[Samba] Where is krb5.keytab or equivalent?
Achim Gottinger
achim at ag-web.biz
Sat Jul 2 10:44:00 UTC 2016
Hi Mark,
I'll keep replying to the list.
You must create a signed server certificate for your FQDN.
~# ./build-key-server mail.hprs.local
Then point to the public and private parts in your dovecot config.
ssl_cert = </etc/easy-rsa/keys/reqs/mail.hprs.local.req
ssl_key = </etc/easy-rsa/keys/private/mail.hprs.local.key
But all that should not interfere with kerberos because you can accept
the invalid cert.
What does show up in the auth debug log if you make the kinit/mutt test now?
achim~
On 02.07.2016 at 08:43, Mark Foley wrote:
> Achim,
>
> I'm sending this message directly to you to spare the sambalist from my certificate trials.
> I'm hoping you'll still hang in there a bit longer, though I'm close to giving up on this
> whole thing myself.
>
> I used easy-rsa to create a cert. Files are:
>
> /etc/ssl/certs/OHPRS/easyrsa/ca.crt
> /etc/ssl/certs/OHPRS/easyrsa/reqs/MAIL.req
> /etc/ssl/certs/OHPRS/easyrsa/reqs/dovecot.req
> /etc/ssl/certs/OHPRS/easyrsa/private/ca.key
> /etc/ssl/certs/OHPRS/easyrsa/private/MAIL.key
> /etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt
>
> $ openssl x509 -text -in /etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 1 (0x1)
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: CN=mail.hprs.local
> Validity
> Not Before: Jul 2 05:54:26 2016 GMT
> Not After : Jun 30 05:54:26 2026 GMT
> Subject: CN=mail.hprs.local
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (2048 bit)
>
> Now, how do I point Samba and/or Dovecot and/or kerberos and/or mutt to this cert? (dovecot.crt)
>
> I tried in /etc/Muttrc:
>
> set certificate_file=/etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt
>
> mutt seemed to ignore that as the usual GoDaddy cert was used (and failed).
>
> I tried in 10-ssl.conf:
>
> ssl_key = </etc/ssl/certs/OHPRS/easyrsa/private/MAIL.key
> ssl_cert = </etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt
>
> mutt gave the message, "Connection to mail.hprs.local closed".
>
> I've got no more guesses.
>
> On the bright side, the debug log seems to be working now.
>
> Thanks, --Mark
>
> -----Original Message-----
> From: Mark Foley <mfoley at ohprs.org>
> Date: Fri, 01 Jul 2016 22:15:05 -0400
> To: samba at lists.samba.org
> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
>
> Akim wrote:
>
>> Yes I created a self-signed cert (with the easy-rsa scripts from
>> openvpn).
> Alright, I'll try that after this message and post back. In anticipation of "problems", where
> do I put the path to that new cert? My 10-ssl.conf has:
>
> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
>
> Which is the key mutt keeps showing. I don't suppose I put the path there?
>
>> Does mutt let you accept the cert anyway? On an earlier test
>> you got past the cert state and had to enter a password or got a no
>> auth failure.
> Mutt lets me accept, but I get "No authenticators available", and the mutt screen is blank.
> When it asked me for a password previously it was because it fell back to PLAIN authentication,
> which worked. Now my /etc/Muttrc has
>
> set imap_authenticators="gssapi"
>
> to prevent that.
>
>> Also figure out where dovecot auth debug log entries get written (here
>> dovecot writes logs to mail.info, mail.error, mail.log, debug only ends
>> up in mail.log).
> My /etc/dovecot.conf has
>
> # debug_log_path = /var/log/Dovecot/dovecot_debug.log
>
> commented. I'll uncomment that before the next test. Otherwise, I see nothing in maillog or
> dovecot_info (info_log_path).
>
> --Mark
>
> -----Original Message-----
>> To: samba at lists.samba.org
>> From: Achim Gottinger <achim at ag-web.biz>
>> Date: Sat, 2 Jul 2016 03:39:42 +0200
>>
>> Yes I created a self-signed cert (with the easy-rsa scripts from
>> openvpn). Does mutt let you accept the cert anyway? On an earlier test
>> you got past the cert state and had to enter a password or got a no
>> auth failure.
>>
>> Also figure out where dovecot auth debug log entries get written (here
>> dovecot writes logs to mail.info, mail.error, mail.log, debug only ends
>> up in mail.log).
>>
>> On 02.07.2016 at 03:15, Mark Foley wrote:
>>> OK, let me go through exactly what you did:
>>>
>>> you:
>>>> Here's the test (I must run mutt not telnet like i mentioned earlier to
>>>> get the imap tickets).
>>>>
>>>> root at server:~# kinit achim
>>>> Password for achim at DOMAIN.LOCAL:
>>>> [I enter my password]
>>> As root on AD/DC mail.hprs.local:
>>>
>>> me:
>>> $ kinit mark
>>> Password for mark at HPRS.LOCAL:
>>> [I enter my password]
>>>
>>> you:
>>>> MAIL=imap://achim@server.domain.local/ mutt
>>> me:
>>> $ MAIL=imap://mark@server.domain.local/ mutt -F /etc/Muttrc
>>>
>>> I get the mutt message, "Certificate host check failed: certificate owner does not match
>>> hostname mail.hprs.local".
>>>
>>> After that, in the mutt screen, I get:
>>>
>>> -----BEGIN------
>>> This certificate belongs to:
>>> mail.ohprs.org
>>> Unknown
>>> Unknown
>>> Domain Control Validated
>>> Unknown
>>>
>>> This certificate was issued by:
>>> Go Daddy Secure Certificate Authority - G2
>>> Unknown
>>> GoDaddy.com, Inc.
>>> http:
>>> Scottsdale
>>>
>>> This certificate is valid
>>> from Aug 14 21:38:38 2015 GMT
>>> to Aug 15 17:49:32 2016 GMT
>>>
>>> Fingerprint: B3B3 98E9 5675 0CEB 95D4 9146 9D1C 9064
>>> -----END-------
>>>
>>> you:
>>>> root at server:~# klist
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: achim at DOMAIN.LOCAL
>>> [etc ...]
>>>
>>> me:
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: mark at HPRS.LOCAL
>>>
>>> Valid starting Expires Service principal
>>> 07/01/2016 20:57:56 07/02/2016 06:57:56 krbtgt/HPRS.LOCAL at HPRS.LOCAL
>>> renew until 07/02/2016 20:57:52
>>>
>>> Clearly, I am misconfigured at some level. From my mouse-eye-view, the certificate is for
>>> mail.ohprs.org, not mail.hprs.local. What about you? You must have a certificate for
>>> server.domain.local as well as your public domain, yes? Did you at some point create a
>>> self-signed certificate?
>>>
>>> What do you suggest?
>>>
>>> --Mark
>>>
>>> -----Original Message-----
>>>> To: samba at lists.samba.org
>>>> From: Achim Gottinger <achim at ag-web.biz>
>>>> Date: Fri, 1 Jul 2016 23:29:35 +0200
>>>> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
>>>>
>>>> Here's the test (I must run mutt not telnet like I mentioned earlier to
>>>> get the imap tickets).
>>>>
>>>> root at server:~# kinit achim
>>>> Password for achim at DOMAIN.LOCAL:
>>>> [I enter my password]
>>>> MAIL=imap://achim@server.domain.local/ mutt
>>>> [Mutt asks about the cert; I select accept once and I end up in my INBOX.
>>>> I leave mutt by entering q+ENTER]
>>>> root at server:~# klist
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: achim at DOMAIN.LOCAL
>>>>
>>>> Valid starting Expires Service principal
>>>> 01.07.2016 23:16:30 02.07.2016 09:16:30 krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL
>>>> renew until 02.07.2016 23:16:28
>>>> 01.07.2016 23:17:04 02.07.2016 09:16:30 imap/server.domain.local@
>>>> renew until 02.07.2016 23:16:28
>>>> 01.07.2016 23:17:04 02.07.2016 09:16:30
>>>> imap/server.domain.local at DOMAIN.LOCAL
>>>> renew until 02.07.2016 23:16:28
>>>>
>>>> root at server:~# samba-tool spn list dovecot
>>>> dovecot
>>>> User CN=dovecot,CN=Users,DC=domain,DC=local has the following
>>>> servicePrincipalName:
>>>> smtp/server.domain.local at DOMAIN.LOCAL
>>>> imap/server.domain.local at DOMAIN.LOCAL
>>>> imap/server.domain.local
>>>>
>>>> root at server:~# cat /etc/hosts
>>>> 127.0.0.1 localhost
>>>> 192.168.100.102 server.domain.local server
>>>>
>>>> Excerpt from /var/log/mail.log (On Debian mail.log contains the debug
>>>> info).
>>>>
>>>> Jul 1 23:17:01 server dovecot: auth: Debug: Loading modules from
>>>> directory: /usr/lib/dovecot/modules/auth
>>>> Jul 1 23:17:01 server dovecot: auth: Debug: Module loaded:
>>>> /usr/lib/dovecot/modules/auth/libmech_gssapi.so
>>>> Jul 1 23:17:01 server dovecot: auth: Debug: Loading modules from
>>>> directory: /usr/lib/dovecot/modules/auth
>>>> Jul 1 23:17:01 server dovecot: auth: Debug: Module loaded:
>>>> /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
>>>> Jul 1 23:17:01 server dovecot: auth: Debug: Read auth token secret from
>>>> /var/run/dovecot/auth-token-secret.dat
>>>> Jul 1 23:17:01 server dovecot: auth: Debug: passwd-file
>>>> /etc/dovecot/passwd.masterusers: Read 0 users in 0 secs
>>>> Jul 1 23:17:01 server dovecot: auth: Debug: auth client connected
>>>> (pid=21490)
>>>> Jul 1 23:17:04 server dovecot: auth: Debug: client in:
>>>> AUTH#0111#011GSSAPI#011service=imap#011secured#011session=ldMkgpk2dAB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=39796#011resp=<hidden>
>>>> Jul 1 23:17:04 server dovecot: auth: Debug:
>>>> gssapi(?,127.0.0.1,<ldMkgpk2dAB/AAAB>): Using all keytab entries
>>>> Jul 1 23:17:04 server dovecot: auth: Debug:
>>>> gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): security context state
>>>> completed.
>>>> Jul 1 23:17:04 server dovecot: auth: Debug: client passdb out:
>>>> XXXXXXXXXXXXXXXXXXXXXXXXX
>>>> Jul 1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
>>>> Jul 1 23:17:04 server dovecot: auth: Debug:
>>>> gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): Negotiated security layer
>>>> Jul 1 23:17:04 server dovecot: auth: Debug: client passdb out:
>>>> XXXXXXXXXXXXXXXXXXXXXXXXX
>>>> Jul 1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
>>>> ........
>>>> Jul 1 23:17:04 server dovecot: imap-login: Login: user=<achim>,
>>>> method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=21496, TLS,
>>>> session=<ldMkgpk2dAB/AAAB>
>>>>
>>>> On 01.07.2016 at 22:40, Achim Gottinger wrote:
>>>>> I'm sure it will not work till you get that module built. :-)
>>>>>
>>>>>
>>>>> On 01.07.2016 at 20:53, Mark Foley wrote:
>>>>>> On Fri, 1 Jul 2016 11:55:20 +0200 Achim Gottinger <achim at domain.biz>
>>>>>> wrote:
>>>>>>
>>>>>>> Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe
>>>>>>> at a
>>>>>>> different location. On Debian this comes with the dovecot-gssapi
>>>>>>> package.
>>>>>> That module is nowhere on my system.
>>>>>>
>>>>>> --Mark
>>>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>
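Achim's diagnostic sequence quoted above (kinit, mutt, klist, samba-tool spn list, Dovecot's auth debug log) checks three separate links of the GSSAPI chain by eye: the client obtained an imap/<host> service ticket, that SPN is registered on the Dovecot service account, and Dovecot actually finished a GSSAPI login. The script below is an added example, not code from this thread or from Samba or Dovecot; it parses constructed copies of those three outputs (modelled on the thread's samples, with a ticket-only klist in the shape of Mark's as the failing case and an extra PLAIN login line added to show filtering) and reports which link is missing. Function names and the sample session ids are the example's own.

```python
"""Cross-check klist, samba-tool spn list and Dovecot auth-log evidence for a
Kerberos IMAP login. Standard library only; sample inputs are constructed."""
import re

# Constructed sample inputs, modelled on the outputs quoted in the thread.
KLIST_OK = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: achim@DOMAIN.LOCAL

Valid starting       Expires              Service principal
01.07.2016 23:16:30  02.07.2016 09:16:30  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
\trenew until 02.07.2016 23:16:28
01.07.2016 23:17:04  02.07.2016 09:16:30  imap/server.domain.local@
\trenew until 02.07.2016 23:16:28
01.07.2016 23:17:04  02.07.2016 09:16:30  imap/server.domain.local@DOMAIN.LOCAL
\trenew until 02.07.2016 23:16:28
"""

# Only a TGT and no service ticket: the shape of the klist output Mark posted.
KLIST_TGT_ONLY = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mark@HPRS.LOCAL

Valid starting       Expires              Service principal
07/01/2016 20:57:56  07/02/2016 06:57:56  krbtgt/HPRS.LOCAL@HPRS.LOCAL
\trenew until 07/02/2016 20:57:52
"""

SPN_LIST = """dovecot
User CN=dovecot,CN=Users,DC=domain,DC=local has the following servicePrincipalName:
\t smtp/server.domain.local@DOMAIN.LOCAL
\t imap/server.domain.local@DOMAIN.LOCAL
\t imap/server.domain.local
"""

# Constructed log lines; the PLAIN login for "bob" is added to show filtering.
DOVECOT_LOG = [
    "Jul  1 23:17:04 server dovecot: auth: Debug: gssapi(?,127.0.0.1,<s1>): Using all keytab entries",
    "Jul  1 23:17:04 server dovecot: auth: Debug: gssapi(achim,127.0.0.1,<s1>): security context state completed.",
    "Jul  1 23:17:04 server dovecot: imap-login: Login: user=<achim>, method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=21496, TLS, session=<s1>",
    "Jul  1 23:20:11 server dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=21510, TLS, session=<s2>",
]

PRINCIPAL_RE = re.compile(r"(\S+)/([^@\s]+)(?:@(\S*))?")
LOGIN_RE = re.compile(r"imap-login: Login: user=<([^>]*)>, method=(\w+)")


def _principal(token):
    """Split 'service/host@REALM' into (service, host, realm); realm may be empty
    (klist shows a referral ticket as 'imap/host@' with no realm)."""
    m = PRINCIPAL_RE.fullmatch(token)
    if not m:
        return None
    return (m.group(1), m.group(2).lower(), (m.group(3) or "").upper())


def service_tickets(klist_text):
    """Set of (service, host, realm) for every non-TGT ticket in klist output.
    The principal is the last token of a ticket line, so the dd.mm.yyyy and
    mm/dd/yyyy date formats seen in the thread parse identically."""
    tickets = set()
    for line in klist_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "Valid":   # header, blank, 'renew until'
            continue
        p = _principal(parts[-1])
        if p and p[0] != "krbtgt":
            tickets.add(p)
    return tickets


def registered_spns(spn_text):
    """Set of (service, host, realm) from 'samba-tool spn list <account>' output."""
    return {p for p in (_principal(l.strip()) for l in spn_text.splitlines()) if p}


def gssapi_logins(log_lines):
    """Usernames whose IMAP login completed with method=GSSAPI, in log order."""
    users = []
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if m and m.group(2) == "GSSAPI":
            users.append(m.group(1))
    return users


def check_gssapi_chain(klist_text, spn_text, log_lines, host, user):
    """Return one boolean per link; a False value names the link to investigate."""
    wanted = ("imap", host.lower())
    return {
        # the client asked the KDC for imap/<host> and received a ticket
        "imap_ticket_obtained": any(t[:2] == wanted for t in service_tickets(klist_text)),
        # the KDC can only issue that ticket if the SPN is on the service account
        "imap_spn_registered": any(s[:2] == wanted for s in registered_spns(spn_text)),
        # Dovecot decrypted the ticket with its keytab and finished the login
        "gssapi_login_logged": user in gssapi_logins(log_lines),
    }


if __name__ == "__main__":
    cases = (("working", KLIST_OK, "server.domain.local", "achim"),
             ("tgt-only", KLIST_TGT_ONLY, "mail.hprs.local", "mark"))
    for label, klist, host, user in cases:
        report = check_gssapi_chain(klist, SPN_LIST, DOVECOT_LOG, host, user)
        print(label, "OK" if all(report.values()) else "FAIL", report)
```

In use, feed the functions the real `klist`, `samba-tool spn list dovecot` and `grep imap-login /var/log/mail.log` output. The order of the findings mirrors the thread's own reasoning: no service ticket means the client never got past the KDC (the SPN, the hostname mutt connects to, or the ticket cache is the place to look); a ticket with no GSSAPI login logged leaves Dovecot's keytab and the libmech_gssapi module as the remaining suspects.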