[Samba] Where is krb5.keytab or equivalent?

Mark Foley mfoley at ohprs.org
Fri Jul 1 18:47:12 UTC 2016


On Fri, 1 Jul 2016 10:37:51 +0200 Achim Gottinger <achim at ag-web.biz> wrote:

> It's getting a bit off-topic for the samba list :-)

Maybe, but I am concurrently talking to people on the Dovecot list who seem to be able to do
Kerberos authentication, but none are using Samba4. They are also suggesting different
principals for the keytab file and other divergences from your suggestions.

I've dealt with a whole universe of OS's, networks and systems over my long and checkered
career, but this Kerberos stuff is the most esoteric bag of Voodoo I've run across.  I am
totally lost with what all these settings do or mean.  Anyway ...

> Look at the testing section in 
> http://wiki2.dovecot.org/Authentication/Kerberos do what is mentioned 
> below "Test that the server can access the keytab".

My results from that:

--------BEGIN---------
$ telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI] Dovecot ready.

$ openssl s_client -connect localhost:993
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, CN = mail.ohprs.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = mail.ohprs.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, CN = mail.ohprs.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=mail.ohprs.org
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
Server certificate
-----BEGIN CERTIFICATE-----

[deleted - lots more stuff]

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI] Dovecot ready.

a capability
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI
a OK Pre-login capabilities listed, post-login capabilities have more.

a authenticate GSSAPI
+
--------END---------

The telnet test seemed to work. I got the "OK Dovecot ready" message. The openssl test does
have the "CONNECTED(00000003)" at the beginning and "OK ... Dovecot Ready" at the end, but
disconcerting stuff in the middle ("unable to get local issuer certificate", "certificate not
trusted", etc.)

The 'a' commands returned the GSSAPI capability and the positive for the "authenticate GSSAPI".
All that I think is good.

Now, "The Test", as that page puts it ... unfortunately, as with much documentation, there is
a lot of assumed knowledge on the part of the author who is all too familiar with his topic (to
be fair, the testing section of this page does say "this section required cleanup"). So ... the
test instructions (if you're tired of reading at this point, skip to my IMAP/HOSTNAME comments):

"Setup mutt in /etc/Muttrc to use kerberos using gssapi and imap configuration
    this is done with set imap_authenticators="gssapi""

Did that, although my mutt doesn't seem to use it.  I have to do '-F /etc/Muttrc' to use that
config. 

"run kinit (type in password for kerb)
run command mutt
If you get error No Authentication Method"

Who/what is 'kerb'? This is not mentioned at all in the document up to this point. I assume it
is supposed to be a user account. I ran all these tests as root, but root does not have an IMAP
account. My "test" worked for root (but it is not IMAP), when I ran

MAIL=imap://mark@mail.ohprs.org/ mutt -F /tmp/testMuttrc

I did get "No authenticators available", same as yesterday.  (mark@HPRS.LOCAL is in the klist).
The instructions go on:

"run command klist (list all kerberos keys) should show imap/HOSTNAME 
/etc/hosts has to be set properly so that kerberos can find server."

This is now the 3rd variation on the klist settings I've gotten from various sources.  I
currently have:

smtp/mail.hprs.local@HPRS.LOCAL
imap/mail.hprs.local@HPRS.LOCAL

The dovecotListers are suggesting (I think, needs more clarification)

IMAP/mail@HPRS.LOCAL

i.e.  IMAP must be capitalized and hostname only, no FQDN.  This webpage we are looking at
appears to be suggesting

imap/MAIL

with "imap" in lowercase, hostname only in uppercase, no FQDN, no realm.  That doesn't really
look right to me and is perhaps part of the "required cleanup" bit -- on the other hand, I know
nothing about any of this.  The comment on "/etc/hosts has to be set properly" is a
space-waster without defining what "properly" means.

Like I said, Voodoo.

I will continue to experiment with these various suggestions, but I'm growing more skeptical
that Samba4/kerberos/Dovecot can work together. Rowland Penny set me up with single sign
on authentication from a Ubuntu client which apparently uses kerberos, but that is
Samba-to-Samba, not Dovecot-Samba.

Another part of this could be confusion as to what FQDN I should be using. The local LAN is
hprs.local, which is how I have keytab configured, but the cert it checks against is ohprs.org.
Which should I be using?

> If i run the telnet authenticated test and klist afterwards contains the 
> imap keys.

Could you post your klist so I can see what format you have?

Thanks, --Mark

-----Original Message-----
> To: samba at lists.samba.org
> From: Achim Gottinger <achim at ag-web.biz>
> Date: Fri, 1 Jul 2016 10:37:51 +0200
> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
>
> It's getting a bit off-topic for the samba list :-)
>
> Look at the testing section in 
> http://wiki2.dovecot.org/Authentication/Kerberos do what is mentioned 
> below "Test that the server can access the keytab".
>
> If i run the telnet authenticated test and klist afterwards contains the 
> imap keys.
>
> Am 01.07.2016 um 08:21 schrieb Mark Foley:
> > More info ...
> >
> > when I do
> >
> > MAIL=imap://mark@mail.ohprs.org/ mutt
> >
> > (using the domain of the registered certificate). I do not get the message "Certificate host
> > check failed: certificate owner does not match hosthame ..."
> >
> > I do get the same (mutt?) edit screen shown below with the "(r)eject, accept (o)nce, (a)ccept
> > always" action at the bottom.  If I "accept (o)nce", I am asked for the 'mark' password and put
> > into what must be the mutt mail interface showing my imap://mark@mail.ohprs.org/INBOX.
> >
> > Nothing in maillog, but dovecot log shows a successful PLAIN authentication.  If I configure
> > dovecot for only gssapi and run mutt again, I get the message "No authenticators available".
> >
> > I then created /tmp/testMuttrc with:
> >
> > set imap_authenticators="gssapi"
> >
> > and ran
> >
> > MAIL=imap://mark@mail.ohprs.org/ mutt -F /tmp/testMuttrc
> >
> > same: "No authenticators available"
> >
> > It's as if dovecot knows nothing about gssapi, so I did:
> >
> > $ dovecot --build-options
> > Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
> > Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
> > SQL drivers:
> > Passdb: checkpassword passwd passwd-file shadow
> > Userdb: checkpassword nss passwd prefetch passwd-file
> >
> > Should gssapi show up here? I did just rebuild dovecot with `./configure ----with-gssapi=yes`
> > and the config log shows it:
> >
> > #define HAVE_GSSAPI_GSSAPI_H /**/
> > #define HAVE_GSSAPI_H /**/
> > #define HAVE_GSSAPI /**/
> > #define HAVE_GSSAPI_GSSAPI_EXT_H 1
> > #define HAVE_GSSAPI_GSSAPI_KRB5_H 1
> > #define HAVE_KRB5_GSS_REGISTER_ACCEPTOR_IDENTITY 1
> > #define HAVE_GSSAPI_SPNEGO /**/
> > #define BUILTIN_GSSAPI /**/
> >
> > Maybe I need to ask the dovecot people how to confirm that I have gssapi.
> >
> > --Mark
> >
> > -----Original Message-----
> > From: Mark Foley <mfoley at ohprs.org>
> > Date: Fri, 01 Jul 2016 00:09:29 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Where is krb5.keytab or equivalent?
> >
> > Achim - per your instructions ...
> >
> >> Did a few test here "auth_gssapi_hostname = "$ALL"" is no longer
> >> required with dovecot (2.2.13 here).
> > My dovecot is 2.2.15 and the 10-auth.conf (from the template) has the comment:
> >
> > # Host name to use in GSSAPI principal names. The default is to use the
> > # name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
> > # entries.
> >
> > But, I've commented that out per your suggestion.
> >
> >> Add "auth_debug=yes" to your dovecot config.
> > I already have:
> >
> > auth_debug_passwords = yes
> >
> > but I've added the auth_debug per your suggestion.
> >
> >> 192.168.100.1 is my clients ip 192.168.100.101 is the servers
> > My WIN7/Thunderbird client is 192.168.0.58 and AD/DC/Dovecot server is 192.168.0.2
> >
> >> ag is the domain account username I use to login to windows and also the
> >> username configured in thunderbird.
> > For me the domain and Tbird account is 'mark'
> >
> >> On my debian system an package named libsasl2-modules-gssapi-mit must be
> >> installed.
> > I did install mit krb5. I am using Slackware which has a different package name, but it did
> > install and compile OK, so I don't think I'm missing anything (but who knows?).
> >
> >> To test kerberos against dovecot from the command line install "mutt".
> > I have mutt
> >
> >> I assume your windows account name is "mark"
> > yes
> >
> >> ~#kinit mark
> > I did the above ... as root (should I have been 'mark'?) on the AD/DC server.
> >
> > ----------
> > $ kinit mark
> > Password for mark@HPRS.LOCAL:
> > $ klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: mark@HPRS.LOCAL
> >
> > Valid starting       Expires              Service principal
> > 06/30/2016 23:41:31  07/01/2016 09:41:31  krbtgt/HPRS.LOCAL@HPRS.LOCAL
> >          renew until 07/01/2016 23:41:27
> > ---------
> >
> >> ~#MAIL=imap://mark@mail.hprs.local/ mutt
> > Did that. A message quickly flashed: "Certificate host check failed: certificate owner does
> > not match hosthame mail.hprs.org".
> >
> > Then a (presumably) mutt edit window came up with:
> >
> > -------
> > This certificate belongs to:
> >     mail.ohprs.org
> >     Unknown
> >     Unknown
> >     Domain Control Validated
> >     Unknown
> >
> > This certificate was issued by:
> >     Go Daddy Secure Certificate Authority - G2
> >     Unknown
> >     GoDaddy.com, Inc.
> >     http:
> >     Scottsdale
> >
> > This certificate is valid
> >     from Aug 14 21:38:38 2015 GMT
> >       to Aug 15 17:49:32 2016 GMT
> >
> > Fingerprint: B3B3 98E9 5675 0CEB 95D4 9146 9D1C 9064
> >
> > (r)eject, accept (o)nce, (a)ccept always
> > ------
> >
> > I did (r), then quit. I also tried
> >
> > MAIL=imap://mark@ohprs.org/ mutt
> >
> > to no better results.
> >
> >> A successful login with mutt looks like this in the mail logfile:
> >>
> > [deleted]
> >
> > Nothing at all in maillog. Dovecot log had:
> >
> > Jun 30 23:53:28 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [98.102.63.107]
> > Jun 30 23:53:43 imap-login: Debug: SSL alert: close notify [98.102.63.107]
> > Jun 30 23:53:43 imap-login: Info: Disconnected (no auth attempts in 15 secs): user=<>, rip=98.102.63.107, lip=98.102.63.107, TLS: Disconnected, session=<TD7I7oo2gQBiZj9r>
> >
> >> Also take a look at this page
> >> http://wiki2.dovecot.org/Authentication/Kerberos
> > Been to that page dozens of times :) A couple of things different on that page from our config
> > thus far:
> >
> > 1) "... you will need to install a service ticket of the form imap/hostname@REALM."
> >
> > We added 'imap/mail.hprs.local dovecot', i.e. the fqdn, not just the hostname. Could this be a
> > clue?
> >
> > 2) "Enable plaintext authentication to use Kerberos
> > This is needed when some of your clients don't support GSSAPI and you still want them to
> > authenticate against Kerberos."
> >
> > It then shows an /etc/pam.d/dovecot config, but I don't care about clients who do not support
> > GSSAPI, so I don't think I need this.
> >
> >> Looking at my spn's you may also need
> >> samba-tool spn add imap/mail.hprs.local dovecot
> > I added that, didn't make any difference.
> >
> > does the "Certificate host check failed" message and the mutt output tell you anything?
> >
> > Thanks for your patience --Mark
> >
> > -----Original Message-----
> >> To: samba at lists.samba.org
> >> From: Achim Gottinger <achim at ag-web.biz>
> >> Date: Fri, 1 Jul 2016 01:38:15 +0200
> >>
> >> Did a few test here "auth_gssapi_hostname = "$ALL"" is no longer
> >> required with dovecot (2.2.13 here).
> >>
> >> Add "auth_debug=yes" to your dovecot config.
> >>
> >> 192.168.100.1 is my clients ip 192.168.100.101 is the servers
> >>
> >> ag is the domain account username I use to login to windows and also the
> >> username configured in thunderbird.
> >>
> >> On my debian system an package named libsasl2-modules-gssapi-mit must be
> >> installed.
> >>
> >> To test kerberos against dovecot from the command line install "mutt".
> >>
> >> I assume your windows account name is "mark"
> >>
> >> ~#kinit mark
> >> ~#MAIL=imap://mark@mail.hprs.local/ mutt
> >>
> >> A successful login with mutt looks like this in the mail logfile:
> >>
> >> Debug: auth client connected (pid=22585)
> >> logon-zor dovecot: auth: Debug: client in:
> >> AUTH#0111#011GSSAPI#011service=imap#011secured#011session=p/ahQ4c2/wB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=44287#011resp=<hidden>
> >> logon-zor dovecot: auth: Debug: gssapi(?,127.0.0.1,<p/ahQ4c2/wB/AAAB>):
> >> Obtaining credentials for imap@
> >> logon-zor dovecot: auth: Debug: gssapi(ag,127.0.0.1,<p/ahQ4c2/wB/AAAB>):
> >> security context state completed.
> >> logon-zor dovecot: auth: Debug: client passdb out:
> >> CONT#0111#011YIGVBgkqhkiG9xIBAgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrXAIZT4a2p58/+ylPphtphYA6sTnK4QCyRkHRm1VTnvrfjxc3Ya2ui9IHsBGnPggzjLVNScFx6aHJi99VCDG7s07zNUF8d4WHuNZz7el5gwK4Quy3AeUX8zVa7xkIECuTtT5W7BjpsBThhMc=
> >> logon-zor dovecot: auth: Debug: client in: CONT<hidden>
> >> logon-zor dovecot: auth: Debug: gssapi(ag,127.0.0.1,<p/ahQ4c2/wB/AAAB>):
> >> Negotiated security layer
> >> logon-zor dovecot: auth: Debug: client passdb out:
> >> CONT#0111#011BQQF/wAMAAAAAAAAKxVA5AH///8b1puThszycYxSFvE=
> >> logon-zor dovecot: auth: Debug: client in: CONT<hidden>
> >>
> >> imap-login: Login: user=<ag>, method=GSSAPI, rip=127.0.0.1,
> >> lip=127.0.0.1, mpid=19022, TLS, session=<CdYH6IY2oADAwAw9>
> >>
> >>
> >> Also take a look at this page
> >> http://wiki2.dovecot.org/Authentication/Kerberos
> >>
> >> Looking at my spn's you may also need
> >>
> >> samba-tool spn add imap/mail.hprs.local dovecot
> >>
> >>
> >>
> >> Am 01.07.2016 um 00:46 schrieb Mark Foley:
> >>> Achim,
> >>>
> >>> I deleted the keytab file and did the following:
> >>>
> >>> $ samba-tool user delete dovecot
> >>> $ samba-tool user add dovecot
> >>>
> >>> # again, that asked for a password and I assigned one.
> >>>
> >>> $ samba-tool spn add smpt/mail.hprs.local@HPRS.LOCAL dovecot
> >>> $ samba-tool spn add imap/mail.hprs.local@HPRS.LOCAL dovecot
> >>>
> >>> $ ktutil
> >>> ktutil:  addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac
> >>> Password for smtp/mail.hprs.local@HPRS.LOCAL:
> >>> ktutil:  addent -password -p imap/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac
> >>> Password for imap/mail.hprs.local@HPRS.LOCAL:
> >>> ktutil:  wkt /etc/dovecot/dovecot.keytab
> >>> ktutil:  quit
> >>>
> >>> $ ktutil
> >>> ktutil:  read_kt /etc/dovecot/dovecot.keytab
> >>> ktutil:  list
> >>> slot KVNO Principal
> >>> ---- ---- ---------------------------------------------------------------------
> >>>      1    1          smtp/mail.hprs.local@HPRS.LOCAL
> >>>      2    1          imap/mail.hprs.local@HPRS.LOCAL
> >>>
> >>> So, much better. Duh for me not noticing that I had to change fqdn and domain to my own.
> >>>
> >>> Reloaded dovecot and tried again. Same error :(
> >>>
> >>> Jun 30 18:36:10 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<OTQqf4Y2SgDAqAA6>
> >>>
> >>> You wrote:
> >>>
> >>>> It must be possible for Thunderbird to use plain authentication with your windows account
> >>>> username.  Can be you must configure userdb and passdb to do ldap lookups against active
> >>>> directory.
> >>> Yes, Thunderbird (and Outlook, iPhone/Android, roundCube) all do plain text auth to dovecot. I will
> >>> continue to need this for non-domain email clients. According to the dovecot folks, the passwd
> >>> as userdb should work OK for gssapi. The passdb is ignored for gssapi. Besides, LDAP
> >>> authentication is another one (along with NTLM) that I haven't been able to get working with
> >>> Dovecot. The only ones I've been able to get working are PLAIN and, believe it or not,
> >>> checkpassword - which is basically a passdb driver for PLAIN.
> >>>
> >>> Perhaps there is some samba setting I'm missing? Here's my AD/DC smb.conf, do you see anything
> >>> missing I need? :
> >>>
> >>> [global]
> >>>           workgroup = HPRS
> >>>           realm = hprs.local
> >>>           netbios name = MAIL
> >>>           interfaces = lo, eth1
> >>>           bind interfaces only = Yes
> >>>           server role = active directory domain controller
> >>>           server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> >>>           idmap_ldb:use rfc2307 = yes
> >>>
> >>>       winbind use default domain = yes
> >>>
> >>>       load printers = no
> >>>       printing = bsd
> >>>       printcap name = /dev/null
> >>>       disable spoolss = yes
> >>>
> >>>       log level = 2 passdb:5 auth:10 winbind:2 lanman:10
> >>>       max log size = 1000
> >>>
> >>> [netlogon]
> >>>           path = /var/lib/samba/sysvol/hprs.local/scripts
> >>>           read only = No
> >>>
> >>> [sysvol]
> >>>           path = /var/lib/samba/sysvol
> >>>           read only = No
> >>>
> >>> [Users]
> >>>       path = /redirectedFolders/Users
> >>>       comment = user folders for redirection
> >>>       read only = No
> >>>
> >>> [share]
> >>>       path = /var/lib/samba/share
> >>>       comment = Shared folder
> >>>       read only = No
> >>>
> >>> Thanks --Mark
> >>>
> >>> -----Original Message-----
> >>>> To: samba at lists.samba.org
> >>>> From: Achim Gottinger <achim at ag-web.biz>
> >>>> Date: Thu, 30 Jun 2016 23:44:17 +0200
> >>>> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
> >>>>
> >>>> Am 30.06.2016 um 23:16 schrieb Mark Foley:
> >>>>> Achim, thanks a lot! A couple of questions on your suggested settings:
> >>>>>
> >>>>>> 1. Create an user
> >>>>>> samba-tool create user dovcot
> >>>>> I did this (actually `samba-tool user create dovecot`), but it asked for a password.  I
> >>>>> entered one.  You didn't mention that, so I hope it's OK.
> >>>> Yes
> >>>>>     
> >>>>>
> >>>>>> 2. Add the spn
> >>>>>> samba-tool spn add  smtp/server.domain.local@DOMAIN.LOCAL dovecot
> >>>>>> samba-tool spn add  imap/server.domain.local@DOMAIN.LOCAL dovecot
> >>>>> Did that too. No issue there.
> >>>> Well you must substitute server.domain.local with your mailserver fqdn
> >>>> and DOMAIN.LOCAL with HPRS.LOCAL.
> >>>>>> 3. Create the keytab file
> >>>>>> ktutil
> >>>>>> addent -password -p smtp/server.domain.local@DOMAIN.LOCAL -k 1 -e
> >>>>>> arcfour-hmac
> >>>>>> addent -password -p imap/server.domain.local@DOMAIN.LOCAL -k 1 -e
> >>>>>> arcfour-hmac
> >>>>>> wkt /etc/dovecot/dovecot.keytab
> >>>>> As you can see, your text wrapped, but from the error message I got I assumed the -e [enctype]
> >>>>> should have been the arcfour-hmac on the next line.  So I did:
> >>>>>
> >>>>> $ ktutil
> >>>>> ktutil: addent -password -p smtp/server.domain.local@DOMAIN.LOCAL -k 1 -e arcfour-hmac
> >>>>> ktutil: addent -password -p imap/server.domain.local@DOMAIN.LOCAL -k 1 -e arcfour-hmac
> >>>> Same here substitute like above and as you said arcfour-hmac belongs in
> >>>> the same line.
> >>>>> Of course, that will probably also wrap when you get this message, but basically I put the
> >>>>> arcfour-hmac on the same line as the addent. Each time, these commands also asked for a
> >>>>> password. Again, you didn't mention that, but I used the same password I used for the
> >>>>> `samba-tool user create` command above.
> >>>>>
> >>>>> I tried 'wkt /etc/dovecot/dovecot.keytab' while in ktutil, but I got, "Unknown request "wtk".
> >>>>> Type '?' for a request list." In looking at the "?" list I saw 'wkt', so I assumed you simply
> >>>>> transposed the letters.  I tried it and it took.
> >>>> Yes wkt is the command, but make sure /etc/dovecot/dovecot.keytab does
> >>>> not yet exist.
> >>>> Only the two keys you just added are required to get kerberos working.
> >>>> The system keytab you generated with samba-tool domain exportkeytab is
> >>>> not required.
> >>>>>     
> >>>>>
> >>>>>> 4. Add this to your dovecot config
> >>>>>>
> >>>>>> # Kerberos
> >>>>>> auth_gssapi_hostname = "$ALL"
> >>>>>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> >>>>> Did that.  In addition, I set the keytab file's group to dovecot and made the file group
> >>>>> readable, as suggested by http://wiki2.dovecot.org/Authentication/Kerberos.  I also tried
> >>>>> making it world readable.  Now, after doing all that and restarting dovecot I still get the
> >>>>> same dovecot error:
> >>>>>
> >>>>> Jun 30 16:59:54 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<3hLnJoU2vgDAqAA6>
> >>>>>
> >>>>> and still the same error in Thunderbird: "The Kerberos/DSSAPI ticket was not accepted by the
> >>>>> IMAP server mark at ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."
> >>>>>
> >>>>> As I've mentioned before, "mark at ohprs.org" is not a server. It is the email address of the
> >>>>> Thunderbird account (running on WIN7).
> >>>>>
> >>>>> Here is my doveconf -n (gssapi marked with *):
> >>>>>
> >>>>> auth_debug_passwords = yes
> >>>>> * auth_gssapi_hostname = $ALL
> >>>>> * auth_krb5_keytab = /etc/krb5.keytab
> >>>>> * auth_mechanisms = plain login gssapi
> >>>>> auth_verbose = yes
> >>>>> auth_verbose_passwords = plain
> >>>>> disable_plaintext_auth = no
> >>>>> info_log_path = /var/log/dovecot_info
> >>>>> mail_location = maildir:~/Maildir
> >>>>> passdb {
> >>>>>      driver = shadow
> >>>>> }
> >>>>> protocols = imap
> >>>>> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> >>>>> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> >>>>> userdb {
> >>>>>      driver = passwd
> >>>>> }
> >>>>> verbose_ssl = yes
> >>>>>
> >>>>> (yes, I put the keytab file in /etc/krb5.keytab, not in etc/dovecot. Should be OK, right?)
> >>>>>
> >>>>> Here is my keytab list (partial); note that every entry appears in triplicate. I don't see
> >>>>> 'dovecot' in there at all; maybe that's OK:
> >>>>>
> >>>>> ktutil:  list
> >>>>> slot KVNO Principal
> >>>>> ---- ---- ---------------------------------------------------------------------
> >>>>>       1   18                       COMMON$@HPRS.LOCAL
> >>>>>       2   18                       COMMON$@HPRS.LOCAL
> >>>>>       3   18                       COMMON$@HPRS.LOCAL
> >>>>>       4    1                         MAIL$@HPRS.LOCAL
> >>>>>       5    1                         MAIL$@HPRS.LOCAL
> >>>>>       6    1                         MAIL$@HPRS.LOCAL
> >>>>>       7    1                     charmaine@HPRS.LOCAL
> >>>>>       8    1                     charmaine@HPRS.LOCAL
> >>>>>       9    1                     charmaine@HPRS.LOCAL
> >>>>>       :
> >>>>>      19    1                 Administrator@HPRS.LOCAL
> >>>>>      20    1                 Administrator@HPRS.LOCAL
> >>>>>      21    1                 Administrator@HPRS.LOCAL
> >>>>>       :
> >>>>>      91    1                        krbtgt@HPRS.LOCAL
> >>>>>      92    1                        krbtgt@HPRS.LOCAL
> >>>>>      93    1                        krbtgt@HPRS.LOCAL
> >>>>>       :
> >>>>>      97    1    smtp/server.domain.local@DOMAIN.LOCAL
> >>>>>      98    1    imap/server.domain.local@DOMAIN.LOCAL
> >>>>>
> >>>>> Can you tell from any of this why I'm still not able to authenticate?
> >>>> You only need the lines 97 and 98 and substitute fqdn and realm like i
> >>>> mentioned above.
> >>>> It must be possible for Thunderbird to use plain authentication with
> >>>> your windows account username.
> >>>> Can be you must configure userdb and passdb to do ldap lookups against
> >>>> active directory.
> >>>>> Thanks, --Mark
> >>>>>
> >>>>> -----Original Message-----
> >>>>>> To: samba at lists.samba.org
> >>>>>> From: Achim Gottinger <achim at ag-web.biz>
> >>>>>> Date: Thu, 30 Jun 2016 11:51:34 +0200
> >>>>>>
> >>>>>> Am 30.06.2016 um 10:45 schrieb Mark Foley:
> >>>>>>> To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set
> >>>>>>> Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab
> >>>>>>> file as required by Dovecot. I've also downloaded and installed Kerberos for access to
> >>>>>>> the k* commands (ktutil, kinit, klist, ...).
> >>>>>>>
> >>>>>>> In my current setup, the Thunderbird client (WIN7 workstation) is not connecting.  The WIN7
> >>>>>>> workstation is a domain member and works fine otherwise with Samba4 for AD user authentication,
> >>>>>>> etc.  Thunderbird gives the following error:
> >>>>>>>
> >>>>>>> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark at ohprs.org. Please check
> >>>>>>> that you are logged in to the Kerberos/GSSAPI realm."
> >>>>>>>
> >>>>>>> One disconcerting bit about that message is the named IMAP server "mark at ohprs.org" is not a
> >>>>>>> server at all, but rather the email address of the Thunderbird account.
> >>>>>>>
> >>>>>>> When attempting to connect, the Dovecot log simply has "Disconnected (no auth attempts in 18
> >>>>>>> secs): user=<>". No message at all appears in the samba log although I have auth:10 level set.
> >>>>>>> Dovecot's 'configuration' for GSSAPI consists of nothing more than specifying:
> >>>>>>>
> >>>>>>> auth_mechanisms = plain login gssapi
> >>>>>>>
> >>>>>>> That's it (the other mechanism work just fine, BTW). Not much I can mess with there.
> >>>>>>>
> >>>>>>> I think the problem is with Samba and handling the authentication.  I do not think my Samba4 is
> >>>>>>> configured correctly. Over a year ago Rowland Penny helped me configure a Ubuntu workstation
> >>>>>>> for single-sign-on using Kerberos. He had me put the following lines into that workstation's
> >>>>>>> smb.conf file, none of which appear in the provisioned smb.conf on the Samba4 AD/DC server:
> >>>>>>>
> >>>>>>> security = ADS
> >>>>>>> dedicated keytab file = /etc/krb5.keytab
> >>>>>>> kerberos method = secrets and keytab
> >>>>>>> winbind nss info = rfc2307
> >>>>>>> winbind trusted domains only = no
> >>>>>>> winbind enum users = yes
> >>>>>>> winbind enum groups = yes
> >>>>>>> winbind refresh tickets = Yes
> >>>>>>>
> >>>>>>> I've tried sticking all of these in the AD/DC smb.conf and, when restarting Samba, I get a log
> >>>>>>> message, "Samba detected misconfigured 'server role' and exited."
> >>>>>>>
> >>>>>>> He also had me put the following in /etc/nsswitch.conf:
> >>>>>>>
> >>>>>>> passwd:         compat winbind
> >>>>>>> group:          compat winbind
> >>>>>>>
> >>>>>>> Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server
> >>>>>>> for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.
> >>>>>>>
> >>>>>>> Need Help! Thanks --Mark
> >>>>>> Hello Mark,
> >>>>>>
> >>>>>> This is what i used in debian wheezy few years back. I assume
> >>>>>> arcfour-hmac is unsafe these days but i did not yet investigate into
> >>>>>> other working encryption methods here.
> >>>>>> If you need smtp (postfix with auth via dovecot) also add the smtp
> >>>>>> spn's. Use the password for user dovecot during keytab creation.
> >>>>>>
> >>>>>> 1. Create an user
> >>>>>> samba-tool create user dovcot
> >>>>>>
> >>>>>> 2. Add the spn
> >>>>>> samba-tool spn add  smtp/server.domain.local@DOMAIN.LOCAL dovecot
> >>>>>> samba-tool spn add  imap/server.domain.local@DOMAIN.LOCAL dovecot
> >>>>>>
> >>>>>> 3. Create the keytab file
> >>>>>> ktutil
> >>>>>> addent -password -p smtp/server.domain.local@DOMAIN.LOCAL -k 1 -e
> >>>>>> arcfour-hmac
> >>>>>> addent -password -p imap/server.domain.local@DOMAIN.LOCAL -k 1 -e
> >>>>>> arcfour-hmac
> >>>>>> wkt /etc/dovecot/dovecot.keytab
> >>>>>>
> >>>>>> 4. Add this to your dovecot config
> >>>>>>
> >>>>>> # Kerberos
> >>>>>> auth_gssapi_hostname = "$ALL"
> >>>>>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> >>>>>>
> >>>>>> Hope it helps,
> >>>>>> achim~
> >>>>>> -- 
> >>>>>> To unsubscribe from this list go to the following URL and read the
> >>>>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>>>>
>
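
An added example, not part of the thread and not code from Samba or Dovecot: a small auditor for the service keytab discussed above. It parses the MIT keytab file format (version 0x0502) and flags the three things the thread touches on: arcfour-hmac keys, principals the mail service does not need (the exported domain keytab listed krbtgt and user accounts), and a world-readable file. The sample keytab is constructed with all-zero dummy keys; the function names and the imap/smtp allow-list are assumptions.

```python
import os
import stat
import struct
import tempfile

# Kerberos enctype numbers; DES and RC4 (arcfour-hmac) are the weak ones.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK = {1, 2, 3, 23, 24}


def counted(data, p):
    """Read a 16-bit length-prefixed string; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode("utf-8", "replace"), p + 2 + n


def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab, format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(data, p)
            comps.append(comp)
        p += 8                        # skip name type and timestamp
        kvno = data[p]                # 8-bit kvno
        etype, klen = struct.unpack_from(">HH", data, p + 1)
        p += 5 + klen                 # skip the key bytes without keeping them
        if end - p >= 4:              # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, etype))
        pos = end
    return entries


def audit_keytab(path, allowed_services=("imap", "smtp")):
    """Return (kind, detail) findings for file mode, extra principals, weak keys."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o004:
        findings.append(("world-readable", oct(mode)))
    with open(path, "rb") as fh:
        entries = parse_keytab(fh.read())
    for princ, kvno, etype in entries:
        name = princ.rsplit("@", 1)[0]
        # A mail-service keytab needs only service/host principals it serves.
        if "/" not in name or name.split("/")[0] not in allowed_services:
            findings.append(("unneeded-principal", princ))
        if etype in WEAK:
            findings.append(("weak-enctype", f"{princ} {ENCTYPES.get(etype, etype)}"))
    return findings


def build_entry(principal, kvno, etype, key):
    """Encode one keytab entry (used only to construct the sample below)."""
    def cs(text):
        raw = text.encode()
        return struct.pack(">H", len(raw)) + raw
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(cs(c) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # name type, timestamp, kvno8
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def build_sample_keytab():
    """Constructed sample: dummy zero keys, principal shapes taken from the thread."""
    return b"\x05\x02" + b"".join([
        build_entry("imap/mail.hprs.local@HPRS.LOCAL", 1, 23, bytes(16)),
        build_entry("smtp/mail.hprs.local@HPRS.LOCAL", 1, 18, bytes(32)),
        build_entry("krbtgt@HPRS.LOCAL", 1, 18, bytes(32)),
    ])


def demo():
    """Write the sample world-readable (as tried in the thread) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.keytab")
        with open(path, "wb") as fh:
            fh.write(build_sample_keytab())
        os.chmod(path, 0o644)
        return audit_keytab(path)


if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

To check a real file, call `audit_keytab("/etc/dovecot/dovecot.keytab")` as a user allowed to read it; the key bytes are skipped and never returned.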


