[Samba] Where is krb5.keytab or equivalent?

Mark Foley mfoley at ohprs.org
Sat Jul 2 01:32:53 UTC 2016


Following your example for 2nd test ...

you:
> ~# samba-tool user create dovecot
> [Assign password]
> ~# samba-tool spn add imap/server.domain.local dovecot
> ~# samba-tool domain exportkeytab --principal dovecot@DOMAIN.LOCAL dovecot.keytab
> ~# cp dovecot.keytab /etc/dovecot/dovecot.keytab
> ~# chgrp dovecot /etc/dovecot/dovecot.keytab
> ~# chmod g+r /etc/dovecot/dovecot.keytab


me:
root@mail > samba-tool user delete dovecot  # to get rid of previous defs.
Deleted user dovecot

root@mail > samba-tool user create dovecot
New Password:
Retype Password:
User 'dovecot' created successfully

root@mail > samba-tool domain exportkeytab --principal dovecot@HPRS.LOCAL dovecot.keytab
root@mail > cp dovecot.keytab /etc/dovecot/dovecot.keytab
root@mail > chgrp dovecot /etc/dovecot//dovecot.keytab
root@mail > chmod g+r /etc/dovecot/dovecot.keytab
root@mail > dovecot reload

> As a side note. I test on a different server now and above and the mutt 
> test from my other mail only works with
> auth_gssapi_hostname = "$ALL"
> defined in dovecot config.

I added that back in before reloading dovecot.  Some commenter had me remove it during previous
testing. 

Re-ran mutt, sadly same result as previous test, "Certificate host check failed: certificate
owner does not match hostname mail.hprs.local". 

Nothing in maillog.

I think certificate is fooped.

--Mark

-----Original Message-----
> To: samba at lists.samba.org
> From: Achim Gottinger <achim at ag-web.biz>
> Date: Fri, 1 Jul 2016 23:52:53 +0200
> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
>
> Here is a simpler way to create a user with the imap principal and the 
> dovecot keymap
>
> ~# samba-tool user create dovecot
> [Assign password]
> ~# samba-tool spn add imap/server.domain.local dovecot
> ~# samba-tool domain exportkeytab --principal dovecot@DOMAIN.LOCAL dovecot.keytab
> ~# cp dovecot.keytab /etc/dovecot/dovecot.keytab
> ~# chgrp dovecot /etc/dovecot/dovecot.keytab
> ~# chmod g+r /etc/dovecot/dovecot.keytab
>
> As a side note. I test on a different server now and above and the mutt 
> test from my other mail only works with
> auth_gssapi_hostname = "$ALL"
> defined in dovecot config.
>
> Otherwise I get these errors
>
> Jul  1 23:47:29 server dovecot: auth: Debug: 
> gssapi(?,127.0.0.1,<55Rq7pk24gB/AAAB>): Obtaining credentials for imap@
> Jul  1 23:47:33 server dovecot: auth: 
> gssapi(?,127.0.0.1,<55Rq7pk24gB/AAAB>): While acquiring service 
> credentials: Unspecified GSS failure.  Minor code may provide more 
> information
>
>
> On 01.07.2016 at 22:40, Achim Gottinger wrote:
> > I'm sure it will not work till you get that module built. :-)
> >
> >
> > On 01.07.2016 at 20:53, Mark Foley wrote:
> >> On Fri, 1 Jul 2016 11:55:20 +0200 Achim Gottinger <achim at ag-web.biz> 
> >> wrote:
> >>
> >>> Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe 
> >>> at a different location. On Debian this comes with the 
> >>> dovecot-gssapi package.
> >> That module is nowhere on my system.
> >>
> >> --Mark
> >>
> >
> >
>
>
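
As an added illustration (not part of the original thread, and not Samba or Dovecot code): a small parser for the keytab file format (version 0x0502) that lists the principals in a file such as the `dovecot.keytab` exported above, so the presence of the `imap/...` service principal can be confirmed before Dovecot is pointed at it. The function names and the sample bytes are constructed for this example.

```python
import struct

def _cs(b):                                  # counted string: 16-bit length + bytes
    return struct.pack(">H", len(b)) + b

def build_entry(principal, realm, kvno, enctype, key):  # only builds the sample
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _cs(realm.encode())
    body += b"".join(_cs(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + _cs(key)
    body += struct.pack(">I", kvno)          # 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body

def _read_cs(data, p):
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):  # -> [(principal, kvno, enctype)]; key bytes are skipped
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                        # hole left by a deleted entry
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _read_cs(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_cs(data, p)
            comps.append(c.decode())
        # name type (4), timestamp (4), 8-bit kvno (1), enctype (2) = 11 bytes
        _type, _ts, kvno, enctype = struct.unpack_from(">IIBH", data, p)
        _key, p = _read_cs(data, p + 11)
        if end - p >= 4:                     # optional 32-bit kvno overrides 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return entries

def missing_principals(entries, wanted):
    return [w for w in wanted if w not in {name for name, _, _ in entries}]

# Constructed sample with dummy all-zero keys and one hole; not a real keytab.
SAMPLE = (b"\x05\x02" + build_entry("dovecot", "DOMAIN.LOCAL", 1, 18, bytes(32))
          + struct.pack(">i", -6) + bytes(6)
          + build_entry("imap/server.domain.local", "DOMAIN.LOCAL", 300, 18, bytes(32)))
```

For a real file, pass `open(path, "rb").read()` to `parse_keytab` and give `missing_principals` the service principal the mail client will request.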


