[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Mark Foley mfoley at ohprs.org
Thu Jul 14 14:53:14 UTC 2016 

> To: samba at lists.samba.org
> From: Rowland penny <rpenny at samba.org>
> Date: Mon, 4 Jul 2016 21:43:46 +0100
> Subject: Re: [Samba] How to GSSAPI/Kerberos authenticate with Dovecot
>  [formerly Where is krb5.keytab or equivalent?]
>
> On 04/07/16 21:21, Mark Foley wrote:
> >> To: samba at lists.samba.org
> >> From: Achim Gottinger <achim at ag-web.biz>
> >> Date: Mon, 4 Jul 2016 09:29:02 +0200
> >> Subject: Re: [Samba] How to GSSAPI/Kerberos authenticate with Dovecot
> >>
> >> Am 04.07.2016 um 01:34 schrieb Mark Foley:
> >>> After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with
> >>> Samba4 AD/DC, I believe I've finally got it! Infinite thanks to Achim Gottinger for his
> >>> patience in working this through with me.  Although my purpose was for Dovecot to authenticate
> >>> mail clients, the configuration settings needed were on the Samba side.  I hope these
> >>> instructions can eventually make it into:
> >>>
> >>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> >>>
> >>> as those instruction contain nothing about the required `samba-tool spn add` and samba-tool domain
> >>> exportkeytab` settings, without which it is impossible to get Dovecot (and presumably other
> >>> local authenticators needing GSSAPI/Kerberos) to authenticate.
> >>>
> >>> You need kerberos as the Samba built-in kerberos does not have needed commands like `klist`.
> >>>
> >>> My distro (Slackware 14.1) does not come with kerberos, but is easily found at:
> >>>
> >>> https://slackbuilds.org/repository/14.1/network/krb5/
> >>>
> >>> Per the samba docs, copy the krb5.conf template created when provisioned:
> >>>
> >>> $ cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
> >>>
> >>> (Note: the actual docs advise symlinking:
> >>>
> >>>     ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf
> >>>
> >>> but I prefer making a copy in case I need to modify things).
> >>>
> >>> I've set The /etc/krb5.conf file to world readable.  It's default contents are (and these do
> >>> not need to be changed):
> >>>
> >>> [libdefaults]
> >>>           default_realm = HPRS.LOCAL
> >>>           dns_lookup_realm = false
> >>>           dns_lookup_kdc = true
> >>>
> >>> where HPRS.LOCAL is my realm, of course use your own.
> >>>
> >>> Now, we need a samba user in order to create the necessary SPNs (Server Principal Names):
> >>>
> >>> $ samba-tool user create dovecot
> >>> New Password:
> >>> Retype Password:
> >>> User 'dovecot' created successfully
> >>>
> >>> Next, add the SPN(s), and create the keytab:
> >>>
> >>> $ samba-tool spn add imap/mail.hprs.local dovecot
> >>> $ samba-tool domain exportkeytab --principal imap/mail.hprs.local dovecot.keytab
> >>>
> >>> Dovecot does not do my (outgoing) SMTP serving, only (incoming) IMAP, but if it did I'd have to
> >>> create another SPN for smtp:
> >>>
> >>> $ samba-tool spn add smtp/mail.hprs.local dovecot
> >>> $ samba-tool domain exportkeytab --principal smtp/mail.hprs.local dovecot.keytab
> >>>
> >>> Dovecot needs to be able to read the keytab file:
> >>>
> >>> $ chgrp dovecot /etc/dovecot/dovecot.keytab
> >>> $ chmod g+r /etc/dovecot/dovecot.keytab
> >>>
> >>> my new keytab:
> >>>
> >>> $ klist -Kek /etc/dovecot/dovecot.keytab
> >>> Keytab name: FILE:/etc/dovecot/dovecot.keytab
> >>> KVNO Principal
> >>> ---- --------------------------------------------------------------------------
> >>>      1 imap/mail.hprs.local at HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
> >>>      1 imap/mail.hprs.local at HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
> >>>      1 imap/mail.hprs.local at HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
> >>> (and if I also created the spn for smtp I would also have these:)
