[Samba] Where is krb5.keytab or equivalent?

Achim Gottinger achim at ag-web.biz
Fri Jul 1 08:37:51 UTC 2016


It's getting a bit off-topic for the samba list :-)

Look at the testing section in
http://wiki2.dovecot.org/Authentication/Kerberos and do what is mentioned
below "Test that the server can access the keytab".

If I run the telnet authenticated test, klist afterwards contains the
imap keys.

On 01.07.2016 at 08:21, Mark Foley wrote:
> More info ...
>
> when I do
>
> MAIL=imap://mark@mail.ohprs.org/ mutt
>
> (using the domain of the registered certificate). I do not get the message "Certificate host
> check failed: certificate owner does not match hostname ..."
>
> I do get the same (mutt?) edit screen shown below with the "(r)eject, accept (o)nce, (a)ccept
> always" action at the bottom.  If I "accept (o)nce", I am asked for the 'mark' password and put
> into what must be the mutt mail interface showing my imap://mark@mail.ohprs.org/INBOX.
>
> Nothing in maillog, but dovecot log show a successful PLAIN authentication.  If I configure
> dovecot for only gssapi and run mutt again, I get the message "No authenticators available".
>
> I then created /tmp/testMuttrc with:
>
> set imap_authenticators="gssapi"
>
> and ran
>
> MAIL=imap://mark@mail.ohprs.org/ mutt -F /tmp/testMuttrc
>
> same: "No authenticators available"
>
> It's as if dovecot knows nothing about gssapi, so I did:
>
> $ dovecot --build-options
> Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
> Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
> SQL drivers:
> Passdb: checkpassword passwd passwd-file shadow
> Userdb: checkpassword nss passwd prefetch passwd-file
>
> Should gssapi show up here? I did just rebuild dovecot with `./configure --with-gssapi=yes`
> and the config log shows it:
>
> #define HAVE_GSSAPI_GSSAPI_H /**/
> #define HAVE_GSSAPI_H /**/
> #define HAVE_GSSAPI /**/
> #define HAVE_GSSAPI_GSSAPI_EXT_H 1
> #define HAVE_GSSAPI_GSSAPI_KRB5_H 1
> #define HAVE_KRB5_GSS_REGISTER_ACCEPTOR_IDENTITY 1
> #define HAVE_GSSAPI_SPNEGO /**/
> #define BUILTIN_GSSAPI /**/
>
> Maybe I need to ask the dovecot people how to confirm that I have gssapi.
>
> --Mark
>
> -----Original Message-----
> From: Mark Foley <mfoley at ohprs.org>
> Date: Fri, 01 Jul 2016 00:09:29 -0400
> Organization: Ohio Highway Patrol Retirement System
> To: samba at lists.samba.org
> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
>
> Achim - per your instructions ...
>
>> Did a few tests here; "auth_gssapi_hostname = "$ALL"" is no longer
>> required with dovecot (2.2.13 here).
> My dovecot is 2.2.15 and the 10-auth.conf (from the template) has the comment:
>
> # Host name to use in GSSAPI principal names. The default is to use the
> # name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
> # entries.
>
> But, I've commented that out per your suggestion.
>
>> Add "auth_debug=yes" to your dovecot config.
> I already have:
>
> auth_debug_passwords = yes
>
> but I've added the auth_debug per your suggestion.
>
>> 192.168.100.1 is my clients ip 192.168.100.101 is the servers
> My WIN7/Thunderbird client is 192.168.0.58 and AD/DC/Dovecot server is 192.168.0.2
>
>> ag is the domain account username I use to login to windows and also the
>> username configured in thunderbird.
> For me the domain and Tbird account is 'mark'
>
>> On my debian system a package named libsasl2-modules-gssapi-mit must be
>> installed.
> I did install mit krb5. I am using Slackware which has a different package name, but it did
> install and compile OK, so I don't think I'm missing anything (but who knows?).
>
>> To test kerberos against dovecot from the command line install "mutt".
> I have mutt
>
>> I assume your windows account name is "mark"
> yes
>
>> ~#kinit mark
> I did the above ... as root (should I have been 'mark'?) on the AD/DC server.
>
> ----------
> $ kinit mark
> Password for mark at HPRS.LOCAL:
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: mark at HPRS.LOCAL
>
> Valid starting       Expires              Service principal
> 06/30/2016 23:41:31  07/01/2016 09:41:31  krbtgt/HPRS.LOCAL at HPRS.LOCAL
>          renew until 07/01/2016 23:41:27
> ---------
>
>> ~#MAIL=imap://mark@mail.hprs.local/ mutt
> Did that. A message quickly flashed: "Certificate host check failed: certificate owner does
> not match hostname mail.hprs.org".
>
> Then a (presumably) mutt edit window came up with:
>
> -------
> This certificate belongs to:
>     mail.ohprs.org
>     Unknown
>     Unknown
>     Domain Control Validated
>     Unknown
>
> This certificate was issued by:
>     Go Daddy Secure Certificate Authority - G2
>     Unknown
>     GoDaddy.com, Inc.
>     http:
>     Scottsdale
>
> This certificate is valid
>     from Aug 14 21:38:38 2015 GMT
>       to Aug 15 17:49:32 2016 GMT
>
> Fingerprint: B3B3 98E9 5675 0CEB 95D4 9146 9D1C 9064
>
> (r)eject, accept (o)nce, (a)ccept always
> ------
>
> I did (r), then quit. I also tried
>
> MAIL=imap://mark@ohprs.org/ mutt
>
> to no better results.
>
>> A successful login with mutt looks like this in the mail logfile:
>>
> [deleted]
>
> Nothing at all in maillog. Dovecot log had:
>
> Jun 30 23:53:28 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [98.102.63.107]
> Jun 30 23:53:43 imap-login: Debug: SSL alert: close notify [98.102.63.107]
> Jun 30 23:53:43 imap-login: Info: Disconnected (no auth attempts in 15 secs): user=<>, rip=98.102.63.107, lip=98.102.63.107, TLS: Disconnected, session=<TD7I7oo2gQBiZj9r>
>
>> Also take a look at this page
>> http://wiki2.dovecot.org/Authentication/Kerberos
> Been to that page dozens of times :) A couple of things different on that page from our config
> thus far:
>
> 1) "... you will need to install a service ticket of the form imap/hostname at REALM."
>
> We added 'imap/mail.hprs.local dovecot', i.e. the fqdn, not just the hostname. Could this be a
> clue?
>
> 2) "Enable plaintext authentication to use Kerberos
> This is needed when some of your clients don't support GSSAPI and you still want them to
> authenticate against Kerberos."
>
> It then shows an /etc/pam.d/dovecot config, but I don't care about clients who do not support
> GSSAPI, so I don't think I need this.
>
>> Looking at my SPNs, you may also need
>> samba-tool spn add imap/mail.hprs.local dovecot
> I added that, didn't make any difference.
>
> Does the "Certificate host check failed" message and the mutt output tell you anything?
>
> Thanks for your patience --Mark
>
> -----Original Message-----
>> To: samba at lists.samba.org
>> From: Achim Gottinger <achim at ag-web.biz>
>> Date: Fri, 1 Jul 2016 01:38:15 +0200
>>
>> Did a few tests here; "auth_gssapi_hostname = "$ALL"" is no longer
>> required with dovecot (2.2.13 here).
>>
>> Add "auth_debug=yes" to your dovecot config.
>>
>> 192.168.100.1 is my clients ip 192.168.100.101 is the servers
>>
>> ag is the domain account username I use to login to windows and also the
>> username configured in thunderbird.
>>
>> On my debian system a package named libsasl2-modules-gssapi-mit must be
>> installed.
>>
>> To test kerberos against dovecot from the command line install "mutt".
>>
>> I assume your windows account name is "mark"
>>
>> ~#kinit mark
>> ~#MAIL=imap://mark@mail.hprs.local/ mutt
>>
>> A successful login with mutt looks like this in the mail logfile:
>>
>> Debug: auth client connected (pid=22585)
>> logon-zor dovecot: auth: Debug: client in:
>> AUTH#0111#011GSSAPI#011service=imap#011secured#011session=p/ahQ4c2/wB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=44287#011resp=<hidden>
>> logon-zor dovecot: auth: Debug: gssapi(?,127.0.0.1,<p/ahQ4c2/wB/AAAB>):
>> Obtaining credentials for imap@
>> logon-zor dovecot: auth: Debug: gssapi(ag,127.0.0.1,<p/ahQ4c2/wB/AAAB>):
>> security context state completed.
>> logon-zor dovecot: auth: Debug: client passdb out:
>> CONT#0111#011YIGVBgkqhkiG9xIBAgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrXAIZT4a2p58/+ylPphtphYA6sTnK4QCyRkHRm1VTnvrfjxc3Ya2ui9IHsBGnPggzjLVNScFx6aHJi99VCDG7s07zNUF8d4WHuNZz7el5gwK4Quy3AeUX8zVa7xkIECuTtT5W7BjpsBThhMc=
>> logon-zor dovecot: auth: Debug: client in: CONT<hidden>
>> logon-zor dovecot: auth: Debug: gssapi(ag,127.0.0.1,<p/ahQ4c2/wB/AAAB>):
>> Negotiated security layer
>> logon-zor dovecot: auth: Debug: client passdb out:
>> CONT#0111#011BQQF/wAMAAAAAAAAKxVA5AH///8b1puThszycYxSFvE=
>> logon-zor dovecot: auth: Debug: client in: CONT<hidden>
>>
>> imap-login: Login: user=<ag>, method=GSSAPI, rip=127.0.0.1,
>> lip=127.0.0.1, mpid=19022, TLS, session=<CdYH6IY2oADAwAw9>
>>
>>
>> Also take a look at this page
>> http://wiki2.dovecot.org/Authentication/Kerberos
>>
>> Looking at my SPNs, you may also need
>>
>> samba-tool spn add imap/mail.hprs.local dovecot
>>
>>
>>
>> On 01.07.2016 at 00:46, Mark Foley wrote:
>>> Achim,
>>>
>>> I deleted the keytab file and did the following:
>>>
>>> $ samba-tool user delete dovecot
>>> $ samba-tool user add dovecot
>>>
>>> # again, that asked for a password and I assigned one.
>>>
>>> $ samba-tool spn add smpt/mail.hprs.local at HPRS.LOCAL dovecot
>>> $ samba-tool spn add imap/mail.hprs.local at HPRS.LOCAL dovecot
>>>
>>> $ ktutil
>>> ktutil:  addent -password -p smtp/mail.hprs.local at HPRS.LOCAL -k 1 -e arcfour-hmac
>>> Password for smtp/mail.hprs.local at HPRS.LOCAL:
>>> ktutil:  addent -password -p imap/mail.hprs.local at HPRS.LOCAL -k 1 -e arcfour-hmac
>>> Password for imap/mail.hprs.local at HPRS.LOCAL:
>>> ktutil:  wkt /etc/dovecot/dovecot.keytab
>>> ktutil:  quit
>>>
>>> $ ktutil
>>> ktutil:  read_kt /etc/dovecot/dovecot.keytab
>>> ktutil:  list
>>> slot KVNO Principal
>>> ---- ---- ---------------------------------------------------------------------
>>>      1    1          smtp/mail.hprs.local at HPRS.LOCAL
>>>      2    1          imap/mail.hprs.local at HPRS.LOCAL
>>>
>>> So, much better. Duh for me not noticing that I had to change fqdn and domain to my own.
>>>
>>> Reloaded dovecot and tried again. Same error :(
>>>
>>> Jun 30 18:36:10 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<OTQqf4Y2SgDAqAA6>
>>>
>>> You wrote:
>>>
>>>> It must be possible for Thunderbird to use plain authentication with your windows account
>>>> username.  It can be that you must configure userdb and passdb to do ldap lookups against active
>>>> directory.
>>> Yes, Thunderbird (and Outlook, iPhone/Android, roundCube) all do plain text auth to dovecot. I will
>>> continue to need this for non-domain email clients. According to the dovecot folks, the passwd
>>> as userdb should work OK for gssapi. The passdb is ignored for gssapi. Besides, LDAP
>>> authentication is another one (along with NTLM) that I haven't been able to get working with
>>> Dovecot. The only ones I've been able to get working are PLAIN and, believe it or not,
>>> checkpassword - which is basically a passdb driver for PLAIN.
>>>
>>> Perhaps there is some samba setting I'm missing? Here's my AD/DC smb.conf, do you see anything
>>> missing I need?:
>>>
>>> [global]
>>>           workgroup = HPRS
>>>           realm = hprs.local
>>>           netbios name = MAIL
>>>           interfaces = lo, eth1
>>>           bind interfaces only = Yes
>>>           server role = active directory domain controller
>>>           server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>           idmap_ldb:use rfc2307 = yes
>>>
>>>       winbind use default domain = yes
>>>
>>>       load printers = no
>>>       printing = bsd
>>>       printcap name = /dev/null
>>>       disable spoolss = yes
>>>
>>>       log level = 2 passdb:5 auth:10 winbind:2 lanman:10
>>>       max log size = 1000
>>>
>>> [netlogon]
>>>           path = /var/lib/samba/sysvol/hprs.local/scripts
>>>           read only = No
>>>
>>> [sysvol]
>>>           path = /var/lib/samba/sysvol
>>>           read only = No
>>>
>>> [Users]
>>>       path = /redirectedFolders/Users
>>>       comment = user folders for redirection
>>>       read only = No
>>>
>>> [share]
>>>       path = /var/lib/samba/share
>>>       comment = Shared folder
>>>       read only = No
>>>
>>> Thanks --Mark
>>>
>>> -----Original Message-----
>>>> To: samba at lists.samba.org
>>>> From: Achim Gottinger <achim at ag-web.biz>
>>>> Date: Thu, 30 Jun 2016 23:44:17 +0200
>>>> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
>>>>
>>>> On 30.06.2016 at 23:16, Mark Foley wrote:
>>>>> Achim, thanks a lot! A couple of questions on your suggested settings:
>>>>>
>>>>>> 1. Create an user
>>>>>> samba-tool create user dovcot
>>>>> I did this (actually `samba-tool user create dovecot`), but it asked for a password.  I
>>>>> entered one.  You didn't mention that, so I hope it's OK.
>>>> Yes
>>>>>     
>>>>>
>>>>>> 2. Add the spn
>>>>>> samba-tool spn add  smtp/server.domain.local at DOMAIN.LOCAL dovecot
>>>>>> samba-tool spn add  imap/server.domain.local at DOMAIN.LOCAL dovecot
>>>>> Did that too. No issue there.
>>>> Well, you must substitute server.domain.local with your mailserver fqdn
>>>> and DOMAIN.LOCAL with HPRS.LOCAL.
>>>>>> 3. Create the keytab file
>>>>>> ktutil
>>>>>> addent -password -p smtp/server.domain.local at DOMAIN.LOCAL -k 1 -e
>>>>>> arcfour-hmac
>>>>>> addent -password -p imap/server.domain.local at DOMAIN.LOCAL -k 1 -e
>>>>>> arcfour-hmac
>>>>>> wkt /etc/dovecot/dovecot.keytab
>>>>> As you can see, your text wrapped, but from the error message I got I assumed the -e [enctype]
>>>>> should have been the arcfour-hmac on the next line.  So I did:
>>>>>
>>>>> $ ktutil
>>>>> ktutil: addent -password -p smtp/server.domain.local at DOMAIN.LOCAL -k 1 -e arcfour-hmac
>>>>> ktutil: addent -password -p imap/server.domain.local at DOMAIN.LOCAL -k 1 -e arcfour-hmac
>>>> Same here: substitute like above and, as you said, arcfour-hmac belongs on
>>>> the same line.
>>>>> Of course, that will probably also wrap when you get this message, but basically I put the
>>>>> arcfour-hmac on the same line as the addent. Each time, these commands also asked for a
>>>>> password. Again, you didn't mention that, but I used the same password I used for the
>>>>> `samba-tool user create` command above.
>>>>>
>>>>> I tried 'wkt /etc/dovecot/dovecot.keytab' while in ktutil, but I got, "Unknown request "wtk".
>>>>> Type '?' for a request list." In looking at the "?" list I saw 'wkt', so I assumed you simply
>>>>> transposed the letters.  I tried it and it took.
>>>> Yes, wkt is the command, but make sure /etc/dovecot/dovecot.keytab does
>>>> not yet exist.
>>>> Only the two keys you just added are required to get kerberos working.
>>>> The system keytab you generated with samba-tool domain exportkeytab is
>>>> not required.
>>>>>     
>>>>>
>>>>>> 4. Add this to your dovecot config
>>>>>>
>>>>>> # Kerberos
>>>>>> auth_gssapi_hostname = "$ALL"
>>>>>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
>>>>> Did that.  In addition, I set the keytab file's group to dovecot and made the file group
>>>>> readable, as suggested by http://wiki2.dovecot.org/Authentication/Kerberos.  I also tried
>>>>> making it world readable.  Now, after doing all that and restarting dovecot I still get the
>>>>> same dovecot error:
>>>>>
>>>>> Jun 30 16:59:54 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<3hLnJoU2vgDAqAA6>
>>>>>
>>>>> and still the same error in Thunderbird: "The Kerberos/GSSAPI ticket was not accepted by the
>>>>> IMAP server mark at ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."
>>>>>
>>>>> As I've mentioned before, "mark at ohprs.org" is not a server. It is the email address of the
>>>>> Thunderbird account (running on WIN7).
>>>>>
>>>>> Here is my doveconf -n (gssapi marked with *):
>>>>>
>>>>> auth_debug_passwords = yes
>>>>> * auth_gssapi_hostname = $ALL
>>>>> * auth_krb5_keytab = /etc/krb5.keytab
>>>>> * auth_mechanisms = plain login gssapi
>>>>> auth_verbose = yes
>>>>> auth_verbose_passwords = plain
>>>>> disable_plaintext_auth = no
>>>>> info_log_path = /var/log/dovecot_info
>>>>> mail_location = maildir:~/Maildir
>>>>> passdb {
>>>>>      driver = shadow
>>>>> }
>>>>> protocols = imap
>>>>> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
>>>>> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
>>>>> userdb {
>>>>>      driver = passwd
>>>>> }
>>>>> verbose_ssl = yes
>>>>>
>>>>> (yes, I put the keytab file in /etc/krb5.keytab, not in /etc/dovecot. Should be OK, right?)
>>>>>
>>>>> Here is my keytab list (partial); note that every entry appears in triplicate. I don't see
>>>>> 'dovecot' in there at all; maybe that's OK:
>>>>>
>>>>> ktutil:  list
>>>>> slot KVNO Principal
>>>>> ---- ---- ---------------------------------------------------------------------
>>>>>       1   18                       COMMON$@HPRS.LOCAL
>>>>>       2   18                       COMMON$@HPRS.LOCAL
>>>>>       3   18                       COMMON$@HPRS.LOCAL
>>>>>       4    1                         MAIL$@HPRS.LOCAL
>>>>>       5    1                         MAIL$@HPRS.LOCAL
>>>>>       6    1                         MAIL$@HPRS.LOCAL
>>>>>       7    1                     charmaine at HPRS.LOCAL
>>>>>       8    1                     charmaine at HPRS.LOCAL
>>>>>       9    1                     charmaine at HPRS.LOCAL
>>>>>       :
>>>>>      19    1                 Administrator at HPRS.LOCAL
>>>>>      20    1                 Administrator at HPRS.LOCAL
>>>>>      21    1                 Administrator at HPRS.LOCAL
>>>>>       :
>>>>>      91    1                        krbtgt at HPRS.LOCAL
>>>>>      92    1                        krbtgt at HPRS.LOCAL
>>>>>      93    1                        krbtgt at HPRS.LOCAL
>>>>>       :
>>>>>      97    1    smtp/server.domain.local at DOMAIN.LOCAL
>>>>>      98    1    imap/server.domain.local at DOMAIN.LOCAL
>>>>>
>>>>> Can you tell from any of this why I'm still not able to authenticate?
>>>> You only need lines 97 and 98 and substitute fqdn and realm like I
>>>> mentioned above.
>>>> It must be possible for Thunderbird to use plain authentication with
>>>> your windows account username.
>>>> It can be that you must configure userdb and passdb to do ldap lookups against
>>>> active directory.
>>>>> Thanks, --Mark
>>>>>
>>>>> -----Original Message-----
>>>>>> To: samba at lists.samba.org
>>>>>> From: Achim Gottinger <achim at ag-web.biz>
>>>>>> Date: Thu, 30 Jun 2016 11:51:34 +0200
>>>>>>
>>>>>> On 30.06.2016 at 10:45, Mark Foley wrote:
>>>>>>> To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set
>>>>>>> Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab
>>>>>>> file as required by Dovecot. I've also downloaded and installed Kerberos for access to
>>>>>>> the k* commands (ktutil, kinit, klist, ...).
>>>>>>>
>>>>>>> In my current setup, the Thunderbird client (WIN7 workstation) is not connecting.  The WIN7
>>>>>>> workstation is a domain member and works fine otherwise with Samba4 for AD user authentication,
>>>>>>> etc.  Thunderbird gives the following error:
>>>>>>>
>>>>>>> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark at ohprs.org. Please check
>>>>>>> that you are logged in to the Kerberos/GSSAPI realm."
>>>>>>>
>>>>>>> One disconcerting bit about that message is the named IMAP server "mark at ohprs.org" is not a
>>>>>>> server at all, but rather the email address of the Thunderbird account.
>>>>>>>
>>>>>>> When attempting to connect, the Dovecot log simply has "Disconnected (no auth attempts in 18
>>>>>>> secs): user=<>". No message at all appears in the samba log although I have auth:10 level set.
>>>>>>> Dovecot's 'configuration' for GSSAPI consists of nothing more than specifying:
>>>>>>>
>>>>>>> auth_mechanisms = plain login gssapi
>>>>>>>
>>>>>>> That's it (the other mechanism work just fine, BTW). Not much I can mess with there.
>>>>>>>
>>>>>>> I think the problem is with Samba and handling the authentication.  I do not think my Samba4 is
>>>>>>> configured correctly. Over a year ago Rowland Penny helped me configure a Ubuntu workstation
>>>>>>> for single-sign-on using Kerberos. He had me put the following lines into that workstation's
>>>>>>> smb.conf file, none of which appear in the provisioned smb.conf on the Samba4 AD/DC server:
>>>>>>>
>>>>>>> security = ADS
>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>> kerberos method = secrets and keytab
>>>>>>> winbind nss info = rfc2307
>>>>>>> winbind trusted domains only = no
>>>>>>> winbind enum users = yes
>>>>>>> winbind enum groups = yes
>>>>>>> winbind refresh tickets = Yes
>>>>>>>
>>>>>>> I've tried sticking all of these in the AD/DC smb.conf and, when restarting Samba, I get a log
>>>>>>> message, "Samba detected misconfigured 'server role' and exited."
>>>>>>>
>>>>>>> He also had me put the following in /etc/nsswitch.conf:
>>>>>>>
>>>>>>> passwd:         compat winbind
>>>>>>> group:          compat winbind
>>>>>>>
>>>>>>> Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server
>>>>>>> for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.
>>>>>>>
>>>>>>> Need Help! Thanks --Mark
>>>>>> Hello Mark,
>>>>>>
>>>>>> This is what I used in debian wheezy a few years back. I assume
>>>>>> arcfour-hmac is unsafe these days but I have not yet investigated
>>>>>> other working encryption methods here.
>>>>>> If you need smtp (postfix with auth via dovecot) also add the smtp
>>>>>> SPNs. Use the password for user dovecot during keytab creation.
>>>>>>
>>>>>> 1. Create an user
>>>>>> samba-tool create user dovcot
>>>>>>
>>>>>> 2. Add the spn
>>>>>> samba-tool spn add  smtp/server.domain.local at DOMAIN.LOCAL dovecot
>>>>>> samba-tool spn add  imap/server.domain.local at DOMAIN.LOCAL dovecot
>>>>>>
>>>>>> 3. Create the keytab file
>>>>>> ktutil
>>>>>> addent -password -p smtp/server.domain.local at DOMAIN.LOCAL -k 1 -e
>>>>>> arcfour-hmac
>>>>>> addent -password -p imap/server.domain.local at DOMAIN.LOCAL -k 1 -e
>>>>>> arcfour-hmac
>>>>>> wkt /etc/dovecot/dovecot.keytab
>>>>>>
>>>>>> 4. Add this to your dovecot config
>>>>>>
>>>>>> # Kerberos
>>>>>> auth_gssapi_hostname = "$ALL"
>>>>>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
>>>>>>
>>>>>> Hope it helps,
>>>>>> achim~
>>>>>> -- 
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>>
>>>>
>>
>>
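The whole thread turns on what ends up inside /etc/dovecot/dovecot.keytab: the fqdn and realm have to be substituted for the placeholders, the principal must be the service name for the host Dovecot actually runs on, and Achim notes that arcfour-hmac is a questionable enctype. Below is an added example (mine, not Achim's or Mark's, and not Dovecot or Samba code) that reads the MIT keytab format ktutil's `wkt` writes and reports exactly those problems without needing the krb5 tools installed. The sample keytab bytes are constructed here; the hostname mail.hprs.local, the realm HPRS.LOCAL and the placeholder names server.domain.local / DOMAIN.LOCAL are the ones from the thread.

```python
"""Offline inspection of an MIT-format keytab (what ktutil's `wkt` writes).
Added example, not from the thread or from Dovecot/Samba: lists principals,
KVNOs and enctypes, and flags placeholder fqdn/realm left in, arcfour-hmac
keys, a missing service principal and a world-readable file.
The sample keytab bytes below are constructed."""
import stat
import struct

# Kerberos enctype numbers (RFC 3961 / MIT); 23 is the arcfour-hmac used in the thread.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 16, 23}


def _counted(buf, off):
    """Keytab counted octet string: uint16 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Parse version-2 (0x0502) keytab bytes into [{principal, kvno, enctype}].
    Key material is skipped over and never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # deleted slot: |size| bytes of dead space
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, keylen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + keylen
        kvno = vno8
        if end - off >= 4:            # optional 32-bit kvno, authoritative when non-zero
            kvno = struct.unpack_from(">I", data, off)[0] or vno8
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype})
    return entries


def check_keytab(entries, fqdn, realm, services=("imap", "smtp")):
    """Findings for a Dovecot service keytab expected to hold svc/fqdn@REALM."""
    findings = []
    for e in entries:
        princ = e["principal"]
        name, _, prealm = princ.rpartition("@")
        if "server.domain.local" in name or prealm == "DOMAIN.LOCAL":
            findings.append(f"placeholder left in {princ}")
        if prealm != prealm.upper():
            findings.append(f"realm is not upper-case in {princ}")
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append(f"weak enctype {ENCTYPE_NAMES.get(e['enctype'], e['enctype'])} for {princ}")
    present = {e["principal"] for e in entries}
    for svc in services:
        if f"{svc}/{fqdn}@{realm}" not in present:
            findings.append(f"missing service principal {svc}/{fqdn}@{realm}")
    return findings


def permission_findings(mode):
    """Group-readable for the dovecot group is fine; 'other' readable leaks long-term keys."""
    return ["keytab is world-readable"] if mode & stat.S_IROTH else []


def build_keytab(specs):
    """Write keytab bytes from (components, realm, kvno, enctype, key) tuples."""
    out = b"\x05\x02"
    for comps, realm, kvno, enctype, key in specs:
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 1467331200, kvno & 0xFF)   # name_type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


# Constructed sample: a correct imap entry plus an smtp entry that kept the
# placeholder names from the instructions and uses arcfour-hmac.
SAMPLE_KEYTAB = build_keytab([
    (["imap", "mail.hprs.local"], "HPRS.LOCAL", 1, 18, bytes(32)),
    (["smtp", "server.domain.local"], "DOMAIN.LOCAL", 1, 23, bytes(16)),
])
# Same content behind a 3-byte deleted slot (negative size), as MIT krb5 leaves
# when an entry is removed from a keytab in place.
SAMPLE_WITH_HOLE = b"\x05\x02" + struct.pack(">i", -3) + b"\0\0\0" + SAMPLE_KEYTAB[2:]
```

On a real server, call `parse_keytab(open("/etc/dovecot/dovecot.keytab", "rb").read())` and pass the result to `check_keytab` with the host's fqdn and realm, and `permission_findings(os.stat(path).st_mode)` for the file mode; the output for the constructed sample is one placeholder finding and one weak-enctype finding for the smtp entry, plus a missing smtp/mail.hprs.local@HPRS.LOCAL principal, while the imap entry passes. This only confirms the keytab contents; whether the KDC holds the same key version is still what the wiki's "Test that the server can access the keytab" step (kinit with the keytab) checks.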