[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Mark Foley mfoley at ohprs.org
Mon Jul 4 20:21:20 UTC 2016


> To: samba at lists.samba.org
> From: Achim Gottinger <achim at ag-web.biz>
> Date: Mon, 4 Jul 2016 09:29:02 +0200
> Subject: Re: [Samba] How to GSSAPI/Kerberos authenticate with Dovecot
>
> Am 04.07.2016 um 01:34 schrieb Mark Foley:
> > After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with
> > Samba4 AD/DC, I believe I've finally got it! Infinite thanks to Achim Gottinger for his
> > patience in working this through with me.  Although my purpose was for Dovecot to authenticate
> > mail clients, the configuration settings needed were on the Samba side.  I hope these
> > instructions can eventually make it into:
> >
> > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> >
> > as those instructions contain nothing about the required `samba-tool spn add` and `samba-tool domain
> > exportkeytab` settings, without which it is impossible to get Dovecot (and presumably other
> > local authenticators needing GSSAPI/Kerberos) to authenticate.
> >
> > You need kerberos as the Samba built-in kerberos does not have needed commands like `klist`.
> >
> > My distro (Slackware 14.1) does not come with kerberos, but is easily found at:
> >
> > https://slackbuilds.org/repository/14.1/network/krb5/
> >
> > Per the samba docs, copy the krb5.conf template created when provisioned:
> >
> > $ cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
> >
> > (Note: the actual docs advise symlinking:
> >
> >    ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf
> >
> > but I prefer making a copy in case I need to modify things).
> >
> > I've set the /etc/krb5.conf file to world readable.  Its default contents are (and these do
> > not need to be changed):
> >
> > [libdefaults]
> >          default_realm = HPRS.LOCAL
> >          dns_lookup_realm = false
> >          dns_lookup_kdc = true
> >
> > where HPRS.LOCAL is my realm, of course use your own.
> >
> > Now, we need a samba user in order to create the necessary SPNs (Server Principal Names):
> >
> > $ samba-tool user create dovecot
> > New Password:
> > Retype Password:
> > User 'dovecot' created successfully
> >
> > Next, add the SPN(s), and create the keytab:
> >
> > $ samba-tool spn add imap/mail.hprs.local dovecot
> > $ samba-tool domain exportkeytab --principal imap/mail.hprs.local dovecot.keytab
> >
> > Dovecot does not do my (outgoing) SMTP serving, only (incoming) IMAP, but if it did I'd have to
> > create another SPN for smtp:
> >
> > $ samba-tool spn add smtp/mail.hprs.local dovecot
> > $ samba-tool domain exportkeytab --principal smtp/mail.hprs.local dovecot.keytab
> >
> > Dovecot needs to be able to read the keytab file:
> >
> > $ chgrp dovecot /etc/dovecot/dovecot.keytab
> > $ chmod g+r /etc/dovecot/dovecot.keytab
> >
> > my new keytab:
> >
> > $ klist -Kek /etc/dovecot/dovecot.keytab
> > Keytab name: FILE:/etc/dovecot/dovecot.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >     1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
> >     1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
> >     1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
> > (and if I also created the spn for smtp I would also have these:)
> >     1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
> >     1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
> >     1 smtp/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
> >
> > DOVECOT SETTINGS:
> >
> > Of crucial importance is to build dovecot with GSSAPI! That is NOT one of the default settings.
> > In the build directory:
> >
> > ./configure --with-gssapi=yes
> >
> > Otherwise, settings are pretty simple. Add the following 3 settings to 10-auth.conf:
> >
> > auth_gssapi_hostname = "$ALL"
> > auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> > auth_mechanisms = plain login gssapi
> >
> > The auth_gssapi_hostname is supposedly not required according to Dovecot list comments, but my
> > 10-auth.conf template implies differently, so it can't hurt.
> >
> > I couldn't get any of this working until I rebooted the Samba AD/DC-Dovecot server, but that
> > just may have been me not stopping/starting Samba and Dovecot in the right sequence (or, I
> > needed a Samba upgrade to 4.2!).
> >
> > In my WIN7 and Ubuntu Thunderbird clients I selected gssapi/kerberos for the IMAP authenticate
> > method and it works!
> >
> > Again, thanks to Achim for his critical help.
> >
> > Someone please put at least the required samba-tool commands into the wiki for other poor
> > schmucks like me.
> >
> > --Mark
> >
> >
> Glad you finally got it working! Have you tried it without
> 'auth_gssapi_hostname = "$ALL"'? In my tests with those principals it
> worked without it.
> With Samba 4.4.3 there are also aes 128/256 versions of the keys in the 
> exported keytab.
> On Windows 7 kinit shows what encryption was used. With arcfour-hmac it 
> shows rc4-hmac.
>
> achim~
>
>

Thanks Achim, no, I haven't tried it without the auth_gssapi_hostname setting, though it probably
will work. The Dovecot people seemed to think so. I'm giving this a rest to let my brain cool
down. Perhaps I'll try it later.

Please weigh in on Rowland's comment about restricting documentation on Kerberos
authentication to domain members. I've posted a dissenting view, but maybe I'm alone in my
opinion that there should be no issue running a mail server on the same box as the AD/DC.
Perhaps few people do that, but my feeling is that most people do that. Feedback by you and
others as to real-world use could be valuable.

--Mark
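As an added example (not part of this thread or of Samba/Dovecot), a small POSIX shell audit of an exported Dovecot keytab: it checks that the expected SPNs are present in `klist -Kek` output, flags the DES and arcfour enctypes shown above as weak (Achim notes that Samba 4.4.3 also exports AES keys), and verifies the keytab file is not world-readable, which `chgrp dovecot` plus `chmod g+r` does not make it. The klist text, host name and realm below are constructed sample data; `audit_keytab` is a hypothetical wrapper that needs a real MIT `klist`.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a Dovecot keytab after
# `samba-tool domain exportkeytab`. The sample below is constructed
# klist -Kek output with the key bytes replaced by a placeholder.
SAMPLE_KLIST='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- ------------------------------------------------------------------
   1 imap/mail.example.test@EXAMPLE.TEST (des-cbc-crc)  (0xPLACEHOLDER)
   1 imap/mail.example.test@EXAMPLE.TEST (des-cbc-md5)  (0xPLACEHOLDER)
   1 imap/mail.example.test@EXAMPLE.TEST (arcfour-hmac)  (0xPLACEHOLDER)
   1 imap/mail.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)  (0xPLACEHOLDER)'

# keytab_has_spn KLIST_TEXT SPN -> exit 0 if any key for SPN@REALM is listed
keytab_has_spn() {
    printf '%s\n' "$1" | awk -v spn="$2" \
        '$2 ~ ("^" spn "@") { found = 1 } END { exit !found }'
}

# weak_enctypes KLIST_TEXT -> prints each deprecated enctype present (sorted, unique);
# DES is retired and arcfour-hmac (rc4-hmac on Windows) is considered weak
weak_enctypes() {
    printf '%s\n' "$1" | awk '
        match($0, /\([a-z0-9-]+\)/) {
            e = substr($0, RSTART + 1, RLENGTH - 2)
            if (e ~ /^des-/ || e == "arcfour-hmac") print e
        }' | LC_ALL=C sort -u
}

# keytab_mode_ok PATH -> exit 0 if the "other" permission bits are all clear
keytab_mode_ok() {
    perms=$(ls -ld "$1" | cut -c8-10)
    [ "$perms" = "---" ]
}

# audit_keytab PATH SPN... -> run all three checks against a real keytab (needs MIT klist)
audit_keytab() {
    kt=$1; shift
    out=$(klist -Kek "$kt") || return 1
    keytab_mode_ok "$kt" || echo "WARN: $kt is world-readable"
    for spn in "$@"; do
        keytab_has_spn "$out" "$spn" || echo "MISSING: no key for $spn"
    done
    weak_enctypes "$out" | sed 's/^/WEAK: enctype present: /'
}
```

Run `audit_keytab /etc/dovecot/dovecot.keytab imap/mail.hprs.local smtp/mail.hprs.local` on the mail host; silence means every SPN has a key, no weak enctypes were exported and the file mode is sane.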
