[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Mark Foley mfoley at ohprs.org
Sun Jul 3 23:34:20 UTC 2016


After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with
Samba4 AD/DC, I believe I've finally got it! Infinite thanks to Achim Gottinger for his
patience in working this through with me.  Although my purpose was for Dovecot to authenticate
mail clients, the configuration settings needed were on the Samba side.  I hope these
instructions can eventually make it into:

https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

as those instructions contain nothing about the required `samba-tool spn add` and `samba-tool domain
exportkeytab` settings, without which it is impossible to get Dovecot (and presumably other
local authenticators needing GSSAPI/Kerberos) to authenticate.

You need Kerberos installed, as the Samba built-in Kerberos does not include needed commands like `klist`.

My distro (Slackware 14.1) does not come with Kerberos, but it is easily found at:

https://slackbuilds.org/repository/14.1/network/krb5/

Per the samba docs, copy the krb5.conf template created when provisioned:

$ cp /usr/local/samba/private/krb5.conf /etc/krb5.conf

(Note: the actual docs advise symlinking:

  ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf

but I prefer making a copy in case I need to modify things).

I've set the /etc/krb5.conf file to world readable.  Its default contents are (and these do
not need to be changed):

[libdefaults]
        default_realm = HPRS.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

where HPRS.LOCAL is my realm, of course use your own.

Now, we need a samba user in order to create the necessary SPNs (Server Principal Names):

$ samba-tool user create dovecot
New Password:
Retype Password:
User 'dovecot' created successfully

Next, add the SPN(s), and create the keytab:

$ samba-tool spn add imap/mail.hprs.local dovecot
$ samba-tool domain exportkeytab --principal imap/mail.hprs.local dovecot.keytab

Dovecot does not do my (outgoing) SMTP serving, only (incoming) IMAP, but if it did I'd have to
create another SPN for smtp:

$ samba-tool spn add smtp/mail.hprs.local dovecot
$ samba-tool domain exportkeytab --principal smtp/mail.hprs.local dovecot.keytab

Dovecot needs to be able to read the keytab file:

$ chgrp dovecot /etc/dovecot/dovecot.keytab
$ chmod g+r /etc/dovecot/dovecot.keytab

My new keytab:

$ klist -Kek /etc/dovecot/dovecot.keytab
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
   1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
(and if I had also created the SPN for smtp I would also have these:)
   1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
   1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
   1 smtp/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)

DOVECOT SETTINGS:

Of crucial importance is to build Dovecot with GSSAPI! That is NOT one of the default settings.
In the build directory:

./configure --with-gssapi=yes

Otherwise, settings are pretty simple. Add the following 3 settings to 10-auth.conf:

auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi

The auth_gssapi_hostname is supposedly not required according to dovecot list comments, but my
10-auth.conf template implies differently, so it can't hurt.

I couldn't get any of this working until I rebooted the Samba AD/DC-Dovecot server, but that
may just have been me not stopping/starting Samba and Dovecot in the right sequence (or I
needed a Samba upgrade to 4.2!).

In my Win7 and Ubuntu Thunderbird clients I selected GSSAPI/Kerberos as the IMAP authentication
method and it works!

Again, thanks to Achim for his critical help.

Someone please put at least the required samba-tool commands into the wiki for other poor
schmucks like me.

--Mark
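
The klist output in the post shows what `samba-tool domain exportkeytab` actually wrote: one key per
enctype, and in that keytab every key is DES or RC4 (DES was deprecated by RFC 6649, RC4 by RFC 8429).
Below is an added example, my own code rather than anything from Mark's post, Samba or Dovecot, that
parses a keytab in the MIT/Heimdal version-2 format exportkeytab produces, lists the principals and
enctypes, flags weak keys and principals that have no AES key at all, and checks the file mode that the
chgrp/chmod step leaves behind. The sample keytab bytes are constructed here with placeholder key
material (not the keys shown on the page); the principal names follow the post.

```python
"""Inspect a version-2 keytab (the format `samba-tool domain exportkeytab`
writes) before handing it to Dovecot: list principals and enctypes, flag
DES/RC4 keys and principals lacking AES, and check the file mode.
Added example; the sample keys and file modes below are constructed."""
import os
import stat
import struct

ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}      # DES (RFC 6649) and RC4 (RFC 8429) are deprecated
STRONG_ENCTYPES = {17, 18}      # AES; what current clients negotiate by default


def _counted_octets(buf, off):
    """uint16 length followed by that many bytes (keytab 'counted octet string')."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data):
    """Return a list of dicts with principal, kvno, enctype (int) and key (bytes)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab (expected 0x0502 header)")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                        # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_octets(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted_octets(data, off)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:                  # optional 32-bit kvno trailer
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key})
        off = end
    return entries


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into keytab bytes.
    Used only to construct sample input for this example."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def audit_enctypes(entries):
    """One finding per weak key, plus one per principal that has no AES key."""
    findings, by_principal = [], {}
    for e in entries:
        by_principal.setdefault(e["principal"], set()).add(e["enctype"])
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("%s: weak enctype %s" % (
                e["principal"], ENCTYPES.get(e["enctype"], e["enctype"])))
    for p, types in by_principal.items():
        if not types & STRONG_ENCTYPES:
            findings.append("%s: no AES key; modern clients may refuse GSSAPI" % p)
    return findings


def keytab_mode_ok(mode):
    """True if the mode has no 'other' bits and no group-write bit (0600 or 0640)."""
    bad = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH | stat.S_IWGRP
    return not (stat.S_IMODE(mode) & bad)


def check_keytab_file(path):
    """Stat a real keytab (e.g. /etc/dovecot/dovecot.keytab) and apply keytab_mode_ok."""
    return keytab_mode_ok(os.stat(path).st_mode)


# Constructed sample: the post's imap SPN with only DES/RC4 keys, plus an smtp
# SPN with an AES key to show what a clean entry looks like. Keys are dummies.
SAMPLE_KEYTAB = build_keytab([
    ("imap/mail.hprs.local@HPRS.LOCAL", 1, 1, b"\x01" * 8),
    ("imap/mail.hprs.local@HPRS.LOCAL", 1, 3, b"\x01" * 8),
    ("imap/mail.hprs.local@HPRS.LOCAL", 1, 23, b"\x02" * 16),
    ("smtp/mail.hprs.local@HPRS.LOCAL", 2, 18, b"\x03" * 32),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%4d %s (%s)" % (e["kvno"], e["principal"], ENCTYPES.get(e["enctype"])))
    for f in audit_enctypes(parse_keytab(SAMPLE_KEYTAB)):
        print("WARN", f)
```

Run it against a real file with `parse_keytab(open("/etc/dovecot/dovecot.keytab", "rb").read())` and
`check_keytab_file(...)`; the mode check passes for the 0640 that `chgrp dovecot; chmod g+r` produces on a
0600 file and fails for a world-readable 0644 copy.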