[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Jules Houantonon juleshoueto at gmail.com
Mon Jul 4 21:11:58 UTC 2016


Thank you for sharing this information.

Good job!
On 4 Jul 2016 12:39 AM, "Mark Foley" <mfoley at ohprs.org> wrote:

> After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with
> Samba4 AD/DC, I believe I've finally got it! Infinite thanks to Achim Gottinger for his
> patience in working this through with me.  Although my purpose was for Dovecot to authenticate
> mail clients, the configuration settings needed were on the Samba side.  I hope these
> instructions can eventually make it into:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
>
> as those instructions contain nothing about the required `samba-tool spn add` and
> `samba-tool domain exportkeytab` settings, without which it is impossible to get Dovecot (and
> presumably other local authenticators needing GSSAPI/Kerberos) to authenticate.
>
> You need kerberos as the Samba built-in kerberos does not have needed commands like `klist`.
>
> My distro (Slackware 14.1) does not come with kerberos, but it is easily found at:
>
> https://slackbuilds.org/repository/14.1/network/krb5/
>
> Per the samba docs, copy the krb5.conf template created when provisioned:
>
> $ cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
>
> (Note: the actual docs advise symlinking:
>
>   ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf
>
> but I prefer making a copy in case I need to modify things).
>
> I've set the /etc/krb5.conf file to world readable.  Its default contents are (and these do
> not need to be changed):
>
> [libdefaults]
>         default_realm = HPRS.LOCAL
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> where HPRS.LOCAL is my realm, of course use your own.
>
> Now, we need a samba user in order to create the necessary SPNs (Server Principal Names):
>
> $ samba-tool user create dovecot
> New Password:
> Retype Password:
> User 'dovecot' created successfully
>
> Next, add the SPN(s), and create the keytab:
>
> $ samba-tool spn add imap/mail.hprs.local dovecot
> $ samba-tool domain exportkeytab --principal imap/mail.hprs.local dovecot.keytab
>
> Dovecot does not do my (outgoing) SMTP serving, only (incoming) IMAP, but if it did I'd have to
> create another SPN for smtp:
>
> $ samba-tool spn add smtp/mail.hprs.local dovecot
> $ samba-tool domain exportkeytab --principal smtp/mail.hprs.local dovecot.keytab
>
> Dovecot needs to be able to read the keytab file:
>
> $ chgrp dovecot /etc/dovecot/dovecot.keytab
> $ chmod g+r /etc/dovecot/dovecot.keytab
>
> My new keytab:
>
> $ klist -Kek /etc/dovecot/dovecot.keytab
> Keytab name: FILE:/etc/dovecot/dovecot.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
>    1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
>    1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
> (and if I also created the spn for smtp I would also have these:)
>    1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
>    1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
>    1 smtp/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
>
> DOVECOT SETTINGS:
>
> Of crucial importance is to build dovecot with GSSAPI! That is NOT one of the default settings.
> In the build directory:
>
> ./configure --with-gssapi=yes
>
> Otherwise, settings are pretty simple. Add the following 3 settings to 10-auth.conf:
>
> auth_gssapi_hostname = "$ALL"
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> auth_mechanisms = plain login gssapi
>
> The auth_gssapi_hostname is supposedly not required according to Dovecot list comments, but my
> 10-auth.conf template implies differently, so it can't hurt.
>
> I couldn't get any of this working until I rebooted the Samba AD/DC-Dovecot server, but that
> just may have been me not stopping/starting Samba and Dovecot in the right sequence (or, I
> needed a Samba upgrade to 4.2!).
>
> In my WIN7 and Ubuntu Thunderbird clients I selected gssapi/kerberos for the IMAP authenticate
> method and it works!
>
> Again, thanks to Achim for his critical help.
>
> Someone please put at least the required samba-tool commands into the wiki for other poor
> schmucks like me.
>
> --Mark
>
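An added audit helper for the keytab produced by the steps in Mark's post (my code, not part of the post nor of Samba or Dovecot): it checks that the expected SPNs have entries, that the keytab is not readable by "other", and lists the DES/RC4 enctypes that the post's listing shows (it has no AES keys). It assumes a grep that supports -o, and the sample listing is constructed to mirror the post.

```shell
#!/bin/sh
# Added audit helper (not from Mark's post, nor Samba/Dovecot code).
# Checks a Dovecot keytab the way a defender would after the steps above:
# expected SPNs present, no world-read bit, and a list of deprecated enctypes.
# Assumes a grep that supports -o (GNU or BSD).

# Constructed sample of `klist -ke` output, mirroring the post's listing
# (the post's keytab holds only DES and RC4 keys, no AES).
SAMPLE_KLIST='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- ------------------------------------------------------------------
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)
   1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)'

# has_principal LISTING PRINCIPAL -> exit 0 if the principal has a key entry
has_principal() {
    printf '%s\n' "$1" | grep -q -F " $2 "
}

# weak_enctypes LISTING -> prints each DES or RC4 enctype found, one per line
weak_enctypes() {
    printf '%s\n' "$1" | grep -o '([a-z0-9-]*)' | tr -d '()' \
        | grep -E '^(des-|arcfour-hmac)' | sort -u
}

# keytab_mode_ok FILE -> exit 0 if "other" has no r/w/x bits on the keytab
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    case $(ls -l "$1" | cut -c8-10) in
        ---) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_keytab FILE SPN... -> runs the checks against a real keytab via klist
audit_keytab() {
    kt=$1; shift
    listing=$(klist -ke "$kt") || return 1
    keytab_mode_ok "$kt" || echo "WARN: $kt is readable by others"
    for spn in "$@"; do
        has_principal "$listing" "$spn" || echo "MISSING: $spn"
    done
    weak=$(weak_enctypes "$listing")
    [ -z "$weak" ] || echo "WARN: deprecated enctypes in $kt:" $weak
}

# Example (needs a real keytab and klist; not run by the self-test):
# audit_keytab /etc/dovecot/dovecot.keytab imap/mail.hprs.local@HPRS.LOCAL
```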
