[Samba] Where is krb5.keytab or equivalent?

Mark Foley mfoley at ohprs.org
Fri Jul 1 04:09:29 UTC 2016


Achim - per your instructions ...

> Did a few tests here; "auth_gssapi_hostname = "$ALL"" is no longer 
> required with dovecot (2.2.13 here).

My dovecot is 2.2.15 and the 10-auth.conf (from the template) has the comment:

# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.

But, I've commented that out per your suggestion.

> Add "auth_debug=yes" to your dovecot config.

I already have:

auth_debug_passwords = yes

but I've added the auth_debug per your suggestion.

> 192.168.100.1 is my clients ip 192.168.100.101 is the servers

My WIN7/Thunderbird client is 192.168.0.58 and AD/DC/Dovecot server is 192.168.0.2

> ag is the domain account username I use to login to windows and also the 
> username configured in thunderbird.

For me the domain and Tbird account is 'mark'.

> On my debian system a package named libsasl2-modules-gssapi-mit must be 
> installed.

I did install mit krb5. I am using Slackware which has a different package name, but it did
install and compile OK, so I don't think I'm missing anything (but who knows?).

> To test kerberos against dovecot from the command line install "mutt".

I have mutt

> I assume your windows account name is "mark"

yes

> ~#kinit mark

I did the above ... as root (should I have been 'mark'?) on the AD/DC server.

----------
$ kinit mark
Password for mark at HPRS.LOCAL:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mark at HPRS.LOCAL

Valid starting       Expires              Service principal
06/30/2016 23:41:31  07/01/2016 09:41:31  krbtgt/HPRS.LOCAL at HPRS.LOCAL
        renew until 07/01/2016 23:41:27
---------

> ~#MAIL=imap://mark@mail.hprs.local/ mutt

Did that. A message quickly flashed: "Certificate host check failed: certificate owner does
not match hostname mail.hprs.org".

Then a (presumably) mutt edit window came up with:

-------
This certificate belongs to:
   mail.ohprs.org
   Unknown
   Unknown
   Domain Control Validated
   Unknown

This certificate was issued by:
   Go Daddy Secure Certificate Authority - G2
   Unknown
   GoDaddy.com, Inc.
   http:
   Scottsdale

This certificate is valid
   from Aug 14 21:38:38 2015 GMT
     to Aug 15 17:49:32 2016 GMT

Fingerprint: B3B3 98E9 5675 0CEB 95D4 9146 9D1C 9064

(r)eject, accept (o)nce, (a)ccept always
------

I did (r), then quit. I also tried

MAIL=imap://mark@ohprs.org/ mutt

to no better results.

> A successful login with mutt looks like this in the mail logfile:
>
[deleted]

Nothing at all in maillog. Dovecot log had:

Jun 30 23:53:28 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [98.102.63.107]
Jun 30 23:53:43 imap-login: Debug: SSL alert: close notify [98.102.63.107]
Jun 30 23:53:43 imap-login: Info: Disconnected (no auth attempts in 15 secs): user=<>, rip=98.102.63.107, lip=98.102.63.107, TLS: Disconnected, session=<TD7I7oo2gQBiZj9r>

> Also take a look at this page
> http://wiki2.dovecot.org/Authentication/Kerberos

Been to that page dozens of times :) A couple of things different on that page from our config
thus far:

1) "... you will need to install a service ticket of the form imap/hostname at REALM."

We added 'imap/mail.hprs.local dovecot', i.e. the fqdn, not just the hostname. Could this be a
clue?

2) "Enable plaintext authentication to use Kerberos
This is needed when some of your clients don't support GSSAPI and you still want them to
authenticate against Kerberos."

It then shows an /etc/pam.d/dovecot config, but I don't care about clients who do not support
GSSAPI, so I don't think I need this.

> Looking at my spn's you may also need
> samba-tool spn add imap/mail.hprs.local dovecot

I added that; it didn't make any difference.

Does the "Certificate host check failed" message and the mutt output tell you anything?

Thanks for your patience --Mark

-----Original Message-----
> To: samba at lists.samba.org
> From: Achim Gottinger <achim at ag-web.biz>
> Date: Fri, 1 Jul 2016 01:38:15 +0200
>
> Did a few tests here; "auth_gssapi_hostname = "$ALL"" is no longer 
> required with dovecot (2.2.13 here).
>
> Add "auth_debug=yes" to your dovecot config.
>
> 192.168.100.1 is my clients ip 192.168.100.101 is the servers
>
> ag is the domain account username I use to login to windows and also the 
> username configured in thunderbird.
>
> On my debian system a package named libsasl2-modules-gssapi-mit must be 
> installed.
>
> To test kerberos against dovecot from the command line install "mutt".
>
> I assume your windows account name is "mark"
>
> ~#kinit mark
> ~#MAIL=imap://mark@mail.hprs.local/ mutt
>
> A successful login with mutt looks like this in the mail logfile:
>
> Debug: auth client connected (pid=22585)
> logon-zor dovecot: auth: Debug: client in: 
> AUTH#0111#011GSSAPI#011service=imap#011secured#011session=p/ahQ4c2/wB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=44287#011resp=<hidden>
> logon-zor dovecot: auth: Debug: gssapi(?,127.0.0.1,<p/ahQ4c2/wB/AAAB>): 
> Obtaining credentials for imap@
> logon-zor dovecot: auth: Debug: gssapi(ag,127.0.0.1,<p/ahQ4c2/wB/AAAB>): 
> security context state completed.
> logon-zor dovecot: auth: Debug: client passdb out: 
> CONT#0111#011YIGVBgkqhkiG9xIBAgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrXAIZT4a2p58/+ylPphtphYA6sTnK4QCyRkHRm1VTnvrfjxc3Ya2ui9IHsBGnPggzjLVNScFx6aHJi99VCDG7s07zNUF8d4WHuNZz7el5gwK4Quy3AeUX8zVa7xkIECuTtT5W7BjpsBThhMc=
> logon-zor dovecot: auth: Debug: client in: CONT<hidden>
> logon-zor dovecot: auth: Debug: gssapi(ag,127.0.0.1,<p/ahQ4c2/wB/AAAB>): 
> Negotiated security layer
> logon-zor dovecot: auth: Debug: client passdb out: 
> CONT#0111#011BQQF/wAMAAAAAAAAKxVA5AH///8b1puThszycYxSFvE=
> logon-zor dovecot: auth: Debug: client in: CONT<hidden>
>
> imap-login: Login: user=<ag>, method=GSSAPI, rip=127.0.0.1, 
> lip=127.0.0.1, mpid=19022, TLS, session=<CdYH6IY2oADAwAw9>
>
>
> Also take a look at this page
> http://wiki2.dovecot.org/Authentication/Kerberos
>
> Looking at my spn's you may also need
>
> samba-tool spn add imap/mail.hprs.local dovecot
>
>
>
> On 01.07.2016 at 00:46, Mark Foley wrote:
> > Achim,
> >
> > I deleted the keytab file and did the following:
> >
> > $ samba-tool user delete dovecot
> > $ samba-tool user add dovecot
> >
> > # again, that asked for a password and I assigned one.
> >
> > $ samba-tool spn add smpt/mail.hprs.local at HPRS.LOCAL dovecot
> > $ samba-tool spn add imap/mail.hprs.local at HPRS.LOCAL dovecot
> >
> > $ ktutil
> > ktutil:  addent -password -p smtp/mail.hprs.local at HPRS.LOCAL -k 1 -e arcfour-hmac
> > Password for smtp/mail.hprs.local at HPRS.LOCAL:
> > ktutil:  addent -password -p imap/mail.hprs.local at HPRS.LOCAL -k 1 -e arcfour-hmac
> > Password for imap/mail.hprs.local at HPRS.LOCAL:
> > ktutil:  wkt /etc/dovecot/dovecot.keytab
> > ktutil:  quit
> >
> > $ ktutil
> > ktutil:  read_kt /etc/dovecot/dovecot.keytab
> > ktutil:  list
> > slot KVNO Principal
> > ---- ---- ---------------------------------------------------------------------
> >     1    1          smtp/mail.hprs.local at HPRS.LOCAL
> >     2    1          imap/mail.hprs.local at HPRS.LOCAL
> >
> > So, much better. Duh for me not noticing that I had to change fqdn and domain to my own.
> >
> > Reloaded dovecot and tried again. Same error :(
> >
> > Jun 30 18:36:10 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<OTQqf4Y2SgDAqAA6>
> >
> > You wrote:
> >
> >> It must be possible for Thunderbird to use plain authentication with your windows account
> >> username.  It may be that you must configure userdb and passdb to do ldap lookups against active
> >> directory.
> > Yes, Thunderbird (and Outlook, iPhone/Android, roundCube) all do plain text auth to dovecot. I will
> > continue to need this for non-domain email clients. According to the dovecot folks, the passwd
> > as userdb should work OK for gssapi. The passdb is ignored for gssapi. Besides, LDAP
> > authentication is another one (along with NTLM) that I haven't been able to get working with
> > Dovecot. The only ones I've been able to get working are PLAIN and, believe it or not,
> > checkpassword - which is basically a passdb driver for PLAIN.
> >
> > Perhaps there is some samba setting I'm missing? Here's my AD/DC smb.conf, do you see anything
> > missing I need? :
> >
> > [global]
> >          workgroup = HPRS
> >          realm = hprs.local
> >          netbios name = MAIL
> >          interfaces = lo, eth1
> >          bind interfaces only = Yes
> >          server role = active directory domain controller
> >          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> >          idmap_ldb:use rfc2307 = yes
> >
> >      winbind use default domain = yes
> >
> >      load printers = no
> >      printing = bsd
> >      printcap name = /dev/null
> >      disable spoolss = yes
> >
> >      log level = 2 passdb:5 auth:10 winbind:2 lanman:10
> >      max log size = 1000
> >
> > [netlogon]
> >          path = /var/lib/samba/sysvol/hprs.local/scripts
> >          read only = No
> >
> > [sysvol]
> >          path = /var/lib/samba/sysvol
> >          read only = No
> >
> > [Users]
> >      path = /redirectedFolders/Users
> >      comment = user folders for redirection
> >      read only = No
> >
> > [share]
> >      path = /var/lib/samba/share
> >      comment = Shared folder
> >      read only = No
> >
> > Thanks --Mark
> >
> > -----Original Message-----
> >> To: samba at lists.samba.org
> >> From: Achim Gottinger <achim at ag-web.biz>
> >> Date: Thu, 30 Jun 2016 23:44:17 +0200
> >> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
> >>
> >> On 30.06.2016 at 23:16, Mark Foley wrote:
> >>> Achim, thanks a lot! A couple of questions on your suggested settings:
> >>>
> >>>> 1. Create a user
> >>>> samba-tool create user dovcot
> >>> I did this (actually `samba-tool user create dovecot`), but it asked for a password.  I
> >>> entered one.  You didn't mention that, so I hope it's OK.
> >> Yes
> >>>    
> >>>
> >>>> 2. Add the spn
> >>>> samba-tool spn add  smtp/server.domain.local at DOMAIN.LOCAL dovecot
> >>>> samba-tool spn add  imap/server.domain.local at DOMAIN.LOCAL dovecot
> >>> Did that too. No issue there.
> >> Well you must substitute server.domain.local with your mailserver fqdn
> >> and DOMAIN.LOCAL with HPRS.LOCAL.
> >>>> 3. Create the keytab file
> >>>> ktutil
> >>>> addent -password -p smtp/server.domain.local at DOMAIN.LOCAL -k 1 -e
> >>>> arcfour-hmac
> >>>> addent -password -p imap/server.domain.local at DOMAIN.LOCAL -k 1 -e
> >>>> arcfour-hmac
> >>>> wkt /etc/dovecot/dovecot.keytab
> >>> As you can see, your text wrapped, but from the error message I got I assumed the -e [enctype]
> >>> should have been the arcfour-hmac on the next line.  So I did:
> >>>
> >>> $ ktutil
> >>> ktutil: addent -password -p smtp/server.domain.local at DOMAIN.LOCAL -k 1 -e arcfour-hmac
> >>> ktutil: addent -password -p imap/server.domain.local at DOMAIN.LOCAL -k 1 -e arcfour-hmac
> >> Same here substitute like above and as you said arcfour-hmac belongs in
> >> the same line.
> >>> Of course, that will probably also wrap when you get this message, but basically I put the
> >>> arcfour-hmac on the same line as the addent. Each time, these commands also asked for a
> >>> password. Again, you didn't mention that, but I used the same password I used for the
> >>> `samba-tool user create` command above.
> >>>
> >>> I tried 'wkt /etc/dovecot/dovecot.keytab' while in ktutil, but I got, "Unknown request "wtk".
> >>> Type '?' for a request list." In looking at the "?" list I saw 'wkt', so I assumed you simply
> >>> transposed the letters.  I tried it and it took.
> >> Yes wkt is the command, but make sure /etc/dovecot/dovecot.keytab does
> >> not yet exist.
> >> Only the two keys you just added are required to get kerberos working.
> >> The system keytab you generated with samba-tool domain exportkeytab is
> >> not required.
> >>>    
> >>>
> >>>> 4. Add this to your dovecot config
> >>>>
> >>>> # Kerberos
> >>>> auth_gssapi_hostname = "$ALL"
> >>>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> >>> Did that.  In addition, I set the keytab file's group to dovecot and made the file group
> >>> readable, as suggested by http://wiki2.dovecot.org/Authentication/Kerberos.  I also tried
> >>> making it world readable.  Now, after doing all that and restarting dovecot I still get the
> >>> same dovecot error:
> >>>
> >>> Jun 30 16:59:54 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<3hLnJoU2vgDAqAA6>
> >>>
> >>> and still the same error in Thunderbird: "The Kerberos/DSSAPI ticket was not accepted by the
> >>> IMAP server mark at ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."
> >>>
> >>> As I've mentioned before, "mark at ohprs.org" is not a server. It is the email address of the
> >>> Thunderbird account (running on WIN7).
> >>>
> >>> Here is my doveconf -n (gssapi marked with *):
> >>>
> >>> auth_debug_passwords = yes
> >>> * auth_gssapi_hostname = $ALL
> >>> * auth_krb5_keytab = /etc/krb5.keytab
> >>> * auth_mechanisms = plain login gssapi
> >>> auth_verbose = yes
> >>> auth_verbose_passwords = plain
> >>> disable_plaintext_auth = no
> >>> info_log_path = /var/log/dovecot_info
> >>> mail_location = maildir:~/Maildir
> >>> passdb {
> >>>     driver = shadow
> >>> }
> >>> protocols = imap
> >>> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> >>> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> >>> userdb {
> >>>     driver = passwd
> >>> }
> >>> verbose_ssl = yes
> >>>
> >>> (yes, I put the keytab file in /etc/krb5.keytab, not in etc/dovecot. Should be OK, right?)
> >>>
> >>> Here is my keytab list (partial); note that every entry appears in triplicate. I don't see
> >>> 'dovecot' in there at all; maybe that's OK:
> >>>
> >>> ktutil:  list
> >>> slot KVNO Principal
> >>> ---- ---- ---------------------------------------------------------------------
> >>>      1   18                       COMMON$@HPRS.LOCAL
> >>>      2   18                       COMMON$@HPRS.LOCAL
> >>>      3   18                       COMMON$@HPRS.LOCAL
> >>>      4    1                         MAIL$@HPRS.LOCAL
> >>>      5    1                         MAIL$@HPRS.LOCAL
> >>>      6    1                         MAIL$@HPRS.LOCAL
> >>>      7    1                     charmaine at HPRS.LOCAL
> >>>      8    1                     charmaine at HPRS.LOCAL
> >>>      9    1                     charmaine at HPRS.LOCAL
> >>>      :
> >>>     19    1                 Administrator at HPRS.LOCAL
> >>>     20    1                 Administrator at HPRS.LOCAL
> >>>     21    1                 Administrator at HPRS.LOCAL
> >>>      :
> >>>     91    1                        krbtgt at HPRS.LOCAL
> >>>     92    1                        krbtgt at HPRS.LOCAL
> >>>     93    1                        krbtgt at HPRS.LOCAL
> >>>      :
> >>>     97    1    smtp/server.domain.local at DOMAIN.LOCAL
> >>>     98    1    imap/server.domain.local at DOMAIN.LOCAL
> >>>
> >>> Can you tell from any of this why I'm still not able to authenticate?
> >> You only need the lines 97 and 98 and substitute fqdn and realm like I
> >> mentioned above.
> >> It must be possible for Thunderbird to use plain authentication with
> >> your windows account username.
> >> It may be that you must configure userdb and passdb to do ldap lookups against
> >> active directory.
> >>> Thanks, --Mark
> >>>
> >>> -----Original Message-----
> >>>> To: samba at lists.samba.org
> >>>> From: Achim Gottinger <achim at ag-web.biz>
> >>>> Date: Thu, 30 Jun 2016 11:51:34 +0200
> >>>>
> >>>> On 30.06.2016 at 10:45, Mark Foley wrote:
> >>>>> To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set
> >>>>> Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab
> >>>>> file as required by Dovecot. I've also downloaded and installed Kerberos for access to
> >>>>> the k* commands (ktutil, kinit, klist, ...).
> >>>>>
> >>>>> In my current setup, the Thunderbird client (WIN7 workstation) is not connecting.  The WIN7
> >>>>> workstation is a domain member and works fine otherwise with Samba4 for AD user authentication,
> >>>>> etc.  Thunderbird gives the following error:
> >>>>>
> >>>>> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark at ohprs.org. Please check
> >>>>> that you are logged in to the Kerberos/GSSAPI realm."
> >>>>>
> >>>>> One disconcerting bit about that message is the named IMAP server "mark at ohprs.org" is not a
> >>>>> server at all, but rather the email address of the Thunderbird account.
> >>>>>
> >>>>> When attempting to connect, the Dovecot log simply has "Disconnected (no auth attempts in 18
> >>>>> secs): user=<>". No message at all appears in the samba log although I have auth:10 level set.
> >>>>> Dovecot's 'configuration' for GSSAPI consists of nothing more than specifying:
> >>>>>
> >>>>> auth_mechanisms = plain login gssapi
> >>>>>
> >>>>> That's it (the other mechanisms work just fine, BTW). Not much I can mess with there.
> >>>>>
> >>>>> I think the problem is with Samba and handling the authentication.  I do not think my Samba4 is
> >>>>> configured correctly. Over a year ago Rowland Penny helped me configure an Ubuntu workstation
> >>>>> for single-sign-on using Kerberos. He had me put the following lines into that workstation's
> >>>>> smb.conf file, none of which appear in the provisioned smb.conf on the Samba4 AD/DC server:
> >>>>>
> >>>>> security = ADS
> >>>>> dedicated keytab file = /etc/krb5.keytab
> >>>>> kerberos method = secrets and keytab
> >>>>> winbind nss info = rfc2307
> >>>>> winbind trusted domains only = no
> >>>>> winbind enum users = yes
> >>>>> winbind enum groups = yes
> >>>>> winbind refresh tickets = Yes
> >>>>>
> >>>>> I've tried sticking all of these in the AD/DC smb.conf and, when restarting Samba, I get a log
> >>>>> message, "Samba detected misconfigured 'server role' and exited."
> >>>>>
> >>>>> He also had me put the following in /etc/nsswitch.conf:
> >>>>>
> >>>>> passwd:         compat winbind
> >>>>> group:          compat winbind
> >>>>>
> >>>>> Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server
> >>>>> for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.
> >>>>>
> >>>>> Need Help! Thanks --Mark
> >>>> Hello Mark,
> >>>>
> >>>> This is what I used in debian wheezy a few years back. I assume
> >>>> arcfour-hmac is unsafe these days but I have not yet investigated
> >>>> other working encryption methods here.
> >>>> If you need smtp (postfix with auth via dovecot) also add the smtp
> >>>> spn's. Use the password for user dovecot during keytab creation.
> >>>>
> >>>> 1. Create an user
> >>>> samba-tool create user dovcot
> >>>>
> >>>> 2. Add the spn
> >>>> samba-tool spn add  smtp/server.domain.local at DOMAIN.LOCAL dovecot
> >>>> samba-tool spn add  imap/server.domain.local at DOMAIN.LOCAL dovecot
> >>>>
> >>>> 3. Create the keytab file
> >>>> ktutil
> >>>> addent -password -p smtp/server.domain.local at DOMAIN.LOCAL -k 1 -e
> >>>> arcfour-hmac
> >>>> addent -password -p imap/server.domain.local at DOMAIN.LOCAL -k 1 -e
> >>>> arcfour-hmac
> >>>> wkt /etc/dovecot/dovecot.keytab
> >>>>
> >>>> 4. Add this to your dovecot config
> >>>>
> >>>> # Kerberos
> >>>> auth_gssapi_hostname = "$ALL"
> >>>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> >>>>
> >>>> Hope it helps,
> >>>> achim~
> >>>> -- 
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>>
> >>
> >>
>
>
>

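As an added check for the keytab procedure in Achim's steps 2 and 3 above (this script is not from the thread, from Samba or from Dovecot): it parses a `ktutil: list` dump and reports principals that are missing for the hostnames clients actually connect to, entries still carrying the how-to's placeholder names, and entries in the wrong realm. The listing is constructed from the thread's output; treating mail.ohprs.org (the certificate name) as a hostname a client might use, alongside mail.hprs.local, is an assumption and not something the thread states.

```python
import re

# Constructed 'ktutil: list' output, modelled on the listings in the thread.
# The list archive rewrites "@" as " at " in some lines, so both forms appear.
KTUTIL_LIST = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
    1    1          smtp/mail.hprs.local at HPRS.LOCAL
    2    1          imap/mail.hprs.local at HPRS.LOCAL
   97    1    imap/server.domain.local@DOMAIN.LOCAL
"""

# Placeholder names copied verbatim from a how-to instead of the real site.
PLACEHOLDER_PARTS = {"server.domain.local", "DOMAIN.LOCAL"}


def parse_ktutil_list(text):
    """Return [(kvno, principal), ...] from a 'ktutil: list' dump."""
    entries = []
    for line in text.splitlines():
        # Undo the mailing-list archive's "user at REALM" rewriting.
        line = re.sub(r"(\S+) at (\S+)", r"\1@\2", line)
        m = re.match(r"\s*\d+\s+(\d+)\s+(\S+)\s*$", line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def split_principal(principal):
    """'imap/mail.hprs.local@HPRS.LOCAL' -> ('imap', 'mail.hprs.local', 'HPRS.LOCAL')."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm


def check_keytab(listing, realm, services, client_hostnames):
    """Compare the keytab against every service/host pair a client may ask for.

    A GSSAPI client requests a ticket for <service>/<name it connected to>@REALM,
    so the keytab must hold exactly that principal for each name clients use.
    """
    present = {p for _, p in parse_ktutil_list(listing)}
    missing = [f"{s}/{h}@{realm}" for s in services for h in client_hostnames
               if f"{s}/{h}@{realm}" not in present]
    placeholders = sorted(p for p in present
                          if PLACEHOLDER_PARTS & set(split_principal(p)[1:]))
    wrong_realm = sorted(p for p in present if split_principal(p)[2] != realm)
    return {"missing": missing, "placeholders": placeholders,
            "wrong_realm": wrong_realm}


if __name__ == "__main__":
    # mail.hprs.local is the AD name; mail.ohprs.org is the name on the TLS
    # certificate. Which one a client uses is an assumption, not thread fact.
    report = check_keytab(KTUTIL_LIST, "HPRS.LOCAL", ["imap", "smtp"],
                          ["mail.hprs.local", "mail.ohprs.org"])
    for key, items in report.items():
        print(f"{key}: {items or 'none'}")
```

Run it against the real output of `ktutil` (`read_kt` then `list`) on the mail server, passing the realm and the hostnames your clients are configured with.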