[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Mark Foley mfoley at ohprs.org
Mon Jul 4 20:15:30 UTC 2016


On Mon, 4 Jul 2016 08:18:11 +0100 Rowland penny <rpenny at samba.org> wrote:

> The problem is that Samba doesn't recommend using the DC as a fileserver 
> etc This is why it isn't mentioned, 

Well, I don't see that the DC is being used as an actual file server simply by hosting an email
server.  There is no share defined in smb.conf to accommodate this.  Furthermore, I think it is
common practice for the AD/DC to also be the mail server.  Certainly that has been my
experience, esp. coming from the Microsoft universe with the typical small business
configuration of SBS and Exchange on the same host; now replaced by Samba4 and Dovecot/IMAP. 
Since Dovecot is only trying to authenticate, I don't see how this could possibly be a NOT
RECOMMENDED configuration. 

> on a correctly set up domain member, the keytab is created during the join.

Probably true for a domain member, but not for the AD/DC. I disagree that you should restrict
kerberos authentication to domain members.

> > Someone please put at least the required samba-tool commands into the wiki for other poor
> > schmucks like me.
> >
> > --Mark

> Will do, but it will be phrased in the context of using a domain member 
> not a DC.

You're the boss, but I don't think that covers the issue.  You helped me set up a domain member
for single-sign-on about a year ago and that required nothing special on the AD/DC.  I think
Samba/Kerberos works for domain members, but not for authentication on the same host running
the DC.  I think it's fallacious to assume the mail server will be on a standalone host/domain
member.  Maybe in the Microsoft world, but Linux certainly has the horsepower to handle AD/DC
and Mailserver on the same box. 

--Mark

-----Original Message-----
> To: samba at lists.samba.org
> From: Rowland penny <rpenny at samba.org>
> Date: Mon, 4 Jul 2016 08:18:11 +0100
> Subject: Re: [Samba] How to GSSAPI/Kerberos authenticate with Dovecot
>
> On 04/07/16 00:34, Mark Foley wrote:
> > After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with
> > Samba4 AD/DC, I believe I've finally got it! Infinite thanks to Achim Gottinger for his
> > patience in working this through with me.  Although my purpose was for Dovecot to authenticate
> > mail clients, the configuration settings needed were on the Samba side.  I hope these
> > instructions can eventually make it into:
> >
> > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> >
> > as those instructions contain nothing about the required `samba-tool spn add` and `samba-tool domain
> > exportkeytab` settings, without which it is impossible to get Dovecot (and presumably other
> > local authenticators needing GSSAPI/Kerberos) to authenticate.
>
> The problem is that Samba doesn't recommend using the DC as a fileserver 
> etc This is why it isn't mentioned, on a correctly set up domain member, 
> the keytab is created during the join.
>
> >
> > You need kerberos as the Samba built-in kerberos does not have needed commands like `klist`.
>
> No you don't need kerberos, Samba comes with kerberos, you need the 
> kerberos tools.
>
> >
> > My distro (Slackware 14.1) does not come with kerberos, but is easily found at:
> >
> > https://slackbuilds.org/repository/14.1/network/krb5/
> >
> > Per the samba docs, copy the krb5.conf template created when provisioned:
> >
> > $ cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
> >
> > (Note: the actual docs advise symlinking:
> >
> >    ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf
> >
> > but I prefer making a copy in case I need to modify things).
> >
> > I've set the /etc/krb5.conf file to world readable.  Its default contents are (and these do
> > not need to be changed):
> >
> > [libdefaults]
> >          default_realm = HPRS.LOCAL
> >          dns_lookup_realm = false
> >          dns_lookup_kdc = true
> >
> > where HPRS.LOCAL is my realm, of course use your own.
> >
> > Now, we need a samba user in order to create the necessary SPNs (Server Principal Names):
> >
> > $ samba-tool user create dovecot
> > New Password:
> > Retype Password:
> > User 'dovecot' created successfully
> >
> > Next, add the SPN(s), and create the keytab:
> >
> > $ samba-tool spn add imap/mail.hprs.local dovecot
> > $ samba-tool domain exportkeytab --principal imap/mail.hprs.local dovecot.keytab
> >
> > Dovecot does not do my (outgoing) SMTP serving, only (incoming) IMAP, but if it did I'd have to
> > create another SPN for smtp:
> >
> > $ samba-tool spn add smtp/mail.hprs.local dovecot
> > $ samba-tool domain exportkeytab --principal smtp/mail.hprs.local dovecot.keytab
> >
> > Dovecot needs to be able to read the keytab file:
> >
> > $ chgrp dovecot /etc/dovecot/dovecot.keytab
> > $ chmod g+r /etc/dovecot/dovecot.keytab
> >
> > my new keytab:
> >
> > $ klist -Kek /etc/dovecot/dovecot.keytab
> > Keytab name: FILE:/etc/dovecot/dovecot.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >     1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
> >     1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
> >     1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
> > (and if I also created the spn for smtp I would also have these:)
> >     1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
> >     1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
> >     1 smtp/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
> >
> > DOVECOT SETTINGS:
> >
> > Of crucial importance is to build dovecot with GSSAPI! That is NOT one of the default settings.
> > In the build directory:
> >
> > ./configure --with-gssapi=yes
> >
> > Otherwise, settings are pretty simple. Add the following 3 settings to 10-auth.conf:
> >
> > auth_gssapi_hostname = "$ALL"
> > auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> > auth_mechanisms = plain login gssapi
> >
> > The auth_gssapi_hostname is supposedly not required according to Dovecot list comments, but my
> > 10-auth.conf template implies differently, so it can't hurt.
> >
> > I couldn't get any of this working until I rebooted the Samba AD/DC-Dovecot server, but that
> > just may have been me not stopping/starting Samba and Dovecot in the right sequence (or, I
> > needed a Samba upgrade to 4.2!).
> >
> > In my WIN7 and Ubuntu Thunderbird clients I selected gssapi/kerberos for the IMAP authentication
> > method and it works!
> >
> > Again, thanks to Achim for his critical help.
> >
> > Someone please put at least the required samba-tool commands into the wiki for other poor
> > schmucks like me.
> >
> > --Mark
> >
> >
>
> Will do, but it will be phrased in the context of using a domain member 
> not a DC.
>
> Rowland
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
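The samba-tool and keytab steps from the quoted post, collected into one script as an added example (this is not code from the thread, nor from the Samba or Dovecot projects). It assumes the names used above: realm HPRS.LOCAL, IMAP host mail.hprs.local, service account "dovecot", keytab /etc/dovecot/dovecot.keytab, MIT krb5 tools, and Dovecot running with a "dovecot" group. Beyond the thread it adds three things a practitioner would want: a random, non-expiring password for the service account (nobody ever types it; only the keytab is used), a `kinit -k -t` against the new keytab to prove it works against the KDC before Dovecot is touched, and a scan of the `klist -Kek` listing for weak key types. That last check matters here because the listing in the thread contains only single-DES and RC4 keys, and a service ticket is encrypted with the service's key, so every IMAP logon would be protected by no more than RC4. The demo mode runs offline on a constructed sample of that listing.

```shell
#!/bin/sh
# Added example, not code from the thread: the samba-tool/keytab steps as
# one script, plus a kinit check and a weak-key-type scan. Assumed names:
# realm HPRS.LOCAL, IMAP host mail.hprs.local, service account "dovecot",
# keytab /etc/dovecot/dovecot.keytab, Dovecot running with group "dovecot".
# Usage: sh dovecot-keytab.sh provision   (on the AD DC, as root)
#        sh dovecot-keytab.sh             (offline demo of the key-type scan)
set -eu

REALM=${REALM:-HPRS.LOCAL}
MAILHOST=${MAILHOST:-mail.hprs.local}
ACCOUNT=${ACCOUNT:-dovecot}
KEYTAB=${KEYTAB:-/etc/dovecot/dovecot.keytab}
SERVICES=${SERVICES:-"imap smtp"}      # drop smtp if Dovecot serves IMAP only

# Key types to flag: single DES is broken, triple DES and RC4 are deprecated
# (RFC 6649, RFC 8429). A service ticket is encrypted with the service key,
# so a keytab holding only these caps the protection of every logon there.
WEAK_ENCTYPES='des-cbc-crc|des-cbc-md5|des-cbc-md4|des3-cbc-sha1|arcfour-hmac(-md5)?(-exp)?'

# weak_keytab_entries: reads `klist -Kek` output on stdin and prints
# "principal enctype" for every weak key. Exit 0 = clean, 1 = weak keys.
# Entry lines look like:  KVNO principal (enctype)  (keybytes)
weak_keytab_entries() {
    awk -v pat="$WEAK_ENCTYPES" '
        $1 ~ /^[0-9]+$/ && $3 ~ /^\(/ {
            et = $3; gsub(/[()]/, "", et)
            if (et ~ ("^(" pat ")$")) { print $2, et; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# provision_keytab: the samba-tool steps from the thread, run on the DC as root.
provision_keytab() {
    command -v samba-tool >/dev/null || { echo "samba-tool not found" >&2; return 1; }
    command -v kinit >/dev/null || { echo "MIT krb5 tools (kinit/klist) not found" >&2; return 1; }

    # Service account with a random password that never expires: Dovecot
    # only ever uses the keytab (the thread sets the password interactively).
    samba-tool user create "$ACCOUNT" --random-password
    samba-tool user setexpiry "$ACCOUNT" --noexpiry

    # One SPN per service, all exported into the same keytab. Clients build
    # the SPN from the host name they connect to, so MAILHOST must be that
    # name, resolved by an A record rather than a CNAME.
    for svc in $SERVICES; do
        samba-tool spn add "$svc/$MAILHOST" "$ACCOUNT"
        samba-tool domain exportkeytab --principal "$svc/$MAILHOST" "$KEYTAB"
    done
    samba-tool spn list "$ACCOUNT"

    # The keytab is a long-term credential: group-readable for Dovecot only,
    # never world-readable (the thread adds g+r but does not clear o+r).
    chown root:"$ACCOUNT" "$KEYTAB"
    chmod 0640 "$KEYTAB"

    # Check 1: the keytab really authenticates to the KDC. An in-memory
    # credential cache keeps the test ticket out of /tmp.
    KRB5CCNAME=MEMORY:keytab-check kinit -k -t "$KEYTAB" "imap/$MAILHOST@$REALM"

    # Check 2: warn if the exported keys are DES/RC4 only.
    klist -Kek "$KEYTAB"
    if klist -Kek "$KEYTAB" | weak_keytab_entries; then
        echo "keytab contains no weak key types"
    else
        echo "WARNING: weak key types listed above; AES keys are preferable" >&2
    fi
}

# Constructed sample of `klist -Kek` output for the offline demo: the three
# entries from the thread's listing plus one made-up AES entry.
SAMPLE_KLIST='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
   1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
   2 imap/mail.hprs.local@HPRS.LOCAL (aes256-cts-hmac-sha1-96)  (0x0011223344556677)'

case "${1:-demo}" in
    provision) provision_keytab ;;
    demo)
        if printf '%s\n' "$SAMPLE_KLIST" | weak_keytab_entries; then
            echo "no weak key types"
        else
            echo "weak key types found (listed above)"
        fi ;;
esac
```

Note that `exportkeytab` is run once per SPN into the same file, as the thread does, so both service keys end up in one keytab; the `kinit` check only needs one of them. The principal names in the sample use `@`, which is what `klist` prints; the mailing-list archive rewrites `@` as ` at `.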

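The three 10-auth.conf settings from the quoted post, shown as posted and then with the change a reviewer would ask for, as an added example (not the thread's own file and not Dovecot project documentation). As posted, `plain` and `login` are offered next to `gssapi`, and nothing in those three lines stops a client that does not do Kerberos from sending its AD password in the clear. Dovecot's `disable_plaintext_auth` (whose default is already `yes`) together with `ssl = required` closes that gap without removing the password fallback for clients inside TLS. The certificate paths are assumptions; `auth_gssapi_hostname` is pinned to the name clients connect to, matching the SPN created above, where the thread used `"$ALL"` (any principal in the keytab).

```conf
# /etc/dovecot/conf.d/10-auth.conf  (added example; not the thread's file)

# As posted in the thread: GSSAPI works, but PLAIN and LOGIN are also
# accepted and these lines alone do not require TLS for them.
#auth_mechanisms = plain login gssapi
#auth_gssapi_hostname = "$ALL"
#auth_krb5_keytab = /etc/dovecot/dovecot.keytab

# Hardened: same mechanisms, GSSAPI offered first, password mechanisms only
# inside TLS, keytab principal pinned to the host name clients connect to
# (must match the SPN imap/mail.hprs.local exported into the keytab).
auth_mechanisms = gssapi plain login
disable_plaintext_auth = yes
auth_gssapi_hostname = mail.hprs.local
auth_krb5_keytab = /etc/dovecot/dovecot.keytab

# /etc/dovecot/conf.d/10-ssl.conf  (certificate paths are assumptions)
ssl = required
ssl_cert = </etc/ssl/certs/mail.hprs.local.pem
ssl_key = </etc/ssl/private/mail.hprs.local.key
```

After a `doveadm reload`, a quick check is `openssl s_client -starttls imap -connect mail.hprs.local:143` followed by `a CAPABILITY`: the server should advertise `AUTH=GSSAPI` before STARTTLS and only add `AUTH=PLAIN AUTH=LOGIN` once TLS is up.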

