[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
Andrew Bartlett
abartlet at samba.org
Thu Jul 14 20:52:00 UTC 2016
On Sun, 2016-07-03 at 19:34 -0400, Mark Foley wrote:
> After a nearly 2-year struggle to get Dovecot to do either NTLM or
> GSSAPI authentication with
> Samba4 AD/DC, I believe I've finally got it! Infinite thanks to Achim
> Gottinger for his
> patience in working this through with me. Although my purpose was
> for Dovecot to authenticate
> mail clients, the configuration settings needed were on the Samba
> side. I hope these
> instructions can eventually make it into:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
>
> as those instructions contain nothing about the required `samba-tool spn add`
> and `samba-tool domain exportkeytab` settings, without which it is impossible
> to get Dovecot (and presumably other local authenticators needing
> GSSAPI/Kerberos) to authenticate.
>
> You need kerberos as the Samba built-in kerberos does not have needed
> commands like `klist`.
>
> My distro (Slackware 14.1) does not come with kerberos, but is easily
> found at:
>
> https://slackbuilds.org/repository/14.1/network/krb5/
>
> Per the samba docs, copy the krb5.conf template created when
> provisioned:
>
> $ cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
>
> (Note: the actual docs advise symlinking:
>
> ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf
>
> but I prefer making a copy in case I need to modify things).
>
> I've set the /etc/krb5.conf file to world readable. Its default
> contents are (and these do
> not need to be changed):
>
> [libdefaults]
> default_realm = HPRS.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> where HPRS.LOCAL is my realm, of course use your own.
>
> Now, we need a samba user in order to create the necessary SPNs
> (Server Principal Names):
>
> $ samba-tool user create dovecot
> New Password:
> Retype Password:
> User 'dovecot' created successfully
>
> Next, add the SPN(s), and create the keytab:
>
> $ samba-tool spn add imap/mail.hprs.local dovecot
> $ samba-tool domain exportkeytab --principal imap/mail.hprs.local dovecot.keytab
>
> Dovecot does not do my (outgoing) SMTP serving, only (incoming) IMAP,
> but if it did I'd have to
> create another SPN for smtp:
>
> $ samba-tool spn add smtp/mail.hprs.local dovecot
> $ samba-tool domain exportkeytab --principal smtp/mail.hprs.local dovecot.keytab
>
> Dovecot needs to be able to read the keytab file:
>
> $ chgrp dovecot /etc/dovecot/dovecot.keytab
> $ chmod g+r /etc/dovecot/dovecot.keytab
>
> my new keytab:
>
> $ klist -Kek /etc/dovecot/dovecot.keytab
> Keytab name: FILE:/etc/dovecot/dovecot.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 1 imap/mail.hprs.local at HPRS.LOCAL (des-cbc-crc) (0x232616c2a4fd08f7)
> 1 imap/mail.hprs.local at HPRS.LOCAL (des-cbc-md5) (0x232616c2a4fd08f7)
> 1 imap/mail.hprs.local at HPRS.LOCAL (arcfour-hmac) (0x9dae89a221dc374a39f560833352f60f)
> (and if I also created the spn for smtp I would also have these:)
> 1 smtp/mail.hprs.local at HPRS.LOCAL (des-cbc-crc) (0x232616c2a4fd08f7)
> 1 smtp/mail.hprs.local at HPRS.LOCAL (des-cbc-md5) (0x232616c2a4fd08f7)
> 1 smtp/mail.hprs.local at HPRS.LOCAL (arcfour-hmac) (0x9dae89a221dc374a39f560833352f60f)
>
> DOVECOT SETTINGS:
>
> Of crucial importance is to build dovecot with GSSAPI! That is NOT one
> of the default settings.
> In the build directory:
>
> ./configure --with-gssapi=yes
>
> Otherwise, settings are pretty simple. Add the following 3 settings
> to 10-auth.conf:
>
> auth_gssapi_hostname = "$ALL"
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> auth_mechanisms = plain login gssapi
>
> The auth_gssapi_hostname is supposedly not required according to
> Dovecot list comments, but my
> 10-auth.conf template implies differently, so it can't hurt.
>
> I couldn't get any of this working until I rebooted the Samba AD/DC
> -Dovecot server, but that
> just may have been me not stopping/starting Samba and Dovecot in the
> right sequence (or, I
> needed a Samba upgrade to 4.2!).
>
> In my WIN7 and Ubuntu Thunderbird clients I selected gssapi/kerberos
> for the IMAP authenticate
> method and it works!
>
> Again, thanks to Achim for his critical help.
>
> Someone please put at least the required samba-tool commands into the
> wiki for other poor
> schmucks like me.
This looks really great. I'm glad it worked out for you, and that we had the tools you needed.
In particular, I can confirm this is the recommended approach for additional services, be they on the DC or (more usually) another server.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
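A small audit script, added here as an example that is not part of the post or of Samba/Dovecot: it parses `klist -Kek` output like the listing above, reports which service principals the keytab holds, flags keys that use DES or RC4 (the only enctypes in that listing; DES is disabled by default in current MIT Kerberos and RC4 is deprecated, so a keytab with nothing stronger is worth knowing about), and checks that the keytab file is not world-readable. The sample listing is constructed from the post, with `@` restored where the archive prints ` at `.

```shell
#!/bin/sh
# Constructed sample of `klist -Kek /etc/dovecot/dovecot.keytab` output,
# modelled on the listing in the post (hex key hashes copied from it).
SAMPLE_KLIST='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
   1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)'

# Print the unique principal names in klist -Kek output read from stdin.
# Entry lines start with a numeric KVNO; header and ruler lines do not.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Print the DES and RC4 enctypes present in klist -Kek output read from stdin.
# The enctype is the third field, wrapped in parentheses, e.g. "(des-cbc-crc)".
keytab_weak_enctypes() {
    awk '$1 ~ /^[0-9]+$/ {
        et = $3; gsub(/[()]/, "", et)
        if (et ~ /^des-/ || et ~ /^arcfour/) print et
    }' | sort -u
}

# Succeed if principal $2 (e.g. imap/mail.hprs.local@HPRS.LOCAL) appears in
# the klist output passed as $1; use this to confirm the SPN you exported.
keytab_has_spn() {
    printf '%s\n' "$1" | keytab_principals | grep -qx "$2"
}

# Succeed only if the file grants no permissions to "other": columns 8-10 of
# `ls -l` are the other-rwx bits, so a 640 keytab shows "---" there.
keytab_mode_ok() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Usage with the constructed sample; in practice pipe real klist output in.
printf '%s\n' "$SAMPLE_KLIST" | keytab_weak_enctypes
```

Run against a real keytab, any line printed by `keytab_weak_enctypes` means the service has no AES key and clients that refuse DES/RC4 will fail GSSAPI negotiation.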