[Samba] Where is krb5.keytab or equivalent?

Mark Foley mfoley at ohprs.org
Sat Jul 2 02:15:05 UTC 2016


Akim wrote:

> Yes I created a self-signed cert (with the easy-rsa scripts from 
> openvpn). 

Alright, I'll try that after this message and post back. In anticipation of "problems", where
do I put the path to that new cert? My 10-ssl.conf has:

ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key

Which is the key mutt keeps showing. I don't suppose I put the path there?

> Does mutt let you accept the cert anyway? On an earlier test 
> you got past the cert state and had to enter a password or got a no 
> auth failure.

Mutt lets me accept, but I get "No authenticators available", and the mutt screen is blank. 
When it asked me for a password previously it was because it fell back to PLAIN authentication,
which worked.  Now my /etc/Muttrc has

set imap_authenticators="gssapi"

to prevent that.

> Also figure out where dovecot auth debug log entries get written (here 
> dovecot writes logs to mail.info, mail.error, mail.log, debug only ends 
> up in mail.log).

My /etc/dovecot.conf has 

# debug_log_path = /var/log/Dovecot/dovecot_debug.log

commented. I'll uncomment that before the next test. Otherwise, I see nothing in maillog or
dovecot_info (info_log_path).

--Mark

-----Original Message-----
> To: samba at lists.samba.org
> From: Achim Gottinger <achim at ag-web.biz>
> Date: Sat, 2 Jul 2016 03:39:42 +0200
>
> Yes I created a self-signed cert (with the easy-rsa scripts from 
> openvpn). Does mutt let you accept the cert anyway? On an earlier test 
> you got past the cert state and had to enter a password or got a no 
> auth failure.
>
> Also figure out where dovecot auth debug log entries get written (here 
> dovecot writes logs to mail.info, mail.error, mail.log, debug only ends 
> up in mail.log).
>
> Am 02.07.2016 um 03:15 schrieb Mark Foley:
> > OK, let me go through exactly what you did:
> >
> > you:
> >> Here's the test (I must run mutt not telnet like I mentioned earlier to
> >> get the imap tickets).
> >>
> >> root at server:~# kinit achim
> >> Password for achim at DOMAIN.LOCAL:
> >> [I enter my password]
> > As root on AD/DC mail.hprs.local:
> >
> > me:
> > $ kinit mark
> > Password for mark at HPRS.LOCAL:
> > [I enter my password]
> >
> > you:
> >> MAIL=imap://achim@server.domain.local/ mutt
> > me:
> > $ MAIL=imap://mark@server.domain.local/ mutt -F /etc/Muttrc
> >
> > I get the mutt message, "Certificate host check failed: certificate owner does not match
> > hostname mail.hprs.local".
> >
> > After that, in the mutt screen, I get:
> >
> > -----BEGIN------
> > This certificate belongs to:
> >     mail.ohprs.org
> >     Unknown
> >     Unknown
> >     Domain Control Validated
> >     Unknown
> >
> > This certificate was issued by:
> >     Go Daddy Secure Certificate Authority - G2
> >     Unknown
> >     GoDaddy.com, Inc.
> >     http:
> >     Scottsdale
> >
> > This certificate is valid
> >     from Aug 14 21:38:38 2015 GMT
> >       to Aug 15 17:49:32 2016 GMT
> >
> > Fingerprint: B3B3 98E9 5675 0CEB 95D4 9146 9D1C 9064
> > -----END-------
> >
> > you:
> >> root at server:~# klist
> >> Ticket cache: FILE:/tmp/krb5cc_0
> >> Default principal: achim at DOMAIN.LOCAL
> > [etc ...]
> >
> > me:
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: mark at HPRS.LOCAL
> >
> > Valid starting       Expires              Service principal
> > 07/01/2016 20:57:56  07/02/2016 06:57:56  krbtgt/HPRS.LOCAL at HPRS.LOCAL
> >          renew until 07/02/2016 20:57:52
> >
> > Clearly, I am misconfigured at some level.  From my mouse-eye-view, the certificate is for
> > mail.ohprs.org, not mail.hprs.local.  What about you? You must have a certificate for
> > server.domain.local as well as your public domain, yes? Did you at some point create a
> > self-signed certificate?
> >
> > What do you suggest?
> >
> > --Mark
> >
> > -----Original Message-----
> >> To: samba at lists.samba.org
> >> From: Achim Gottinger <achim at ag-web.biz>
> >> Date: Fri, 1 Jul 2016 23:29:35 +0200
> >> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
> >>
> >> Here's the test (I must run mutt not telnet like I mentioned earlier to
> >> get the imap tickets).
> >>
> >> root at server:~# kinit achim
> >> Password for achim at DOMAIN.LOCAL:
> >> [I enter my password]
> >> MAIL=imap://achim@server.domain.local/ mutt
> >> [Mutt asks about the cert, I select accept once and I end up on my INBOX.
> >> I leave mutt by entering q+ENTER]
> >> root at server:~# klist
> >> Ticket cache: FILE:/tmp/krb5cc_0
> >> Default principal: achim at DOMAIN.LOCAL
> >>
> >> Valid starting       Expires              Service principal
> >> 01.07.2016 23:16:30  02.07.2016 09:16:30 krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL
> >>           renew until 02.07.2016 23:16:28
> >> 01.07.2016 23:17:04  02.07.2016 09:16:30  imap/server.domain.local@
> >>           renew until 02.07.2016 23:16:28
> >> 01.07.2016 23:17:04  02.07.2016 09:16:30
> >> imap/server.domain.local at DOMAIN.LOCAL
> >>           renew until 02.07.2016 23:16:28
> >>
> >> root at server:~# samba-tool spn list dovecot
> >> dovecot
> >> User CN=dovecot,CN=Users,DC=domain,DC=local has the following
> >> servicePrincipalName:
> >>            smtp/server.domain.local at DOMAIN.LOCAL
> >>            imap/server.domain.local at DOMAIN.LOCAL
> >>            imap/server.domain.local
> >>
> >> root at server:~#cat /etc/hosts
> >> 127.0.0.1       localhost
> >> 192.168.100.102 server.domain.local server
> >>
> >> Excerpt from /var/log/mail.log ( On debian mail.log contains the debug
> >> info).
> >>
> >> Jul  1 23:17:01 server dovecot: auth: Debug: Loading modules from
> >> directory: /usr/lib/dovecot/modules/auth
> >> Jul  1 23:17:01 server dovecot: auth: Debug: Module loaded:
> >> /usr/lib/dovecot/modules/auth/libmech_gssapi.so
> >> Jul  1 23:17:01 server dovecot: auth: Debug: Loading modules from
> >> directory: /usr/lib/dovecot/modules/auth
> >> Jul  1 23:17:01 server dovecot: auth: Debug: Module loaded:
> >> /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
> >> Jul  1 23:17:01 server dovecot: auth: Debug: Read auth token secret from
> >> /var/run/dovecot/auth-token-secret.dat
> >> Jul  1 23:17:01 server dovecot: auth: Debug: passwd-file
> >> /etc/dovecot/passwd.masterusers: Read 0 users in 0 secs
> >> Jul  1 23:17:01 server dovecot: auth: Debug: auth client connected
> >> (pid=21490)
> >> Jul  1 23:17:04 server dovecot: auth: Debug: client in:
> >> AUTH#0111#011GSSAPI#011service=imap#011secured#011session=ldMkgpk2dAB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=39796#011resp=<hidden>
> >> Jul  1 23:17:04 server dovecot: auth: Debug:
> >> gssapi(?,127.0.0.1,<ldMkgpk2dAB/AAAB>): Using all keytab entries
> >> Jul  1 23:17:04 server dovecot: auth: Debug:
> >> gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): security context state
> >> completed.
> >> Jul  1 23:17:04 server dovecot: auth: Debug: client passdb out:
> >> XXXXXXXXXXXXXXXXXXXXXXXXX
> >> Jul  1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
> >> Jul  1 23:17:04 server dovecot: auth: Debug:
> >> gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): Negotiated security layer
> >> Jul  1 23:17:04 server dovecot: auth: Debug: client passdb out:
> >> XXXXXXXXXXXXXXXXXXXXXXXXX
> >> Jul  1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
> >> ........
> >> Jul  1 23:17:04 server dovecot: imap-login: Login: user=<achim>,
> >> method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=21496, TLS,
> >> session=<ldMkgpk2dAB/AAAB>
> >>
> >> Am 01.07.2016 um 22:40 schrieb Achim Gottinger:
> >>> I'm sure it will not work till you get that module build. :-)
> >>>
> >>>
> >>> Am 01.07.2016 um 20:53 schrieb Mark Foley:
> >>>> On Fri, 1 Jul 2016 11:55:20 +0200 Achim Gottinger <achim at domain.biz>
> >>>> wrote:
> >>>>
> >>>>> Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe
> >>>>> at an
> >>>>> different location. On debian this comes with the dovecot-gssapi
> >>>>> package.
> >>>> That module is nowhere on my system.
> >>>>
> >>>> --Mark
> >>>>
> >>>
> >>
> >> -- 
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
>
>
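The thread compares two outputs: the client's `klist` (does it hold an `imap/<host>` service ticket?) and dovecot's auth debug log (was libmech_gssapi.so loaded, did the GSSAPI context complete, did the login finish with method=GSSAPI?). The following is an added example, not code from the thread or from Samba/Dovecot; it parses constructed samples modelled on those outputs and names the first stage of the GSSAPI IMAP login that is missing, in the order the thread's diagnosis ran.

```python
import re

# Constructed samples modelled on the outputs quoted in the thread (realm,
# host and session ids are placeholders, not the thread's exact lines).
KLIST_OK = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: achim@DOMAIN.LOCAL

Valid starting       Expires              Service principal
01.07.2016 23:16:30  02.07.2016 09:16:30  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
01.07.2016 23:17:04  02.07.2016 09:16:30  imap/server.domain.local@DOMAIN.LOCAL
"""
KLIST_NOSVC = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mark@HPRS.LOCAL

Valid starting       Expires              Service principal
07/01/2016 20:57:56  07/02/2016 06:57:56  krbtgt/HPRS.LOCAL@HPRS.LOCAL
"""
AUTHLOG_OK = [
    "Jul  1 23:17:01 server dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libmech_gssapi.so",
    "Jul  1 23:17:04 server dovecot: auth: Debug: gssapi(?,127.0.0.1,<s1>): Using all keytab entries",
    "Jul  1 23:17:04 server dovecot: auth: Debug: gssapi(achim,127.0.0.1,<s1>): security context state completed.",
    "Jul  1 23:17:04 server dovecot: imap-login: Login: user=<achim>, method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<s1>",
]
AUTHLOG_NOMODULE = [
    "Jul  1 23:17:01 server dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libauthdb_ldap.so",
]


def has_service_ticket(klist_out, host):
    """True if the credential cache lists an imap/<host> service ticket."""
    return re.search(r"\bimap/" + re.escape(host) + r"@", klist_out) is not None


def diagnose(klist_out, host, auth_log):
    """Return the first missing stage of a GSSAPI IMAP login, or 'ok'."""
    if not any("libmech_gssapi.so" in line for line in auth_log):
        # Without the mechanism module dovecot never offers AUTH=GSSAPI,
        # so the client has nothing to try (mutt: "No authenticators available").
        return "dovecot did not load libmech_gssapi.so"
    if not has_service_ticket(klist_out, host):
        return "client holds no imap/" + host + " ticket (SPN or hostname mismatch)"
    if not any("security context state completed" in line for line in auth_log):
        return "GSSAPI context did not complete (check keytab entry for imap/" + host + ")"
    if not any("method=GSSAPI" in line for line in auth_log):
        return "GSSAPI negotiated but no imap-login Login with method=GSSAPI"
    return "ok"
```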


