[Samba] Where is krb5.keytab or equivalent?

Achim Gottinger achim at ag-web.biz
Thu Jun 30 23:38:15 UTC 2016


Did a few tests here: "auth_gssapi_hostname = "$ALL"" is no longer 
required with dovecot (2.2.13 here).

Add "auth_debug=yes" to your dovecot config.

192.168.100.1 is my client's IP, 192.168.100.101 is the server's.

ag is the domain account username I use to login to windows and also the 
username configured in thunderbird.

On my debian system a package named libsasl2-modules-gssapi-mit must be 
installed.

To test kerberos against dovecot from the command line install "mutt".

I assume your windows account name is "mark"

~#kinit mark
~#MAIL=imap://mark@mail.hprs.local/ mutt

A successful login with mutt looks like this in the mail logfile:

Debug: auth client connected (pid=22585)
logon-zor dovecot: auth: Debug: client in: 
AUTH#0111#011GSSAPI#011service=imap#011secured#011session=p/ahQ4c2/wB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=44287#011resp=<hidden>
logon-zor dovecot: auth: Debug: gssapi(?,127.0.0.1,<p/ahQ4c2/wB/AAAB>): 
Obtaining credentials for imap@
logon-zor dovecot: auth: Debug: gssapi(ag,127.0.0.1,<p/ahQ4c2/wB/AAAB>): 
security context state completed.
logon-zor dovecot: auth: Debug: client passdb out: 
CONT#0111#011YIGVBgkqhkiG9xIBAgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrXAIZT4a2p58/+ylPphtphYA6sTnK4QCyRkHRm1VTnvrfjxc3Ya2ui9IHsBGnPggzjLVNScFx6aHJi99VCDG7s07zNUF8d4WHuNZz7el5gwK4Quy3AeUX8zVa7xkIECuTtT5W7BjpsBThhMc=
logon-zor dovecot: auth: Debug: client in: CONT<hidden>
logon-zor dovecot: auth: Debug: gssapi(ag,127.0.0.1,<p/ahQ4c2/wB/AAAB>): 
Negotiated security layer
logon-zor dovecot: auth: Debug: client passdb out: 
CONT#0111#011BQQF/wAMAAAAAAAAKxVA5AH///8b1puThszycYxSFvE=
logon-zor dovecot: auth: Debug: client in: CONT<hidden>

imap-login: Login: user=<ag>, method=GSSAPI, rip=127.0.0.1, 
lip=127.0.0.1, mpid=19022, TLS, session=<CdYH6IY2oADAwAw9>


