[Samba] Where is krb5.keytab or equivalent?
Mark Foley
mfoley@ohprs.org
Thu Jun 30 21:16:53 UTC 2016
Achim, thanks a lot! A couple of questions on your suggested settings:
> 1. Create an user
> samba-tool create user dovcot
I did this (actually `samba-tool user create dovecot`), but it asked for a password. I
entered one. You didn't mention that, so I hope it's OK.
> 2. Add the spn
> samba-tool spn add smtp/server.domain.local@DOMAIN.LOCAL dovecot
> samba-tool spn add imap/server.domain.local@DOMAIN.LOCAL dovecot
Did that too. No issue there.
>
> 3. Create the keytab file
> ktutil
> addent -password -p smtp/server.domain.local@DOMAIN.LOCAL -k 1 -e
> arcfour-hmac
> addent -password -p imap/server.domain.local@DOMAIN.LOCAL -k 1 -e
> arcfour-hmac
> wkt /etc/dovecot/dovecot.keytab
As you can see, your text wrapped, but from the error message I got I assumed the -e [enctype]
should have been the arcfour-hmac on the next line. So I did:
$ ktutil
ktutil: addent -password -p smtp/server.domain.local@DOMAIN.LOCAL -k 1 -e arcfour-hmac
ktutil: addent -password -p imap/server.domain.local@DOMAIN.LOCAL -k 1 -e arcfour-hmac
Of course, that will probably also wrap when you get this message, but basically I put the
arcfour-hmac on the same line as the addent. Each time, these commands also asked for a
password. Again, you didn't mention that, but I used the same password I used for the
`samba-tool user create` command above.
I tried 'wkt /etc/dovecot/dovecot.keytab' while in ktutil, but I got, "Unknown request "wtk".
Type '?' for a request list." In looking at the "?" list I saw 'wkt', so I assumed you simply
transposed the letters. I tried it and it took.
> 4. Add this to your dovecot config
>
> # Kerberos
> auth_gssapi_hostname = "$ALL"
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
Did that. In addition, I set the keytab file's group to dovecot and made the file group
readable, as suggested by http://wiki2.dovecot.org/Authentication/Kerberos. I also tried
making it world readable. Now, after doing all that and restarting dovecot I still get the
same dovecot error:
Jun 30 16:59:54 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<3hLnJoU2vgDAqAA6>
and still the same error in Thunderbird: "The Kerberos/GSSAPI ticket was not accepted by the
IMAP server mark@ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."
As I've mentioned before, "mark@ohprs.org" is not a server. It is the email address of the
Thunderbird account (running on WIN7).
Here is my doveconf -n (gssapi marked with *):
auth_debug_passwords = yes
* auth_gssapi_hostname = $ALL
* auth_krb5_keytab = /etc/krb5.keytab
* auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
driver = passwd
}
verbose_ssl = yes
(yes, I put the keytab file in /etc/krb5.keytab, not in /etc/dovecot. Should be OK, right?)
Here is my keytab list (partial); note that every entry appears in triplicate. I don't see
'dovecot' in there at all; maybe that's OK:
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 18 COMMON$@HPRS.LOCAL
2 18 COMMON$@HPRS.LOCAL
3 18 COMMON$@HPRS.LOCAL
4 1 MAIL$@HPRS.LOCAL
5 1 MAIL$@HPRS.LOCAL
6 1 MAIL$@HPRS.LOCAL
7 1 charmaine@HPRS.LOCAL
8 1 charmaine@HPRS.LOCAL
9 1 charmaine@HPRS.LOCAL
:
19 1 Administrator@HPRS.LOCAL
20 1 Administrator@HPRS.LOCAL
21 1 Administrator@HPRS.LOCAL
:
91 1 krbtgt@HPRS.LOCAL
92 1 krbtgt@HPRS.LOCAL
93 1 krbtgt@HPRS.LOCAL
:
97 1 smtp/server.domain.local@DOMAIN.LOCAL
98 1 imap/server.domain.local@DOMAIN.LOCAL
Can you tell from any of this why I'm still not able to authenticate?
Thanks, --Mark
-----Original Message-----
> To: samba@lists.samba.org
> From: Achim Gottinger <achim@ag-web.biz>
> Date: Thu, 30 Jun 2016 11:51:34 +0200
>
> On 30.06.2016 at 10:45, Mark Foley wrote:
> > To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set
> > Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab
> > file as required by Dovecot. I've also downloaded and installed Kerberos for access to
> > the k* commands (ktutil, kinit, klist, ...).
> >
> > In my current setup, the Thunderbird client (WIN7 workstation) is not connecting. The WIN7
> > workstation is a domain member and works fine otherwise with Samba4 for AD user authentication,
> > etc. Thunderbird gives the following error:
> >
> > "The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark@ohprs.org. Please check
> > that you are logged in to the Kerberos/GSSAPI realm."
> >
> > One disconcerting bit about that message is the named IMAP server "mark@ohprs.org" is not a
> > server at all, but rather the email address of the Thunderbird account.
> >
> > When attempting to connect, the Dovecot log simply has "Disconnected (no auth attempts in 18
> > secs): user=<>". No message at all appears in the samba log although I have auth:10 level set.
> > Dovecot's 'configuration' for GSSAPI consists of nothing more than specifying:
> >
> > auth_mechanisms = plain login gssapi
> >
> > That's it (the other mechanisms work just fine, BTW). Not much I can mess with there.
> >
> > I think the problem is with Samba and handling the authentication. I do not think my Samba4 is
> > configured correctly. Over a year ago Rowland Penny helped me configure a Ubuntu workstation
> > for single-sign-on using Kerberos. He had me put the following lines into that workstation's
> > smb.conf file, none of which appear in the provisioned smb.conf on the Samba4 AD/DC server:
> >
> > security = ADS
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > winbind nss info = rfc2307
> > winbind trusted domains only = no
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind refresh tickets = Yes
> >
> > I've tried sticking all of these in the AD/DC smb.conf and, when restarting Samba, I get a log
> > message, "Samba detected misconfigured 'server role' and exited."
> >
> > He also had me put the following in /etc/nsswitch.conf:
> >
> > passwd: compat winbind
> > group: compat winbind
> >
> > Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server
> > for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.
> >
> > Need Help! Thanks --Mark
> Hello Mark,
>
> This is what I used in Debian wheezy a few years back. I assume
> arcfour-hmac is unsafe these days, but I did not yet investigate
> other working encryption methods here.
> If you need smtp (postfix with auth via dovecot) also add the smtp
> SPNs. Use the password for user dovecot during keytab creation.
>
> 1. Create an user
> samba-tool create user dovcot
>
> 2. Add the spn
> samba-tool spn add smtp/server.domain.local@DOMAIN.LOCAL dovecot
> samba-tool spn add imap/server.domain.local@DOMAIN.LOCAL dovecot
>
> 3. Create the keytab file
> ktutil
> addent -password -p smtp/server.domain.local@DOMAIN.LOCAL -k 1 -e
> arcfour-hmac
> addent -password -p imap/server.domain.local@DOMAIN.LOCAL -k 1 -e
> arcfour-hmac
> wkt /etc/dovecot/dovecot.keytab
>
> 4. Add this to your dovecot config
>
> # Kerberos
> auth_gssapi_hostname = "$ALL"
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
>
> Hope it helps,
> achim~
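The ktutil listing in the thread shows, per entry, only a slot number, KVNO and principal; it does not show the enctype each key was written with, and the realm of the two SPN entries is different from the realm of every other entry. The following is an added example, not code from Samba, Dovecot or either poster: a small Python script that parses the MIT keytab format that ktutil's `wkt` writes (and that Dovecot's `auth_krb5_keytab` reads), prints each entry with its enctype, and reports service principals that are missing for a given host and realm, entries whose realm does not match that realm, and entries keyed with RC4 or DES. The principal names, realm and key bytes in `SAMPLE_ENTRIES` are constructed placeholders reusing the names from the thread; the hostname and realm passed to `audit_keytab` are assumptions you replace with your own.

```python
"""Inspect an MIT-format keytab without kinit/klist and flag common GSSAPI setup problems.

Added example for the thread above; not code from Samba, Dovecot or the posters.
The entries in SAMPLE_ENTRIES are constructed placeholders, not a real keytab.
"""
import io
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757/8009) to names.
ENCTYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1-kd",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac", 24: "arcfour-hmac-exp",
}
WEAK_ENCTYPES = {1, 3, 23, 24}      # single DES and RC4 (key == unsalted NT hash)
KEYTAB_MAGIC = b"\x05\x02"          # MIT keytab file format, version 2


def _counted(buf):
    """counted_octet_string: uint16 big-endian length followed by that many bytes."""
    (n,) = struct.unpack(">H", buf.read(2))
    return buf.read(n)


def parse_keytab(data):
    """Return a list of dicts with principal, kvno, enctype, key and timestamp."""
    buf = io.BytesIO(data)
    if buf.read(2) != KEYTAB_MAGIC:
        raise ValueError("not an MIT keytab v2 file")
    entries = []
    while True:
        hdr = buf.read(4)
        if len(hdr) < 4:
            break
        (size,) = struct.unpack(">i", hdr)
        if size < 0:                 # negative size marks a deleted slot of |size| bytes
            buf.read(-size)
            continue
        body = io.BytesIO(buf.read(size))
        (ncomp,) = struct.unpack(">H", body.read(2))
        realm = _counted(body).decode()
        comps = [_counted(body).decode() for _ in range(ncomp)]
        _name_type, timestamp, vno8 = struct.unpack(">IIB", body.read(9))
        enctype, klen = struct.unpack(">HH", body.read(4))
        key = body.read(klen)
        kvno = vno8
        tail = body.read(4)          # newer writers append a 32-bit kvno; nonzero overrides vno8
        if len(tail) == 4 and struct.unpack(">I", tail)[0]:
            kvno = struct.unpack(">I", tail)[0]
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "key": key, "timestamp": timestamp})
    return entries


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into keytab bytes (used for the sample)."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def audit_keytab(data, host, realm, services=("imap", "smtp")):
    """List problems relevant to a Dovecot GSSAPI keytab for service/host@realm."""
    entries = parse_keytab(data)
    findings = []
    wanted = {"%s/%s@%s" % (s, host, realm) for s in services}
    present = {e["principal"] for e in entries}
    for p in sorted(wanted - present):
        findings.append("missing service principal %s" % p)
    for e in entries:
        name = ENCTYPES.get(e["enctype"], "enctype %d" % e["enctype"])
        if e["principal"].rsplit("@", 1)[1] != realm:
            findings.append("%s is not in realm %s" % (e["principal"], realm))
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("%s uses weak %s (kvno %d)" % (e["principal"], name, e["kvno"]))
    return findings


# Constructed sample: the two SPNs from the thread keyed with RC4 (the ktutil
# addent lines above), plus an AES machine-account entry in another realm.
# Key bytes are dummies, not real keys.
SAMPLE_ENTRIES = [
    ("imap/server.domain.local@DOMAIN.LOCAL", 1, 23, bytes(range(16))),
    ("smtp/server.domain.local@DOMAIN.LOCAL", 1, 23, bytes(range(16))),
    ("MAIL$@HPRS.LOCAL", 1, 18, bytes(range(32))),
]


def sample_keytab():
    return build_keytab(SAMPLE_ENTRIES)


if __name__ == "__main__":
    import sys
    # Assumed usage: python keytab_audit.py /etc/dovecot/dovecot.keytab; no path reads the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_keytab()
    for e in parse_keytab(data):
        print("%-45s kvno=%-3d %s" % (e["principal"], e["kvno"], ENCTYPES.get(e["enctype"], e["enctype"])))
    for f in audit_keytab(data, "server.domain.local", "DOMAIN.LOCAL"):
        print("!", f)
```

Run it as the same user Dovecot's auth process runs as, so a permission problem on the keytab shows up here before it shows up as a silent "no auth attempts" disconnect. The script only inspects the file; to confirm that the key in the file matches what the KDC holds for that principal, use MIT `kinit -k -t /etc/dovecot/dovecot.keytab imap/<host>@<REALM>`, which fails on a wrong password or KVNO.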