[Samba] Where is krb5.keytab or equivalent?

Mark Foley mfoley at ohprs.org
Sun Jul 3 18:51:36 UTC 2016


Hold the presses!!! I think it might be working!

I upgraded from Samba 4.1.23 to 4.2.12 over the weekend (in fact, did an overall system update)
and rebooted and voila! I went into my Tbird on the WIN7 workstations to simply remove the
GSSAPI authentication in the process of giving up hope, and new messages arrived in my inbox. 
I don't know whether it was something about the new version of Samba, or the reboot, but
something finally kicked in. 

Seems to be working!

My outgoing SMTP server/MTA is sendmail, which does only [encrypted]password authentication or
no authentication. I set this to "no authentication", but that's OK for outgoing.

I will experiment more with this today, then post all the various Samba settings we worked on
to get to this point.

Thanks!!! --Mark

(btw the mutt experiment still doesn't work -- it's still looking at the mail.ohprs.org cert.
But I think that doesn't matter at this point)

-----Original Message-----
> To: samba at lists.samba.org
> From: Achim Gottinger <achim at ag-web.biz>
> Date: Sun, 3 Jul 2016 19:56:28 +0200
>
> Debug log output please!
> I think you are still missing the gssapi module for dovecot.
>
> On 03.07.2016 at 19:42, Mark Foley wrote:
> > Achim,
> >
> > This is my most recent effort. If I cannot make progress from here I'm going to give this idea a rest.
> >
> > I used easy-rsa to create a cert. Files are:
> >
> > /etc/ssl/certs/OHPRS/easyrsa/ca.crt
> > /etc/ssl/certs/OHPRS/easyrsa/reqs/MAIL.req
> > /etc/ssl/certs/OHPRS/easyrsa/reqs/dovecot.req
> > /etc/ssl/certs/OHPRS/easyrsa/private/ca.key
> > /etc/ssl/certs/OHPRS/easyrsa/private/MAIL.key
> > /etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt
> >
> > $ openssl x509 -text -in /etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt
> >
> > Certificate:
> >      Data:
> >          Version: 3 (0x2)
> >          Serial Number: 1 (0x1)
> >      Signature Algorithm: sha256WithRSAEncryption
> >          Issuer: CN=mail.hprs.local
> >          Validity
> >              Not Before: Jul  2 05:54:26 2016 GMT
> >              Not After : Jun 30 05:54:26 2026 GMT
> >          Subject: CN=mail.hprs.local
> >          Subject Public Key Info:
> >              Public Key Algorithm: rsaEncryption
> >                  Public-Key: (2048 bit)
> >
> > Now, how do I point Samba and/or Dovecot and/or kerberos and/or mutt to this cert? (dovecot.crt)
> >
> > I tried in /etc/Muttrc:
> >
> > set certificate_file=/etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt
> >
> > mutt seemed to ignore that, as the usual GoDaddy cert was used (and failed).
> >
> > I tried in 10-ssl.conf:
> >
> > ssl_key = </etc/ssl/certs/OHPRS/easyrsa/private/MAIL.key
> > ssl_cert = </etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt
> >
> > mutt gave the message, "Connection to mail.hprs.local closed".
> >
> > I've got no more guesses.
> >
> > On the bright side, the debug log seems to be working now.
> >
> > Thanks, --Mark
> >
> > -----Original Message-----
> > From: Mark Foley <mfoley at ohprs.org>
> > Date: Fri, 01 Jul 2016 22:15:05 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Where is krb5.keytab or equivalent?
> >
> > Akim wrote:
> >
> >> Yes, I created a self-signed cert (with the easy-rsa scripts from
> >> openvpn).
> > Alright, I'll try that after this message and post back. In anticipation of "problems", where
> > do I put the path to that new cert? my 10-ssl.conf has:
> >
> > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> >
> > Which is the key mutt keeps showing. I don't suppose I put the path there?
> >
> >> Does mutt let you accept the cert anyway? On an earlier test
> >> you got past the cert stage and had to enter a password or got a no
> >> auth failure.
> > Mutt lets me accept, but I get "No authenticators available", and the mutt screen is blank.
> > When it asked me for a password previously it was because it fell back to PLAIN authentication,
> > which worked.  Now my /etc/Muttrc has
> >
> > set imap_authenticators="gssapi"
> >
> > to prevent that.
> >
> >> Also figure out where dovecot auth debug log entries get written (here
> >> dovecot writes logs to mail.info, mail.error, mail.log, debug only ends
> >> up in mail.log).
> > My /etc/dovecot.conf has
> >
> > # debug_log_path = /var/log/Dovecot/dovecot_debug.log
> >
> > commented. I'll uncomment that before the next test. Otherwise, I see nothing in maillog or
> > dovecot_info (info_log_path).
> >
> > --Mark
> >
> > -----Original Message-----
> >> To: samba at lists.samba.org
> >> From: Achim Gottinger <achim at ag-web.biz>
> >> Date: Sat, 2 Jul 2016 03:39:42 +0200
> >>
> >> Yes, I created a self-signed cert (with the easy-rsa scripts from
> >> openvpn). Does mutt let you accept the cert anyway? On an earlier test
> >> you got past the cert stage and had to enter a password or got a no
> >> auth failure.
> >>
> >> Also figure out where dovecot auth debug log entries get written (here
> >> dovecot writes logs to mail.info, mail.error, mail.log, debug only ends
> >> up in mail.log).
> >>
> >> On 02.07.2016 at 03:15, Mark Foley wrote:
> >>> OK, let me go through exactly what you did:
> >>>
> >>> you:
> >>>> Here's the test (I must run mutt not telnet like i mentioned earlier to
> >>>> get the imap tickets).
> >>>>
> >>>> root at server:~# kinit achim
> >>>> Password for achim at DOMAIN.LOCAL:
> >>>> [I enter my password]
> >>> As root on AD/DC mail.hprs.local:
> >>>
> >>> me:
> >>> $ kinit mark
> >>> Password for mark at HPRS.LOCAL:
> >>> [I enter my password]
> >>>
> >>> you:
> >>>> MAIL=imap://achim@server.domain.local/ mutt
> >>> me:
> >>> $ MAIL=imap://mark@server.domain.local/ mutt -F /etc/Muttrc
> >>>
> >>> I get the mutt message, "Certificate host check failed: certificate owner does not match
> >>> hostname mail.hprs.local".
> >>>
> >>> After that, in the mutt screen, I get:
> >>>
> >>> -----BEGIN------
> >>> This certificate belongs to:
> >>>      mail.ohprs.org
> >>>      Unknown
> >>>      Unknown
> >>>      Domain Control Validated
> >>>      Unknown
> >>>
> >>> This certificate was issued by:
> >>>      Go Daddy Secure Certificate Authority - G2
> >>>      Unknown
> >>>      GoDaddy.com, Inc.
> >>>      http:
> >>>      Scottsdale
> >>>
> >>> This certificate is valid
> >>>      from Aug 14 21:38:38 2015 GMT
> >>>        to Aug 15 17:49:32 2016 GMT
> >>>
> >>> Fingerprint: B3B3 98E9 5675 0CEB 95D4 9146 9D1C 9064
> >>> -----END-------
> >>>
> >>> you:
> >>>> root at server:~# klist
> >>>> Ticket cache: FILE:/tmp/krb5cc_0
> >>>> Default principal: achim at DOMAIN.LOCAL
> >>> [etc ...]
> >>>
> >>> me:
> >>> Ticket cache: FILE:/tmp/krb5cc_0
> >>> Default principal: mark at HPRS.LOCAL
> >>>
> >>> Valid starting       Expires              Service principal
> >>> 07/01/2016 20:57:56  07/02/2016 06:57:56  krbtgt/HPRS.LOCAL at HPRS.LOCAL
> >>>           renew until 07/02/2016 20:57:52
> >>>
> >>> Clearly, I am misconfigured at some level.  From my mouse-eye-view, the certificate is for
> >>> mail.ohprs.org, not mail.hprs.local.  What about you? You must have a certificate for
> >>> server.domain.local as well as your public domain, yes? Did you at some point create a
> >>> self-signed certificate?
> >>>
> >>> What do you suggest?
> >>>
> >>> --Mark
> >>>
> >>> -----Original Message-----
> >>>> To: samba at lists.samba.org
> >>>> From: Achim Gottinger <achim at ag-web.biz>
> >>>> Date: Fri, 1 Jul 2016 23:29:35 +0200
> >>>> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
> >>>>
> >>>> Here's the test (I must run mutt not telnet like i mentioned earlier to
> >>>> get the imap tickets).
> >>>>
> >>>> root at server:~# kinit achim
> >>>> Password for achim at DOMAIN.LOCAL:
> >>>> [I enter my password]
> >>>> MAIL=imap://achim@server.domain.local/ mutt
> >>>> [Mutt asks about the cert; I select accept once and I end up in my INBOX.
> >>>> I leave mutt by entering q+ENTER]
> >>>> root at server:~# klist
> >>>> Ticket cache: FILE:/tmp/krb5cc_0
> >>>> Default principal: achim at DOMAIN.LOCAL
> >>>>
> >>>> Valid starting       Expires              Service principal
> >>>> 01.07.2016 23:16:30  02.07.2016 09:16:30 krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL
> >>>>            renew until 02.07.2016 23:16:28
> >>>> 01.07.2016 23:17:04  02.07.2016 09:16:30  imap/server.domain.local@
> >>>>            renew until 02.07.2016 23:16:28
> >>>> 01.07.2016 23:17:04  02.07.2016 09:16:30
> >>>> imap/server.domain.local at DOMAIN.LOCAL
> >>>>            renew until 02.07.2016 23:16:28
> >>>>
> >>>> root at server:~# samba-tool spn list dovecot
> >>>> dovecot
> >>>> User CN=dovecot,CN=Users,DC=domain,DC=local has the following
> >>>> servicePrincipalName:
> >>>>             smtp/server.domain.local at DOMAIN.LOCAL
> >>>>             imap/server.domain.local at DOMAIN.LOCAL
> >>>>             imap/server.domain.local
> >>>>
> >>>> root at server:~#cat /etc/hosts
> >>>> 127.0.0.1       localhost
> >>>> 192.168.100.102 server.domain.local server
> >>>>
> >>>> Excerpt from /var/log/mail.log ( On debian mail.log contains the debug
> >>>> info).
> >>>>
> >>>> Jul  1 23:17:01 server dovecot: auth: Debug: Loading modules from
> >>>> directory: /usr/lib/dovecot/modules/auth
> >>>> Jul  1 23:17:01 server dovecot: auth: Debug: Module loaded:
> >>>> /usr/lib/dovecot/modules/auth/libmech_gssapi.so
> >>>> Jul  1 23:17:01 server dovecot: auth: Debug: Loading modules from
> >>>> directory: /usr/lib/dovecot/modules/auth
> >>>> Jul  1 23:17:01 server dovecot: auth: Debug: Module loaded:
> >>>> /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
> >>>> Jul  1 23:17:01 server dovecot: auth: Debug: Read auth token secret from
> >>>> /var/run/dovecot/auth-token-secret.dat
> >>>> Jul  1 23:17:01 server dovecot: auth: Debug: passwd-file
> >>>> /etc/dovecot/passwd.masterusers: Read 0 users in 0 secs
> >>>> Jul  1 23:17:01 server dovecot: auth: Debug: auth client connected
> >>>> (pid=21490)
> >>>> Jul  1 23:17:04 server dovecot: auth: Debug: client in:
> >>>> AUTH#0111#011GSSAPI#011service=imap#011secured#011session=ldMkgpk2dAB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=39796#011resp=<hidden>
> >>>> Jul  1 23:17:04 server dovecot: auth: Debug:
> >>>> gssapi(?,127.0.0.1,<ldMkgpk2dAB/AAAB>): Using all keytab entries
> >>>> Jul  1 23:17:04 server dovecot: auth: Debug:
> >>>> gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): security context state
> >>>> completed.
> >>>> Jul  1 23:17:04 server dovecot: auth: Debug: client passdb out:
> >>>> XXXXXXXXXXXXXXXXXXXXXXXXX
> >>>> Jul  1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
> >>>> Jul  1 23:17:04 server dovecot: auth: Debug:
> >>>> gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): Negotiated security layer
> >>>> Jul  1 23:17:04 server dovecot: auth: Debug: client passdb out:
> >>>> XXXXXXXXXXXXXXXXXXXXXXXXX
> >>>> Jul  1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
> >>>> ........
> >>>> Jul  1 23:17:04 server dovecot: imap-login: Login: user=<achim>,
> >>>> method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=21496, TLS,
> >>>> session=<ldMkgpk2dAB/AAAB>
> >>>>
> >>>> On 01.07.2016 at 22:40, Achim Gottinger wrote:
> >>>>> I'm sure it will not work till you get that module build. :-)
> >>>>>
> >>>>>
> >>>>> On 01.07.2016 at 20:53, Mark Foley wrote:
> >>>>>> On Fri, 1 Jul 2016 11:55:20 +0200 Achim Gottinger <achim at domain.biz>
> >>>>>> wrote:
> >>>>>>
> >>>>>>> Do you have /usr/lib/dovecot/modules/auth/libmech_gssapi.so? Maybe
> >>>>>>> at an
> >>>>>>> different location. On debian this comes with the dovecot-gssapi
> >>>>>>> package.
> >>>>>> That module is nowhere on my system.
> >>>>>>
> >>>>>> --Mark
> >>>>>>
> >>>> -- 
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>>
> >>
>
>
>
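The thread turns on reading Dovecot's auth debug log correctly: the `client in: AUTH#0111#011GSSAPI#011service=imap#011secured...` line shows which SASL mechanism the client offered (the `#011` is how syslog writes a TAB), and the later `imap-login: Login: ... method=GSSAPI` line confirms the login completed, while Mark's earlier tests silently fell back to PLAIN. The following Python is an added example, not code from the thread or from the Dovecot project: it decodes the syslog escaping, groups the lines by session id, and reports sessions that did not end in a completed GSSAPI login. The sample lines are constructed in the style of Achim's excerpt (the PLAIN session and the incomplete GSSAPI session, with their session ids, are invented for illustration), and it assumes rsyslog's default `#ooo` octal escaping of control characters.

```python
"""Summarise Dovecot auth debug log lines per session and flag logins that
did not complete as GSSAPI (added example; sample log lines are constructed)."""
import re
from dataclasses import dataclass

# Assumption: syslog (rsyslog default) writes control characters as '#' + 3 octal
# digits, so the TAB separators of Dovecot's auth protocol appear as '#011'.
_OCTAL_ESC = re.compile(r"#([0-7]{3})")

CLIENT_IN = re.compile(r"dovecot: auth: Debug: client in: (?P<payload>.*)$")
CTX_DONE = re.compile(
    r"gssapi\((?P<user>[^,]*),(?P<rip>[^,]*),<(?P<session>[^>]+)>\): "
    r"security context state completed")
LOGIN = re.compile(
    r"dovecot: imap-login: Login: user=<(?P<user>[^>]*)>, method=(?P<method>\w+), "
    r"rip=(?P<rip>[\d.]+).*session=<(?P<session>[^>]+)>")


def unescape_syslog(s: str) -> str:
    """Turn '#011' back into a TAB (and any other #ooo escape into its byte)."""
    return _OCTAL_ESC.sub(lambda m: chr(int(m.group(1), 8)), s)


@dataclass
class Session:
    session: str
    mechanism: str = ""      # SASL mechanism the client offered (AUTH line)
    service: str = ""
    rip: str = ""
    secured: bool = False    # Dovecot sets 'secured' for TLS or local connections
    user: str = ""
    gss_context_ok: bool = False
    login_ok: bool = False
    login_method: str = ""


def parse_auth_log(lines):
    """Return {session_id: Session} built from Dovecot auth/imap-login lines."""
    sessions = {}
    for line in lines:
        m = CLIENT_IN.search(line)
        if m:
            fields = unescape_syslog(m.group("payload")).split("\t")
            if fields[0] != "AUTH":      # CONT lines carry no new attributes
                continue
            # Layout: AUTH <id> <mechanism> key=value... plus bare flags ('secured')
            kv, flags = {}, set()
            for f in fields[3:]:
                if "=" in f:
                    k, v = f.split("=", 1)
                    kv[k] = v
                else:
                    flags.add(f)
            sid = kv.get("session", "?")
            s = sessions.setdefault(sid, Session(sid))
            s.mechanism, s.service = fields[2], kv.get("service", "")
            s.rip, s.secured = kv.get("rip", ""), "secured" in flags
            continue
        m = CTX_DONE.search(line)
        if m:
            s = sessions.setdefault(m.group("session"), Session(m.group("session")))
            s.user, s.gss_context_ok = m.group("user"), True
            continue
        m = LOGIN.search(line)
        if m:
            s = sessions.setdefault(m.group("session"), Session(m.group("session")))
            s.user, s.login_ok, s.login_method = m.group("user"), True, m.group("method")
    return sessions


def findings(sessions):
    """Human-readable list of sessions worth a second look."""
    out = []
    for s in sessions.values():
        if s.login_ok and s.login_method.upper() != "GSSAPI":
            out.append(f"{s.session}: user {s.user} logged in with {s.login_method}, not GSSAPI (fallback?)")
        if s.mechanism == "PLAIN" and not s.secured:
            out.append(f"{s.session}: PLAIN offered on a connection Dovecot did not mark 'secured'")
        if s.mechanism == "GSSAPI" and not s.gss_context_ok:
            out.append(f"{s.session}: GSSAPI attempt never completed its security context")
    return out


# Constructed sample: first session mirrors Achim's excerpt; the other two are invented.
SAMPLE_LOG = """\
Jul  1 23:17:04 server dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured#011session=ldMkgpk2dAB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=39796#011resp=<hidden>
Jul  1 23:17:04 server dovecot: auth: Debug: gssapi(?,127.0.0.1,<ldMkgpk2dAB/AAAB>): Using all keytab entries
Jul  1 23:17:04 server dovecot: auth: Debug: gssapi(achim,127.0.0.1,<ldMkgpk2dAB/AAAB>): security context state completed.
Jul  1 23:17:04 server dovecot: auth: Debug: client in: CONT<hidden>
Jul  1 23:17:04 server dovecot: imap-login: Login: user=<achim>, method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=21496, TLS, session=<ldMkgpk2dAB/AAAB>
Jul  1 23:20:11 server dovecot: auth: Debug: client in: AUTH#0112#011PLAIN#011service=imap#011session=Q29uc3RydWN0ZWQA#011lip=192.168.100.102#011rip=192.168.100.55#011lport=143#011rport=40122#011resp=<hidden>
Jul  1 23:20:11 server dovecot: imap-login: Login: user=<mark>, method=PLAIN, rip=192.168.100.55, lip=192.168.100.102, mpid=21510, session=<Q29uc3RydWN0ZWQA>
Jul  1 23:21:02 server dovecot: auth: Debug: client in: AUTH#0113#011GSSAPI#011service=imap#011secured#011session=ZmFpbGVkAAAA#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=40130#011resp=<hidden>
Jul  1 23:21:02 server dovecot: auth: Debug: gssapi(?,127.0.0.1,<ZmFpbGVkAAAA>): Using all keytab entries
"""

if __name__ == "__main__":
    for line in findings(parse_auth_log(SAMPLE_LOG.splitlines())):
        print(line)
```

Run against a real `/var/log/mail.log` with `auth_debug = yes` set in Dovecot, the output distinguishes the three cases the thread keeps circling: a client that never offered GSSAPI at all (no `libmech_gssapi.so`, or `imap_authenticators` not restricted), a GSSAPI exchange that started but did not complete (typically the keytab lacks a usable `imap/<hostname>` entry or the hostname does not match the SPN), and a quiet PLAIN fallback that makes everything look fine until `imap_authenticators="gssapi"` is set.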