDAqAA6>
It must be possible for Thunderbird to use plain authentication with your Windows account
username. It may be that you must configure userdb and passdb to do LDAP lookups against Active
Directory.
Yes, Thunderbird (and Outlook, iPhone/Android, roundCube) all do plain text auth to dovecot. I will
continue to need this for non-domain email clients. According to the dovecot folks, the passwd
as userdb should work OK for gssapi. The passdb is ignored for gssapi. Besides, LDAP
authentication is another one (along with NTLM) that I haven't been able to get working with
Dovecot. The only ones I've been able to get working are PLAIN and, believe it or not,
checkpassword - which is basically a passdb driver for PLAIN.
Perhaps there is some samba setting I'm missing? Here's my AD/DC smb.conf, do you see anything
[global]
workgroup = HPRS
realm = hprs.local
netbios name = MAIL
interfaces = lo, eth1
bind interfaces only = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
winbind use default domain = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log level = 2 passdb:5 auth:10 winbind:2 lanman:10
max log size = 1000
[netlogon]
path = /var/lib/samba/sysvol/hprs.local/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[Users]
path = /redirectedFolders/Users
comment = user folders for redirection
read only = No
[share]
path = /var/lib/samba/share
comment = Shared folder
read only = No
Thanks --Mark
-----Original Message-----
Date: Thu, 30 Jun 2016 23:44:17 +0200
Subject: Re: [Samba] Where is krb5.keytab or equivalent?
Post by Mark Foley
Post by Achim Gottinger
1. Create an user
samba-tool create user dovcot
I did this (actually `samba-tool user create dovecot`), but it asked for a password. I
entered one. You didn't mention that, so I hope it's OK.
Yes
Post by Mark Foley
Post by Achim Gottinger
2. Add the spn
Did that too. No issue there.
Well you must substitute server.domain.local with your mailserver fqdn
and DOMAIN.LOCAL with HPRS.LOCAL.
Post by Mark Foley
Post by Achim Gottinger
3. Create the keytab file
ktutil
arcfour-hmac
arcfour-hmac
wkt /etc/dovecot/dovecot.keytab
As you can see, your text wrapped, but from the error message I got I assumed the -e [enctype]
$ ktutil
Same here substitute like above and as you said arcfour-hmac belongs in
the same line.
Post by Mark Foley
Of course, that will probably also wrap when you get this message, but basically I put the
arcfour-hmac on the same line as the addent. Each time, these commands also asked for a
password. Again, you didn't mention that, but I used the same password I used for the
`samba-tool user create` command above.
I tried 'wkt /etc/dovecot/dovecot.keytab' while in ktutil, but I got, "Unknown request "wtk".
Type '?' for a request list." In looking at the "?" list I saw 'wkt', so I assumed you simply
transposed the letters. I tried it and it took.
Yes wkt is the command, but make sure /etc/dovecot/dovecot.keytab does
not yet exist.
Only the two keys you just added are required to get kerberos working.
The system keytab you generated with samba-tool domain exportkeytab is
not required.
Post by Mark Foley
Post by Achim Gottinger
4. Add this to your dovecot config
# Kerberos
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
Did that. In addition, I set the keytab file's group to dovecot and made the file group
readable, as suggested by http://wiki2.dovecot.org/Authentication/Kerberos. I also tried
making it world readable. Now, after doing all that and restarting dovecot I still get the
Jun 30 16:59:54 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<3hLnJoU2vgDAqAA6>
and still the same error in Thunderbird: "The Kerberos/GSSAPI ticket was not accepted by the
Thunderbird account (running on WIN7).
auth_debug_passwords = yes
* auth_gssapi_hostname = $ALL
* auth_krb5_keytab = /etc/krb5.keytab
* auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
driver = passwd
}
verbose_ssl = yes
(yes, I put the keytab file in /etc/krb5.keytab, not in etc/dovecot. Should be OK, right?)
Here is my keytab list (partial); note that every entry appears in triplicate. I don't see
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
Can you tell from any of this why I'm still not able to authenticate?
You only need the lines 97 and 98 and substitute fqdn and realm like I
mentioned above.
It must be possible for Thunderbird to use plain authentication with
your windows account username.
It could be that you must configure userdb and passdb to do ldap lookups against
active directory.
Post by Mark Foley
Thanks, --Mark
-----Original Message-----
Post by Achim Gottinger
Date: Thu, 30 Jun 2016 11:51:34 +0200
Post by Mark Foley
To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set
Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab
file as required by Dovecot. I've also downloaded and installed Kerberos for access to
the k* commands (ktutil, kinit, klist, ...).
In my current setup, the Thunderbird client (WIN7 workstation) is not connecting. The WIN7
workstation is a domain member and works fine otherwise with Samba4 for AD user authentication,
that you are logged in to the Kerberos/GSSAPI realm."
server at all, but rather the email address of the Thunderbird account.
When attempting to connect, the Dovecot log simply has "Disconnected (no auth attempts in 18
secs): user=<>". No message at all appears in the samba log although I have auth:10 level set.
auth_mechanisms = plain login gssapi
That's it (the other mechanisms work just fine, BTW). Not much I can mess with there.
I think the problem is with Samba and handling the authentication. I do not think my Samba4 is
configured correctly. Over a year ago Rowland Penny helped me configure an Ubuntu workstation
for single-sign-on using Kerberos. He had me put the following lines into that workstation's
security = ADS
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind nss info = rfc2307
winbind trusted domains only = no
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
I've tried sticking all of these in the AD/DC smb.conf and, when restarting Samba, I get a log
message, "Samba detected misconfigured 'server role' and exited."
passwd: compat winbind
group: compat winbind
Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server
for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.
Need Help! Thanks --Mark
Hello Mark,
This is what I used in Debian Wheezy a few years back. I assume
arcfour-hmac is unsafe these days but I have not yet investigated
other working encryption methods here.
If you need smtp (postfix with auth via dovecot) also add the smtp
spn's. Use the password for user dovecot during keytab creation.
1. Create an user
samba-tool create user dovcot
2. Add the spn
3. Create the keytab file
ktutil
arcfour-hmac
arcfour-hmac
wkt /etc/dovecot/dovecot.keytab
4. Add this to your dovecot config
# Kerberos
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
Hope it helps,
achim~
Achim Gottinger
2016-07-01 09:55:20 UTC
Permalink
Post by Achim Gottinger
It's getting a bit off-topic for the samba list :-)
Look at the testing section in
http://wiki2.dovecot.org/Authentication/Kerberos and do what is mentioned
below "Test that the server can access the keytab".
If I run the telnet authenticated test, klist afterwards contains
the imap keys.
Post by Mark Foley
More info ...
when I do
(using the domain of the registered certificate). I do not get the
message "Certificate host
check failed: certificate owner does not match hosthame ..."
I do get the same (mutt?) edit screen shown below with the "(r)eject,
accept (o)nce, (a)ccept
always" action at the bottom. If I "accept (o)nce", I am asked for
the 'mark' password and put
into what must be the mutt mail interface showing my
Nothing in maillog, but dovecot log show a successful PLAIN
authentication. If I configure
dovecot for only gssapi and run mutt it again, I get the messge "No
authenticators available".
set imap_authenticators="gssapi"
and ran
same: "No authenticators available"
$ dovecot --build-options
Build options: ioloop=epoll notify=inotify ipv6 openssl
io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
Passdb: checkpassword passwd passwd-file shadow
Userdb: checkpassword nss passwd prefetch passwd-file
Should gssapi show up here? I did just rebuild dovecot with
`./configure ----with-gssapi=yes`
#define HAVE_GSSAPI_GSSAPI_H /**/
#define HAVE_GSSAPI_H /**/
#define HAVE_GSSAPI /**/
#define HAVE_GSSAPI_GSSAPI_EXT_H 1
#define HAVE_GSSAPI_GSSAPI_KRB5_H 1
#define HAVE_KRB5_GSS_REGISTER_ACCEPTOR_IDENTITY 1
#define HAVE_GSSAPI_SPNEGO /**/
#define BUILTIN_GSSAPI /**/
Maybe I need to ask the dovecot people how to confirm that I have gssapi.
Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe at a
different location. On Debian this comes with the dovecot-gssapi package.
Post by Achim Gottinger
Post by Mark Foley
--Mark
-----Original Message-----
Date: Fri, 01 Jul 2016 00:09:29 -0400
Organization: Ohio Highway Patrol Retirement System
Subject: Re: [Samba] Where is krb5.keytab or equivalent?
Achim - per your instructions ...
Post by Achim Gottinger
Did a few tests here; "auth_gssapi_hostname = "$ALL"" is no longer
required with dovecot (2.2.13 here).
# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.
But, I've commented that out per your suggestion.
Post by Achim Gottinger
Add "auth_debug=yes" to your dovecot config.
auth_debug_passwords = yes
but I've added the auth_debug per your suggestion.
Post by Achim Gottinger
192.168.100.1 is my client's IP, 192.168.100.101 is the server's.
My WIN7/Thunderbird client is 192.168.0.58 and AD/DC/Dovecot server is 192.168.0.2
Post by Achim Gottinger
ag is the domain account username I use to login to windows and also the
username configured in thunderbird.
For me the domain and Tbird account is 'mark'
Post by Achim Gottinger
On my Debian system a package named libsasl2-modules-gssapi-mit must be
installed.
I did install MIT krb5. I am using Slackware which has a different package name, but it did
install and compile OK, so I don't think I'm missing anything (but who knows?).
Post by Achim Gottinger
To test kerberos against dovecot from the command line install "mutt".
I have mutt
Post by Achim Gottinger
I assume your windows account name is "mark"
yes
Post by Achim Gottinger
~#kinit mark
I did the above ... as root (should I have been 'mark'?) on the AD/DC server.
----------
$ kinit mark
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Valid starting Expires Service principal
renew until 07/01/2016 23:41:27
---------
certificate owner does
not match hostname mail.hprs.org".
-------
mail.ohprs.org
Unknown
Unknown
Domain Control Validated
Unknown
Go Daddy Secure Certificate Authority - G2
Unknown
GoDaddy.com, Inc.
Scottsdale
This certificate is valid
from Aug 14 21:38:38 2015 GMT
to Aug 15 17:49:32 2016 GMT
Fingerprint: B3B3 98E9 5675 0CEB 95D4 9146 9D1C 9064
(r)eject, accept (o)nce, (a)ccept always
------
I did (r), then quit. I also tried
to no better results.
[deleted]
Jun 30 23:53:28 imap-login: Debug: SSL: where=0x2002, ret=1: SSL
negotiation finished successfully [98.102.63.107]
Jun 30 23:53:43 imap-login: Debug: SSL alert: close notify
[98.102.63.107]
Jun 30 23:53:43 imap-login: Info: Disconnected (no auth attempts in
Disconnected, session=<TD7I7oo2gQBiZj9r>
Post by Achim Gottinger
Also take a look at this page
http://wiki2.dovecot.org/Authentication/Kerberos
Been to that page dozens of times :) A couple of things different on
that page from our config
1) "... you will need to install a service ticket of the form
We added 'imap/mail.hprs.local dovecot', i.e. the fqdn, not just the
hostname. Could this be a
clue?
2) "Enable plaintext authentication to use Kerberos
This is needed when some of your clients don't support GSSAPI and you still want them to
authenticate against Kerberos."
It then shows an /etc/pam.d/dovecot config, but I don't care about
clients who do not support
GSSAPI, so I don't think I need this.
Post by Achim Gottinger
Looking at my spn's you may also need
samba-tool spn add imap/mail.hprs.local dovecot
I added that, didn't make any difference.
does the "Certificate host check failed" message and the mutt output tell you anything?
Thanks for your patience --Mark
-----Original Message-----
Post by Achim Gottinger
Date: Fri, 1 Jul 2016 01:38:15 +0200
Did a few tests here; "auth_gssapi_hostname = "$ALL"" is no longer
required with dovecot (2.2.13 here).
Add "auth_debug=yes" to your dovecot config.
192.168.100.1 is my client's IP, 192.168.100.101 is the server's.
ag is the domain account username I use to login to windows and also the
username configured in thunderbird.
On my Debian system a package named libsasl2-modules-gssapi-mit must be
installed.
To test kerberos against dovecot from the command line install "mutt".
I assume your windows account name is "mark"
~#kinit mark
Debug: auth client connected (pid=22585)
AUTH#0111#011GSSAPI#011service=imap#011secured#011session=p/ahQ4c2/wB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=44287#011resp=<hidden>
security context state completed.
CONT#0111#011YIGVBgkqhkiG9xIBAgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrXAIZT4a2p58/+ylPphtphYA6sTnK4QCyRkHRm1VTnvrfjxc3Ya2ui9IHsBGnPggzjLVNScFx6aHJi99VCDG7s07zNUF8d4WHuNZz7el5gwK4Quy3AeUX8zVa7xkIECuTtT5W7BjpsBThhMc=
logon-zor dovecot: auth: Debug: client in: CONT<hidden>
Negotiated security layer
CONT#0111#011BQQF/wAMAAAAAAAAKxVA5AH///8b1puThszycYxSFvE=
logon-zor dovecot: auth: Debug: client in: CONT<hidden>
imap-login: Login: user=<ag>, method=GSSAPI, rip=127.0.0.1,
lip=127.0.0.1, mpid=19022, TLS, session=<CdYH6IY2oADAwAw9>
Also take a look at this page
http://wiki2.dovecot.org/Authentication/Kerberos
Looking at my spn's you may also need
samba-tool spn add imap/mail.hprs.local dovecot
Post by Mark Foley
Achim,
$ samba-tool user delete dovecot
$ samba-tool user add dovecot
# again, that asked for a password and I assigned one.
$ ktutil
ktutil: wkt /etc/dovecot/dovecot.keytab
ktutil: quit
$ ktutil
ktutil: read_kt /etc/dovecot/dovecot.keytab
ktutil: list
slot KVNO Principal
---- ----
---------------------------------------------------------------------
So, much better. Duh for me not noticing that I had to change fqdn
and domain to my own.
Reloaded dovecot and tried again. Same error :(
Jun 30 18:36:10 imap-login: Info: Disconnected (no auth attempts in
6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS,
session=<OTQqf4Y2SgDAqAA6>
Post by Achim Gottinger
It must be possible for Thunderbird to use plain authentication with your windows account
username. It could be that you must configure userdb and passdb to do ldap lookups against
active directory.
Yes, Thunderbird (and Outlook, iPhone/Android, roundCube) all do plain text auth to dovecot. I will
continue to need this for non-domain email clients. According to the dovecot folks, the passwd
as userdb should work OK for gssapi. The passdb is ignored for gssapi. Besides, LDAP
authentication is another one (along with NTLM) that I haven't been able to get working with
Dovecot. The only ones I've been able to get working are PLAIN and, believe it or not,
checkpassword - which is basically a passdb driver for PLAIN.
Perhaps there is some samba setting I'm missing? Here's my AD/DC smb.conf, do you see anything
[global]
workgroup = HPRS
realm = hprs.local
netbios name = MAIL
interfaces = lo, eth1
bind interfaces only = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
winbind use default domain = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log level = 2 passdb:5 auth:10 winbind:2 lanman:10
max log size = 1000
[netlogon]
path = /var/lib/samba/sysvol/hprs.local/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[Users]
path = /redirectedFolders/Users
comment = user folders for redirection
read only = No
[share]
path = /var/lib/samba/share
comment = Shared folder
read only = No
Thanks --Mark
Mark Foley
2016-07-01 18:53:35 UTC
Permalink
Post by Achim Gottinger
Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe at an
different location. On debian this comes with the dovecot-gssapi package.
That module is nowhere on my system.

--Mark
Achim Gottinger
2016-07-01 20:40:19 UTC
Permalink
I'm sure it will not work till you get that module built. :-)
Achim Gottinger
2016-07-01 21:29:35 UTC
Permalink
Here's the test (I must run mutt, not telnet like I mentioned earlier, to
get the imap tickets).

***@server:~# kinit achim
Password for ***@DOMAIN.LOCAL:
[I enter my password]
MAIL=imap://***@server.domain.local/ mutt
[Mutt asks about the cert, I select accept once and I end up in my INBOX.
I leave mutt by entering q+ENTER]
***@server:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ***@DOMAIN.LOCAL

Valid starting Expires Service principal
01.07.2016 23:16:30 02.07.2016 09:16:30 krbtgt/***@DOMAIN.LOCAL
renew until 02.07.2016 23:16:28
01.07.2016 23:17:04 02.07.2016 09:16:30 imap/server.domain.local@
renew until 02.07.2016 23:16:28
01.07.2016 23:17:04 02.07.2016 09:16:30
imap/***@DOMAIN.LOCAL
renew until 02.07.2016 23:16:28

***@server:~# samba-tool spn list dovecot
dovecot
User CN=dovecot,CN=Users,DC=domain,DC=local has the following
servicePrincipalName:
smtp/***@DOMAIN.LOCAL
imap/***@DOMAIN.LOCAL
imap/server.domain.local

***@server:~#cat /etc/hosts
127.0.0.1 localhost
192.168.100.102 server.domain.local server

Excerpt from /var/log/mail.log (on Debian mail.log contains the debug
info).

Jul 1 23:17:01 server dovecot: auth: Debug: Loading modules from
directory: /usr/lib/dovecot/modules/auth
Jul 1 23:17:01 server dovecot: auth: Debug: Module loaded:
/usr/lib/dovecot/modules/auth/libmech_gssapi.so
Jul 1 23:17:01 server dovecot: auth: Debug: Loading modules from
directory: /usr/lib/dovecot/modules/auth
Jul 1 23:17:01 server dovecot: auth: Debug: Module loaded:
/usr/lib/dovecot/modules/auth/libauthdb_ldap.so
Jul 1 23:17:01 server dovecot: auth: Debug: Read auth token secret from
/var/run/dovecot/auth-token-secret.dat
Jul 1 23:17:01 server dovecot: auth: Debug: passwd-file
/etc/dovecot/passwd.masterusers: Read 0 users in 0 secs
Jul 1 23:17:01 server dovecot: auth: Debug: auth client connected
(pid=21490)
Jul 1 23:17:04 server dovecot: auth: Debug: client in:
AUTH#0111#011GSSAPI#011service=imap#011secured#011session=ldMkgpk2dAB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=39796#011resp=<hidden>
Jul 1 23:17:04 server dovecot: auth: Debug:
gssapi(?,127.0.0.1,<ldMkgpk2dAB/AAAB>): Using all keytab entries
Jul 1 23:17:04 server dovecot: auth: Debug:
gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): security context state
completed.
Jul 1 23:17:04 server dovecot: auth: Debug: client passdb out:
XXXXXXXXXXXXXXXXXXXXXXXXX
Jul 1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
Jul 1 23:17:04 server dovecot: auth: Debug:
gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): Negotiated security layer
Jul 1 23:17:04 server dovecot: auth: Debug: client passdb out:
XXXXXXXXXXXXXXXXXXXXXXXXX
Jul 1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
........
Jul 1 23:17:04 server dovecot: imap-login: Login: user=<achim>,
method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=21496, TLS,
session=<ldMkgpk2dAB/AAAB>
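A check that follows from Achim's procedure (service user, SPN, ktutil keytab) and from his klist/spn list verification above, added here as an example that is not from the thread, Samba or Dovecot: it parses MIT `klist -ke` output to confirm the imap/<fqdn>@REALM principal is present, flags arcfour-hmac keys (which Achim already assumes are unsafe), and refuses a world-readable keytab. The klist samples are constructed; the host and realm names are the thread's (mail.hprs.local, HPRS.LOCAL), and the MIT output layout is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a Dovecot GSSAPI keytab.
# Assumes MIT Kerberos "klist -ke" output (KVNO, principal, enctype per line).
# Both samples below are constructed; names follow the thread (mail.hprs.local).

SAMPLE_KLIST='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)
   1 imap/mail@HPRS.LOCAL (arcfour-hmac)'

# The same keytab after re-keying the service account with AES (constructed).
SAMPLE_KLIST_AES='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 imap/mail.hprs.local@HPRS.LOCAL (aes256-cts-hmac-sha1-96)
   2 imap/mail@HPRS.LOCAL (aes256-cts-hmac-sha1-96)'

# keytab_principals KLIST_OUTPUT : one principal per line (3 header lines skipped)
keytab_principals() {
    printf '%s\n' "$1" | awk 'NR > 3 && NF >= 2 { print $2 }' | sort -u
}

# has_principal KLIST_OUTPUT PRINCIPAL : true if the keytab holds PRINCIPAL
has_principal() {
    keytab_principals "$1" | grep -qxF "$2"
}

# weak_enctype_entries KLIST_OUTPUT : "principal enctype" for every RC4/DES key
weak_enctype_entries() {
    printf '%s\n' "$1" | awk 'NR > 3 && NF >= 3 {
        enc = $3; gsub(/[()]/, "", enc)
        if (enc ~ /^(arcfour-hmac|arcfour-hmac-exp|des-cbc-crc|des-cbc-md5|des3-cbc-sha1)$/)
            print $2, enc
    }'
}

# keytab_mode_ok FILE : true if "other" has no permission bits (not world-readable);
# group-readable by the dovecot group, as the Dovecot wiki suggests, still passes
keytab_mode_ok() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# service_principal FQDN REALM : the principal a client connecting to FQDN asks for
service_principal() {
    printf 'imap/%s@%s\n' "$1" "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
}

# audit_keytab KLIST_OUTPUT FQDN REALM : print findings, return 1 if any problem
audit_keytab() {
    rc=0
    want=$(service_principal "$2" "$3")
    if has_principal "$1" "$want"; then
        echo "ok: $want present"
    else
        echo "MISSING: $want (clients connecting to $2 request a ticket for it)"
        rc=1
    fi
    weak=$(weak_enctype_entries "$1")
    if [ -n "$weak" ]; then
        echo "WEAK enctype (re-key the service account with an AES enctype):"
        echo "$weak"
        rc=1
    fi
    return $rc
}

# Demo on the constructed samples. On a real host run, as root:
#   audit_keytab "$(klist -ke /etc/dovecot/dovecot.keytab)" mail.hprs.local hprs.local
#   keytab_mode_ok /etc/dovecot/dovecot.keytab || echo "keytab is world-readable"
audit_keytab "$SAMPLE_KLIST" mail.hprs.local hprs.local || echo "-> fix the keytab"
audit_keytab "$SAMPLE_KLIST_AES" mail.hprs.local hprs.local
```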
Mark Foley
2016-07-02 01:15:58 UTC
Permalink
Post by Achim Gottinger
Here's the test (I must run mutt, not telnet like I mentioned earlier, to
get the imap tickets).
[I enter my password]
As root on AD/DC mail.hprs.local:

me:
$ kinit mark
Password for ***@HPRS.LOCAL:
[I enter my password]
me:
$ MAIL=imap://***@server.domain.local/ mutt -F /etc/Muttrc

I get the mutt message, "Certificate host check failed: certificate owner does not match
hostname mail.hprs.local".

After that, in the mutt screen, I get:

-----BEGIN------
This certificate belongs to:
mail.ohprs.org
Unknown
Unknown
Domain Control Validated
Unknown

This certificate was issued by:
Go Daddy Secure Certificate Authority - G2
Unknown
GoDaddy.com, Inc.
http:
Scottsdale

This certificate is valid
from Aug 14 21:38:38 2015 GMT
to Aug 15 17:49:32 2016 GMT

Fingerprint: B3B3 98E9 5675 0CEB 95D4 9146 9D1C 9064
-----END-------
Post by Achim Gottinger
Ticket cache: FILE:/tmp/krb5cc_0
[etc ...]

me:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ***@HPRS.LOCAL

Valid starting Expires Service principal
07/01/2016 20:57:56 07/02/2016 06:57:56 krbtgt/***@HPRS.LOCAL
renew until 07/02/2016 20:57:52

Clearly, I am misconfigured at some level. From my mouse-eye-view, the certificate is for
mail.ohprs.org, not mail.hprs.local. What about you? You must have a certificate for
server.domain.local as well as your public domain, yes? Did you at some point create a
self-signed certificate?

What do you suggest?

--Mark

Achim Gottinger
2016-07-02 01:39:42 UTC
Permalink
Yes I created a self-signed cert (with the easy-rsa scripts from
openvpn). Does mutt let you accept the cert anyway? On an earlier test
you got past the cert state and had to enter a password or got a no
auth failure.

Also figure out where dovecot auth debug log entries get written (here
dovecot writes logs to mail.info, mail.error, mail.log, debug only ends
up in mail.log).
Post by Mark Foley
Post by Achim Gottinger
Here's the test (I must run mutt not telnet like i mentioned earlier to
get the imap tickets).
[I enter my password]
$ kinit mark
[I enter my password]
I get the mutt message, "Certificate host check failed: certificate owner does not mathc
hosthame mail.hprs.local".
-----BEGIN------
mail.ohprs.org
Unknown
Unknown
Domain Control Validated
Unknown
Go Daddy Secure Certificate Authority - G2
Unknown
GoDaddy.com, Inc.
Scottsdale
This certificate is valid
from Aug 14 21:38:38 2015 GMT
to Aug 15 17:49:32 2016 GMT
Fingerprint: B3B3 98E9 5675 0CEB 95D4 9146 9D1C 9064
-----END-------
Post by Achim Gottinger
Ticket cache: FILE:/tmp/krb5cc_0
[etc ...]
Ticket cache: FILE:/tmp/krb5cc_0
Valid starting Expires Service principal
renew until 07/02/2016 20:57:52
Clearly, I am misconfigured at some level. From my mouse-eye-view, the certificate is for
mail.ohprs.org, not mail.hprs.local. What about you? You must have a certificate for
server.domain.local as well as your public domain, yes? Did you at some point create a
self-signed certificate?
What do you suggest?
--Mark
-----Original Message-----
Post by Achim Gottinger
Date: Fri, 1 Jul 2016 23:29:35 +0200
Subject: Re: [Samba] Where is krb5.keytab or equivalent?
Here's the test (I must run mutt not telnet like i mentioned earlier to
get the imap tickets).
[I enter my password]
[Mutt asks about the cert i select accept once and i endup on my INBOX.
I leave mutt by entring q+ENTER]
Ticket cache: FILE:/tmp/krb5cc_0
Valid starting Expires Service principal
renew until 02.07.2016 23:16:28
renew until 02.07.2016 23:16:28
01.07.2016 23:17:04 02.07.2016 09:16:30
renew until 02.07.2016 23:16:28
dovecot
User CN=dovecot,CN=Users,DC=domain,DC=local has the following
imap/server.domain.local
127.0.0.1 localhost
192.168.100.102 server.domain.local server
Excerpt from /var/log/mail.log ( On debian mail.log contains the debug
info).
Jul 1 23:17:01 server dovecot: auth: Debug: Loading modules from
directory: /usr/lib/dovecot/modules/auth
/usr/lib/dovecot/modules/auth/libmech_gssapi.so
Jul 1 23:17:01 server dovecot: auth: Debug: Loading modules from
directory: /usr/lib/dovecot/modules/auth
/usr/lib/dovecot/modules/auth/libauthdb_ldap.so
Jul 1 23:17:01 server dovecot: auth: Debug: Read auth token secret from
/var/run/dovecot/auth-token-secret.dat
Jul 1 23:17:01 server dovecot: auth: Debug: passwd-file
/etc/dovecot/passwd.masterusers: Read 0 users in 0 secs
Jul 1 23:17:01 server dovecot: auth: Debug: auth client connected
(pid=21490)
AUTH#0111#011GSSAPI#011service=imap#011secured#011session=ldMkgpk2dAB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=39796#011resp=<hidden>
gssapi(?,127.0.0.1,<ldMkgpk2dAB/AAAB>): Using all keytab entries
gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): security context state
completed.
XXXXXXXXXXXXXXXXXXXXXXXXX
Jul 1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): Negotiated security layer
XXXXXXXXXXXXXXXXXXXXXXXXX
Jul 1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
........
Jul 1 23:17:04 server dovecot: imap-login: Login: user=<achim>,
method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=21496, TLS,
session=<ldMkgpk2dAB/AAAB>
Post by Achim Gottinger
I'm sure it will not work till you get that module build. :-)
Post by Mark Foley
Post by Achim Gottinger
Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe at a
different location. On debian this comes with the dovecot-gssapi package.
That module is nowhere on my system.
--Mark
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Mark Foley
2016-07-02 02:15:05 UTC
Permalink
Post by Achim Gottinger
Yes, I created a self-signed cert (with the easy-rsa scripts from
openvpn).
Alright, I'll try that after this message and post back. In anticipation of "problems", where
do I put the path to that new cert? my 10-ssl.conf has:

ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key

Which is the key mutt keeps showing. I don't suppose I put the path there?
Post by Achim Gottinger
Does mutt let you accept the cert anyway? On an earlier test
you got past the cert state and had to enter a password or got a no-auth
failure.
Mutt lets me accept, but I get "No authenticators available", and the mutt screen is blank.
When it asked me for a password previously it was because it fell back to PLAIN authentication,
which worked. Now my /etc/Muttrc has

set imap_authenticators="gssapi"

to prevent that.
Post by Achim Gottinger
Also figure out where dovecot auth debug log entries get written (here
dovecot writes logs to mail.info, mail.error, mail.log, debug only ends
up in mail.log).
My /etc/dovecot.conf has

# debug_log_path = /var/log/Dovecot/dovecot_debug.log

commented. I'll uncomment that before the next test. Otherwise, I see nothing in maillog or
dovecot_info (info_log_path).

--Mark

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
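Mark's message above says mutt silently fell back to PLAIN before he pinned imap_authenticators="gssapi", and asks where Dovecot's auth debug output ends up. The client-side setting protects one client; on the server, the "imap-login: Login:" lines Dovecot writes (the format is the one in the debug excerpt quoted earlier in the thread) record which SASL mechanism and whether TLS was actually used for every session. The script below is an added example for this thread, not Dovecot's code or anything the posters wrote: it parses those lines and flags any login that used a mechanism other than GSSAPI or that ran without TLS. The log lines in SAMPLE_LOG are constructed, modelled on the quoted excerpt.

```python
"""Summarise Dovecot imap-login events and flag password-mechanism fallback.

Added example for this thread; SAMPLE_LOG is constructed, modelled on the
Dovecot debug output quoted in the thread. Not Dovecot's code.
"""
import re
from collections import Counter

# One regex for the Login: line imap-login writes after a successful login.
# "TLS" is optional: Dovecot omits it when the session was not encrypted.
LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]*)>, method=(?P<method>[A-Z0-9-]+), "
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+), mpid=(?P<mpid>\d+)"
    r"(?P<tls>, TLS)?.*session=<(?P<session>[^>]+)>"
)

# Constructed sample: one GSSAPI login, one PLAIN login over TLS, one PLAIN
# login with no TLS at all, and an unrelated debug line the parser must skip.
SAMPLE_LOG = """\
Jul  1 23:17:04 server dovecot: imap-login: Login: user=<achim>, method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=21496, TLS, session=<ldMkgpk2dAB/AAAB>
Jul  1 23:20:11 server dovecot: imap-login: Login: user=<mark>, method=PLAIN, rip=192.168.100.50, lip=192.168.100.102, mpid=21510, TLS, session=<aaaaAAAAbbbbBBBB>
Jul  1 23:21:30 server dovecot: imap-login: Login: user=<guest>, method=PLAIN, rip=192.168.100.77, lip=192.168.100.102, mpid=21522, session=<ccccCCCCddddDDDD>
Jul  1 23:22:00 server dovecot: auth: Debug: client in: CONT<hidden>
"""


def parse_logins(text):
    """Return one dict per imap-login Login: line; other lines are ignored."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["tls"] = rec["tls"] is not None
        logins.append(rec)
    return logins


def audit(text, allowed_methods=("GSSAPI",)):
    """Flag logins whose SASL mechanism is outside the allowed set, and any
    login that completed without TLS (a PLAIN password on the wire)."""
    findings = []
    for rec in parse_logins(text):
        who = "%s from %s (session %s)" % (rec["user"], rec["rip"], rec["session"])
        if rec["method"] not in allowed_methods:
            findings.append("%s: used %s instead of %s" % (who, rec["method"], "/".join(allowed_methods)))
        if not rec["tls"]:
            findings.append("%s: %s login without TLS" % (who, rec["method"]))
    return findings


def method_counts(text):
    """How many logins each mechanism handled; a quick way to see fallback volume."""
    return Counter(rec["method"] for rec in parse_logins(text))


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("WARN", finding)
    print(dict(method_counts(SAMPLE_LOG)))
```

Run it against /var/log/mail.log (or whatever debug_log_path points at) by reading the file into `audit()`; a non-empty result means some client negotiated a mechanism you did not intend to offer, which is the server-side counterpart of the imap_authenticators setting. Dovecot can also refuse the fallback outright with `auth_mechanisms = gssapi` and `disable_plaintext_auth = yes`.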
Achim Gottinger
2016-07-02 10:44:00 UTC
Permalink
Hi Mark,

I'll keep replying to the list.
You must create a signed server certificate for your FQDN.

~# ./build-key-server mail.hprs.local

Then point to the public and private parts in your dovecot config.

ssl_cert = </etc/easy-rsa/keys/reqs/mail.hprs.local.req
ssl_key = </etc/easy-rsa/keys/private/mail.hprs.local.key

But all that should not interfere with kerberos because you can accept
the invalid cert.
What does show up in the auth debug log if you make the kinit/mutt test now?

achim~
Post by Mark Foley
Achim,
I'm sending this message directly to you to spare the sambalist from my certificate trials.
I'm hoping you'll still hang in there a bit longer, though I'm close to giving up on this
whole thing myself.
/etc/ssl/certs/OHPRS/easyrsa/ca.crt
/etc/ssl/certs/OHPRS/easyrsa/reqs/MAIL.req
/etc/ssl/certs/OHPRS/easyrsa/reqs/dovecot.req
/etc/ssl/certs/OHPRS/easyrsa/private/ca.key
/etc/ssl/certs/OHPRS/easyrsa/private/MAIL.key
/etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt
$ openssl x509 -text -in /etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=mail.hprs.local
Validity
Not Before: Jul 2 05:54:26 2016 GMT
Not After : Jun 30 05:54:26 2026 GMT
Subject: CN=mail.hprs.local
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Now, how do I point Samba and/or Dovecot and/or kerberos and/or mutt to this cert? (dovecot.crt)
set certificate_file=/etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt
mutt seemed to ignore that as the usual GoDaddy cert was used (and failed).
ssl_key = </etc/ssl/certs/OHPRS/easyrsa/private/MAIL.key
ssl_cert = </etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt
mutt gave the message, "Connection to mail.hprs.local closed".
I've got no more guesses.
On the bright side, the debug log seems to be working now.
Thanks, --Mark
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Mark Foley
2016-07-03 17:42:05 UTC
Permalink
Achim,

This is my most recent effort. If I cannot make progress from here I'm going to give this idea a rest.

I used easy-rsa to create a cert. Files are:

/etc/ssl/certs/OHPRS/easyrsa/ca.crt
/etc/ssl/certs/OHPRS/easyrsa/reqs/MAIL.req
/etc/ssl/certs/OHPRS/easyrsa/reqs/dovecot.req
/etc/ssl/certs/OHPRS/easyrsa/private/ca.key
/etc/ssl/certs/OHPRS/easyrsa/private/MAIL.key
/etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt

$ openssl x509 -text -in /etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=mail.hprs.local
        Validity
            Not Before: Jul 2 05:54:26 2016 GMT
            Not After : Jun 30 05:54:26 2026 GMT
        Subject: CN=mail.hprs.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

Now, how do I point Samba and/or Dovecot and/or kerberos and/or mutt to this cert? (dovecot.crt)

I tried in /etc/Muttrc:

set certificate_file=/etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt

mutt seemed to ignore that as the usual GoDaddy cert was used (and failed).

I tried in 10-ssl.conf:

ssl_key = </etc/ssl/certs/OHPRS/easyrsa/private/MAIL.key
ssl_cert = </etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt

mutt gave the message, "Connection to mail.hprs.local closed".

I've got no more guesses.

On the bright side, the debug log seems to be working now.

Thanks, --Mark

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
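Two certificates appear in Mark's message: the GoDaddy one issued for mail.ohprs.org, which mutt rejects because the connection is made to mail.hprs.local, and the easy-rsa one with Subject CN=mail.hprs.local and no subjectAltName. The function below is an added example for this thread (not mutt's, Dovecot's or OpenSSL's code) of the hostname check a TLS client performs before it will trust a server: dNSName SANs are matched first and the CN is consulted only when the certificate carries no SANs, and a wildcard covers exactly one leftmost label. The names are passed in as strings, for example as printed by `openssl x509 -noout -subject -ext subjectAltName -in <cert>` (OpenSSL 1.1.1 or later). The SAN list given for the GoDaddy certificate is an assumption.

```python
"""Does a server certificate's name set cover the hostname the client dialled?

Added example for this thread; not code from mutt, Dovecot or OpenSSL.
Inputs are the certificate's subject CN and its dNSName SANs as strings.
"""


def name_matches(pattern, host):
    """RFC 6125-style match of one presented identifier against a hostname.

    Case-insensitive, trailing dots ignored. A single '*' is allowed only as
    the whole leftmost label and matches exactly one label, so '*.hprs.local'
    covers 'mail.hprs.local' but neither 'hprs.local' nor 'a.b.hprs.local'.
    """
    pattern = pattern.rstrip(".").lower()
    host = host.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(host, subject_cn, dns_sans=()):
    """Return (matched, reason).

    When the certificate has dNSName SANs only those are consulted and the CN
    is ignored, which is what current TLS clients do. The CN is a fallback
    for SAN-less certificates such as the bare easy-rsa one in the thread.
    """
    if dns_sans:
        for name in dns_sans:
            if name_matches(name, host):
                return True, "SAN %s matches %s" % (name, host)
        return False, "no SAN in %s matches %s (CN ignored: SANs present)" % (list(dns_sans), host)
    if subject_cn and name_matches(subject_cn, host):
        return True, "CN %s matches %s (certificate has no SANs)" % (subject_cn, host)
    return False, "CN %r does not match %s and certificate has no SANs" % (subject_cn, host)


if __name__ == "__main__":
    # The public GoDaddy certificate, dialled by the internal AD name. The SAN
    # list is assumed; a real one is read off the certificate itself.
    print(cert_matches_host("mail.hprs.local", "mail.ohprs.org", ["mail.ohprs.org"]))
    # The easy-rsa certificate from the thread: CN only, no SAN.
    print(cert_matches_host("mail.hprs.local", "mail.hprs.local"))
```

Two further checks are worth making on the files listed above. `ssl_cert` must point at an issued certificate such as dovecot.crt; a .req file is a signing request and contains no certificate. And the key must be the one the certificate was issued for: the listing shows dovecot.crt next to MAIL.key with no dovecot.key, so compare `openssl x509 -noout -modulus -in dovecot.crt | openssl md5` with `openssl rsa -noout -modulus -in MAIL.key | openssl md5`; if the digests differ, Dovecot cannot use that pair.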
Achim Gottinger
2016-07-03 17:56:28 UTC
Permalink
Debug log output please!
I think you still miss the gssapi module for dovecot.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Mark Foley
2016-07-03 18:51:36 UTC
Permalink
Hold the presses!!! I think it might be working!

I upgraded from Samba 4.1.23 to 4.2.12 over the weekend (in fact, did an overall system update)
and rebooted and voila! I went into my Tbird on the WIN7 workstations to simply remove the
GSSAPI authentication in the process of giving up hope, and new messages arrived in my inbox.
I don't know whether it was something about the new version of Samba, or the reboot, but
something finally kicked in.

Seems to be working!

My outgoing SMTP server/MTA is sendmail, which does only [encrypted]password authentication or
no authentication. I set this to "no authentication", but that's OK for outgoing.

I will experiment more with this today, then post all the various Samba settings we worked on
to get to this point.

Thanks!!! --Mark

(btw the mutt experiment still doesn't work -- it's still looking at the mail.ohprs.org cert.
But I think that doesn't matter at this point)
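The thread opened with the question of where the keytab lives, and Mark's last message has GSSAPI working from Thunderbird once /etc/krb5.keytab existed. Two things a practitioner would verify at that point: that the keytab really contains imap/<fqdn> for the name clients connect to, and that it contains nothing more than that. `samba-tool domain exportkeytab` with no `--principal` writes the keys of every account in the domain, not just the service being set up, so on a DC export only the service principal (`--principal=imap/server.domain.local`) and keep the file readable only by the Dovecot auth process. `klist -ke /etc/krb5.keytab` lists the entries; the parser below is an added example (not Samba, MIT or Heimdal code) that reads the keytab format directly, skips deleted slots, and answers the "is imap/<fqdn> in here" question in a form a deployment check can assert on. The sample keytab is constructed in memory with dummy key bytes; the realm DOMAIN.LOCAL is assumed from the DN quoted earlier in the thread.

```python
"""List the principals in a Kerberos keytab and check that the service
principal Dovecot needs (imap/<fqdn>@REALM) is actually present.

Added example for this thread; not Samba, MIT or Heimdal code. SAMPLE_KEYTAB
is constructed in memory (dummy keys) so the script runs without a DC.
Layout: keytab version 0x0502, all integers big-endian, which is what
`samba-tool domain exportkeytab` and MIT ktutil write. Realm is assumed.
"""
import struct

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def _octets(buf, pos):
    """Read a uint16-length-prefixed byte string; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Yield one dict per live entry in a v0x0502 keytab byte string."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a v0x0502 keytab: %r" % (data[:2],))
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size: deleted entry, skip the hole
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p = pos + 2
        realm, p = _octets(data, p)
        comps = []
        for _ in range(ncomp):
            comp, p = _octets(data, p)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        (etype,) = struct.unpack_from(">H", data, p)
        p += 2
        key, p = _octets(data, p)
        kvno = vno8
        if end - p >= 4:                  # optional 32-bit kvno overrides vno8 when non-zero
            (kvno32,) = struct.unpack_from(">I", data, p)
            if kvno32:
                kvno = kvno32
        yield {"principal": "/".join(comps) + "@" + realm.decode(),
               "kvno": kvno, "enctype": ENCTYPES.get(etype, "etype %d" % etype),
               "timestamp": timestamp, "keylen": len(key)}
        pos = end


def has_principal(data, principal):
    """True if any live entry is for `principal`, e.g. 'imap/server.domain.local@DOMAIN.LOCAL'."""
    return any(e["principal"] == principal for e in parse_keytab(data))


def build_entry(comps, realm, etype, key, kvno, ts):
    """Serialise one entry in the same layout; used only to construct the sample."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)   # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", etype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: the imap SPN from the thread with two enctypes, a deleted
# slot (negative size) the parser must skip, and an unrelated host/ key.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry(["imap", "server.domain.local"], "DOMAIN.LOCAL", 18, b"\x11" * 32, 3, 1467407824)
    + build_entry(["imap", "server.domain.local"], "DOMAIN.LOCAL", 23, b"\x22" * 16, 3, 1467407824)
    + struct.pack(">i", -8) + b"\x00" * 8
    + build_entry(["host", "server.domain.local"], "DOMAIN.LOCAL", 18, b"\x33" * 32, 7, 1467407824)
)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-42s kvno=%d %s" % (e["principal"], e["kvno"], e["enctype"]))
    print(has_principal(SAMPLE_KEYTAB, "imap/server.domain.local@DOMAIN.LOCAL"))
```

On a real system read the file with `open("/etc/krb5.keytab", "rb").read()` and pass it to `parse_keytab()`; anything other than the imap/ principal for the mail server's name is a key that the mail daemon does not need and should not have been exported onto that host.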

-----Original Message-----
Date: Sun, 3 Jul 2016 19:56:28 +0200
Debug log output please!
I think you still miss the gssapi module for dovecot.
Post by Mark Foley
Achim,
This is my most recent effort. If I cannot make progress from here I'm going to give this idea a rest.
/etc/ssl/certs/OHPRS/easyrsa/ca.crt
/etc/ssl/certs/OHPRS/easyrsa/reqs/MAIL.req
/etc/ssl/certs/OHPRS/easyrsa/reqs/dovecot.req
/etc/ssl/certs/OHPRS/easyrsa/private/ca.key
/etc/ssl/certs/OHPRS/easyrsa/private/MAIL.key
/etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt
$ openssl x509 -text -in /etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=mail.hprs.local
Validity
Not Before: Jul 2 05:54:26 2016 GMT
Not After : Jun 30 05:54:26 2026 GMT
Subject: CN=mail.hprs.local
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Now, how do I point Samba and/or Dovecot and/or kerberos and/or mutt to this cert? (dovecot.crt)
set certificate_file=/etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt
mutt seemed to ignored that as the usual GoDaddy cert was used (and failed).
ssl_key = </etc/ssl/certs/OHPRS/easyrsa/private/MAIL.key
ssl_cert = </etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt
mutt gave the message, "Connection to mail.hprs.local closed".
I've got no more guesses.
On the bright side, the debug log seems to be working now.
Thanks, --Mark
-----Original Message-----
Date: Fri, 01 Jul 2016 22:15:05 -0400
Organization: Ohio Highway Patrol Retirement System
Subject: Re: [Samba] Where is krb5.keytab or equivalent?
Post by Achim Gottinger
Yes I created an self signed cert (with the easy-rsa scripts froom
openvpn).
Alright, I'll try that after this message and post back. In anticipation of "problems", where
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
Which is the key mutt keeps showing. I don't suppose I put the path there?
Post by Achim Gottinger
Does mutt let you accept the cert anyway? On an earlier test
you got past the cert state and had to enter an password or got an no
auth failure.
Mutt lets me accept, but I get "No authenticators available", and the mutt screen is blank.
When it asked me for a password previously it was because it fell back to PLAIN authentication,
which worked. Now my /etc/Muttrc has
set imap_authenticators="gssapi"
to prevent that.
Post by Achim Gottinger
Also figure out where dovecot auth debug log entries get written (here
dovecot writes logs to mail.info, mail.error, mail.log, debug only ends
up in mail.log).
My /etc/dovecot.conf has
# debug_log_path = /var/log/Dovecot/dovecot_debug.log
commented. I'll uncomment that before the next test. Otherwise, I see nothing in maillog or
dovecot_info (info_log_path).
--Mark
-----Original Message-----
Post by Achim Gottinger
Date: Sat, 2 Jul 2016 03:39:42 +0200
Yes, I created a self-signed cert (with the easy-rsa scripts from
openvpn). Does mutt let you accept the cert anyway? On an earlier test
you got past the cert stage and had to enter a password or got a no
auth failure.
Also figure out where dovecot auth debug log entries get written (here
dovecot writes logs to mail.info, mail.error, mail.log, debug only ends
up in mail.log).
Post by Mark Foley
Post by Achim Gottinger
Here's the test (I must run mutt, not telnet like I mentioned earlier, to
get the imap tickets).
[I enter my password]
$ kinit mark
[I enter my password]
I get the mutt message, "Certificate host check failed: certificate owner does not match
hostname mail.hprs.local".
-----BEGIN------
mail.ohprs.org
Unknown
Unknown
Domain Control Validated
Unknown
Go Daddy Secure Certificate Authority - G2
Unknown
GoDaddy.com, Inc.
Scottsdale
This certificate is valid
from Aug 14 21:38:38 2015 GMT
to Aug 15 17:49:32 2016 GMT
Fingerprint: B3B3 98E9 5675 0CEB 95D4 9146 9D1C 9064
-----END-------
Post by Achim Gottinger
Ticket cache: FILE:/tmp/krb5cc_0
[etc ...]
Ticket cache: FILE:/tmp/krb5cc_0
Valid starting Expires Service principal
renew until 07/02/2016 20:57:52
Clearly, I am misconfigured at some level. From my mouse-eye-view, the certificate is for
mail.ohprs.org, not mail.hprs.local. What about you? You must have a certificate for
server.domain.local as well as your public domain, yes? Did you at some point create a
self-signed certificate?
What do you suggest?
--Mark
-----Original Message-----
Post by Achim Gottinger
Date: Fri, 1 Jul 2016 23:29:35 +0200
Subject: Re: [Samba] Where is krb5.keytab or equivalent?
Here's the test (I must run mutt, not telnet like I mentioned earlier, to
get the imap tickets).
[I enter my password]
[Mutt asks about the cert, I select accept once and I end up in my INBOX.
I leave mutt by entering q+ENTER]
Ticket cache: FILE:/tmp/krb5cc_0
Valid starting Expires Service principal
renew until 02.07.2016 23:16:28
renew until 02.07.2016 23:16:28
01.07.2016 23:17:04 02.07.2016 09:16:30
renew until 02.07.2016 23:16:28
dovecot
User CN=dovecot,CN=Users,DC=domain,DC=local has the following
imap/server.domain.local
127.0.0.1 localhost
192.168.100.102 server.domain.local server
Excerpt from /var/log/mail.log (on Debian mail.log contains the debug
info).
Jul 1 23:17:01 server dovecot: auth: Debug: Loading modules from
directory: /usr/lib/dovecot/modules/auth
/usr/lib/dovecot/modules/auth/libmech_gssapi.so
Jul 1 23:17:01 server dovecot: auth: Debug: Loading modules from
directory: /usr/lib/dovecot/modules/auth
/usr/lib/dovecot/modules/auth/libauthdb_ldap.so
Jul 1 23:17:01 server dovecot: auth: Debug: Read auth token secret from
/var/run/dovecot/auth-token-secret.dat
Jul 1 23:17:01 server dovecot: auth: Debug: passwd-file
/etc/dovecot/passwd.masterusers: Read 0 users in 0 secs
Jul 1 23:17:01 server dovecot: auth: Debug: auth client connected
(pid=21490)
AUTH#0111#011GSSAPI#011service=imap#011secured#011session=ldMkgpk2dAB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=39796#011resp=<hidden>
gssapi(?,127.0.0.1,<ldMkgpk2dAB/AAAB>): Using all keytab entries
gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): security context state
completed.
XXXXXXXXXXXXXXXXXXXXXXXXX
Jul 1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): Negotiated security layer
XXXXXXXXXXXXXXXXXXXXXXXXX
Jul 1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
........
Jul 1 23:17:04 server dovecot: imap-login: Login: user=<achim>,
method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=21496, TLS,
session=<ldMkgpk2dAB/AAAB>
Post by Achim Gottinger
I'm sure it will not work till you get that module built. :-)
Post by Mark Foley
Post by Achim Gottinger
Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe at a
different location. On Debian this comes with the dovecot-gssapi package.
That module is nowhere on my system.
--Mark
Achim Gottinger
2016-07-01 21:52:53 UTC
Here is a simpler way to create a user with the imap principal and the
dovecot keytab

~# samba-tool user create dovecot
[Assign password]
~# samba-tool spn add imap/server.domain.local dovecot
~# samba-tool domain exportkeytab --principal ***@DOMAIN.LOCAL
dovecot.keytab
~# cp dovecot.keytab /etc/dovecot/dovecot.keytab
~# chgrp dovecot /etc/dovecot/dovecot.keytab
~# chmod g+r /etc/dovecot/dovecot.keytab

As a side note, I am testing on a different server now, and the above and the mutt
test from my other mail only work with
auth_gssapi_hostname = "$ALL"
defined in the dovecot config.

Otherwise I get these errors

Jul 1 23:47:29 server dovecot: auth: Debug:
gssapi(?,127.0.0.1,<55Rq7pk24gB/AAAB>): Obtaining credentials for imap@
Jul 1 23:47:33 server dovecot: auth:
gssapi(?,127.0.0.1,<55Rq7pk24gB/AAAB>): While acquiring service
credentials: Unspecified GSS failure. Minor code may provide more
information
Post by Achim Gottinger
I'm sure it will not work till you get that module built. :-)
Post by Mark Foley
Post by Achim Gottinger
Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe at a
different location. On Debian this comes with the dovecot-gssapi package.
That module is nowhere on my system.
--Mark
achim
2016-07-01 23:02:29 UTC
Post by Achim Gottinger
Here is a simpler way to create a user with the imap principal and
the dovecot keytab
~# samba-tool user create dovecot
[Assign password]
~# samba-tool spn add imap/server.domain.local dovecot
dovecot.keytab
If the above line is replaced by
~# samba-tool domain exportkeytab --principal imap/server.domain.local
dovecot.keytab
It is working without auth_gssapi_hostname = "$ALL" again.
To add the principal for smtp execute
~# samba-tool spn add smtp/server.domain.local dovecot
~# samba-tool domain exportkeytab --principal smtp/server.domain.local
dovecot.keytab

The keytab now has the following content
~# klist -Kek /etc/dovecot/dovecot.conf
Keytab name: FILE:dovecot.keytab
KVNO Principal
----
--------------------------------------------------------------------------
3 imap/***@DOMAIN.LOCAL (des-cbc-crc) (0x......)
3 imap/***@DOMAIN.LOCAL (des-cbc-md5) (0x......)
3 imap/***@DOMAIN.LOCAL (arcfour-hmac)
(0x.................)
3 smtp/***@DOMAIN.LOCAL (des-cbc-crc) (0x......)
3 smtp/***@DOMAIN.LOCAL (des-cbc-md5) (0x......)
3 smtp/***@DOMAIN.LOCAL (arcfour-hmac)
(0x.................)

The SPNs are
~# samba-tool spn list dovecot
dovecot
User CN=dovecot,CN=Users,DC=domain,DC=local has the following
servicePrincipalName:
imap/server.domain.local
smtp/server.domain.local

I tried it with the hostname without the domain part and that did not work.
Also it did not work using
~# samba-tool spn add imap/***@DOMAIN.LOCAL dovecot
The SPN should not contain the realm, as below:
~# samba-tool spn add imap/server.domain.local dovecot

But you really need that gssapi mech library first. Check the auth debug
log; there should be a line like
Jul 1 23:17:01 server dovecot: auth: Debug: Module loaded:
/usr/lib/dovecot/modules/auth/libmech_gssapi.so
Post by Achim Gottinger
~# cp dovecot.keytab /etc/dovecot/dovecot.keytab
~# chgrp dovecot /etc/dovecot/dovecot.keytab
~# chmod g+r /etc/dovecot/dovecot.keytab
As a side note, I am testing on a different server now, and the above and the
mutt test from my other mail only work with
auth_gssapi_hostname = "$ALL"
defined in the dovecot config.
Otherwise I get these errors
gssapi(?,127.0.0.1,<55Rq7pk24gB/AAAB>): While acquiring service
credentials: Unspecified GSS failure. Minor code may provide more
information
Post by Achim Gottinger
I'm sure it will not work till you get that module built. :-)
Post by Mark Foley
Post by Achim Gottinger
Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe at a
different location. On Debian this comes with the dovecot-gssapi package.
That module is nowhere on my system.
--Mark
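An added check, not part of the thread, that turns the two findings above (the `klist -Kek` keytab listing and the SPN form `samba-tool spn add` accepts) into something scriptable; the listing, hostnames, realm and key bytes are constructed. The legacy-enctype flagging is my addition: the keytabs posted in this thread hold only single-DES and RC4 (arcfour-hmac) keys, which a current AD domain should no longer be issuing for a service account.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for a Dovecot service keytab.
# Input is the text that `klist -Kek <keytab>` prints. The helpers take that
# listing as their first argument so they can run against constructed data.

# Constructed sample modelled on the listing in the thread; hostnames, realm and
# key bytes are invented. Note the imap principal has only DES and RC4 keys.
SAMPLE_KLIST='Keytab name: FILE:dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/mail.example.local@EXAMPLE.LOCAL (des-cbc-crc) (0x0102030405060708)
   1 imap/mail.example.local@EXAMPLE.LOCAL (des-cbc-md5) (0x0102030405060708)
   1 imap/mail.example.local@EXAMPLE.LOCAL (arcfour-hmac) (0x00112233445566778899aabbccddeeff)
   1 smtp/mail.example.local@EXAMPLE.LOCAL (arcfour-hmac) (0x00112233445566778899aabbccddeeff)
   1 smtp/mail.example.local@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96) (0xffeeddccbbaa99887766554433221100)'

# principal_present LISTING PRINCIPAL
# Succeeds when at least one key line names exactly PRINCIPAL (field 2).
principal_present() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { found = 1 } END { if (found) exit 0; exit 1 }'
}

# principal_enctypes LISTING PRINCIPAL
# Prints the enctype of every key held for PRINCIPAL, one per line, parentheses stripped.
principal_enctypes() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { gsub(/[()]/, "", $3); print $3 }'
}

# weak_enctype_count LISTING PRINCIPAL
# Counts legacy enctypes (single DES and RC4). A keytab holding only these
# means every IMAP/SMTP service ticket is protected by a deprecated cipher.
weak_enctype_count() {
    principal_enctypes "$1" "$2" \
        | awk '/^(des-cbc-crc|des-cbc-md5|arcfour-hmac)$/ { n++ } END { print n + 0 }'
}

# has_aes LISTING PRINCIPAL : succeeds when an AES enctype is present for PRINCIPAL.
has_aes() {
    principal_enctypes "$1" "$2" | grep -q '^aes'
}

# spn_is_usable SPN
# Encodes the thread's findings about the argument to `samba-tool spn add`:
# it must be service/FQDN, the host part needs its domain, and the realm
# (@REALM) must not be appended.
spn_is_usable() {
    case "$1" in
        *@*)   return 1 ;;   # realm given: rejected
        */*.*) return 0 ;;   # service/host.domain: accepted
        *)     return 1 ;;   # bare hostname or no service part
    esac
}

# keytab_report LISTING PRINCIPAL : human-readable summary for one principal.
keytab_report() {
    if ! principal_present "$1" "$2"; then
        echo "$2: MISSING from keytab (check the SPN and exportkeytab --principal)"
        return 1
    fi
    weak=$(weak_enctype_count "$1" "$2")
    if has_aes "$1" "$2"; then
        echo "$2: present, AES key available, $weak legacy enctype(s) also stored"
    else
        echo "$2: present but protected only by legacy enctypes ($weak key(s))"
    fi
}

keytab_report "$SAMPLE_KLIST" imap/mail.example.local@EXAMPLE.LOCAL
keytab_report "$SAMPLE_KLIST" smtp/mail.example.local@EXAMPLE.LOCAL
```

To run it against a real keytab, feed `"$(klist -Kek /etc/dovecot/dovecot.keytab)"` as the listing argument instead of the constructed sample.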
Mark Foley
2016-07-02 02:03:08 UTC
Perhaps yet another source of misconfiguration.
Post by achim
The keytab now has the follwoing content
~# klist -Kek /etc/dovecot/dovecot.conf
First of all, I have no /etc/dovecot/dovecot.conf. I have /etc/krb5.conf created when I
initially provisioned Samba per the provisioning instructions, "A Kerberos configuration
suitable for Samba 4 has been generated at /etc/samba/private/krb5.conf", and following the
instruction on the samba wiki at
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf

Although I copied the file rather than link it, as I expected to make changes. That file
currently contains:

[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

I tried your klist command on that file:

***@mail > klist -Kek /etc/krb5.conf
Keytab name: FILE:/etc/krb5.conf
klist: Unsupported key table format version number while starting keytab scan

Now, let's assume you mistyped dovecot.conf and meant dovecot.keytab ...

***@mail > samba-tool user delete dovecot
Deleted user dovecot

***@mail > rm dovecot.keytab

***@mail > samba-tool user create dovecot
New Password:
Retype Password:
User 'dovecot' created successfully

***@mail > samba-tool spn add imap/mail.hprs.local dovecot
***@mail > samba-tool domain exportkeytab --principal imap/mail.hprs.local dovecot.keytab
***@mail > samba-tool spn add smtp/mail.hprs.local dovecot
***@mail > samba-tool domain exportkeytab --principal smtp/mail.hprs.local dovecot.keytab
***@mail > cp dovecot.keytab /etc/dovecot/dovecot.keytab
***@mail > chgrp dovecot /etc/dovecot/dovecot.keytab
***@mail > chmod g+r /etc/dovecot/dovecot.keytab
***@mail > dovecot reload

My new keytab:

***@mail > klist -Kek dovecot.keytab
Keytab name: FILE:dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 imap/***@HPRS.LOCAL (des-cbc-crc) (0x232616c2a4fd08f7)
1 imap/***@HPRS.LOCAL (des-cbc-md5) (0x232616c2a4fd08f7)
1 imap/***@HPRS.LOCAL (arcfour-hmac) (0x9dae89a221dc374a39f560833352f60f)
1 smtp/***@HPRS.LOCAL (des-cbc-crc) (0x232616c2a4fd08f7)
1 smtp/***@HPRS.LOCAL (des-cbc-md5) (0x232616c2a4fd08f7)
1 smtp/***@HPRS.LOCAL (arcfour-hmac) (0x9dae89a221dc374a39f560833352f60f)

When trying mutt, sadly, again "Certificate host check failed: certificate owner does not
match hostname mail.hprs.local".

--Mark

-----Original Message-----
Post by achim
Date: Sat, 2 Jul 2016 01:02:29 +0200
Post by Achim Gottinger
Here is a simpler way to create a user with the imap principal and
the dovecot keytab
~# samba-tool user create dovecot
[Assign password]
~# samba-tool spn add imap/server.domain.local dovecot
dovecot.keytab
If the above line is replaced by
~# samba-tool domain exportkeytab --principal imap/server.domain.local
dovecot.keytab
It is working without auth_gssapi_hostname = "$ALL" again.
To add the principal for smtp execute
~# samba-tool spn add smtp/server.domain.local dovecot
~# samba-tool domain exportkeytab --principal smtp/server.domain.local
dovecot.keytab
The keytab now has the following content
~# klist -Kek /etc/dovecot/dovecot.conf
Keytab name: FILE:dovecot.keytab
KVNO Principal
----
--------------------------------------------------------------------------
(0x.................)
(0x.................)
The SPNs are
~# samba-tool spn list dovecot
dovecot
User CN=dovecot,CN=Users,DC=domain,DC=local has the following
imap/server.domain.local
smtp/server.domain.local
I tried it with the hostname without the domain part and that did not work.
Also it did not work using
The SPN should not contain the realm, as below:
~# samba-tool spn add imap/server.domain.local dovecot
But you really need that gssapi mech library first. Check the auth debug
log; there should be a line like
/usr/lib/dovecot/modules/auth/libmech_gssapi.so
Post by Achim Gottinger
~# cp dovecot.keytab /etc/dovecot/dovecot.keytab
~# chgrp dovecot /etc/dovecot/dovecot.keytab
~# chmod g+r /etc/dovecot/dovecot.keytab
As a side note, I am testing on a different server now, and the above and the
mutt test from my other mail only work with
auth_gssapi_hostname = "$ALL"
defined in the dovecot config.
Otherwise I get these errors
gssapi(?,127.0.0.1,<55Rq7pk24gB/AAAB>): While acquiring service
credentials: Unspecified GSS failure. Minor code may provide more
information
Post by Achim Gottinger
I'm sure it will not work till you get that module built. :-)
Post by Mark Foley
Post by Achim Gottinger
Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe at a
different location. On Debian this comes with the dovecot-gssapi package.
That module is nowhere on my system.
--Mark
Mark Foley
2016-07-02 01:32:53 UTC
Following your example for 2nd test ...
Post by Achim Gottinger
~# samba-tool user create dovecot
[Assign password]
~# samba-tool spn add imap/server.domain.local dovecot
dovecot.keytab
~# cp dovecot.keytab /etc/dovecot/dovecot.keytab
~# chgrp dovecot /etc/dovecot/dovecot.keytab
~# chmod g+r /etc/dovecot/dovecot.keytab
me:
***@mail > samba-tool user delete dovecot # to get rid of previous defs.
Deleted user dovecot

***@mail > samba-tool user create dovecot
New Password:
Retype Password:
User 'dovecot' created successfully
Post by Achim Gottinger
As a side note, I am testing on a different server now, and the above and the mutt
test from my other mail only work with
auth_gssapi_hostname = "$ALL"
defined in the dovecot config.
I added that back in before reloading dovecot. Some commenter had me remove it during previous
testing.

Re-ran mutt, sadly same result as previous test, "Certificate host check failed: certificate
owner does not match hostname mail.hprs.local".

Nothing in maillog.

I think the certificate is fooped.

--Mark

-----Original Message-----
Post by Achim Gottinger
Date: Fri, 1 Jul 2016 23:52:53 +0200
Subject: Re: [Samba] Where is krb5.keytab or equivalent?
Here is a simpler way to create a user with the imap principal and the
dovecot keytab
~# samba-tool user create dovecot
[Assign password]
~# samba-tool spn add imap/server.domain.local dovecot
dovecot.keytab
~# cp dovecot.keytab /etc/dovecot/dovecot.keytab
~# chgrp dovecot /etc/dovecot/dovecot.keytab
~# chmod g+r /etc/dovecot/dovecot.keytab
As a side note, I am testing on a different server now, and the above and the mutt
test from my other mail only work with
auth_gssapi_hostname = "$ALL"
defined in the dovecot config.
Otherwise I get these errors
gssapi(?,127.0.0.1,<55Rq7pk24gB/AAAB>): While acquiring service
credentials: Unspecified GSS failure. Minor code may provide more
information
Post by Achim Gottinger
I'm sure it will not work till you get that module built. :-)
Post by Mark Foley
Post by Achim Gottinger
Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe at a
different location. On Debian this comes with the dovecot-gssapi package.
That module is nowhere on my system.
--Mark
Mark Foley
2016-07-01 18:47:12 UTC
Post by Achim Gottinger
It's getting a bit off-topic for the samba list :-)
Maybe, but I am concurrently talking to people on the Dovecot list who seem to be able to do
Kerberos authentication, but none are using Samba4. They are also suggesting different
principals for the keytab file and other divergences from your suggestions.

I've dealt with a whole universe of OSs, networks and systems over my long and checkered
career, but this Kerberos stuff is the most esoteric bag of Voodoo I've run across. I am
totally lost with what all these settings do or mean. Anyway ...
Post by Achim Gottinger
Look at the testing section in
http://wiki2.dovecot.org/Authentication/Kerberos do what is mentioned
below "Test that the server can access the keytab".
My results from that:

--------BEGIN---------
$ telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI] Dovecot ready.

$ openssl s_client -connect localhost:993
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, CN = mail.ohprs.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = mail.ohprs.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, CN = mail.ohprs.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=mail.ohprs.org
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
Server certificate
-----BEGIN CERTIFICATE-----

[deleted - lots more stuff]

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI] Dovecot ready.

a capability
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI
a OK Pre-login capabilities listed, post-login capabilities have more.

a authenticate GSSAPI
+
--------END---------

The telnet test seemed to work. I got the "OK Dovecot ready" message. The openssl test does
have the "CONNECTED(00000003)" at the beginning and "OK ... Dovecot Ready" at the end, but
disconcerting stuff in the middle ("unable to get local issuer certificate", "certificate not
trusted", etc.)

The 'a' commands returned the GSSAPI capability and the positive for the "authenticate GSSAPI".
All that I think is good.

Now, "The Test", as that page puts it ... unfortunately, as with much documentation, there is
a lot of assumed knowledge on the part of the author, who is all too familiar with his topic (to
be fair, the testing section of this page does say "this section required cleanup"). So ... the
test instructions (if you're tired of reading at this point, skip to my IMAP/HOSTNAME comments):

"Setup mutt in /etc/Muttrc to use kerberos using gssapi and imap configuration
this is done with set imap_authenticators="gssapi"

Did that, although my mutt doesn't seem to use it. I have to do '-F /etc/Muttrc' to use that
config.

"run kinit (type in password for kerb)
run command mutt
If you get error No Authentication Method"

Who/what is 'kerb'? This is not mentioned at all in the document up to this point. I assume it
is supposed to be a user account. I ran all these tests as root, but root does not have an IMAP
account. My "test" worked for root (but it is not IMAP), when I ran

MAIL=imap://***@mail.ohprs.org/ mutt -F /tmp/testMuttrc

I did get "No authenticators available", same as yesterday. (***@HPRS.LOCAL is in the klist).
The instructions go on:

"run command klist (list all kerberos keys) should show imap/HOSTNAME
/etc/hosts has to be set properly so that kerberos can find server."

This is now the 3rd variation on the klist settings I've gotten from various sources. I
currently have:

smtp/***@HPRS.LOCAL
imap/***@HPRS.LOCAL

The Dovecot listers are suggesting (I think, needs more clarification)

IMAP/***@HPRS.LOCAL

i.e. IMAP must be capitalized and hostname only, no FQDN. This webpage we are looking at
appears to be suggesting

imap/MAIL

with "imap" in lowercase, hostname only in uppercase, no FQDN, no realm. That doesn't really
look right to me and is perhaps part of the "required cleanup" bit -- on the other hand, I know
nothing about any of this. The comment on "/etc/hosts has to be set properly" is a
space-waster without defining what "properly" means.

Like I said, Voodoo.

I will continue to experiment with these various suggestions, but I'm growing more skeptical
that Samba4/kerberos/Dovecot can work together. Rowland Penny set me up with single sign-on
authentication from an Ubuntu client, which apparently uses kerberos, but that is
Samba-to-Samba, not Dovecot-Samba.

Another part of this could be confusion as to what FQDN I should be using. The local LAN is
hprs.local, which is how I have the keytab configured, but the cert it checks against is ohprs.org.
Which should I be using?
Post by Achim Gottinger
If I run the telnet authenticated test, klist afterwards contains the
imap keys.
Could you post your klist so I can see what format you have?

Thanks, --Mark

-----Original Message-----
Post by Achim Gottinger
Date: Fri, 1 Jul 2016 10:37:51 +0200
Subject: Re: [Samba] Where is krb5.keytab or equivalent?
It's getting a bit off-topic for the samba list :-)
Look at the testing section in
http://wiki2.dovecot.org/Authentication/Kerberos do what is mentioned
below "Test that the server can access the keytab".
If I run the telnet authenticated test, klist afterwards contains the
imap keys.
Post by Mark Foley
More info ...
when I do
(using the domain of the registered certificate). I do not get the message "Certificate host
check failed: certificate owner does not match hostname ..."
I do get the same (mutt?) edit screen shown below with the "(r)eject, accept (o)nce, (a)ccept
always" action at the bottom. If I "accept (o)nce", I am asked for the 'mark' password and put
Nothing in maillog, but dovecot log show a successful PLAIN authentication. If I configure
dovecot for only gssapi and run mutt again, I get the message "No authenticators available".
set imap_authenticators="gssapi"
and ran
same: "No authenticators available"
$ dovecot --build-options
Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
Passdb: checkpassword passwd passwd-file shadow
Userdb: checkpassword nss passwd prefetch passwd-file
Should gssapi show up here? I did just rebuild dovecot with `./configure ----with-gssapi=yes`
#define HAVE_GSSAPI_GSSAPI_H /**/
#define HAVE_GSSAPI_H /**/
#define HAVE_GSSAPI /**/
#define HAVE_GSSAPI_GSSAPI_EXT_H 1
#define HAVE_GSSAPI_GSSAPI_KRB5_H 1
#define HAVE_KRB5_GSS_REGISTER_ACCEPTOR_IDENTITY 1
#define HAVE_GSSAPI_SPNEGO /**/
#define BUILTIN_GSSAPI /**/
Maybe I need to ask the dovecot people how to confirm that I have gssapi.
--Mark
-----Original Message-----
Date: Fri, 01 Jul 2016 00:09:29 -0400
Organization: Ohio Highway Patrol Retirement System
Subject: Re: [Samba] Where is krb5.keytab or equivalent?
Achim - per your instructions ...
Post by Achim Gottinger
Did a few tests here; "auth_gssapi_hostname = "$ALL"" is no longer
required with dovecot (2.2.13 here).
# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.
But, I've commented that out per your suggestion.
Post by Achim Gottinger
Add "auth_debug=yes" to your dovecot config.
auth_debug_passwords = yes
but I've added the auth_debug per your suggestion.
Post by Achim Gottinger
192.168.100.1 is my client's IP, 192.168.100.101 is the server's.
My WIN7/Thunderbird client is 192.168.0.58 and AD/DC/Dovecot server is 192.168.0.2
Post by Achim Gottinger
ag is the domain account username I use to login to windows and also the
username configured in thunderbird.
For me the domain and Tbird account is 'mark'
Post by Achim Gottinger
On my Debian system a package named libsasl2-modules-gssapi-mit must be
installed.
I did install mit krb5. I am using Slackware which has a different package name, but it did
install and compile OK, so I don't think I'm missing anything (but who knows?).
Post by Achim Gottinger
To test kerberos against dovecot from the command line install "mutt".
I have mutt
Post by Achim Gottinger
I assume your windows account name is "mark"
yes
Post by Achim Gottinger
~#kinit mark
I did the above ... as root (should I have been 'mark'?) on the AD/DC server.
----------
$ kinit mark
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Valid starting Expires Service principal
renew until 07/01/2016 23:41:27
---------
Did that. A message quickly flashed: "Certificate host check failed: certificate owner does
not match hostname mail.hprs.org".
-------
mail.ohprs.org
Unknown
Unknown
Domain Control Validated
Unknown
Go Daddy Secure Certificate Authority - G2
Unknown
GoDaddy.com, Inc.
Scottsdale
This certificate is valid
from Aug 14 21:38:38 2015 GMT
to Aug 15 17:49:32 2016 GMT
Fingerprint: B3B3 98E9 5675 0CEB 95D4 9146 9D1C 9064
(r)eject, accept (o)nce, (a)ccept always
------
I did (r), then quit. I also tried
to no better results.
[deleted]
Jun 30 23:53:28 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [98.102.63.107]
Jun 30 23:53:43 imap-login: Debug: SSL alert: close notify [98.102.63.107]
Jun 30 23:53:43 imap-login: Info: Disconnected (no auth attempts in 15 secs): user=<>, rip=98.102.63.107, lip=98.102.63.107, TLS: Disconnected, session=<TD7I7oo2gQBiZj9r>
Post by Achim Gottinger
Also take a look at this page
http://wiki2.dovecot.org/Authentication/Kerberos
Been to that page dozens of times :) A couple of things different on that page from our config
We added 'imap/mail.hprs.local dovecot', i.e. the FQDN, not just the hostname. Could this be a
clue?
2) "Enable plaintext authentication to use Kerberos
This is needed when some of your clients don't support GSSAPI and you still want them to
authenticate against Kerberos."
It then shows an /etc/pam.d/dovecot config, but I don't care about clients who do not support
GSSAPI, so I don't think I need this.
Post by Achim Gottinger
Looking at my spn's you may also need
samba-tool spn add imap/mail.hprs.local dovecot
I added that, didn't make any difference.
does the "Certificate host check failed" message and the mutt output tell you anything?
Thanks for your patience --Mark
-----Original Message-----
Post by Achim Gottinger
Date: Fri, 1 Jul 2016 01:38:15 +0200
Did a few tests here; "auth_gssapi_hostname = "$ALL"" is no longer
required with dovecot (2.2.13 here).
Add "auth_debug=yes" to your dovecot config.
192.168.100.1 is my client's IP, 192.168.100.101 is the server's.
ag is the domain account username I use to login to windows and also the
username configured in thunderbird.
On my Debian system a package named libsasl2-modules-gssapi-mit must be
installed.
To test kerberos against dovecot from the command line install "mutt".
I assume your windows account name is "mark"
~#kinit mark
Debug: auth client connected (pid=22585)
AUTH#0111#011GSSAPI#011service=imap#011secured#011session=p/ahQ4c2/wB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=44287#011resp=<hidden>
security context state completed.
CONT#0111#011YIGVBgkqhkiG9xIBAgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrXAIZT4a2p58/+ylPphtphYA6sTnK4QCyRkHRm1VTnvrfjxc3Ya2ui9IHsBGnPggzjLVNScFx6aHJi99VCDG7s07zNUF8d4WHuNZz7el5gwK4Quy3AeUX8zVa7xkIECuTtT5W7BjpsBThhMc=
logon-zor dovecot: auth: Debug: client in: CONT<hidden>
Negotiated security layer
CONT#0111#011BQQF/wAMAAAAAAAAKxVA5AH///8b1puThszycYxSFvE=
logon-zor dovecot: auth: Debug: client in: CONT<hidden>
imap-login: Login: user=<ag>, method=GSSAPI, rip=127.0.0.1,
lip=127.0.0.1, mpid=19022, TLS, session=<CdYH6IY2oADAwAw9>
Also take a look at this page
http://wiki2.dovecot.org/Authentication/Kerberos
Looking at my spn's you may also need
samba-tool spn add imap/mail.hprs.local dovecot
Post by Mark Foley
Achim,
$ samba-tool user delete dovecot
$ samba-tool user add dovecot
# again, that asked for a password and I assigned one.
$ ktutil
ktutil: wkt /etc/dovecot/dovecot.keytab
ktutil: quit
$ ktutil
ktutil: read_kt /etc/dovecot/dovecot.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
So, much better. Duh for me not noticing that I had to change fqdn and domain to my own.
Reloaded dovecot and tried again. Same error :(
Jun 30 18:36:10 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<OTQqf4Y2SgDAqAA6>
It must be possible for Thunderbird to use plain authentication with your Windows account
username. It could be that you must configure userdb and passdb to do LDAP lookups against Active
Directory.
Yes, Thunderbird (and Outlook, iPhone/Android, roundCube) all do plain text auth to dovecot. I will
continue to need this for non-domain email clients. According to the dovecot folks, the passwd
as userdb should work OK for gssapi. The passdb is ignored for gssapi. Besides, LDAP
authentication is another one (along with NTLM) that I haven't been able to get working with
Dovecot. The only ones I've been able to get working are PLAIN and, believe it or not,
checkpassword - which is basically a passdb driver for PLAIN.
Perhaps there is some samba setting I'm missing? Here's my AD/DC smb.conf, do you see anything
[global]
workgroup = HPRS
realm = hprs.local
netbios name = MAIL
interfaces = lo, eth1
bind interfaces only = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
winbind use default domain = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log level = 2 passdb:5 auth:10 winbind:2 lanman:10
max log size = 1000
[netlogon]
path = /var/lib/samba/sysvol/hprs.local/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[Users]
path = /redirectedFolders/Users
comment = user folders for redirection
read only = No
[share]
path = /var/lib/samba/share
comment = Shared folder
read only = No
Thanks --Mark
-----Original Message-----
Date: Thu, 30 Jun 2016 23:44:17 +0200
Subject: Re: [Samba] Where is krb5.keytab or equivalent?
Post by Mark Foley
Post by Achim Gottinger
1. Create a user
samba-tool create user dovcot
I did this (actually `samba-tool user create dovecot`), but it asked for a password. I
entered one. You didn't mention that, so I hope it's OK.
Yes
Post by Mark Foley
Post by Achim Gottinger
2. Add the spn
Did that too. No issue there.
Well you must substitute server.domain.local with your mailserver fqdn
and DOMAIN.LOCAL with HPRS.LOCAL.
Post by Mark Foley
Post by Achim Gottinger
3. Create the keytab file
ktutil
arcfour-hmac
arcfour-hmac
wkt /etc/dovecot/dovecot.keytab
As you can see, your text wrapped, but from the error message I got I assumed the -e [enctype]
$ ktutil
Same here substitute like above and as you said arcfour-hmac belongs in
the same line.
Post by Mark Foley
Of course, that will probably also wrap when you get this message, but basically I put the
arcfour-hmac on the same line as the addent. Each time, these commands also asked for a
password. Again, you didn't mention that, but I used the same password I used for the
`samba-tool user create` command above.
I tried 'wkt /etc/dovecot/dovecot.keytab' while in ktutil, but I got, "Unknown request "wtk".
Type '?' for a request list." In looking at the "?" list I saw 'wkt', so I assumed you simply
transposed the letters. I tried it and it took.
Yes wkt is the command, but make sure /etc/dovecot/dovecot.keytab does
not yet exist.
Only the two keys you just added are required to get kerberos working.
The system keytab you generated with samba-tool domain exportkeytab is
not required.
Post by Mark Foley
Post by Achim Gottinger
4. Add this to your dovecot config
# Kerberos
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
Did that. In addition, I set the keytab file's group to dovecot and made the file group
readable, as suggested by http://wiki2.dovecot.org/Authentication/Kerberos. I also tried
making it world readable. Now, after doing all that and restarting dovecot I still get the
Jun 30 16:59:54 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<3hLnJoU2vgDAqAA6>
and still the same error in Thunderbird: "The Kerberos/DSSAPI ticket was not accepted by the
Thunderbird account (running on WIN7).
auth_debug_passwords = yes
* auth_gssapi_hostname = $ALL
* auth_krb5_keytab = /etc/krb5.keytab
* auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
driver = passwd
}
verbose_ssl = yes
(yes, I put the keytab file in /etc/krb5.keytab, not in etc/dovecot. Should be OK, right?)
Here is my keytab list (partial); note that every entry appears in triplicate. I don't see
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
Can you tell from any of this why I'm still not able to authenticate?
You only need lines 97 and 98; substitute fqdn and realm like I
mentioned above.
It must be possible for Thunderbird to use plain authentication with
your Windows account username.
It may be that you must configure userdb and passdb to do LDAP lookups against
Active Directory.
Post by Mark Foley
Thanks, --Mark
-----Original Message-----
Post by Achim Gottinger
Date: Thu, 30 Jun 2016 11:51:34 +0200
Post by Mark Foley
To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set
Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab
file as required by Dovecot. I've also downloaded and installed Kerberos for access to
the k* commands (ktutil, kinit, klist, ...).
In my current setup, the Thunderbird client (WIN7 workstation) is not connecting. The WIN7
workstation is a domain member and works fine otherwise with Samba4 for AD user authentication,
that you are logged in to the Kerberos/GSSAPI realm."
server at all, but rather the email address of the Thunderbird account.
When attempting to connect, the Dovecot log simply has "Disconnected (no auth attempts in 18
secs): user=<>". No message at all appears in the samba log although I have auth:10 level set.
auth_mechanisms = plain login gssapi
That's it (the other mechanism work just fine, BTW). Not much I can mess with there.
I think the problem is with Samba and handling the authentication. I do not think my Samba4 is
configured correctly. Over a year ago Rowland Penny helped me configure a Ubuntu workstation
for single-sign-on using Kerberos. He had me put the following lines into that workstation's
security = ADS
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind nss info = rfc2307
winbind trusted domains only = no
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
I've tried sticking all of these in the AD/DC smb.conf and, when restarting Samba, I get a log
message, "Samba detected misconfigured 'server role' and exited."
passwd: compat winbind
group: compat winbind
Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server
for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.
Need Help! Thanks --Mark
Hello Mark,
This is what I used in Debian wheezy a few years back. I assume
arcfour-hmac is unsafe these days, but I did not yet investigate
other working encryption methods here.
If you need smtp (postfix with auth via dovecot) also add the smtp
spn's. Use the password for user dovecot during keytab creation.
1. Create an user
samba-tool create user dovcot
2. Add the spn
3. Create the keytab file
ktutil
arcfour-hmac
arcfour-hmac
wkt /etc/dovecot/dovecot.keytab
4. Add this to your dovecot config
# Kerberos
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
Hope it helps,
achim~
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Mueller
2016-07-01 06:01:06 UTC
My dovecot-ldap.conf.ext. I use the field mail in ads so my user logins are: ***@tplk.loc and Windows password.

hosts = ip.mysamb.dc:389
dn = cn=myuserfordevecotlogintoads,cn=users,dc=tplk,dc=loc
dnpass = mysecretpassword

auth_bind = yes
ldap_version = 3

base = cn=Users,dc=tplk,dc=loc
scope = subtree
user_filter = (mail=%u)
pass_filter = (mail=%u)
pass_attrs = mail=%u,= userPassword=password


EDV Daniel Müller

Head of IT (Leitung EDV)
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
Email: ***@tropenklinik.de
www.tropenklinik.de
www.bauen-sie-mit.tropenklinik.de




-----Original Message-----
From: Mark Foley [mailto:***@ohprs.org]
Sent: Friday, 1 July 2016 00:47
To: ***@lists.samba.org
Subject: Re: [Samba] Where is krb5.keytab or equivalent?

Achim,

I deleted the keytab file and did the following:

$ samba-tool user delete dovecot
$ samba-tool user add dovecot

# again, that asked for a password and I assigned one.

$ samba-tool spn add smpt/***@HPRS.LOCAL dovecot
$ samba-tool spn add imap/***@HPRS.LOCAL dovecot

$ ktutil
ktutil: addent -password -p smtp/***@HPRS.LOCAL -k 1 -e arcfour-hmac
Password for smtp/***@HPRS.LOCAL:
ktutil: addent -password -p imap/***@HPRS.LOCAL -k 1 -e arcfour-hmac
Password for imap/***@HPRS.LOCAL:
ktutil: wkt /etc/dovecot/dovecot.keytab
ktutil: quit

$ ktutil
ktutil: read_kt /etc/dovecot/dovecot.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 smtp/***@HPRS.LOCAL
   2    1 imap/***@HPRS.LOCAL

So, much better. Duh for me not noticing that I had to change fqdn and domain to my own.

Reloaded dovecot and tried again. Same error :(

Jun 30 18:36:10 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<OTQqf4Y2SgDAqAA6>
Post by Achim Gottinger
It must be possible for Thunderbird to use plain authentification with
your windows account username. Can be you must configure userdb and
passdb to do ldap lookups against active directory.
Yes, Thunderbird (and Outlook, iPhone/Android, roundCube) all do plain text auth to dovecot. I will continue to need this for non-domain email clients. According to the dovecot folks, the passwd as userdb should work OK for gssapi. The passdb is ignored for gssapi. Besides, LDAP authentication is another one (along with NTLM) that I haven't been able to get working with Dovecot. The only ones I've been able to get working are PLAIN and, believe it or not, checkpassword - which is basically a passdb driver for PLAIN.

Perhaps there is some samba setting I'm missing? Here's my AD/DC smb.conf, do you see anything missing I need? :

[global]
workgroup = HPRS
realm = hprs.local
netbios name = MAIL
interfaces = lo, eth1
bind interfaces only = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes

winbind use default domain = yes

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

log level = 2 passdb:5 auth:10 winbind:2 lanman:10
max log size = 1000

[netlogon]
path = /var/lib/samba/sysvol/hprs.local/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[Users]
path = /redirectedFolders/Users
comment = user folders for redirection
read only = No

[share]
path = /var/lib/samba/share
comment = Shared folder
read only = No

Thanks --Mark

-----Original Message-----
Post by Achim Gottinger
Date: Thu, 30 Jun 2016 23:44:17 +0200
Subject: Re: [Samba] Where is krb5.keytab or equivalent?
Post by Mark Foley
Post by Achim Gottinger
1. Create an user
samba-tool create user dovcot
I did this (actually `samba-tool user create dovecot`), but it asked
for a password. I entered one. You didn't mention that, so I hope it's OK.
Yes
Post by Mark Foley
Post by Achim Gottinger
2. Add the spn
Did that too. No issue there.
Well you must substitute server.domain.local with your mailserver fqdn
and DOMAIN.LOCAL with HPRS.LOCAL.
Post by Mark Foley
Post by Achim Gottinger
3. Create the keytab file
ktutil
arcfour-hmac addent -password -p
/etc/dovecot/dovecot.keytab
As you can see, your text wrapped, but from the error message I got
$ ktutil
Same here substitute like above and as you said arcfour-hmac belongs
in the same line.
Post by Mark Foley
Of course, that will probably also wrap when you get this message,
but basically I put the arcfour-hmac on the same line as the addent.
Each time, these commands also asked for a password. Again, you
didn't mention that, but I used the same password I used for the `samba-tool user create` command above.
I tried 'wkt /etc/dovecot/dovecot.keytab' while in ktutil, but I got, "Unknown request "wtk".
Type '?' for a request list." In looking at the "?" list I saw
'wkt', so I assumed you simply transposed the letters. I tried it and it took.
Yes wkt is the command, but make sure /etc/dovecot/dovecot.keytab does
not yet exist.
Only the two keys you just added are required to get kerberos working.
The system keytab you generated with samba-tool domain exportkeytab is
not required.
Post by Mark Foley
Post by Achim Gottinger
4. Add this to your dovecot config
# Kerberos
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
Did that. In addition, I set the keytab file's group to dovecot and
made the file group readable, as suggested by
http://wiki2.dovecot.org/Authentication/Kerberos. I also tried
Jun 30 16:59:54 imap-login: Info: Disconnected (no auth attempts in
6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS,
session=<3hLnJoU2vgDAqAA6>
and still the same error in Thunderbird: "The Kerberos/DSSAPI ticket
the email address of the Thunderbird account (running on WIN7).
auth_debug_passwords = yes
* auth_gssapi_hostname = $ALL
* auth_krb5_keytab = /etc/krb5.keytab
* auth_mechanisms = plain login gssapi auth_verbose = yes
auth_verbose_passwords = plain disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info mail_location =
maildir:~/Maildir passdb {
driver = shadow
}
protocols = imap
ssl_cert =
</etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
driver = passwd
}
verbose_ssl = yes
(yes, I put the keytab file in /etc/krb5.keytab, not in etc/dovecot.
Should be OK, right?)
Here is my keytab list (partial); note that every entry appears in
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
Can you tell from any of this why I'm still not able to authenticate?
You only need lines 97 and 98; substitute fqdn and realm like I
mentioned above.
It must be possible for Thunderbird to use plain authentication with
your Windows account username.
It may be that you must configure userdb and passdb to do LDAP lookups against
Active Directory.
Post by Mark Foley
Thanks, --Mark
-----Original Message-----
Post by Achim Gottinger
Date: Thu, 30 Jun 2016 11:51:34 +0200
Post by Mark Foley
To revisit my problem: I have Dovecot running on the same host as
Samba4 AD/DC. I've set Thunderbird to authenticate with GSSAPI on
a domain workstation. I have an /etc/krb5.keytab file as required
by Dovecot. I've also downloaded and installed Kerberos for access to the k* commands (ktutil, kinit, klist, ...).
In my current setup, the Thunderbird client (WIN7 workstation) is
not connecting. The WIN7 workstation is a domain member and works
"The Kerberos/GSSAPI ticket was not accepted by the IMAP server
One disconcerting bit about that message is the named IMAP server
When attempting to connect, the Dovecot log simply has
"Disconnected (no auth attempts in 18
secs): user=<>". No message at all appears in the samba log although I have auth:10 level set.
auth_mechanisms = plain login gssapi
That's it (the other mechanism work just fine, BTW). Not much I can mess with there.
I think the problem is with Samba and handling the authentication.
I do not think my Samba4 is configured correctly. Over a year ago
Rowland Penny helped me configure a Ubuntu workstation for
security = ADS
dedicated keytab file = /etc/krb5.keytab kerberos method = secrets
and keytab winbind nss info = rfc2307 winbind trusted domains only
= no winbind enum users = yes winbind enum groups = yes winbind
refresh tickets = Yes
I've tried sticking all of these in the AD/DC smb.conf and, when
restarting Samba, I get a log message, "Samba detected misconfigured 'server role' and exited."
passwd: compat winbind
group: compat winbind
Do I possibly need some of these (or others?) settings in these
conf files on the AD/DC server for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.
Need Help! Thanks --Mark
Hello Mark,
This is what I used in Debian wheezy a few years back. I assume
arcfour-hmac is unsafe these days, but I did not yet investigate
other working encryption methods here.
If you need smtp (postfix with auth via dovecot) also add the smtp
spn's. Use the password for user dovecot during keytab creation.
1. Create an user
samba-tool create user dovcot
2. Add the spn
3. Create the keytab file
ktutil
arcfour-hmac addent -password -p
/etc/dovecot/dovecot.keytab
4. Add this to your dovecot config
# Kerberos
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
Hope it helps,
achim~
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
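The ktutil sessions in Mark's reply (quoted above, and in his own message earlier in the thread) write an MIT-format keytab and inspect it with `ktutil: list`. The Python below is an added example, not code from the thread, from Samba or from Dovecot: it reads a version 0x0502 keytab offline, rebuilds it byte for byte, prints a `klist -ke` style listing, and audits the entries for the two things a defender would check after following Achim's steps: RC4 (arcfour-hmac) or single-DES keys, which Achim already suspects are unsafe, and keytab principals that have no matching servicePrincipalName in AD (the list `samba-tool spn list <user>` prints). The realm EXAMPLE.LOCAL, the host mailhost.example.local, the 16-byte keys, the timestamp and the SPN set are all constructed placeholders; the SPN set carries a deliberate service-name typo so the consistency check has something to report.

```python
"""Offline keytab inspector: parse, rebuild and audit MIT-format keytabs.

Added example (not from the thread, Samba or Dovecot). Every name below is
constructed: realm EXAMPLE.LOCAL, host mailhost.example.local, the keys and
the timestamp are placeholders, not values from the discussion.
"""
import struct

# Enctype numbers from RFC 3961/3962/4757; these are the names klist -ke prints.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}  # single DES and RC4 are deprecated (RFC 6649, RFC 8429)


def _counted(buf, off):
    """Read a keytab counted_octet_string: uint16 length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Decode a version-0x0502 keytab into a list of entry dicts (like `klist -ke`)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                 # negative size = free slot left by `ktutil delent`
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        key, off = _counted(data, off + 11)
        kvno = vno8
        if end - off >= 4:            # 32-bit kvno follows the key block when present
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno, "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
            "timestamp": timestamp, "key": key,
        })
        off = end
    return entries


def build_keytab(entries):
    """Serialize entry dicts (as returned by parse_keytab) back into keytab bytes."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        body = bytearray(struct.pack(">H", name.count("/") + 1))
        for s in [realm] + name.split("/"):          # realm first, then components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, e["timestamp"], e["kvno"] & 0xFF)  # name_type 1 = NT_PRINCIPAL
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def audit_keytab(entries, registered_spns):
    """Findings a defender wants: weak enctypes, and keytab principals with no
    matching servicePrincipalName (registered_spns is the `samba-tool spn list` output)."""
    findings = []
    for e in entries:
        spn = e["principal"].rsplit("@", 1)[0]
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("weak enctype %s: %s" % (e["enctype_name"], e["principal"]))
        if spn not in registered_spns:
            findings.append("no SPN registered for keytab principal %s" % spn)
    return findings


def format_klist(entries):
    """Render entries in the layout of `klist -ke`."""
    lines = ["KVNO Principal", "---- " + "-" * 60]
    for e in entries:
        lines.append("%4d %s (%s)" % (e["kvno"], e["principal"], e["enctype_name"]))
    return "\n".join(lines)


# Constructed sample: two RC4 entries, as `ktutil addent ... -e arcfour-hmac` would write.
SAMPLE_ENTRIES = [
    {"principal": "smtp/mailhost.example.local@EXAMPLE.LOCAL", "kvno": 1, "enctype": 23,
     "timestamp": 1467327600, "key": bytes(range(16))},
    {"principal": "imap/mailhost.example.local@EXAMPLE.LOCAL", "kvno": 1, "enctype": 23,
     "timestamp": 1467327600, "key": bytes(range(16, 32))},
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)
# Same file with a 3-byte free slot after the header, as `ktutil delent` leaves behind.
SAMPLE_KEYTAB_WITH_HOLE = SAMPLE_KEYTAB[:2] + struct.pack(">i", -3) + b"\0" * 3 + SAMPLE_KEYTAB[2:]
# Constructed SPN list with a deliberate service-name typo ("smpt") so the check fires.
SAMPLE_SPNS = {"smpt/mailhost.example.local", "imap/mailhost.example.local"}

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    print(format_klist(parsed))
    for finding in audit_keytab(parsed, SAMPLE_SPNS):
        print("FINDING:", finding)
```

Feeding the bytes of /etc/dovecot/dovecot.keytab to parse_keytab gives the same principals and KVNOs ktutil lists, without the Kerberos tools having to be installed on the machine doing the review. Two silent causes of a GSSAPI failure show up in that listing: a principal whose service part does not exactly match a registered SPN, and a KVNO that no longer matches the account's msDS-KeyVersionNumber, which increments every time the account password is reset, so the service can no longer decrypt the client's ticket.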
Achim Gottinger
2016-06-30 09:54:32 UTC
Post by Mark Foley
To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set
Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab
file as required by Dovecot. I've also downloaded and installed Kerberos for access to
the k* commands (ktutil, kinit, klist, ...).
In my current setup, the Thunderbird client (WIN7 workstation) is not connecting. The WIN7
workstation is a domain member and works fine otherwise with Samba4 for AD user authentication,
that you are logged in to the Kerberos/GSSAPI realm."
server at all, but rather the email address of the Thunderbird account.
When attempting to connect, the Dovecot log simply has "Disconnected (no auth attempts in 18
secs): user=<>". No message at all appears in the samba log although I have auth:10 level set.
auth_mechanisms = plain login gssapi
That's it (the other mechanism work just fine, BTW). Not much I can mess with there.
I think the problem is with Samba and handling the authentication. I do not think my Samba4 is
configured correctly. Over a year ago Rowland Penny helped me configure a Ubuntu workstation
for single-sign-on using Kerberos. He had me put the following lines into that workstation's
security = ADS
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind nss info = rfc2307
winbind trusted domains only = no
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
I've tried sticking all of these in the AD/DC smb.conf and, when restarting Samba, I get a log
message, "Samba detected misconfigured 'server role' and exited."
passwd: compat winbind
group: compat winbind
Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server
for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.
Need Help! Thanks --Mark
Sorry for my first reply, had hit submit by accident.

You may also need this in your dovecot configuration.

# Strip domain part from username
auth_username_format=%n
Mark Foley
2016-06-30 21:20:16 UTC
Tried that too. Same error:

Jun 30 17:18:52 imap-login: Info: Disconnected (no auth attempts in 5 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<UHG7aoU23gDAqAA6>

--Mark

-----Original Message-----
Date: Thu, 30 Jun 2016 11:54:32 +0200
You may also need this in your dovecot configuration.
# Strip domain part from username
auth_username_format=%n