[Samba] Where is krb5.keytab or equivalent?

Mark Foley mfoley at ohprs.org
Sat Jul 2 02:03:08 UTC 2016


Perhaps yet another source of misconfiguration.

You have:
> The keytab now has the following content
> ~# klist -Kek /etc/dovecot/dovecot.conf

First of all, I have no /etc/dovecot/dovecot.conf.  I have /etc/krb5.conf created when I
initially provisioned Samba per the provisioning instructions, "A Kerberos configuration
suitable for Samba 4 has been generated at /etc/samba/private/krb5.conf", and following the
instruction on the samba wiki at
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

  ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf

Although I copied the file rather than linking it, as I expected to make changes. That file
currently contains:

[libdefaults]
        default_realm = HPRS.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

I tried your klist command on that file:

root at mail > klist -Kek /etc/krb5.conf
Keytab name: FILE:/etc/krb5.conf
klist: Unsupported key table format version number while starting keytab scan

Now, let's assume you mistyped dovecot.conf and meant dovecot.keytab ...

root at mail > samba-tool user delete dovecot
Deleted user dovecot

root at mail > rm dovecot.keytab

root at mail > samba-tool user create dovecot
New Password:
Retype Password:
User 'dovecot' created successfully

root at mail > samba-tool spn add imap/mail.hprs.local dovecot
root at mail > samba-tool domain exportkeytab --principal imap/mail.hprs.local dovecot.keytab
root at mail > samba-tool spn add smtp/mail.hprs.local dovecot
root at mail > samba-tool domain exportkeytab --principal smtp/mail.hprs.local dovecot.keytab
root at mail > cp dovecot.keytab /etc/dovecot/dovecot.keytab
root at mail > chgrp dovecot /etc/dovecot/dovecot.keytab
root at mail > chmod g+r /etc/dovecot/dovecot.keytab
root at mail > dovecot reload

my new keytab:

root at mail > klist -Kek dovecot.keytab
Keytab name: FILE:dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/mail.hprs.local at HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
   1 imap/mail.hprs.local at HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
   1 imap/mail.hprs.local at HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
   1 smtp/mail.hprs.local at HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
   1 smtp/mail.hprs.local at HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
   1 smtp/mail.hprs.local at HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)

When trying mutt, sadly, again "Certificate host check failed: certificate owner does not
match hostname mail.hprs.local". 

--Mark
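An added check for the export procedure above (mine, not code from the thread or from Samba/Dovecot): before `dovecot reload`, confirm that the keytab really holds both the `imap/` and `smtp/` principals for the host, see which encryption types were exported, check that only one KVNO is present, and make sure the file permissions are what a keytab needs. The functions work on the text `klist -Kek` prints, so they can be run offline; the listing embedded here is constructed from the output in this post, with "@" restored where the list archive prints " at ", and the realm and host names are the ones used in the thread. It assumes a POSIX sh with awk, ls and cut.

```shell
#!/bin/sh
# Added example, not part of the thread or of Samba/Dovecot: sanity-check the
# exported Dovecot keytab before reloading Dovecot. Works on the text that
# `klist -Kek <keytab>` prints, so it can also be run against a saved listing.

# Constructed sample of `klist -Kek dovecot.keytab` output, mirroring the post
# (principals as klist prints them; the key bytes are the post's, not secrets).
SAMPLE_KLIST='Keytab name: FILE:dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
   1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
   1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
   1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
   1 smtp/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)'

# Key entries start with a KVNO number; the header lines do not.
key_lines() {
    printf '%s\n' "$1" | awk '/^ *[0-9]+ /'
}

# has_principal LISTING PRINCIPAL -> exit 0 if PRINCIPAL has at least one key.
has_principal() {
    key_lines "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit !found }'
}

# weak_enctypes LISTING -> sorted DES/RC4 enctypes present. Current MIT krb5
# refuses DES keys unless allow_weak_crypto is set, so a keytab that carries
# only DES and arcfour-hmac is worth knowing about before clients complain.
weak_enctypes() {
    key_lines "$1" | awk '{ e = $3; gsub(/[()]/, "", e)
                            if (e ~ /^des-/ || e ~ /^arcfour-hmac/) seen[e] = 1 }
                          END { for (e in seen) print e }' | sort
}

# kvno_set LISTING -> distinct KVNOs. A password reset bumps the KVNO on the
# DC; entries left over from an older export show up here as a second number.
kvno_set() {
    key_lines "$1" | awk '{ k[$1] = 1 } END { for (v in k) print v }' | sort -n
}

# check_keytab_listing LISTING REALM HOST -> exit 0 only if both the imap/ and
# smtp/ service principals for HOST@REALM are in the keytab.
check_keytab_listing() {
    listing=$1; realm=$2; host=$3
    for svc in imap smtp; do
        has_principal "$listing" "$svc/$host@$realm" \
            || { echo "missing $svc/$host@$realm" >&2; return 1; }
    done
    return 0
}

# check_keytab_perms FILE GROUP -> exit 0 if FILE belongs to GROUP, the group
# has at most read, and 'other' has no bits. `chmod g+r` only adds a bit; it
# does not take world-read away if the file was created with it. Parses
# `ls -ld` output, which is portable across GNU and BSD userlands.
check_keytab_perms() {
    file=$1; want_group=$2
    out=$(ls -ld "$file" 2>/dev/null) || return 1
    set -- $out
    perms=$1; grp=$4
    [ "$grp" = "$want_group" ] \
        || { echo "$file: group is $grp, expected $want_group" >&2; return 1; }
    gbits=$(printf '%s' "$perms" | cut -c5-7)
    obits=$(printf '%s' "$perms" | cut -c8-10)
    [ "$obits" = "---" ] || { echo "$file: $perms is world-accessible" >&2; return 1; }
    case "$gbits" in ---|r--) ;; *) echo "$file: group may write/execute ($perms)" >&2; return 1 ;; esac
    return 0
}

# Stand-alone run against the constructed listing.
if check_keytab_listing "$SAMPLE_KLIST" HPRS.LOCAL mail.hprs.local; then
    echo "principals OK; kvno(s): $(kvno_set "$SAMPLE_KLIST" | tr '\n' ' ')"
fi
w=$(weak_enctypes "$SAMPLE_KLIST")
[ -z "$w" ] || echo "weak enctypes present: $(printf '%s' "$w" | tr '\n' ' ')"
```

On the mail host the same functions run against the real file, e.g. `check_keytab_listing "$(klist -Kek /etc/dovecot/dovecot.keytab)" HPRS.LOCAL mail.hprs.local && check_keytab_perms /etc/dovecot/dovecot.keytab dovecot`. A missing principal or a second KVNO points back at the `spn add` / `exportkeytab` steps rather than at Dovecot's GSSAPI configuration.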

-----Original Message-----
> To: samba at lists.samba.org
> From: achim <achim at ag-web.biz>
> Date: Sat, 2 Jul 2016 01:02:29 +0200
>
>
>
> Am 01.07.2016 um 23:52 schrieb Achim Gottinger:
> > Here is a simpler way to create a user with the imap principal and
> > the dovecot keytab
> >
> > ~# samba-tool user create dovecot
> > [Assign password]
> > ~# samba-tool spn add imap/server.domain.local dovecot
> > ~# samba-tool domain exportkeytab --principal dovecot at DOMAIN.LOCAL dovecot.keytab
> If the above line is replaced by
> ~# samba-tool domain exportkeytab --principal imap/server.domain.local dovecot.keytab
> it is working without auth_gssapi_hostname = "$ALL" again.
> To add the principal for smtp execute
> ~# samba-tool spn add smtp/server.domain.local dovecot
> ~# samba-tool domain exportkeytab --principal smtp/server.domain.local dovecot.keytab
>
> The keytab now has the following content
> ~# klist -Kek /etc/dovecot/dovecot.conf
> Keytab name: FILE:dovecot.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>     3 imap/server.domain.local at DOMAIN.LOCAL (des-cbc-crc)  (0x......)
>     3 imap/server.domain.local at DOMAIN.LOCAL (des-cbc-md5)  (0x......)
>     3 imap/server.domain.local at DOMAIN.LOCAL (arcfour-hmac)  (0x.................)
>     3 smtp/server.domain.local at DOMAIN.LOCAL (des-cbc-crc)  (0x......)
>     3 smtp/server.domain.local at DOMAIN.LOCAL (des-cbc-md5)  (0x......)
>     3 smtp/server.domain.local at DOMAIN.LOCAL (arcfour-hmac)  (0x.................)
>
> The spn's are
> ~# samba-tool spn list dovecot
> dovecot
> User CN=dovecot,CN=Users,DC=domain,DC=local has the following 
> servicePrincipalName:
>           imap/server.domain.local
>           smtp/server.domain.local
>
> I tried it with the hostname without the domain part and that did not work.
> Also it did not work using
> ~# samba-tool spn add imap/server.domain.local at DOMAIN.LOCAL dovecot
> The SPN should not contain the realm, as below
> ~# samba-tool spn add imap/server.domain.local dovecot
>
> But you really need that gssapi method library first. Check the auth debug
> log; there should be a line like
> Jul  1 23:17:01 server dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libmech_gssapi.so
> > ~# cp dovecot.keytab /etc/dovecot/dovecot.keytab
> > ~# chgrp dovecot /etc/dovecot/dovecot.keytab
> > ~# chmod g+r /etc/dovecot/dovecot.keytab
> >
> > As a side note: I am testing on a different server now, and the above and the
> > mutt test from my other mail only work with
> > auth_gssapi_hostname = "$ALL"
> > defined in the dovecot config.
> >
> > Otherwise I get these errors
> >
> > Jul  1 23:47:29 server dovecot: auth: Debug: gssapi(?,127.0.0.1,<55Rq7pk24gB/AAAB>): Obtaining credentials for imap@
> > Jul  1 23:47:33 server dovecot: auth: gssapi(?,127.0.0.1,<55Rq7pk24gB/AAAB>): While acquiring service credentials: Unspecified GSS failure.  Minor code may provide more information
> >
> >
> > Am 01.07.2016 um 22:40 schrieb Achim Gottinger:
> >> I'm sure it will not work till you get that module build. :-)
> >>
> >>
> >> Am 01.07.2016 um 20:53 schrieb Mark Foley:
> >>> On Fri, 1 Jul 2016 11:55:20 +0200 Achim Gottinger <achim at ag-web.biz> wrote:
> >>>
> >>>> Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe at a
> >>>> different location. On debian this comes with the dovecot-gssapi package.
> >>> That module is nowhere on my system.
> >>>
> >>> --Mark
> >>>
> >>
> >>
> >
> >