[Samba] Where is krb5.keytab or equivalent?

Achim Gottinger achim at ag-web.biz
Sat Jul 2 01:39:42 UTC 2016


Yes I created a self-signed cert (with the easy-rsa scripts from 
openvpn). Does mutt let you accept the cert anyway? On an earlier test 
you got past the cert state and had to enter a password or got a no 
auth failure.

Also figure out where dovecot's auth debug log entries get written (here 
dovecot writes logs to mail.info, mail.error and mail.log; debug only ends 
up in mail.log).

Am 02.07.2016 um 03:15 schrieb Mark Foley:
> OK, let me go through exactly what you did:
>
> you:
>> Here's the test (I must run mutt not telnet like i mentioned earlier to
>> get the imap tickets).
>>
>> root at server:~# kinit achim
>> Password for achim at DOMAIN.LOCAL:
>> [I enter my password]
> As root on AD/DC mail.hprs.local:
>
> me:
> $ kinit mark
> Password for mark at HPRS.LOCAL:
> [I enter my password]
>
> you:
>> MAIL=imap://achim@server.domain.local/ mutt
> me:
> $ MAIL=imap://mark@server.domain.local/ mutt -F /etc/Muttrc
>
> I get the mutt message, "Certificate host check failed: certificate owner does not match
> hostname mail.hprs.local".
>
> After that, in the mutt screen, I get:
>
> -----BEGIN------
> This certificate belongs to:
>     mail.ohprs.org
>     Unknown
>     Unknown
>     Domain Control Validated
>     Unknown
>
> This certificate was issued by:
>     Go Daddy Secure Certificate Authority - G2
>     Unknown
>     GoDaddy.com, Inc.
>     http:
>     Scottsdale
>
> This certificate is valid
>     from Aug 14 21:38:38 2015 GMT
>       to Aug 15 17:49:32 2016 GMT
>
> Fingerprint: B3B3 98E9 5675 0CEB 95D4 9146 9D1C 9064
> -----END-------
>
> you:
>> root at server:~# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: achim at DOMAIN.LOCAL
> [etc ...]
>
> me:
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: mark at HPRS.LOCAL
>
> Valid starting       Expires              Service principal
> 07/01/2016 20:57:56  07/02/2016 06:57:56  krbtgt/HPRS.LOCAL at HPRS.LOCAL
>          renew until 07/02/2016 20:57:52
>
> Clearly, I am misconfigured at some level.  From my mouse-eye-view, the certificate is for
> mail.ohprs.org, not mail.hprs.local.  What about you? You must have a certificate for
> server.domain.local as well as your public domain, yes? Did you at some point create a
> self-signed certificate?
>
> What do you suggest?
>
> --Mark
>
> -----Original Message-----
>> To: samba at lists.samba.org
>> From: Achim Gottinger <achim at ag-web.biz>
>> Date: Fri, 1 Jul 2016 23:29:35 +0200
>> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
>>
>> Here's the test (I must run mutt not telnet like i mentioned earlier to
>> get the imap tickets).
>>
>> root at server:~# kinit achim
>> Password for achim at DOMAIN.LOCAL:
>> [I enter my password]
>> MAIL=imap://achim@server.domain.local/ mutt
>> [Mutt asks about the cert i select accept once and i endup on my INBOX.
>> I leave mutt by entring q+ENTER]
>> root at server:~# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: achim at DOMAIN.LOCAL
>>
>> Valid starting       Expires              Service principal
>> 01.07.2016 23:16:30  02.07.2016 09:16:30 krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL
>>           renew until 02.07.2016 23:16:28
>> 01.07.2016 23:17:04  02.07.2016 09:16:30  imap/server.domain.local@
>>           renew until 02.07.2016 23:16:28
>> 01.07.2016 23:17:04  02.07.2016 09:16:30  imap/server.domain.local at DOMAIN.LOCAL
>>           renew until 02.07.2016 23:16:28
>>
>> root at server:~# samba-tool spn list dovecot
>> dovecot
>> User CN=dovecot,CN=Users,DC=domain,DC=local has the following
>> servicePrincipalName:
>>            smtp/server.domain.local at DOMAIN.LOCAL
>>            imap/server.domain.local at DOMAIN.LOCAL
>>            imap/server.domain.local
>>
>> root at server:~#cat /etc/hosts
>> 127.0.0.1       localhost
>> 192.168.100.102 server.domain.local server
>>
>> Excerpt from /var/log/mail.log ( On debian mail.log contains the debug
>> info).
>>
>> Jul  1 23:17:01 server dovecot: auth: Debug: Loading modules from
>> directory: /usr/lib/dovecot/modules/auth
>> Jul  1 23:17:01 server dovecot: auth: Debug: Module loaded:
>> /usr/lib/dovecot/modules/auth/libmech_gssapi.so
>> Jul  1 23:17:01 server dovecot: auth: Debug: Loading modules from
>> directory: /usr/lib/dovecot/modules/auth
>> Jul  1 23:17:01 server dovecot: auth: Debug: Module loaded:
>> /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
>> Jul  1 23:17:01 server dovecot: auth: Debug: Read auth token secret from
>> /var/run/dovecot/auth-token-secret.dat
>> Jul  1 23:17:01 server dovecot: auth: Debug: passwd-file
>> /etc/dovecot/passwd.masterusers: Read 0 users in 0 secs
>> Jul  1 23:17:01 server dovecot: auth: Debug: auth client connected
>> (pid=21490)
>> Jul  1 23:17:04 server dovecot: auth: Debug: client in:
>> AUTH#0111#011GSSAPI#011service=imap#011secured#011session=ldMkgpk2dAB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=39796#011resp=<hidden>
>> Jul  1 23:17:04 server dovecot: auth: Debug:
>> gssapi(?,127.0.0.1,<ldMkgpk2dAB/AAAB>): Using all keytab entries
>> Jul  1 23:17:04 server dovecot: auth: Debug:
>> gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): security context state
>> completed.
>> Jul  1 23:17:04 server dovecot: auth: Debug: client passdb out:
>> XXXXXXXXXXXXXXXXXXXXXXXXX
>> Jul  1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
>> Jul  1 23:17:04 server dovecot: auth: Debug:
>> gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): Negotiated security layer
>> Jul  1 23:17:04 server dovecot: auth: Debug: client passdb out:
>> XXXXXXXXXXXXXXXXXXXXXXXXX
>> Jul  1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
>> ........
>> Jul  1 23:17:04 server dovecot: imap-login: Login: user=<achim>,
>> method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=21496, TLS,
>> session=<ldMkgpk2dAB/AAAB>
>>
>> Am 01.07.2016 um 22:40 schrieb Achim Gottinger:
>>> I'm sure it will not work till you get that module build. :-)
>>>
>>>
>>> Am 01.07.2016 um 20:53 schrieb Mark Foley:
>>>> On Fri, 1 Jul 2016 11:55:20 +0200 Achim Gottinger <achim at domain.biz>
>>>> wrote:
>>>>
>>>>> Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe
>>>>> at an
>>>>> different location. On debian this comes with the dovecot-gssapi
>>>>> package.
>>>> That module is nowhere on my system.
>>>>
>>>> --Mark
>>>>
>>>
>>

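A small client-side check for the two symptoms this thread circles around: no imap/<host> service ticket showing up in klist after the mutt login, and a server certificate whose name does not match the host in the MAIL URL. This is an added example, not code from the thread or from Dovecot/mutt; it assumes the klist layout quoted above (including the list archive's "at" for "@" and a principal wrapped onto the next line) and uses a constructed sample.

```python
import re
from urllib.parse import urlparse

# klist ticket line: two timestamps then the principal (the archive wraps it and writes '@' as ' at ')
TICKET_RE = re.compile(r"^\s*\d[\d./]+ \d\d:\d\d:\d\d\s+\d[\d./]+ \d\d:\d\d:\d\d\s*(.*)$")

def service_principals(klist_text):
    """Return every service principal listed in klist output, '@' restored."""
    lines, spns, i = klist_text.splitlines(), [], 0
    while i < len(lines):
        m = TICKET_RE.match(lines[i])
        if m:
            spn = m.group(1).strip()
            if not spn and i + 1 < len(lines):  # principal wrapped onto the next line
                i += 1
                spn = lines[i].strip()
            spns.append(spn.replace(" at ", "@"))
        i += 1
    return spns

def hostname_matches(cert_owner, host):
    """The check mutt makes: the certificate name must equal the URL host
    (a leading '*.' wildcard covers exactly one label)."""
    owner, host = cert_owner.lower(), host.lower()
    if owner.startswith("*."):
        return host.split(".", 1)[1:] == [owner[2:]]
    return owner == host

def diagnose(mail_url, klist_text, cert_owner):
    """Report whether an imap/<host> ticket exists and whether the cert name fits the host."""
    host = urlparse(mail_url).hostname
    spns = service_principals(klist_text)
    return {
        "host": host,
        "has_imap_ticket": any(s.split("@")[0] == "imap/" + host for s in spns),
        "cert_matches_host": hostname_matches(cert_owner, host),
    }

# Constructed sample in the shape of the klist output quoted in the thread.
KLIST_SAMPLE = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: achim at DOMAIN.LOCAL

Valid starting       Expires              Service principal
01.07.2016 23:16:30  02.07.2016 09:16:30 krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL
          renew until 02.07.2016 23:16:28
01.07.2016 23:17:04  02.07.2016 09:16:30
imap/server.domain.local at DOMAIN.LOCAL
          renew until 02.07.2016 23:16:28
"""
```

Run `diagnose("imap://achim@server.domain.local/", KLIST_SAMPLE, "mail.ohprs.org")` to see the ticket present but the certificate check failing, which is the combination Mark's output describes the other way round (cert mismatch and no imap ticket at all).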