[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Rowland penny rpenny at samba.org
Mon Jul 4 20:43:46 UTC 2016


On 04/07/16 21:21, Mark Foley wrote:
>> To: samba at lists.samba.org
>> From: Achim Gottinger <achim at ag-web.biz>
>> Date: Mon, 4 Jul 2016 09:29:02 +0200
>> Subject: Re: [Samba] How to GSSAPI/Kerberos authenticate with Dovecot
>>
>> On 04.07.2016 at 01:34, Mark Foley wrote:
>>> After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with
>>> Samba4 AD/DC, I believe I've finally got it! Infinite thanks to Achim Gottinger for his
>>> patience in working this through with me.  Although my purpose was for Dovecot to authenticate
>>> mail clients, the configuration settings needed were on the Samba side.  I hope these
>>> instructions can eventually make it into:
>>>
>>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
>>>
>>> as those instructions contain nothing about the required `samba-tool spn add` and `samba-tool domain
>>> exportkeytab` settings, without which it is impossible to get Dovecot (and presumably other
>>> local authenticators needing GSSAPI/Kerberos) to authenticate.
>>>
>>> You need kerberos as the Samba built-in kerberos does not have needed commands like `klist`.
>>>
>>> My distro (Slackware 14.1) does not come with kerberos, but is easily found at:
>>>
>>> https://slackbuilds.org/repository/14.1/network/krb5/
>>>
>>> Per the samba docs, copy the krb5.conf template created when provisioned:
>>>
>>> $ cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
>>>
>>> (Note: the actual docs advise symlinking:
>>>
>>>     ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf
>>>
>>> but I prefer making a copy in case I need to modify things).
>>>
>>> I've set the /etc/krb5.conf file to world readable.  Its default contents are (and these do
>>> not need to be changed):
>>>
>>> [libdefaults]
>>>           default_realm = HPRS.LOCAL
>>>           dns_lookup_realm = false
>>>           dns_lookup_kdc = true
>>>
>>> where HPRS.LOCAL is my realm, of course use your own.
>>>
>>> Now, we need a samba user in order to create the necessary SPNs (Server Principal Names):
>>>
>>> $ samba-tool user create dovecot
>>> New Password:
>>> Retype Password:
>>> User 'dovecot' created successfully
>>>
>>> Next, add the SPN(s), and create the keytab:
>>>
>>> $ samba-tool spn add imap/mail.hprs.local dovecot
>>> $ samba-tool domain exportkeytab --principal imap/mail.hprs.local dovecot.keytab
>>>
>>> Dovecot does not do my (outgoing) SMTP serving, only (incoming) IMAP, but if it did I'd have to
>>> create another SPN for smtp:
>>>
>>> $ samba-tool spn add smtp/mail.hprs.local dovecot
>>> $ samba-tool domain exportkeytab --principal smtp/mail.hprs.local dovecot.keytab
>>>
>>> Dovecot needs to be able to read the keytab file:
>>>
>>> $ chgrp dovecot /etc/dovecot/dovecot.keytab
>>> $ chmod g+r /etc/dovecot/dovecot.keytab
>>>
>>> my new keytab:
>>>
>>> $ klist -Kek /etc/dovecot/dovecot.keytab
>>> Keytab name: FILE:/etc/dovecot/dovecot.keytab
>>> KVNO Principal
>>> ---- --------------------------------------------------------------------------
>>>      1 imap/mail.hprs.local at HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
>>>      1 imap/mail.hprs.local at HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
>>>      1 imap/mail.hprs.local at HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
>>> (and if I also created the spn for smtp I would also have these:)
>>>      1 smtp/mail.hprs.local at HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
>>>      1 smtp/mail.hprs.local at HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
>>>      1 smtp/mail.hprs.local at HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
>>>
>>> DOVECOT SETTINGS:
>>>
>>> Of crucial importance is to build dovecot with GSSAPI! That is NOT one of the default settings.
>>> In the build directory:
>>>
>>> ./configure --with-gssapi=yes
>>>
>>> Otherwise, settings are pretty simple. Add the following 3 settings to 10-auth.conf:
>>>
>>> auth_gssapi_hostname = "$ALL"
>>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
>>> auth_mechanisms = plain login gssapi
>>>
>>> The auth_gssapi_hostname is supposedly not required according to Dovecot list comments, but my
>>> 10-auth.conf template implies differently, so it can't hurt.
>>>
>>> I couldn't get any of this working until I rebooted the Samba AD/DC-Dovecot server, but that
>>> just may have been me not stopping/starting Samba and Dovecot in the right sequence (or, I
>>> needed a Samba upgrade to 4.2!).
>>>
>>> In my WIN7 and Ubuntu Thunderbird clients I selected gssapi/kerberos for the IMAP authentication
>>> method and it works!
>>>
>>> Again, thanks to Achim for his critical help.
>>>
>>> Someone please put at least the required samba-tool commands into the wiki for other poor
>>> schmucks like me.
>>>
>>> --Mark
>>>
>>>
>> Glad you finally got it working! Have you tried it without
>> 'auth_gssapi_hostname = "$ALL"'? In my tests with those principals it
>> worked without it.
>> With Samba 4.4.3 there are also aes 128/256 versions of the keys in the
>> exported keytab.
>> On Windows 7 kinit shows what encryption was used. With arcfour-hmac it
>> shows rc4-hmac.
>>
>> achim~
>>
>>
> Thanks Achim, no haven't tried without the auth_gssapi_hostname settings, though it probably
> will work. The dovecot people seemed to think so. I'm giving this a rest to let my brain cool
> down. Perhaps I'll try it later.
>
> Please weigh in on Rowland's comment about restricting documentation on kerberos
> authentication to domain members.  I've posted a dissenting view, but maybe I'm alone in my
> opinion that there should be no issue running a mail server on the same box as the AD/DC.
> Perhaps few people do that, but my feeling is that most people do that.  Feedback by you and
> others as to real-world use could be valuable.
>
> --Mark
>

Perhaps this info would be better on the Dovecot wiki ?
I have no real problem with putting the info on the Samba wiki, but as I 
said, stuff like this used to be on the wiki and it was removed during 
Marc's clean up.

If Marc gives the go ahead, I will add it, if he says no, then I won't, 
there is no point in adding something that Marc is just going to remove.

Rowland
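A defender-side check for the keytab that `samba-tool domain exportkeytab` writes, added here as an example that is not from the thread, Samba or Dovecot: it parses the MIT keytab v2 layout, lists principal, kvno and enctype without exposing key bytes, and flags the single-DES and RC4 entries visible in Mark's klist output (Achim notes that 4.4.3 also exports AES keys). The sample keytab bytes are constructed inline with dummy zero keys; the function and constant names are assumptions of this example.

```python
import struct
# IANA/RFC 3961 enctype numbers behind the names that klist -e prints
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 23}          # single DES and RC4: legacy, should not be relied on

def build_entry(principal, realm, enctype, key, kvno=1, timestamp=0):  # builds sample data only
    comps = [c.encode() for c in principal.split("/")]
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIB", 1, timestamp, kvno)        # name_type NT-PRINCIPAL, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key    # keyblock: enctype, length, key
    return struct.pack(">i", len(body)) + body

def _read_octets(data, pos):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [(principal@REALM, kvno, enctype)] from keytab bytes in file version 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                    # a negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _read_octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_octets(data, pos)
            comps.append(c.decode())
        _nt, _ts, vno8, enctype, klen = struct.unpack(">IIBHH", data[pos:pos + 13])
        pos += 13 + klen                # the key bytes themselves are never returned
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        entries.append(("%s@%s" % ("/".join(comps), realm.decode()), kvno, enctype))
        pos = end
    return entries

def weak_keys(entries):
    return [(p, ENCTYPE_NAMES.get(t, str(t))) for p, _, t in entries if t in WEAK_ENCTYPES]

SAMPLE_KEYTAB = b"\x05\x02" + b"".join(      # constructed sample, dummy all-zero keys
    build_entry("imap/mail.hprs.local", "HPRS.LOCAL", et, bytes(n))
    for et, n in ((1, 8), (3, 8), (23, 16), (18, 32)))
```

Run `parse_keytab(open("/etc/dovecot/dovecot.keytab", "rb").read())` against a real file to list what Dovecot will present, and `weak_keys(...)` to see which entries would still let a client negotiate DES or RC4.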




