[Samba] Where is krb5.keytab or equivalent?

Achim Gottinger achim at ag-web.biz
Fri Jul 1 09:55:20 UTC 2016



> On 01.07.2016 at 10:37, Achim Gottinger wrote:
> It's getting a bit off-topic for the samba list :-)
>
> Look at the testing section in 
> http://wiki2.dovecot.org/Authentication/Kerberos do what is mentioned 
> below "Test that the server can access the keytab".
>
> If I run the telnet authenticated test, klist afterwards contains 
> the imap keys.
>
> On 01.07.2016 at 08:21, Mark Foley wrote:
>> More info ...
>>
>> when I do
>>
>> MAIL=imap://mark@mail.ohprs.org/ mutt
>>
>> (using the domain of the registered certificate). I do not get the 
>> message "Certificate host
>> check failed: certificate owner does not match hostname ..."
>>
>> I do get the same (mutt?) edit screen shown below with the "(r)eject, 
>> accept (o)nce, (a)ccept
>> always" action at the bottom.  If I "accept (o)nce", I am asked for 
>> the 'mark' password and put
>> into what must be the mutt mail interface showing my 
>> imap://mark@mail.ohprs.org/INBOX.
>>
>> Nothing in maillog, but dovecot log show a successful PLAIN 
>> authentication.  If I configure
>> dovecot for only gssapi and run mutt again, I get the message "No 
>> authenticators available".
>>
>> I then created /tmp/testMuttrc with:
>>
>> set imap_authenticators="gssapi"
>>
>> and ran
>>
>> MAIL=imap://mark@mail.ohprs.org/ mutt -F /tmp/testMuttrc
>>
>> same: "No authenticators available"
>>
>> It's as if dovecot knows nothing about gssapi, so I did:
>>
>> $ dovecot --build-options
>> Build options: ioloop=epoll notify=inotify ipv6 openssl 
>> io_block_size=8192
>> Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw 
>> fail
>> SQL drivers:
>> Passdb: checkpassword passwd passwd-file shadow
>> Userdb: checkpassword nss passwd prefetch passwd-file
>>
>> Should gssapi show up here? I did just rebuild dovecot with 
>> `./configure ----with-gssapi=yes`
>> and the config log shows it:
>>
>> #define HAVE_GSSAPI_GSSAPI_H /**/
>> #define HAVE_GSSAPI_H /**/
>> #define HAVE_GSSAPI /**/
>> #define HAVE_GSSAPI_GSSAPI_EXT_H 1
>> #define HAVE_GSSAPI_GSSAPI_KRB5_H 1
>> #define HAVE_KRB5_GSS_REGISTER_ACCEPTOR_IDENTITY 1
>> #define HAVE_GSSAPI_SPNEGO /**/
>> #define BUILTIN_GSSAPI /**/
>>
>> Maybe I need to ask the dovecot people how to confirm that I have 
>> gssapi.
>>
Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe at a 
different location. On Debian this comes with the dovecot-gssapi package.




>> --Mark
>>
>> -----Original Message-----
>> From: Mark Foley <mfoley at ohprs.org>
>> Date: Fri, 01 Jul 2016 00:09:29 -0400
>> Organization: Ohio Highway Patrol Retirement System
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
>>
>> Achim - per your instructions ...
>>
>>> Did a few tests here; "auth_gssapi_hostname = "$ALL"" is no longer
>>> required with dovecot (2.2.13 here).
>> My dovecot is 2.2.15 and the 10-auth.conf (from the template) has the 
>> comment:
>>
>> # Host name to use in GSSAPI principal names. The default is to use the
>> # name returned by gethostname(). Use "$ALL" (with quotes) to allow 
>> all keytab
>> # entries.
>>
>> But, I've commented that out per your suggestion.
>>
>>> Add "auth_debug=yes" to your dovecot config.
>> I already have:
>>
>> auth_debug_passwords = yes
>>
>> but I've added the auth_debug per your suggestion.
>>
>>> 192.168.100.1 is my client's IP, 192.168.100.101 is the server's
>> My WIN7/Thunderbird client is 192.168.0.58 and AD/DC/Dovecot server 
>> is 192.168.0.2
>>
>>> ag is the domain account username I use to login to windows and also 
>>> the
>>> username configured in thunderbird.
>> For me the domain and Tbird account is 'mark'
>>
>>> On my Debian system a package named libsasl2-modules-gssapi-mit 
>>> must be
>>> installed.
>> I did install mit krb5. I am using Slackware which has a different 
>> package name, but it did
>> install and compile OK, so I don't think I'm missing anything (but 
>> who knows?).
>>
>>> To test kerberos against dovecot from the command line install "mutt".
>> I have mutt
>>
>>> I assume your windows account name is "mark"
>> yes
>>
>>> ~#kinit mark
>> I did the above ... as root (should I have been 'mark'?) on the AD/DC 
>> server.
>>
>> ----------
>> $ kinit mark
>> Password for mark at HPRS.LOCAL:
>> $ klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: mark at HPRS.LOCAL
>>
>> Valid starting       Expires              Service principal
>> 06/30/2016 23:41:31  07/01/2016 09:41:31 krbtgt/HPRS.LOCAL at HPRS.LOCAL
>>          renew until 07/01/2016 23:41:27
>> ---------
>>
>>> ~#MAIL=imap://mark@mail.hprs.local/ mutt
>> Did that. A message quickly flashed: "Certificate host check failed: 
>> certificate owner does
>> not match hostname mail.hprs.org".
>>
>> Then a (presumably) mutt edit window came up with:
>>
>> -------
>> This certificate belongs to:
>>     mail.ohprs.org
>>     Unknown
>>     Unknown
>>     Domain Control Validated
>>     Unknown
>>
>> This certificate was issued by:
>>     Go Daddy Secure Certificate Authority - G2
>>     Unknown
>>     GoDaddy.com, Inc.
>>     http:
>>     Scottsdale
>>
>> This certificate is valid
>>     from Aug 14 21:38:38 2015 GMT
>>       to Aug 15 17:49:32 2016 GMT
>>
>> Fingerprint: B3B3 98E9 5675 0CEB 95D4 9146 9D1C 9064
>>
>> (r)eject, accept (o)nce, (a)ccept always
>> ------
>>
>> I did (r), then quit. I also tried
>>
>> MAIL=imap://mark@ohprs.org/ mutt
>>
>> to no better results.
>>
>>> A successful login with mutt looks like this in the mail logfile:
>>>
>> [deleted]
>>
>> Nothing at all in maillog. Dovecot log had:
>>
>> Jun 30 23:53:28 imap-login: Debug: SSL: where=0x2002, ret=1: SSL 
>> negotiation finished successfully [98.102.63.107]
>> Jun 30 23:53:43 imap-login: Debug: SSL alert: close notify 
>> [98.102.63.107]
>> Jun 30 23:53:43 imap-login: Info: Disconnected (no auth attempts in 
>> 15 secs): user=<>, rip=98.102.63.107, lip=98.102.63.107, TLS: 
>> Disconnected, session=<TD7I7oo2gQBiZj9r>
>>
>>> Also take a look at this page
>>> http://wiki2.dovecot.org/Authentication/Kerberos
>> Been to that page dozens of times :) A couple of things different on 
>> that page from our config
>> thus far:
>>
>> 1) "... you will need to install a service ticket of the form 
>> imap/hostname at REALM."
>>
>> We added 'imap/mail.hprs.local dovecot', i.e. the fqdn, not just the 
>> hostname. Could this be a
>> clue?
>>
>> 2) "Enable plaintext authentication to use Kerberos
>> This is needed when some of your clients don't support GSSAPI and you 
>> still want them to
>> authenticate against Kerberos."
>>
>> It then shows an /etc/pam.d/dovecot config, but I don't care about 
>> clients who do not support
>> GSSAPI, so I don't think I need this.
>>
>>> Looking at my spn's you may also need
>>> samba-tool spn add imap/mail.hprs.local dovecot
>> I added that, didn't make any difference.
>>
>> does the "Certificate host check failed" message and the mutt output 
>> tell you anything?
>>
>> Thanks for your patience --Mark
>>
>> -----Original Message-----
>>> To: samba at lists.samba.org
>>> From: Achim Gottinger <achim at ag-web.biz>
>>> Date: Fri, 1 Jul 2016 01:38:15 +0200
>>>
>>> Did a few tests here; "auth_gssapi_hostname = "$ALL"" is no longer
>>> required with dovecot (2.2.13 here).
>>>
>>> Add "auth_debug=yes" to your dovecot config.
>>>
>>> 192.168.100.1 is my client's IP, 192.168.100.101 is the server's
>>>
>>> ag is the domain account username I use to login to windows and also 
>>> the
>>> username configured in thunderbird.
>>>
>>> On my Debian system a package named libsasl2-modules-gssapi-mit 
>>> must be
>>> installed.
>>>
>>> To test kerberos against dovecot from the command line install "mutt".
>>>
>>> I assume your windows account name is "mark"
>>>
>>> ~#kinit mark
>>> ~#MAIL=imap://mark@mail.hprs.local/ mutt
>>>
>>> A successful login with mutt looks like this in the mail logfile:
>>>
>>> Debug: auth client connected (pid=22585)
>>> logon-zor dovecot: auth: Debug: client in:
>>> AUTH#0111#011GSSAPI#011service=imap#011secured#011session=p/ahQ4c2/wB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=44287#011resp=<hidden> 
>>>
>>> logon-zor dovecot: auth: Debug: gssapi(?,127.0.0.1,<p/ahQ4c2/wB/AAAB>):
>>> Obtaining credentials for imap@
>>> logon-zor dovecot: auth: Debug: 
>>> gssapi(ag,127.0.0.1,<p/ahQ4c2/wB/AAAB>):
>>> security context state completed.
>>> logon-zor dovecot: auth: Debug: client passdb out:
>>> CONT#0111#011YIGVBgkqhkiG9xIBAgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrXAIZT4a2p58/+ylPphtphYA6sTnK4QCyRkHRm1VTnvrfjxc3Ya2ui9IHsBGnPggzjLVNScFx6aHJi99VCDG7s07zNUF8d4WHuNZz7el5gwK4Quy3AeUX8zVa7xkIECuTtT5W7BjpsBThhMc= 
>>>
>>> logon-zor dovecot: auth: Debug: client in: CONT<hidden>
>>> logon-zor dovecot: auth: Debug: 
>>> gssapi(ag,127.0.0.1,<p/ahQ4c2/wB/AAAB>):
>>> Negotiated security layer
>>> logon-zor dovecot: auth: Debug: client passdb out:
>>> CONT#0111#011BQQF/wAMAAAAAAAAKxVA5AH///8b1puThszycYxSFvE=
>>> logon-zor dovecot: auth: Debug: client in: CONT<hidden>
>>>
>>> imap-login: Login: user=<ag>, method=GSSAPI, rip=127.0.0.1,
>>> lip=127.0.0.1, mpid=19022, TLS, session=<CdYH6IY2oADAwAw9>
>>>
>>>
>>> Also take a look at this page
>>> http://wiki2.dovecot.org/Authentication/Kerberos
>>>
>>> Looking at my spn's you may also need
>>>
>>> samba-tool spn add imap/mail.hprs.local dovecot
>>>
>>>
>>>
>>> On 01.07.2016 at 00:46, Mark Foley wrote:
>>>> Achim,
>>>>
>>>> I deleted the keytab file and did the following:
>>>>
>>>> $ samba-tool user delete dovecot
>>>> $ samba-tool user add dovecot
>>>>
>>>> # again, that asked for a password and I assigned one.
>>>>
>>>> $ samba-tool spn add smpt/mail.hprs.local at HPRS.LOCAL dovecot
>>>> $ samba-tool spn add imap/mail.hprs.local at HPRS.LOCAL dovecot
>>>>
>>>> $ ktutil
>>>> ktutil:  addent -password -p smtp/mail.hprs.local at HPRS.LOCAL -k 1 
>>>> -e arcfour-hmac
>>>> Password for smtp/mail.hprs.local at HPRS.LOCAL:
>>>> ktutil:  addent -password -p imap/mail.hprs.local at HPRS.LOCAL -k 1 
>>>> -e arcfour-hmac
>>>> Password for imap/mail.hprs.local at HPRS.LOCAL:
>>>> ktutil:  wkt /etc/dovecot/dovecot.keytab
>>>> ktutil:  quit
>>>>
>>>> $ ktutil
>>>> ktutil:  read_kt /etc/dovecot/dovecot.keytab
>>>> ktutil:  list
>>>> slot KVNO Principal
>>>> ---- ---- 
>>>> ---------------------------------------------------------------------
>>>>      1    1          smtp/mail.hprs.local at HPRS.LOCAL
>>>>      2    1          imap/mail.hprs.local at HPRS.LOCAL
>>>>
>>>> So, much better. Duh for me not noticing that I had to change fqdn 
>>>> and domain to my own.
>>>>
>>>> Reloaded dovecot and tried again. Same error :(
>>>>
>>>> Jun 30 18:36:10 imap-login: Info: Disconnected (no auth attempts in 
>>>> 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, 
>>>> session=<OTQqf4Y2SgDAqAA6>
>>>>
>>>> You wrote:
>>>>
>>>>> It must be possible for Thunderbird to use plain authentication 
>>>>> with your windows account
>>>>> username.  Can be you must configure userdb and passdb to do ldap 
>>>>> lookups against active
>>>>> directory.
>>>> Yes, Thunderbird (and Outlook, iPhone/Android, roundCube) all do 
>>>> plain text auth to dovecot. I will
>>>> continue to need this for non-domain email clients. According to 
>>>> the dovecot folks, the passwd
>>>> as userdb should work OK for gssapi. The passdb is ignored for 
>>>> gssapi. Besides, LDAP
>>>> authentication is another one (along with NTLM) that I haven't been 
>>>> able to get working with
>>>> Dovecot. The only ones I've been able to get working are PLAIN and, 
>>>> believe it or not,
>>>> checkpassword - which is basically a passdb driver for PLAIN.
>>>>
>>>> Perhaps there is some samba setting I'm missing? Here's my AD/DC 
>>>> smb.conf, do you see anything
>>>> missing I need? :
>>>>
>>>> [global]
>>>>           workgroup = HPRS
>>>>           realm = hprs.local
>>>>           netbios name = MAIL
>>>>           interfaces = lo, eth1
>>>>           bind interfaces only = Yes
>>>>           server role = active directory domain controller
>>>>           server services = s3fs, rpc, nbt, wrepl, ldap, cldap, 
>>>> kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>           idmap_ldb:use rfc2307 = yes
>>>>
>>>>       winbind use default domain = yes
>>>>
>>>>       load printers = no
>>>>       printing = bsd
>>>>       printcap name = /dev/null
>>>>       disable spoolss = yes
>>>>
>>>>       log level = 2 passdb:5 auth:10 winbind:2 lanman:10
>>>>       max log size = 1000
>>>>
>>>> [netlogon]
>>>>           path = /var/lib/samba/sysvol/hprs.local/scripts
>>>>           read only = No
>>>>
>>>> [sysvol]
>>>>           path = /var/lib/samba/sysvol
>>>>           read only = No
>>>>
>>>> [Users]
>>>>       path = /redirectedFolders/Users
>>>>       comment = user folders for redirection
>>>>       read only = No
>>>>
>>>> [share]
>>>>       path = /var/lib/samba/share
>>>>       comment = Shared folder
>>>>       read only = No
>>>>
>>>> Thanks --Mark
>>>>
>>>> -----Original Message-----
>>>>> To: samba at lists.samba.org
>>>>> From: Achim Gottinger <achim at ag-web.biz>
>>>>> Date: Thu, 30 Jun 2016 23:44:17 +0200
>>>>> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
>>>>>
>>>>> On 30.06.2016 at 23:16, Mark Foley wrote:
>>>>>> Achim, thanks a lot! A couple of questions on your suggested 
>>>>>> settings:
>>>>>>
>>>>>>> 1. Create an user
>>>>>>> samba-tool create user dovcot
>>>>>> I did this (actually `samba-tool user create dovecot`), but it 
>>>>>> asked for a password.  I
>>>>>> entered one.  You didn't mention that, so I hope it's OK.
>>>>> Yes
>>>>>>
>>>>>>> 2. Add the spn
>>>>>>> samba-tool spn add smtp/server.domain.local at DOMAIN.LOCAL dovecot
>>>>>>> samba-tool spn add imap/server.domain.local at DOMAIN.LOCAL dovecot
>>>>>> Did that too. No issue there.
>>>>> Well you must substitute server.domain.local with your mailserver 
>>>>> fqdn
>>>>> and DOMAIN.LOCAL with HPRS.LOCAL.
>>>>>>> 3. Create the keytab file
>>>>>>> ktutil
>>>>>>> addent -password -p smtp/server.domain.local at DOMAIN.LOCAL -k 1 -e
>>>>>>> arcfour-hmac
>>>>>>> addent -password -p imap/server.domain.local at DOMAIN.LOCAL -k 1 -e
>>>>>>> arcfour-hmac
>>>>>>> wkt /etc/dovecot/dovecot.keytab
>>>>>> As you can see, your text wrapped, but from the error message I 
>>>>>> got I assumed the -e [enctype]
>>>>>> should have been the arcfour-hmac on the next line.  So I did:
>>>>>>
>>>>>> $ ktutil
>>>>>> ktutil: addent -password -p smtp/server.domain.local at DOMAIN.LOCAL 
>>>>>> -k 1 -e arcfour-hmac
>>>>>> ktutil: addent -password -p imap/server.domain.local at DOMAIN.LOCAL 
>>>>>> -k 1 -e arcfour-hmac
>>>>> Same here substitute like above and as you said arcfour-hmac 
>>>>> belongs in
>>>>> the same line.
>>>>>> Of course, that will probably also wrap when you get this 
>>>>>> message, but basically I put the
>>>>>> arcfour-hmac on the same line as the addent. Each time, these 
>>>>>> commands also asked for a
>>>>>> password. Again, you didn't mention that, but I used the same 
>>>>>> password I used for the
>>>>>> `samba-tool user create` command above.
>>>>>>
>>>>>> I tried 'wkt /etc/dovecot/dovecot.keytab' while in ktutil, but I 
>>>>>> got, "Unknown request "wtk".
>>>>>> Type '?' for a request list." In looking at the "?" list I saw 
>>>>>> 'wkt', so I assumed you simply
>>>>>> transposed the letters.  I tried it and it took.
>>>>> Yes wkt is the command, but make sure /etc/dovecot/dovecot.keytab 
>>>>> does
>>>>> not yet exist.
>>>>> Only the two keys you just added are required to get kerberos 
>>>>> working.
>>>>> The system keytab you generated with samba-tool domain 
>>>>> exportkeytab is
>>>>> not required.
>>>>>>
>>>>>>> 4. Add this to your dovecot config
>>>>>>>
>>>>>>> # Kerberos
>>>>>>> auth_gssapi_hostname = "$ALL"
>>>>>>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
>>>>>> Did that.  In addition, I set the keytab file's group to dovecot 
>>>>>> and made the file group
>>>>>> readable, as suggested by 
>>>>>> http://wiki2.dovecot.org/Authentication/Kerberos.  I also tried
>>>>>> making it world readable.  Now, after doing all that and 
>>>>>> restarting dovecot I still get the
>>>>>> same dovecot error:
>>>>>>
>>>>>> Jun 30 16:59:54 imap-login: Info: Disconnected (no auth attempts 
>>>>>> in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, 
>>>>>> session=<3hLnJoU2vgDAqAA6>
>>>>>>
>>>>>> and still the same error in Thunderbird: "The Kerberos/GSSAPI 
>>>>>> ticket was not accepted by the
>>>>>> IMAP server mark at ohprs.org. Please check that you are logged in 
>>>>>> to the Kerberos/GSSAPI realm."
>>>>>>
>>>>>> As I've mentioned before, "mark at ohprs.org" is not a server. It is 
>>>>>> the email address of the
>>>>>> Thunderbird account (running on WIN7).
>>>>>>
>>>>>> Here is my doveconf -n (gssapi marked with *):
>>>>>>
>>>>>> auth_debug_passwords = yes
>>>>>> * auth_gssapi_hostname = $ALL
>>>>>> * auth_krb5_keytab = /etc/krb5.keytab
>>>>>> * auth_mechanisms = plain login gssapi
>>>>>> auth_verbose = yes
>>>>>> auth_verbose_passwords = plain
>>>>>> disable_plaintext_auth = no
>>>>>> info_log_path = /var/log/dovecot_info
>>>>>> mail_location = maildir:~/Maildir
>>>>>> passdb {
>>>>>>      driver = shadow
>>>>>> }
>>>>>> protocols = imap
>>>>>> ssl_cert = 
>>>>>> </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
>>>>>> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
>>>>>> userdb {
>>>>>>      driver = passwd
>>>>>> }
>>>>>> verbose_ssl = yes
>>>>>>
>>>>>> (yes, I put the keytab file in /etc/krb5.keytab, not in 
>>>>>> etc/dovecot. Should be OK, right?)
>>>>>>
>>>>>> Here is my keytab list (partial); note that every entry appears 
>>>>>> in triplicate. I don't see
>>>>>> 'dovecot' in there at all; maybe that's OK:
>>>>>>
>>>>>> ktutil:  list
>>>>>> slot KVNO Principal
>>>>>> ---- ---- 
>>>>>> --------------------------------------------------------------------- 
>>>>>>
>>>>>>       1   18                       COMMON$@HPRS.LOCAL
>>>>>>       2   18                       COMMON$@HPRS.LOCAL
>>>>>>       3   18                       COMMON$@HPRS.LOCAL
>>>>>>       4    1                         MAIL$@HPRS.LOCAL
>>>>>>       5    1                         MAIL$@HPRS.LOCAL
>>>>>>       6    1                         MAIL$@HPRS.LOCAL
>>>>>>       7    1                     charmaine at HPRS.LOCAL
>>>>>>       8    1                     charmaine at HPRS.LOCAL
>>>>>>       9    1                     charmaine at HPRS.LOCAL
>>>>>>       :
>>>>>>      19    1                 Administrator at HPRS.LOCAL
>>>>>>      20    1                 Administrator at HPRS.LOCAL
>>>>>>      21    1                 Administrator at HPRS.LOCAL
>>>>>>       :
>>>>>>      91    1                        krbtgt at HPRS.LOCAL
>>>>>>      92    1                        krbtgt at HPRS.LOCAL
>>>>>>      93    1                        krbtgt at HPRS.LOCAL
>>>>>>       :
>>>>>>      97    1    smtp/server.domain.local at DOMAIN.LOCAL
>>>>>>      98    1    imap/server.domain.local at DOMAIN.LOCAL
>>>>>>
>>>>>> Can you tell from any of this why I'm still not able to 
>>>>>> authenticate?
>>>>> You only need the lines 97 and 98 and substitute fqdn and realm 
>>>>> like I
>>>>> mentioned above.
>>>>> It must be possible for Thunderbird to use plain authentication 
>>>>> with
>>>>> your windows account username.
>>>>> Can be you must configure userdb and passdb to do ldap lookups 
>>>>> against
>>>>> active directory.
>>>>>> Thanks, --Mark
>>>>>>
>>>>>> -----Original Message-----
>>>>>>> To: samba at lists.samba.org
>>>>>>> From: Achim Gottinger <achim at ag-web.biz>
>>>>>>> Date: Thu, 30 Jun 2016 11:51:34 +0200
>>>>>>>
>>>>>>> On 30.06.2016 at 10:45, Mark Foley wrote:
>>>>>>>> To revisit my problem: I have Dovecot running on the same host 
>>>>>>>> as Samba4 AD/DC. I've set
>>>>>>>> Thunderbird to authenticate with GSSAPI on a domain 
>>>>>>>> workstation. I have an /etc/krb5.keytab
>>>>>>>> file as required by Dovecot. I've also downloaded and installed 
>>>>>>>> Kerberos for access to
>>>>>>>> the k* commands (ktutil, kinit, klist, ...).
>>>>>>>>
>>>>>>>> In my current setup, the Thunderbird client (WIN7 workstation) 
>>>>>>>> is not connecting.  The WIN7
>>>>>>>> workstation is a domain member and works fine otherwise with 
>>>>>>>> Samba4 for AD user authentication,
>>>>>>>> etc.  Thunderbird gives the following error:
>>>>>>>>
>>>>>>>> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server 
>>>>>>>> mark at ohprs.org. Please check
>>>>>>>> that you are logged in to the Kerberos/GSSAPI realm."
>>>>>>>>
>>>>>>>> One disconcerting bit about that message is the named IMAP 
>>>>>>>> server "mark at ohprs.org" is not a
>>>>>>>> server at all, but rather the email address of the Thunderbird 
>>>>>>>> account.
>>>>>>>>
>>>>>>>> When attempting to connect, the Dovecot log simply has 
>>>>>>>> "Disconnected (no auth attempts in 18
>>>>>>>> secs): user=<>". No message at all appears in the samba log 
>>>>>>>> although I have auth:10 level set.
>>>>>>>> Dovecot's 'configuration' for GSSAPI consists of nothing more 
>>>>>>>> than specifying:
>>>>>>>>
>>>>>>>> auth_mechanisms = plain login gssapi
>>>>>>>>
>>>>>>>> That's it (the other mechanisms work just fine, BTW). Not much I 
>>>>>>>> can mess with there.
>>>>>>>>
>>>>>>>> I think the problem is with Samba and handling the 
>>>>>>>> authentication.  I do not think my Samba4 is
>>>>>>>> configured correctly. Over a year ago Rowland Penny helped me 
>>>>>>>> configure an Ubuntu workstation
>>>>>>>> for single-sign-on using Kerberos. He had me put the following 
>>>>>>>> lines into that workstation's
>>>>>>>> smb.conf file, none of which appear in the provisioned smb.conf 
>>>>>>>> on the Samba4 AD/DC server:
>>>>>>>>
>>>>>>>> security = ADS
>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>> kerberos method = secrets and keytab
>>>>>>>> winbind nss info = rfc2307
>>>>>>>> winbind trusted domains only = no
>>>>>>>> winbind enum users = yes
>>>>>>>> winbind enum groups = yes
>>>>>>>> winbind refresh tickets = Yes
>>>>>>>>
>>>>>>>> I've tried sticking all of these in the AD/DC smb.conf and, 
>>>>>>>> when restarting Samba, I get a log
>>>>>>>> message, "Samba detected misconfigured 'server role' and exited."
>>>>>>>>
>>>>>>>> He also had me put the following in /etc/nsswitch.conf:
>>>>>>>>
>>>>>>>> passwd:         compat winbind
>>>>>>>> group:          compat winbind
>>>>>>>>
>>>>>>>> Do I possibly need some of these (or others?) settings in these 
>>>>>>>> conf files on the AD/DC server
>>>>>>>> for Dovecot to authenticate? Obviously, blindly throwing them 
>>>>>>>> all into smb.conf doesn't work.
>>>>>>>>
>>>>>>>> Need Help! Thanks --Mark
>>>>>>> Hello Mark,
>>>>>>>
>>>>>>> This is what I used on Debian Wheezy a few years back. I assume
>>>>>>> arcfour-hmac is unsafe these days but I have not yet investigated 
>>>>>>> other working encryption methods here.
>>>>>>> If you need smtp (postfix with auth via dovecot) also add the smtp
>>>>>>> spn's. Use the password for user dovecot during keytab creation.
>>>>>>>
>>>>>>> 1. Create an user
>>>>>>> samba-tool create user dovcot
>>>>>>>
>>>>>>> 2. Add the spn
>>>>>>> samba-tool spn add smtp/server.domain.local at DOMAIN.LOCAL dovecot
>>>>>>> samba-tool spn add imap/server.domain.local at DOMAIN.LOCAL dovecot
>>>>>>>
>>>>>>> 3. Create the keytab file
>>>>>>> ktutil
>>>>>>> addent -password -p smtp/server.domain.local at DOMAIN.LOCAL -k 1 -e
>>>>>>> arcfour-hmac
>>>>>>> addent -password -p imap/server.domain.local at DOMAIN.LOCAL -k 1 -e
>>>>>>> arcfour-hmac
>>>>>>> wkt /etc/dovecot/dovecot.keytab
>>>>>>>
>>>>>>> 4. Add this to your dovecot config
>>>>>>>
>>>>>>> # Kerberos
>>>>>>> auth_gssapi_hostname = "$ALL"
>>>>>>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
>>>>>>>
>>>>>>> Hope it helps,
>>>>>>> achim~
>>>>>>> -- 
>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>
>>>>>
>>>
>>>
>
>
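The thread's two recurring checks are (1) whether the Dovecot keytab really holds `imap/<fqdn>@REALM` and `smtp/<fqdn>@REALM` rather than the how-to's literal `server.domain.local@DOMAIN.LOCAL` placeholders or a bare hostname, and (2) what the `imap-login` lines in the Dovecot log say about each attempt. The script below is an added example written for this page, not code from the thread's participants, Dovecot or Samba; the function names (`parse_ktutil_list`, `check_service_keytab`, `summarize_dovecot_log`) are mine, and the `ktutil list` output and log lines are constructed samples modelled on the ones quoted above (the `@` in the principals replaces the list archive's " at " rewriting).

```python
import re

# --- Keytab check -----------------------------------------------------------
# Constructed sample modelled on the `ktutil list` output quoted in the thread,
# before the fqdn and realm were substituted (slots 97/98 still hold the template).
KTUTIL_LIST_BEFORE = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1   18                       COMMON$@HPRS.LOCAL
   4    1                         MAIL$@HPRS.LOCAL
  91    1                        krbtgt@HPRS.LOCAL
  97    1    smtp/server.domain.local@DOMAIN.LOCAL
  98    1    imap/server.domain.local@DOMAIN.LOCAL
"""

# Constructed sample modelled on the corrected keytab shown later in the thread.
KTUTIL_LIST_AFTER = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1          smtp/mail.hprs.local@HPRS.LOCAL
   2    1          imap/mail.hprs.local@HPRS.LOCAL
"""

KTUTIL_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")

def parse_ktutil_list(text):
    """Parse `ktutil list` output into (slot, kvno, principal) tuples.
    The header and dashed separator do not match the numeric pattern and are skipped."""
    entries = []
    for line in text.splitlines():
        m = KTUTIL_ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return entries

# The literal placeholders from the how-to that the thread shows ending up in a keytab.
TEMPLATE_HOST = "server.domain.local"
TEMPLATE_REALM = "DOMAIN.LOCAL"

def check_service_keytab(entries, fqdn, realm, services=("imap", "smtp")):
    """Report whether the keytab carries service/fqdn@REALM for each service.
    Returns three lists: expected principals that are missing, principals that still
    contain the how-to's placeholders, and service principals whose host or realm
    differs from the fqdn/realm Dovecot will be asked for (e.g. a bare hostname)."""
    wanted = {f"{svc}/{fqdn}@{realm}" for svc in services}
    present = {principal for _, _, principal in entries}
    findings = {"missing": sorted(wanted - present), "placeholders": [], "wrong_host": []}
    for _, _, principal in entries:
        if "/" not in principal:
            continue  # user or machine-account principal, not a service principal
        svc, rest = principal.split("/", 1)
        host, _, principal_realm = rest.partition("@")
        if host == TEMPLATE_HOST or principal_realm == TEMPLATE_REALM:
            findings["placeholders"].append(principal)
        elif svc in services and (host.lower() != fqdn.lower() or principal_realm != realm):
            findings["wrong_host"].append(principal)
    return findings

# --- Dovecot imap-login triage ---------------------------------------------
# Constructed lines modelled on the imap-login messages quoted in the thread.
DOVECOT_LOG = [
    "Jun 30 18:36:10 imap-login: Info: Disconnected (no auth attempts in 6 secs): "
    "user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<OTQqf4Y2SgDAqAA6>",
    "Jul 01 09:12:00 imap-login: Login: user=<ag>, method=GSSAPI, rip=127.0.0.1, "
    "lip=127.0.0.1, mpid=19022, TLS, session=<CdYH6IY2oADAwAw9>",
    "Jul 01 09:13:00 imap-login: Login: user=<mark>, method=PLAIN, rip=192.168.0.58, "
    "lip=192.168.0.2, mpid=19030, TLS, session=<c0nstructed00000>",
]

LOGIN_RE = re.compile(r"imap-login: Login: user=<([^>]*)>, method=(\w+)")
NO_AUTH_RE = re.compile(
    r"imap-login: Info: Disconnected \(no auth attempts in (\d+) secs\).*\brip=([\d.]+)")

def summarize_dovecot_log(lines):
    """Split imap-login lines into GSSAPI logins, other-mechanism logins, and sessions
    in which the client never sent an AUTHENTICATE command (the thread's symptom)."""
    summary = {"gssapi_logins": [], "other_logins": [], "no_auth_attempt": []}
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            user, method = m.groups()
            bucket = "gssapi_logins" if method.upper() == "GSSAPI" else "other_logins"
            summary[bucket].append((user, method))
            continue
        m = NO_AUTH_RE.search(line)
        if m:
            summary["no_auth_attempt"].append((m.group(2), int(m.group(1))))
    return summary

if __name__ == "__main__":
    for label, sample in (("before", KTUTIL_LIST_BEFORE), ("after", KTUTIL_LIST_AFTER)):
        print(label, check_service_keytab(parse_ktutil_list(sample),
                                          "mail.hprs.local", "HPRS.LOCAL"))
    print(summarize_dovecot_log(DOVECOT_LOG))
```

On the "before" keytab the check reports both expected principals as missing and flags slots 97/98 as unsubstituted placeholders, which is exactly what the thread found; on the "after" keytab all three lists are empty. A `Disconnected (no auth attempts ...)` line is reported separately from login failures because it records that no authentication command reached Dovecot at all in that session, so the keytab was never consulted for it.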



