[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Achim Gottinger achim at ag-web.biz
Mon Jul 4 07:29:02 UTC 2016



On 04.07.2016 at 01:34, Mark Foley wrote:
> After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with
> Samba4 AD/DC, I believe I've finally got it! Infinite thanks to Achim Gottinger for his
> patience in working this through with me.  Although my purpose was for Dovecot to authenticate
> mail clients, the configuration settings needed were on the Samba side.  I hope these
> instructions can eventually make it into:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
>
> as those instructions contain nothing about the required `samba-tool spn add` and `samba-tool domain
> exportkeytab` settings, without which it is impossible to get Dovecot (and presumably other
> local authenticators needing GSSAPI/Kerberos) to authenticate.
>
> You need kerberos as the Samba built-in kerberos does not have needed commands like `klist`.
>
> My distro (Slackware 14.1) does not come with kerberos, but is easily found at:
>
> https://slackbuilds.org/repository/14.1/network/krb5/
>
> Per the samba docs, copy the krb5.conf template created when provisioned:
>
> $ cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
>
> (Note: the actual docs advise symlinking:
>
>    ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf
>
> but I prefer making a copy in case I need to modify things).
>
> I've set the /etc/krb5.conf file to world readable.  Its default contents are (and these do
> not need to be changed):
>
> [libdefaults]
>          default_realm = HPRS.LOCAL
>          dns_lookup_realm = false
>          dns_lookup_kdc = true
>
> where HPRS.LOCAL is my realm, of course use your own.
>
> Now, we need a samba user in order to create the necessary SPNs (Server Principal Names):
>
> $ samba-tool user create dovecot
> New Password:
> Retype Password:
> User 'dovecot' created successfully
>
> Next, add the SPN(s), and create the keytab:
>
> $ samba-tool spn add imap/mail.hprs.local dovecot
> $ samba-tool domain exportkeytab --principal imap/mail.hprs.local dovecot.keytab
>
> Dovecot does not do my (outgoing) SMTP serving, only (incoming) IMAP, but if it did I'd have to
> create another SPN for smtp:
>
> $ samba-tool spn add smtp/mail.hprs.local dovecot
> $ samba-tool domain exportkeytab --principal smtp/mail.hprs.local dovecot.keytab
>
> Dovecot needs to be able to read the keytab file:
>
> $ chgrp dovecot /etc/dovecot/dovecot.keytab
> $ chmod g+r /etc/dovecot/dovecot.keytab
>
> my new keytab:
>
> $ klist -Kek /etc/dovecot/dovecot.keytab
> Keytab name: FILE:/etc/dovecot/dovecot.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>     1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
>     1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
>     1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
> (and if I also created the spn for smtp I would also have these:)
>     1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
>     1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
>     1 smtp/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
>
> DOVECOT SETTINGS:
>
> Of crucial importance is to build dovecot with GSSAPI! That is NOT one of the default settings.
> In the build directory:
>
> ./configure --with-gssapi=yes
>
> Otherwise, settings are pretty simple. Add the following 3 settings to 10-auth.conf:
>
> auth_gssapi_hostname = "$ALL"
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> auth_mechanisms = plain login gssapi
>
> The auth_gssapi_hostname is supposedly not required according to Dovecot list comments, but my
> 10-auth.conf template implies differently, so it can't hurt.
>
> I couldn't get any of this working until I rebooted the Samba AD/DC-Dovecot server, but that
> just may have been me not stopping/starting Samba and Dovecot in the right sequence (or, I
> needed a Samba upgrade to 4.2!).
>
> In my WIN7 and Ubuntu Thunderbird clients I selected gssapi/kerberos for the IMAP authenticate
> method and it works!
>
> Again, thanks to Achim for his critical help.
>
> Someone please put at least the required samba-tool commands into the wiki for other poor
> schmucks like me.
>
> --Mark
>
>
Glad you finally got it working! Have you tried it without 
'auth_gssapi_hostname = "$ALL"'? In my tests with those principals it 
worked without it.
With Samba 4.4.3 there are also aes 128/256 versions of the keys in the 
exported keytab.
On Windows 7 kinit shows what encryption was used. With arcfour-hmac it 
shows rc4-hmac.

achim~
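The SPN/keytab procedure quoted above, and Achim's remark that newer Samba also exports aes keys, checked by an added script that is not from either poster: it assumes POSIX sh with awk, MIT `klist -ke` output on stdin, and the keytab path and realm from Mark's post.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Dovecot keytab exported with
# `samba-tool domain exportkeytab`. It checks file permissions, that the expected
# SPNs are present, and that each principal has an aes key rather than only
# des/arcfour keys (Achim notes Samba 4.4.3 exports aes keys too). Paths are assumptions.

# Parse `klist -ke` style output on stdin into "principal enctype" lines.
keytab_entries() {
    awk '/^ *[0-9]+ /{ enc = $3; gsub(/[()]/, "", enc); print $2, enc }'
}

# Return 1 (naming the principal) if any principal has only weak enctypes.
check_enctypes() {
    keytab_entries | awk '
        { seen[$1] = 1; if ($2 ~ /^aes/) strong[$1] = 1 }
        END { rc = 0
              for (p in seen) if (!(p in strong)) { print "weak-only: " p; rc = 1 }
              exit rc }'
}

# Return 1 if any SPN given as an argument is absent from the keytab output on stdin.
check_spns() {
    have=$(keytab_entries | awk '{ sub(/@.*/, "", $1); print $1 }' | sort -u)
    rc=0
    for spn in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$spn" || { echo "missing SPN: $spn"; rc=1; }
    done
    return $rc
}

# Return 1 if the keytab is readable by "other" or writable by group/other.
check_keytab_perms() {
    [ -f "$1" ] || { echo "no such keytab: $1"; return 1; }
    mode=$(ls -ld "$1" | cut -c1-10)                 # e.g. -rw-r-----
    case "$mode" in
        *---) ;;                                     # "other" has no access
        *) echo "readable by others: $1 ($mode)"; return 1 ;;
    esac
    case "$mode" in
        ?????w*) echo "group-writable: $1 ($mode)"; return 1 ;;
    esac
}

# Constructed klist output: a keytab with only des/arcfour keys, as in Mark's post.
SAMPLE_WEAK='   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)
   1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)'
# Constructed: the same keytab after an aes key is added (newer Samba exports these).
SAMPLE_AES="$SAMPLE_WEAK
   1 imap/mail.hprs.local@HPRS.LOCAL (aes256-cts-hmac-sha1-96)"
```

On a live server, pipe `klist -ke /etc/dovecot/dovecot.keytab` into `check_enctypes` and `check_spns imap/mail.hprs.local`, and run `check_keytab_perms /etc/dovecot/dovecot.keytab` after the chgrp/chmod step from the post.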



