[Samba] Where is krb5.keytab or equivalent?

achim achim at ag-web.biz
Fri Jul 1 23:02:29 UTC 2016



On 01.07.2016 at 23:52, Achim Gottinger wrote:
> Here is an simpler way to create an user with the imap principal and 
> the dovecot keymap
>
> ~# samba-tool user create dovecot
> [Assign password]
> ~# samba-tool spn add imap/server.domain.local dovecot
> ~# samba-tool domain exportkeytab --principal dovecot at DOMAIN.LOCAL 
> dovecot.keytab
If the above line is replaced by
~# samba-tool domain exportkeytab --principal imap/server.domain.local dovecot.keytab
it works without auth_gssapi_hostname = "$ALL" again.
To add the principal for smtp, execute
~# samba-tool spn add smtp/server.domain.local dovecot
~# samba-tool domain exportkeytab --principal smtp/server.domain.local dovecot.keytab

The keytab now has the following content
~# klist -Kek /etc/dovecot/dovecot.conf
Keytab name: FILE:dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 imap/server.domain.local@DOMAIN.LOCAL (des-cbc-crc)  (0x......)
   3 imap/server.domain.local@DOMAIN.LOCAL (des-cbc-md5)  (0x......)
   3 imap/server.domain.local@DOMAIN.LOCAL (arcfour-hmac)  (0x.................)
   3 smtp/server.domain.local@DOMAIN.LOCAL (des-cbc-crc)  (0x......)
   3 smtp/server.domain.local@DOMAIN.LOCAL (des-cbc-md5)  (0x......)
   3 smtp/server.domain.local@DOMAIN.LOCAL (arcfour-hmac)  (0x.................)

The SPNs are
~# samba-tool spn list dovecot
dovecot
User CN=dovecot,CN=Users,DC=domain,DC=local has the following 
servicePrincipalName:
          imap/server.domain.local
          smtp/server.domain.local

I tried it with the hostname without the domain part and that did not work.
It also did not work using
~# samba-tool spn add imap/server.domain.local@DOMAIN.LOCAL dovecot
The SPN should not contain the realm, like below
~# samba-tool spn add imap/server.domain.local dovecot

But you really need that gssapi method library first. Check the auth debug 
log; there should be a line like
Jul  1 23:17:01 server dovecot: auth: Debug: Module loaded: 
/usr/lib/dovecot/modules/auth/libmech_gssapi.so
> ~# cp dovecot.keytab /etc/dovecot/dovecot.keytab
> ~#chgrp dovecot /etc/dovecot/dovecot.keytab
> ~#chmod g+r /etc/dovecot/dovecot.keytab
>
> As a side note. I test on an different server now and above and the 
> mutt test from my other mail only works with
> auth_gssapi_hostname = "$ALL"
> defined in dovecot config.
>
> Otherwise I get these errors
>
> Jul  1 23:47:29 server dovecot: auth: Debug: 
> gssapi(?,127.0.0.1,<55Rq7pk24gB/AAAB>): Obtaining credentials for imap@
> Jul  1 23:47:33 server dovecot: auth: 
> gssapi(?,127.0.0.1,<55Rq7pk24gB/AAAB>): While acquiring service 
> credentials: Unspecified GSS failure.  Minor code may provide more 
> information
>
>
> On 01.07.2016 at 22:40, Achim Gottinger wrote:
>> I'm sure it will not work till you get that module build. :-)
>>
>>
>> On 01.07.2016 at 20:53, Mark Foley wrote:
>>> On Fri, 1 Jul 2016 11:55:20 +0200 Achim Gottinger <achim at ag-web.biz> 
>>> wrote:
>>>
>>>> Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe 
>>>> at an
>>>> different location. On debian this comes with the dovecot-gssapi 
>>>> package.
>>> That module is nowhere on my system.
>>>
>>> --Mark
>>>
>>
>>
>
>

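As an added check for the procedure above (example code, not from the thread): parse a `klist -Kek` listing in the format shown in the post, verify that the imap/ and smtp/ service principals were actually exported, and flag the legacy encryption types (DES and RC4) visible in that listing. The sample listing and key hashes below are constructed placeholders, not values from the post.

```python
"""Verify a Dovecot keytab listing: expected SPNs present, legacy enctypes flagged.

Added example, not part of the mailing-list thread. SAMPLE_KLIST is a constructed
copy of the `klist -Kek` format shown in the post with placeholder key hashes.
"""
import re
from collections import defaultdict

# Constructed sample output of `klist -Kek dovecot.keytab` (same shape as the post).
SAMPLE_KLIST = """\
Keytab name: FILE:dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 imap/server.domain.local@DOMAIN.LOCAL (des-cbc-crc)  (0x0123456789abcdef)
   3 imap/server.domain.local@DOMAIN.LOCAL (des-cbc-md5)  (0x0123456789abcdef)
   3 imap/server.domain.local@DOMAIN.LOCAL (arcfour-hmac)  (0x00112233445566778899aabbccddeeff)
   3 smtp/server.domain.local@DOMAIN.LOCAL (des-cbc-crc)  (0x0123456789abcdef)
   3 smtp/server.domain.local@DOMAIN.LOCAL (des-cbc-md5)  (0x0123456789abcdef)
   3 smtp/server.domain.local@DOMAIN.LOCAL (arcfour-hmac)  (0x00112233445566778899aabbccddeeff)
"""

# Single-DES and RC4 keys: still exported by older Samba AD setups, but legacy today.
LEGACY_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac", "arcfour-hmac-md5"}

# One keytab entry per line: "<kvno> <principal> (<enctype>)  (0x<hash>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)")


def parse_klist(text):
    """Return {principal: {enctype: kvno}} from `klist -Kek`-style output."""
    keys = defaultdict(dict)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header, separator and 'Keytab name:' lines do not match
            kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
            keys[principal][enctype] = kvno
    return dict(keys)


def check_keytab(text, host, realm, services=("imap", "smtp")):
    """Report SPNs missing from the keytab and which enctypes are legacy vs. strong."""
    keys = parse_klist(text)
    wanted = [f"{svc}/{host}@{realm}" for svc in services]
    enctypes = {enc for encs in keys.values() for enc in encs}
    return {
        "missing": [p for p in wanted if p not in keys],
        "legacy_enctypes": sorted(enctypes & LEGACY_ENCTYPES),
        "strong_enctypes": sorted(enctypes - LEGACY_ENCTYPES),
        "kvnos": sorted({k for encs in keys.values() for k in encs.values()}),
    }


if __name__ == "__main__":
    print(check_keytab(SAMPLE_KLIST, "server.domain.local", "DOMAIN.LOCAL"))
```

On a live server, feed it the real output (`klist -Kek /etc/dovecot/dovecot.keytab`) instead of the constructed sample; an empty `strong_enctypes` list means the keytab only carries DES/RC4 keys.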