[Samba] Where is krb5.keytab or equivalent?

Achim Gottinger achim at ag-web.biz
Fri Jul 1 21:29:35 UTC 2016


Here's the test (I must run mutt, not telnet as I mentioned earlier, to get the imap tickets).

root@server:~# kinit achim
Password for achim@DOMAIN.LOCAL:
[I enter my password]
MAIL=imap://achim@server.domain.local/ mutt
[Mutt asks about the cert; I select accept once and I end up in my INBOX.
I leave mutt by entering q+ENTER]
root@server:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: achim@DOMAIN.LOCAL

Valid starting       Expires              Service principal
01.07.2016 23:16:30  02.07.2016 09:16:30  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 02.07.2016 23:16:28
01.07.2016 23:17:04  02.07.2016 09:16:30  imap/server.domain.local@
        renew until 02.07.2016 23:16:28
01.07.2016 23:17:04  02.07.2016 09:16:30  imap/server.domain.local@DOMAIN.LOCAL
        renew until 02.07.2016 23:16:28

root@server:~# samba-tool spn list dovecot
dovecot
User CN=dovecot,CN=Users,DC=domain,DC=local has the following servicePrincipalName:
          smtp/server.domain.local@DOMAIN.LOCAL
          imap/server.domain.local@DOMAIN.LOCAL
          imap/server.domain.local

root@server:~# cat /etc/hosts
127.0.0.1       localhost
192.168.100.102 server.domain.local server

Excerpt from /var/log/mail.log (on Debian, mail.log contains the debug info).

Jul  1 23:17:01 server dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Jul  1 23:17:01 server dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libmech_gssapi.so
Jul  1 23:17:01 server dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Jul  1 23:17:01 server dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
Jul  1 23:17:01 server dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Jul  1 23:17:01 server dovecot: auth: Debug: passwd-file /etc/dovecot/passwd.masterusers: Read 0 users in 0 secs
Jul  1 23:17:01 server dovecot: auth: Debug: auth client connected (pid=21490)
Jul  1 23:17:04 server dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured#011session=ldMkgpk2dAB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=39796#011resp=<hidden>
Jul  1 23:17:04 server dovecot: auth: Debug: gssapi(?,127.0.0.1,<ldMkgpk2dAB/AAAB>): Using all keytab entries
Jul  1 23:17:04 server dovecot: auth: Debug: gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): security context state completed.
Jul  1 23:17:04 server dovecot: auth: Debug: client passdb out: XXXXXXXXXXXXXXXXXXXXXXXXX
Jul  1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
Jul  1 23:17:04 server dovecot: auth: Debug: gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): Negotiated security layer
Jul  1 23:17:04 server dovecot: auth: Debug: client passdb out: XXXXXXXXXXXXXXXXXXXXXXXXX
Jul  1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
........
Jul  1 23:17:04 server dovecot: imap-login: Login: user=<achim>, method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=21496, TLS, session=<ldMkgpk2dAB/AAAB>

On 01.07.2016 at 22:40, Achim Gottinger wrote:
> I'm sure it will not work till you get that module built. :-)
>
>
> On 01.07.2016 at 20:53, Mark Foley wrote:
>> On Fri, 1 Jul 2016 11:55:20 +0200 Achim Gottinger <achim at domain.biz>
>> wrote:
>>
>>> Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe
>>> at a different location. On Debian this comes with the dovecot-gssapi
>>> package.
>> That module is nowhere on my system.
>>
>> --Mark
>>
>
>
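As an added example (not part of Achim's post and not code from the Samba or Dovecot projects), here is a Python script that turns the two artefacts shown in the message into a check: it groups Dovecot auth-debug lines of the shape above by session id to see how far each GSSAPI handshake got, and it compares the service tickets in a client's `klist` output against a `klist -k` keytab listing to flag tickets the server could not decrypt. The log lines, the second session id, and the keytab contents are constructed for the example; the `klist -k` listing format is assumed to be the standard MIT one (a KVNO column followed by the principal).

```python
import re

# Regexes for the three Dovecot log shapes seen in the post: the AUTH request
# (rsyslog writes the tab separators as "#011"), the gssapi mechanism debug
# lines, and the final imap-login record.
AUTH_RE = re.compile(r"auth: Debug: client in: (AUTH#011.*)$")
GSSAPI_RE = re.compile(r"gssapi\(([^,]*),([^,]*),<([^>]+)>\): (.*)$")
LOGIN_RE = re.compile(
    r"imap-login: Login: user=<([^>]+)>, method=(\w+), .*session=<([^>]+)>")

# klist ticket line: two date/time pairs, then a principal (must contain / or @).
# klist -k entry line (assumed MIT layout): a KVNO, then a principal with a realm.
TICKET_RE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(\S*[/@]\S*)$")
KEYTAB_RE = re.compile(r"^\d+\s+(\S+@\S+)$")

# Constructed sample log: the first session mirrors the successful login in the
# post; the second (made-up id) stops after the keytab lookup and never logs in.
SAMPLE_LOG = """\
Jul  1 23:17:04 server dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured#011session=ldMkgpk2dAB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=39796#011resp=<hidden>
Jul  1 23:17:04 server dovecot: auth: Debug: gssapi(?,127.0.0.1,<ldMkgpk2dAB/AAAB>): Using all keytab entries
Jul  1 23:17:04 server dovecot: auth: Debug: gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): security context state completed.
Jul  1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
Jul  1 23:17:04 server dovecot: auth: Debug: gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): Negotiated security layer
Jul  1 23:17:04 server dovecot: imap-login: Login: user=<achim>, method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=21496, TLS, session=<ldMkgpk2dAB/AAAB>
Jul  1 23:20:11 server dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured#011session=c0nstructedSess1#011lip=127.0.0.1#011rip=10.0.0.5#011lport=143#011rport=40000#011resp=<hidden>
Jul  1 23:20:11 server dovecot: auth: Debug: gssapi(?,10.0.0.5,<c0nstructedSess1>): Using all keytab entries
"""

# Constructed klist output (same layout as in the post, one ticket per line) and a
# constructed keytab listing that only holds the imap principal.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: achim@DOMAIN.LOCAL

Valid starting       Expires              Service principal
01.07.2016 23:16:30  02.07.2016 09:16:30  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 02.07.2016 23:16:28
01.07.2016 23:17:04  02.07.2016 09:16:30  imap/server.domain.local@
        renew until 02.07.2016 23:16:28
01.07.2016 23:17:04  02.07.2016 09:16:30  imap/server.domain.local@DOMAIN.LOCAL
        renew until 02.07.2016 23:16:28
01.07.2016 23:18:00  02.07.2016 09:16:30  smtp/server.domain.local@DOMAIN.LOCAL
"""
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 imap/server.domain.local@DOMAIN.LOCAL
"""


def _new_session():
    return {"mech": None, "service": None, "rip": None,
            "stages": [], "user": None, "login": False}


def parse_auth_sessions(log_text):
    """Group Dovecot auth-debug lines by session id and record how far each got."""
    sessions = {}
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            fields = m.group(1).split("#011")   # AUTH, id, mechanism, key=value...
            kv = dict(f.split("=", 1) for f in fields[3:] if "=" in f)
            sid = kv.get("session")
            if sid:
                s = sessions.setdefault(sid, _new_session())
                s["mech"], s["service"], s["rip"] = fields[2], kv.get("service"), kv.get("rip")
            continue
        m = GSSAPI_RE.search(line)
        if m:
            user, _rip, sid, msg = m.groups()
            s = sessions.setdefault(sid, _new_session())
            s["stages"].append(msg)
            if user != "?":   # Dovecot prints "?" until the context names the user
                s["user"] = user
            continue
        m = LOGIN_RE.search(line)
        if m:
            user, method, sid = m.groups()
            s = sessions.setdefault(sid, _new_session())
            s.update(user=user, mech=method, login=True)
    return sessions


def incomplete_gssapi_sessions(sessions):
    """Session ids that started GSSAPI but never produced an imap-login Login line."""
    return sorted(sid for sid, s in sessions.items()
                  if s["mech"] == "GSSAPI" and not s["login"])


def _split_principal(principal):
    name, _, realm = principal.partition("@")
    return name, realm


def service_tickets_missing_from_keytab(klist_text, keytab_text):
    """Service tickets in the client cache with no matching keytab entry on the server.

    A referral-style ticket with an empty realm (imap/host@) is matched on the
    service name alone; krbtgt tickets are skipped.
    """
    keytab = {_split_principal(m.group(1))
              for m in (KEYTAB_RE.match(l.strip()) for l in keytab_text.splitlines()) if m}
    missing = []
    for line in klist_text.splitlines():
        m = TICKET_RE.match(line.strip())
        if not m or m.group(1).startswith("krbtgt/"):
            continue
        name, realm = _split_principal(m.group(1))
        if not any(kn == name and (realm == "" or kr == realm) for kn, kr in keytab):
            missing.append(m.group(1))
    return missing


if __name__ == "__main__":
    sessions = parse_auth_sessions(SAMPLE_LOG)
    for sid, s in sessions.items():
        print(sid, s["mech"], s["user"], "login" if s["login"] else "no login", s["stages"])
    print("incomplete GSSAPI sessions:", incomplete_gssapi_sessions(sessions))
    print("tickets without keytab entry:",
          service_tickets_missing_from_keytab(SAMPLE_KLIST, SAMPLE_KEYTAB))
```

Run against a real `/var/log/mail.log` and the output of `klist` / `klist -k /path/to/keytab`, the two checks separate the two failure modes the thread circles around: a session that stops at "Using all keytab entries" points at the keytab on the server side, while a service ticket whose principal is absent from the keytab points at the SPN registration shown by `samba-tool spn list`.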