[Samba] Where is krb5.keytab or equivalent?
Mark Foley
mfoley at ohprs.org
Sat Jul 2 01:15:58 UTC 2016
OK, let me go through exactly what you did:
you:
> Here's the test (I must run mutt not telnet like i mentioned earlier to
> get the imap tickets).
>
> root at server:~# kinit achim
> Password for achim at DOMAIN.LOCAL:
> [I enter my password]
As root on AD/DC mail.hprs.local:
me:
$ kinit mark
Password for mark at HPRS.LOCAL:
[I enter my password]
you:
> MAIL=imap://achim@server.domain.local/ mutt
me:
$ MAIL=imap://mark@server.domain.local/ mutt -F /etc/Muttrc
I get the mutt message, "Certificate host check failed: certificate owner does not match
hostname mail.hprs.local".
After that, in the mutt screen, I get:
-----BEGIN------
This certificate belongs to:
mail.ohprs.org
Unknown
Unknown
Domain Control Validated
Unknown
This certificate was issued by:
Go Daddy Secure Certificate Authority - G2
Unknown
GoDaddy.com, Inc.
http:
Scottsdale
This certificate is valid
from Aug 14 21:38:38 2015 GMT
to Aug 15 17:49:32 2016 GMT
Fingerprint: B3B3 98E9 5675 0CEB 95D4 9146 9D1C 9064
-----END-------
you:
> root at server:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: achim at DOMAIN.LOCAL
[etc ...]
me:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mark at HPRS.LOCAL
Valid starting Expires Service principal
07/01/2016 20:57:56 07/02/2016 06:57:56 krbtgt/HPRS.LOCAL at HPRS.LOCAL
renew until 07/02/2016 20:57:52
Clearly, I am misconfigured at some level. From my mouse-eye-view, the certificate is for
mail.ohprs.org, not mail.hprs.local. What about you? You must have a certificate for
server.domain.local as well as your public domain, yes? Did you at some point create a
self-signed certificate?
What do you suggest?
--Mark
-----Original Message-----
> To: samba at lists.samba.org
> From: Achim Gottinger <achim at ag-web.biz>
> Date: Fri, 1 Jul 2016 23:29:35 +0200
> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
>
> Here's the test (I must run mutt not telnet like i mentioned earlier to
> get the imap tickets).
>
> root at server:~# kinit achim
> Password for achim at DOMAIN.LOCAL:
> [I enter my password]
> MAIL=imap://achim@server.domain.local/ mutt
> [Mutt asks about the cert i select accept once and i endup on my INBOX.
> I leave mutt by entring q+ENTER]
> root at server:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: achim at DOMAIN.LOCAL
>
> Valid starting Expires Service principal
> 01.07.2016 23:16:30 02.07.2016 09:16:30 krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL
> renew until 02.07.2016 23:16:28
> 01.07.2016 23:17:04 02.07.2016 09:16:30 imap/server.domain.local@
> renew until 02.07.2016 23:16:28
> 01.07.2016 23:17:04 02.07.2016 09:16:30 imap/server.domain.local at DOMAIN.LOCAL
> renew until 02.07.2016 23:16:28
>
> root at server:~# samba-tool spn list dovecot
> dovecot
> User CN=dovecot,CN=Users,DC=domain,DC=local has the following
> servicePrincipalName:
> smtp/server.domain.local at DOMAIN.LOCAL
> imap/server.domain.local at DOMAIN.LOCAL
> imap/server.domain.local
>
> root at server:~#cat /etc/hosts
> 127.0.0.1 localhost
> 192.168.100.102 server.domain.local server
>
> Excerpt from /var/log/mail.log ( On debian mail.log contains the debug
> info).
>
> Jul 1 23:17:01 server dovecot: auth: Debug: Loading modules from
> directory: /usr/lib/dovecot/modules/auth
> Jul 1 23:17:01 server dovecot: auth: Debug: Module loaded:
> /usr/lib/dovecot/modules/auth/libmech_gssapi.so
> Jul 1 23:17:01 server dovecot: auth: Debug: Loading modules from
> directory: /usr/lib/dovecot/modules/auth
> Jul 1 23:17:01 server dovecot: auth: Debug: Module loaded:
> /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
> Jul 1 23:17:01 server dovecot: auth: Debug: Read auth token secret from
> /var/run/dovecot/auth-token-secret.dat
> Jul 1 23:17:01 server dovecot: auth: Debug: passwd-file
> /etc/dovecot/passwd.masterusers: Read 0 users in 0 secs
> Jul 1 23:17:01 server dovecot: auth: Debug: auth client connected
> (pid=21490)
> Jul 1 23:17:04 server dovecot: auth: Debug: client in:
> AUTH#0111#011GSSAPI#011service=imap#011secured#011session=ldMkgpk2dAB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=39796#011resp=<hidden>
> Jul 1 23:17:04 server dovecot: auth: Debug:
> gssapi(?,127.0.0.1,<ldMkgpk2dAB/AAAB>): Using all keytab entries
> Jul 1 23:17:04 server dovecot: auth: Debug:
> gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): security context state
> completed.
> Jul 1 23:17:04 server dovecot: auth: Debug: client passdb out:
> XXXXXXXXXXXXXXXXXXXXXXXXX
> Jul 1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
> Jul 1 23:17:04 server dovecot: auth: Debug:
> gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): Negotiated security layer
> Jul 1 23:17:04 server dovecot: auth: Debug: client passdb out:
> XXXXXXXXXXXXXXXXXXXXXXXXX
> Jul 1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
> ........
> Jul 1 23:17:04 server dovecot: imap-login: Login: user=<achim>,
> method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=21496, TLS,
> session=<ldMkgpk2dAB/AAAB>
>
> Am 01.07.2016 um 22:40 schrieb Achim Gottinger:
> > I'm sure it will not work till you get that module build. :-)
> >
> >
> > Am 01.07.2016 um 20:53 schrieb Mark Foley:
> >> On Fri, 1 Jul 2016 11:55:20 +0200 Achim Gottinger <achim at domain.biz>
> >> wrote:
> >>
> >>> Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe
> >>> at an
> >>> different location. On debian this comes with the dovecot-gssapi
> >>> package.
> >> That module is nowhere on my system.
> >>
> >> --Mark
> >>
> >
> >
>
>
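The two name checks this thread turns on are independent: mutt verifies the TLS certificate against the hostname in the MAIL= URL, and a GSSAPI login then asks the KDC for imap/<that hostname>@REALM, which must exist as a servicePrincipalName (the list Achim shows with samba-tool spn list). The script below is an added example, not code from this thread or from Samba, Dovecot or mutt; it takes the URL, the names on the certificate and pasted samba-tool output and reports which of the two checks fails. The certificate names, URLs and the samba-tool paste are constructed from the values quoted above, and undoing the archive's " at " rendering of "@" is an assumption about the paste, not part of samba-tool's format.

```python
"""Diagnose the two name checks an IMAP-over-TLS + GSSAPI login depends on.

Constructed example for this thread, not code from the list or from Samba,
Dovecot or mutt. Given the hostname in the client's MAIL= URL, the names on
the server's TLS certificate and the servicePrincipalName values registered
in AD, report whether (1) the certificate covers the hostname the client
dials and (2) a Kerberos principal imap/<host>@REALM exists for that host.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class TlsCert:
    """Names a server certificate is valid for (constructed, not parsed from a real cert)."""
    subject_cn: str
    san_dns: list[str] = field(default_factory=list)

    def names(self) -> list[str]:
        # RFC 6125: SAN dNSName entries take precedence; the CN is only a fallback.
        return self.san_dns if self.san_dns else [self.subject_cn]


def imap_host_from_url(url: str) -> str:
    """Hostname mutt connects to and verifies, from a MAIL=imap://user@host/ URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("imap", "imaps") or not parts.hostname:
        raise ValueError(f"not an IMAP URL: {url!r}")
    return parts.hostname.lower()


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or a single leftmost '*' label
    (no wildcard directly under a top-level label)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        rest = pattern[2:]
        return "." in rest and ".".join(host.split(".")[1:]) == rest
    return False


def cert_covers_host(cert: TlsCert, host: str) -> bool:
    return any(name_matches(n, host) for n in cert.names())


def expected_imap_spn(host: str, realm: str) -> str:
    """The service principal a GSSAPI client requests for an IMAP server."""
    return f"imap/{host.lower()}@{realm.upper()}"


def parse_spn_list(text: str) -> list[str]:
    """SPNs from pasted `samba-tool spn list <account>` output.
    Assumption: the paste came from the list archive, which prints '@' as ' at '."""
    spns, collecting = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("servicePrincipalName:"):
            collecting = True
            continue
        if collecting and "/" in line:
            spns.append(line.replace(" at ", "@"))
    return spns


def spn_registered(spns: list[str], host: str, realm: str) -> bool:
    """True if AD holds imap/<host>, with or without the @REALM suffix."""
    wanted = expected_imap_spn(host, realm)
    bare = wanted.split("@")[0]
    known = {s.strip().lower() for s in spns}
    return wanted.lower() in known or bare.lower() in known


def diagnose(url: str, cert: TlsCert, spns: list[str], realm: str) -> dict:
    host = imap_host_from_url(url)
    return {
        "host": host,
        "tls_ok": cert_covers_host(cert, host),
        "expected_spn": expected_imap_spn(host, realm),
        "spn_ok": spn_registered(spns, host, realm),
    }


# Constructed from the samba-tool output quoted in this thread.
SAMBA_TOOL_SPN_OUTPUT = """\
dovecot
User CN=dovecot,CN=Users,DC=domain,DC=local has the following
servicePrincipalName:
smtp/server.domain.local at DOMAIN.LOCAL
imap/server.domain.local at DOMAIN.LOCAL
imap/server.domain.local
"""

if __name__ == "__main__":
    spns = parse_spn_list(SAMBA_TOOL_SPN_OUTPUT)
    # Mark's situation: GoDaddy cert for mail.ohprs.org, client dials mail.hprs.local.
    print(diagnose("imap://mark@mail.hprs.local/", TlsCert("mail.ohprs.org"), spns, "HPRS.LOCAL"))
    # Achim's situation: SPNs exist for server.domain.local; cert names are constructed.
    print(diagnose("imap://achim@server.domain.local/",
                   TlsCert("server.domain.local"), spns, "DOMAIN.LOCAL"))
```

Run it as-is to see both cases; for a real server, fill TlsCert from `openssl s_client -connect host:993` output (or the STARTTLS variant on 143) and paste your own samba-tool spn list output. A certificate that lists only the public name fails the first check even when the SPN is correct, which is exactly the warning mutt printed above; adding the internal name as a SAN, or dialling the name the certificate carries and registering an SPN for it, fixes it without touching Kerberos.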