[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Andrew Bartlett abartlet at samba.org
Thu Jul 14 20:52:00 UTC 2016


On Sun, 2016-07-03 at 19:34 -0400, Mark Foley wrote:
> After a nearly 2-year struggle to get Dovecot to do either NTLM or
> GSSAPI authentication with
> Samba4 AD/DC, I believe I've finally got it! Infinite thanks to Achim
> Gottinger for his
> patience in working this through with me.  Although my purpose was
> for Dovecot to authenticate
> mail clients, the configuration settings needed were on the Samba
> side.  I hope these
> instructions can eventually make it into:
> 
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> 
> as those instructions contain nothing about the required `samba-tool
> spn add` and `samba-tool domain exportkeytab` settings, without which
> it is impossible to get Dovecot (and presumably other local
> authenticators needing GSSAPI/Kerberos) to authenticate.
> 
> You need kerberos as the Samba built-in kerberos does not have needed
> commands like `klist`.
> 
> My distro (Slackware 14.1) does not come with kerberos, but is easily
> found at:
> 
> https://slackbuilds.org/repository/14.1/network/krb5/
> 
> Per the samba docs, copy the krb5.conf template created when
> provisioned:
> 
> $ cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
> 
> (Note: the actual docs advise symlinking:
> 
>   ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf
> 
> but I prefer making a copy in case I need to modify things).
> 
> I've set the /etc/krb5.conf file to world readable.  Its default
> contents are (and these do not need to be changed):
> 
> [libdefaults]
>         default_realm = HPRS.LOCAL
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> 
> where HPRS.LOCAL is my realm, of course use your own.
> 
> Now, we need a samba user in order to create the necessary SPNs
> (Server Principal Names):
> 
> $ samba-tool user create dovecot
> New Password:
> Retype Password:
> User 'dovecot' created successfully
> 
> Next, add the SPN(s), and create the keytab:
> 
> $ samba-tool spn add imap/mail.hprs.local dovecot
> $ samba-tool domain exportkeytab --principal imap/mail.hprs.local
> dovecot.keytab
> 
> Dovecot does not do my (outgoing) SMTP serving, only (incoming) IMAP,
> but if it did I'd have to
> create another SPN for smtp:
> 
> $ samba-tool spn add smtp/mail.hprs.local dovecot
> $ samba-tool domain exportkeytab --principal smtp/mail.hprs.local
> dovecot.keytab
> 
> Dovecot needs to be able to read the keytab file:
> 
> $ chgrp dovecot /etc/dovecot/dovecot.keytab
> $ chmod g+r /etc/dovecot/dovecot.keytab
> 
> my new keytab:
> 
> $ klist -Kek /etc/dovecot/dovecot.keytab
> Keytab name: FILE:/etc/dovecot/dovecot.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
>    1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
>    1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
> (and if I also created the spn for smtp I would also have these:)
>    1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
>    1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
>    1 smtp/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
> 
> DOVECOT SETTINGS:
> 
> Of crucial importance is to build dovecot with GSSAPI! That is NOT one
> of the default settings.
> In the build directory:
> 
> ./configure --with-gssapi=yes
> 
> Otherwise, settings are pretty simple. Add the following 3 settings
> to 10-auth.conf:
> 
> auth_gssapi_hostname = "$ALL"
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> auth_mechanisms = plain login gssapi
> 
> The auth_gssapi_hostname is supposedly not required according to
> Dovecot list comments, but my
> 10-auth.conf template implies differently, so it can't hurt.
> 
> I couldn't get any of this working until I rebooted the Samba AD/DC
> -Dovecot server, but that
> just may have been me not stopping/starting Samba and Dovecot in the
> right sequence (or, I
> needed a Samba upgrade to 4.2!). 
> 
> In my WIN7 and Ubuntu Thunderbird clients I selected gssapi/kerberos
> for the IMAP authenticate
> method and it works!
> 
> Again, thanks to Achim for his critical help.
> 
> Someone please put at least the required samba-tool commands into the
> wiki for other poor
> schmucks like me.

This looks really great.  I'm glad it worked out for you, and that we had the tools you needed.

In particular, I can confirm this is the recommended approach for additional services, be they on the DC or (more usually) another server.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
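As an added example (not from the post, nor Samba's or Dovecot's own code), a small POSIX shell checker for the end state the procedure above produces: the keytab lists the service principal Dovecot needs, is group- but not world-readable (the chgrp/chmod step), 10-auth.conf enables gssapi with a keytab path, and any DES or RC4 keys in the keytab are reported, since those enctypes are deprecated. The klist listing and config fragment are constructed samples with dummy key bytes.

```shell
#!/bin/sh
# Constructed sample of `klist -Kek` output in the shape the post shows;
# the key bytes are dummies, not real key material.
SAMPLE_KLIST='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x0000000000000000)
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x0000000000000000)
   1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x00000000000000000000000000000000)'

# Constructed 10-auth.conf fragment with the three settings from the post.
SAMPLE_AUTH_CONF='auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi'

# keytab_has_principal LISTING PRINCIPAL -> 0 if LISTING has a key for PRINCIPAL
keytab_has_principal() {
    printf '%s\n' "$1" | grep -q "^ *[0-9][0-9]* $2 ("
}

# keytab_weak_enctypes LISTING -> prints each DES or RC4 enctype present, one
# per line; both families are deprecated and should not be the only keys kept
keytab_weak_enctypes() {
    printf '%s\n' "$1" | awk '
        match($0, /\((des-cbc-[a-z0-9]+|arcfour-hmac[a-z0-9-]*)\)/) {
            print substr($0, RSTART + 1, RLENGTH - 2)
        }' | sort -u
}

# keytab_weak_count LISTING -> number of distinct weak enctypes
keytab_weak_count() {
    keytab_weak_enctypes "$1" | wc -l | tr -d ' '
}

# keytab_perms_ok PATH -> 0 if PATH is readable by group but not by others,
# i.e. the chgrp dovecot / chmod g+r state the post sets up
keytab_perms_ok() {
    mode=$(ls -l "$1" | cut -c1-10)       # e.g. -rw-r-----
    case "$mode" in
        ????r??---) return 0 ;;
        *) return 1 ;;
    esac
}

# dovecot_auth_ok CONF_TEXT -> 0 if gssapi is enabled and a keytab path is set
dovecot_auth_ok() {
    printf '%s\n' "$1" | grep -q '^ *auth_mechanisms *=.*[ =]gssapi' &&
    printf '%s\n' "$1" | grep -q '^ *auth_krb5_keytab *= *[^ ]'
}
```

Run the checks against the real `klist -Kek` output and keytab path after the `samba-tool domain exportkeytab` step; a listing that contains only DES and RC4 keys is worth raising with whoever administers the domain's enctype policy.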