[Samba] Where is krb5.keytab or equivalent?
Mark Foley
mfoley at ohprs.org
Sat Jul 2 02:03:08 UTC 2016
Perhaps yet another source of misconfiguration.
You have:
> The keytab now has the following content
> ~# klist -Kek /etc/dovecot/dovecot.conf
First of all, I have no /etc/dovecot/dovecot.conf. I have /etc/krb5.conf created when I
initially provisioned Samba per the provisioning instructions, "A Kerberos configuration
suitable for Samba 4 has been generated at /etc/samba/private/krb5.conf", and following the
instruction on the samba wiki at
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf
Although I copied the file rather than linking it, as I expected to make changes. That file
currently contains:
[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
I tried your klist command on that file:
root at mail > klist -Kek /etc/krb5.conf
Keytab name: FILE:/etc/krb5.conf
klist: Unsupported key table format version number while starting keytab scan
Now, let's assume you mistyped dovecot.conf and meant dovecot.keytab ...
root at mail > samba-tool user delete dovecot
Deleted user dovecot
root at mail > rm dovecot.keytab
root at mail > samba-tool user create dovecot
New Password:
Retype Password:
User 'dovecot' created successfully
root at mail > samba-tool spn add imap/mail.hprs.local dovecot
root at mail > samba-tool domain exportkeytab --principal imap/mail.hprs.local dovecot.keytab
root at mail > samba-tool spn add smtp/mail.hprs.local dovecot
root at mail > samba-tool domain exportkeytab --principal smtp/mail.hprs.local dovecot.keytab
root at mail > cp dovecot.keytab /etc/dovecot/dovecot.keytab
root at mail > chgrp dovecot /etc/dovecot/dovecot.keytab
root at mail > chmod g+r /etc/dovecot/dovecot.keytab
root at mail > dovecot reload
my new keytab:
root at mail > klist -Kek dovecot.keytab
Keytab name: FILE:dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 imap/mail.hprs.local at HPRS.LOCAL (des-cbc-crc) (0x232616c2a4fd08f7)
1 imap/mail.hprs.local at HPRS.LOCAL (des-cbc-md5) (0x232616c2a4fd08f7)
1 imap/mail.hprs.local at HPRS.LOCAL (arcfour-hmac) (0x9dae89a221dc374a39f560833352f60f)
1 smtp/mail.hprs.local at HPRS.LOCAL (des-cbc-crc) (0x232616c2a4fd08f7)
1 smtp/mail.hprs.local at HPRS.LOCAL (des-cbc-md5) (0x232616c2a4fd08f7)
1 smtp/mail.hprs.local at HPRS.LOCAL (arcfour-hmac) (0x9dae89a221dc374a39f560833352f60f)
When trying mutt, sadly, again "Certificate host check failed: certificate owner does not
match hostname mail.hprs.local".
--Mark
-----Original Message-----
> To: samba at lists.samba.org
> From: achim <achim at ag-web.biz>
> Date: Sat, 2 Jul 2016 01:02:29 +0200
>
>
>
> Am 01.07.2016 um 23:52 schrieb Achim Gottinger:
> > Here is an simpler way to create an user with the imap principal and
> > the dovecot keymap
> >
> > ~# samba-tool user create dovecot
> > [Assign password]
> > ~# samba-tool spn add imap/server.domain.local dovecot
> > ~# samba-tool domain exportkeytab --principal dovecot at DOMAIN.LOCAL
> > dovecot.keytab
> If above line is replaced by
> ~# samba-tool domain exportkeytab --principal imap/server.domain.local
> dovecot.keytab
> It is working without auth_gssapi_hostname = "$ALL" again.
> To add the principal for smtp execute
> ~# samba-tool spn add smtp/server.domain.local dovecot
> ~# samba-tool domain exportkeytab --principal smtp/server.domain.local
> dovecot.keytab
>
> The keytab now has the following content
> ~# klist -Kek /etc/dovecot/dovecot.conf
> Keytab name: FILE:dovecot.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 3 imap/server.domain.local at DOMAIN.LOCAL (des-cbc-crc) (0x......)
> 3 imap/server.domain.local at DOMAIN.LOCAL (des-cbc-md5) (0x......)
> 3 imap/server.domain.local at DOMAIN.LOCAL (arcfour-hmac) (0x.................)
> 3 smtp/server.domain.local at DOMAIN.LOCAL (des-cbc-crc) (0x......)
> 3 smtp/server.domain.local at DOMAIN.LOCAL (des-cbc-md5) (0x......)
> 3 smtp/server.domain.local at DOMAIN.LOCAL (arcfour-hmac) (0x.................)
>
> The spn's are
> ~# samba-tool spn list dovecot
> dovecot
> User CN=dovecot,CN=Users,DC=domain,DC=local has the following
> servicePrincipalName:
> imap/server.domain.local
> smtp/server.domain.local
>
> I tried it with the hostname without the domain part and that did not work.
> Also it did not work using
> ~# samba-tool spn add imap/server.domain.local at DOMAIN.LOCAL dovecot
> The SPN should not contain the realm like below
> ~# samba-tool spn add imap/server.domain.local dovecot
>
> But you really need that gssapi method library first. Check auth debug
> log there should be an line like
> Jul 1 23:17:01 server dovecot: auth: Debug: Module loaded:
> /usr/lib/dovecot/modules/auth/libmech_gssapi.so
> > ~# cp dovecot.keytab /etc/dovecot/dovecot.keytab
> > ~#chgrp dovecot /etc/dovecot/dovecot.keytab
> > ~#chmod g+r /etc/dovecot/dovecot.keytab
> >
> > As a side note. I test on an different server now and above and the
> > mutt test from my other mail only works with
> > auth_gssapi_hostname = "$ALL"
> > defined in dovecot config.
> >
> > Otherwise I get these errors
> >
> > Jul 1 23:47:29 server dovecot: auth: Debug:
> > gssapi(?,127.0.0.1,<55Rq7pk24gB/AAAB>): Obtaining credentials for imap@
> > Jul 1 23:47:33 server dovecot: auth:
> > gssapi(?,127.0.0.1,<55Rq7pk24gB/AAAB>): While acquiring service
> > credentials: Unspecified GSS failure. Minor code may provide more
> > information
> >
> >
> > Am 01.07.2016 um 22:40 schrieb Achim Gottinger:
> >> I'm sure it will not work till you get that module build. :-)
> >>
> >>
> >> Am 01.07.2016 um 20:53 schrieb Mark Foley:
> >>> On Fri, 1 Jul 2016 11:55:20 +0200 Achim Gottinger <achim at ag-web.biz>
> >>> wrote:
> >>>
> >>>> Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe
> >>>> at an
> >>>> different location. On debian this comes with the dovecot-gssapi
> >>>> package.
> >>> That module is nowhere on my system.
> >>>
> >>> --Mark
> >>>
> >>
> >>
> >
> >
>
>
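Both messages above lean on `klist -Kek` to inspect what `samba-tool domain exportkeytab` wrote, and Mark's run against /etc/krb5.conf shows what klist says when the file is not a keytab at all. The following is an added example, not code from the thread or from Samba or Dovecot: a small reader and writer for the MIT/Heimdal keytab format (version 0x0502) that lists each entry the way `klist -Kek` does (KVNO, principal, enctype, key) and flags the single-DES and RC4 enctypes that the exported keytabs in this thread contain. It goes slightly beyond the page by also including an AES256 entry, to show what a non-weak key looks like next to the weak ones. The sample keytab, its principals' key bytes, and the `is_keytab`/`weak_keys` helper names are constructed for this example.

```python
"""Minimal keytab (format 0x0502) writer/reader, added example for the thread.
Keys below are constructed dummies, not real key material."""
import struct

KEYTAB_MAGIC = b"\x05\x02"

# RFC 3961 / RFC 4120 enctype numbers
ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}  # single DES and RC4-HMAC


def is_keytab(data):
    """True if the file starts with the keytab magic; krb5.conf does not."""
    return data[:2] == KEYTAB_MAGIC


def build_keytab(entries):
    """Serialise (principal 'svc/host@REALM', kvno, enctype, key) tuples."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:            # realm first, then components
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">I", 1)         # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)         # timestamp (constructed: 0)
        body += struct.pack(">B", kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)      # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return one dict per key entry, the fields `klist -Kek` prints."""
    if not is_keytab(data):
        # Same condition that makes klist report an unsupported format version
        raise ValueError("Unsupported key table format version number")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                        # negative size = deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):
            (ln,) = struct.unpack_from(">H", data, pos)
            pos += 2
            strings.append(data[pos:pos + ln].decode())
            pos += ln
        realm, comps = strings[0], strings[1:]
        pos += 8                             # skip name_type and timestamp
        kvno = data[pos]
        pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        if end - pos >= 4:                   # 32-bit vno overrides vno8 if set
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": ENCTYPES.get(enctype, str(enctype)),
            "weak": enctype in WEAK_ENCTYPES,
            "key": key.hex(),
        })
    return entries


def weak_keys(data):
    """'principal enctype' strings for entries using single-DES or RC4."""
    return sorted(e["principal"] + " " + e["enctype"]
                  for e in parse_keytab(data) if e["weak"])


# Constructed sample shaped like the thread's dovecot.keytab, plus one AES entry
SAMPLE = build_keytab([
    ("imap/mail.hprs.local@HPRS.LOCAL", 1, 1, b"\x11" * 8),    # des-cbc-crc
    ("imap/mail.hprs.local@HPRS.LOCAL", 1, 23, b"\x22" * 16),  # arcfour-hmac
    ("imap/mail.hprs.local@HPRS.LOCAL", 1, 18, b"\x33" * 32),  # aes256
    ("smtp/mail.hprs.local@HPRS.LOCAL", 1, 23, b"\x22" * 16),  # arcfour-hmac
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE):
        flag = " WEAK" if e["weak"] else ""
        print(f'{e["kvno"]:>4} {e["principal"]} ({e["enctype"]}) (0x{e["key"]}){flag}')
    print("krb5.conf is a keytab:", is_keytab(b"[libdefaults]\n\tdefault_realm = HPRS.LOCAL\n"))
```

Run against a real file with `parse_keytab(open("/etc/dovecot/dovecot.keytab", "rb").read())`. The check that matters operationally is `weak_keys()`: a keytab that carries only DES and RC4 keys, as both exports in this thread do, is what the KDC will use for that service, so the enctypes offered by the domain and the account's msDS-SupportedEncryptionTypes are worth reviewing alongside the Dovecot configuration.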