> >>>      1 smtp/mail.hprs.local at HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
> >>>      1 smtp/mail.hprs.local at HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
> >>>      1 smtp/mail.hprs.local at HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
> >>>
> >>> DOVECOT SETTINGS:
> >>>
> >>> Of crucial importance is to buld dovecot with GSSAPI! That is NOT one of the default settings.
> >>> In the build directory:
> >>>
> >>> ./configure --with-gssapi=yes
> >>>
> >>> Otherwise, settings are pretty simple. Add the following 3 settings to 10-auth.conf:
> >>>
> >>> auth_gssapi_hostname = "$ALL"
> >>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> >>> auth_mechanisms = plain login gssapi
> >>>
> >>> The auth_gssapi_hostname is supposedly not required according to dovecotList comments, but my
> >>> 10-auth.conf template implies differently, so it can't hurt.
> >>>
> >>> I couldn't get any of this working until I rebooted the Samba AD/DC-Dovecot server, but that
> >>> just may have been me not stopping/starting Samba and Dovecot in the right sequence (or, I
> >>> needed a Samba upgrade to 4.2!).
> >>>
> >>> In my WIN7 and Ubuntu Thunderbird clients I selected gssapi/kerberos for the IMAP authenticate
> >>> method and it works!
> >>>
> >>> Again, thanks to Achim for his critical help.
> >>>
> >>> Someone please put at least the required samba-tool commands into the wiki for other poor
> >>> schmucks like me.
> >>>
> >>> --Mark
> >>>
> >>>
> >> Glad you finaly got it working! Have you tried it without
> >> 'auth_gssapi_hostname = "$ALL"'? In my tests with those principals it
> >> worked without it.
> >> With Samba 4.4.3 there are also aes 128/256 versions of the keys in the
> >> exported keytab.
> >> On Windows 7 kinit shows what encryption was used. With arcfour-hmac it
> >> shows rc4-hmac.
> >>
> >> achim~
> >>
> >>
> > Thanks Achim, no haven't tried without the auth_gssapi_hostname settings, though it probably
> > will work. The dovecot people seemed to think so. I'm giving this a rest to let my brain cool
> > down. Perhaps I'll try it later.
> >
> > Please weight in on Rowland's comment about restricting documentation on kerberos
> > authentication to domain members.  I've posted a dissenting view, but maybe I'm alone in my
> > opinion that there should be no issue running a mail server on the same box as the AD/DC.
> > Perhaps few people do that, but my feeling is that most people do that.  Feedback by you and
> > others as to real-world use could be valuable.
> >
> > --Mark
> >
>
> Perhaps this info would be better on the Dovecot wiki ?
> I have no real problem with putting the info on the Samba wiki, but as I 
> said, stuff like this used to be on the wiki and it was removed during 
> Marc's clean up.
>
> If Marc gives the go ahead, I will add it, if he says no, then I won't, 
> there is no point in adding something that Marc is just going to remove.
>
> Rowland
>

Yes, they did add it to the dovecot wiki: http://wiki2.dovecot.org/Authentication/Kerberos

Certainly, check with Marc. I wouldn't advocate doing things against policy (but changing the
policy a bit?) Even though this is about dovecot specifically, in general, one should be able
to authenticate locally, as you mention in your email of July 4, 21:30:

"Samba only recommends using the DC for authentication, ... I never said that [kerberos
authentication is restricted to domain members], you can have kerberos authentication on a DC,"

The instructions on letting dovecot authenticate on the DC is a paradigm example. Users could
easily extrapolate that to other tools that need to authenticate. Perhaps the instructions
could be generalized and leaving of the dovecot config stuff, and changing the domain user and
keytab name to something not specifically saying "dovecot".

Thanks for all you help!

--Mark

More information about the samba mailing list