[Samba] Where is krb5.keytab or equivalent?
Achim Gottinger
achim at ag-web.biz
Fri Jul 1 21:29:35 UTC 2016
Here's the test (I must run mutt, not telnet like I mentioned earlier, to
get the imap tickets).
root@server:~# kinit achim
Password for achim@DOMAIN.LOCAL:
[I enter my password]
MAIL=imap://achim@server.domain.local/ mutt
[Mutt asks about the cert; I select accept once and I end up on my INBOX.
I leave mutt by entering q+ENTER]
root@server:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: achim@DOMAIN.LOCAL
Valid starting       Expires              Service principal
01.07.2016 23:16:30  02.07.2016 09:16:30  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 02.07.2016 23:16:28
01.07.2016 23:17:04  02.07.2016 09:16:30  imap/server.domain.local@
        renew until 02.07.2016 23:16:28
01.07.2016 23:17:04  02.07.2016 09:16:30  imap/server.domain.local@DOMAIN.LOCAL
        renew until 02.07.2016 23:16:28
root@server:~# samba-tool spn list dovecot
dovecot
User CN=dovecot,CN=Users,DC=domain,DC=local has the following servicePrincipalName:
         smtp/server.domain.local@DOMAIN.LOCAL
         imap/server.domain.local@DOMAIN.LOCAL
         imap/server.domain.local
root@server:~# cat /etc/hosts
127.0.0.1 localhost
192.168.100.102 server.domain.local server
Excerpt from /var/log/mail.log (on Debian, mail.log contains the debug
info).
Jul 1 23:17:01 server dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Jul 1 23:17:01 server dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libmech_gssapi.so
Jul 1 23:17:01 server dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Jul 1 23:17:01 server dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
Jul 1 23:17:01 server dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Jul 1 23:17:01 server dovecot: auth: Debug: passwd-file /etc/dovecot/passwd.masterusers: Read 0 users in 0 secs
Jul 1 23:17:01 server dovecot: auth: Debug: auth client connected (pid=21490)
Jul 1 23:17:04 server dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured#011session=ldMkgpk2dAB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=39796#011resp=<hidden>
Jul 1 23:17:04 server dovecot: auth: Debug: gssapi(?,127.0.0.1,<ldMkgpk2dAB/AAAB>): Using all keytab entries
Jul 1 23:17:04 server dovecot: auth: Debug: gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): security context state completed.
Jul 1 23:17:04 server dovecot: auth: Debug: client passdb out: XXXXXXXXXXXXXXXXXXXXXXXXX
Jul 1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
Jul 1 23:17:04 server dovecot: auth: Debug: gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): Negotiated security layer
Jul 1 23:17:04 server dovecot: auth: Debug: client passdb out: XXXXXXXXXXXXXXXXXXXXXXXXX
Jul 1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
........
Jul 1 23:17:04 server dovecot: imap-login: Login: user=<achim>, method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=21496, TLS, session=<ldMkgpk2dAB/AAAB>
On 01.07.2016 at 22:40, Achim Gottinger wrote:
> I'm sure it will not work till you get that module built. :-)
>
>
> On 01.07.2016 at 20:53, Mark Foley wrote:
>> On Fri, 1 Jul 2016 11:55:20 +0200 Achim Gottinger <achim at domain.biz>
>> wrote:
>>
>>> Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe
>>> at a different location. On Debian this comes with the
>>> dovecot-gssapi package.
>> That module is nowhere on my system.
>>
>> --Mark
>>
>
>