Also take a look at this page
http://wiki2.dovecot.org/Authentication/Kerberos

Looking at my SPNs, you may also need

samba-tool spn add imap/mail.hprs.local dovecot



Am 01.07.2016 um 00:46 schrieb Mark Foley:
> Achim,
>
> I deleted the keytab file and did the following:
>
> $ samba-tool user delete dovecot
> $ samba-tool user add dovecot
>
> # again, that asked for a password and I assigned one.
>
> $ samba-tool spn add smpt/mail.hprs.local at HPRS.LOCAL dovecot
> $ samba-tool spn add imap/mail.hprs.local at HPRS.LOCAL dovecot
>
> $ ktutil
> ktutil:  addent -password -p smtp/mail.hprs.local at HPRS.LOCAL -k 1 -e arcfour-hmac
> Password for smtp/mail.hprs.local at HPRS.LOCAL:
> ktutil:  addent -password -p imap/mail.hprs.local at HPRS.LOCAL -k 1 -e arcfour-hmac
> Password for imap/mail.hprs.local at HPRS.LOCAL:
> ktutil:  wkt /etc/dovecot/dovecot.keytab
> ktutil:  quit
>
> $ ktutil
> ktutil:  read_kt /etc/dovecot/dovecot.keytab
> ktutil:  list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>     1    1          smtp/mail.hprs.local at HPRS.LOCAL
>     2    1          imap/mail.hprs.local at HPRS.LOCAL
>
> So, much better. Duh for me not noticing that I had to change fqdn and domain to my own.
>
> Reloaded dovecot and tried again. Same error :(
>
> Jun 30 18:36:10 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<OTQqf4Y2SgDAqAA6>
>
> You wrote:
>
>> It must be possible for Thunderbird to use plain authentification with your windows account
>> username.  Can be you must configure userdb and passdb to do ldap lookups against active
>> directory.
> Yes, Thunderbird (and Outlook, iPhone/Android, roundCube) all do plain text auth to dovecot. I will
> continue to need this for non-domain email clients. According to the dovecot folks, the passwd
> as userdb should work OK for gssapi. The passdb is ignored for gssapi. Besides, LDAP
> authentication is another one (along with NTLM) that I haven't been able to get working with
> Dovecot. The only ones I've been able to get working are PLAIN and, believe it or not,
> checkpassword - which is basically a passdb driver for PLAIN.
>
> Perhaps there is some samba setting I'm missing? Here's my AD/DC smb.conf, do you see anything
> missing I need? :
>
> [global]
>          workgroup = HPRS
>          realm = hprs.local
>          netbios name = MAIL
>          interfaces = lo, eth1
>          bind interfaces only = Yes
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>          idmap_ldb:use rfc2307 = yes
>
>      winbind use default domain = yes
>
>      load printers = no
>      printing = bsd
>      printcap name = /dev/null
>      disable spoolss = yes
>
>      log level = 2 passdb:5 auth:10 winbind:2 lanman:10
>      max log size = 1000
>
> [netlogon]
>          path = /var/lib/samba/sysvol/hprs.local/scripts
>          read only = No
>
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
>
> [Users]
>      path = /redirectedFolders/Users
>      comment = user folders for redirection
>      read only = No
>
> [share]
>      path = /var/lib/samba/share
>      comment = Shared folder
>      read only = No
>
> Thanks --Mark
>
> -----Original Message-----
>> To: samba at lists.samba.org
>> From: Achim Gottinger <achim at ag-web.biz>
>> Date: Thu, 30 Jun 2016 23:44:17 +0200
>> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
>>
>> Am 30.06.2016 um 23:16 schrieb Mark Foley:
>>> Achim, thanks a lot! A couple of questions on your suggested settings:
>>>
>>>> 1. Create an user
>>>> samba-tool create user dovcot
>>> I did this (actually `samba-tool user create dovecot`), but it asked for a password.  I
>>> entered one.  You didn't mention that, so I hope it's OK.
>> Yes
>>>    
>>>
>>>> 2. Add the spn
>>>> samba-tool spn add  smtp/server.domain.local at DOMAIN.LOCAL dovecot
>>>> samba-tool spn add  imap/server.domain.local at DOMAIN.LOCAL dovecot
>>> Did that too. No issue there.
>> Well, you must substitute server.domain.local with your mailserver fqdn
>> and DOMAIN.LOCAL with HPRS.LOCAL.
>>>> 3. Create the keytab file
>>>> ktutil
>>>> addent -password -p smtp/server.domain.local at DOMAIN.LOCAL -k 1 -e
>>>> arcfour-hmac
>>>> addent -password -p imap/server.domain.local at DOMAIN.LOCAL -k 1 -e
>>>> arcfour-hmac
>>>> wkt /etc/dovecot/dovecot.keytab
>>> As you can see, your text wrapped, but from the error message I got I assumed the -e [enctype]
>>> should have been the arcfour-hmac on the next line.  So I did:
>>>
>>> $ ktutil
>>> ktutil: addent -password -p smtp/server.domain.local at DOMAIN.LOCAL -k 1 -e arcfour-hmac
>>> ktutil: addent -password -p imap/server.domain.local at DOMAIN.LOCAL -k 1 -e arcfour-hmac
>> Same here, substitute like above and, as you said, arcfour-hmac belongs in
>> the same line.
>>> Of course, that will probably also wrap when you get this message, but basically I put the
>>> arcfour-hmac on the same line as the addent. Each time, these commands also asked for a
>>> password. Again, you didn't mention that, but I used the same password I used for the
>>> `samba-tool user create` command above.
>>>
>>> I tried 'wkt /etc/dovecot/dovecot.keytab' while in ktutil, but I got, "Unknown request "wtk".
>>> Type '?' for a request list." In looking at the "?" list I saw 'wkt', so I assumed you simply
>>> transposed the letters.  I tried it and it took.
>> Yes, wkt is the command, but make sure /etc/dovecot/dovecot.keytab does
>> not yet exist.
>> Only the two keys you just added are required to get kerberos working.
>> The system keytab you generated with samba-tool domain exportkeytab is
>> not required.
>>>    
>>>
>>>> 4. Add this to your dovecot config
>>>>
>>>> # Kerberos
>>>> auth_gssapi_hostname = "$ALL"
>>>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
>>> Did that.  In addition, I set the keytab file's group to dovecot and made the file group
>>> readable, as suggested by http://wiki2.dovecot.org/Authentication/Kerberos.  I also tried
>>> making it world readable.  Now, after doing all that and restarting dovecot I still get the
>>> same dovecot error:
>>>
>>> Jun 30 16:59:54 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=192.168.0.2, TLS, session=<3hLnJoU2vgDAqAA6>
>>>
>>> and still the same error in Thunderbird: "The Kerberos/DSSAPI ticket was not accepted by the
>>> IMAP server mark at ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."
>>>
>>> As I've mentioned before, "mark at ohprs.org" is not a server. It is the email address of the
>>> Thunderbird account (running on WIN7).
>>>
>>> Here is my doveconf -n (gssapi marked with *):
>>>
>>> auth_debug_passwords = yes
>>> * auth_gssapi_hostname = $ALL
>>> * auth_krb5_keytab = /etc/krb5.keytab
>>> * auth_mechanisms = plain login gssapi
>>> auth_verbose = yes
>>> auth_verbose_passwords = plain
>>> disable_plaintext_auth = no
>>> info_log_path = /var/log/dovecot_info
>>> mail_location = maildir:~/Maildir
>>> passdb {
>>>     driver = shadow
>>> }
>>> protocols = imap
>>> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
>>> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
>>> userdb {
>>>     driver = passwd
>>> }
>>> verbose_ssl = yes
>>>
>>> (yes, I put the keytab file in /etc/krb5.keytab, not in etc/dovecot. Should be OK, right?)
>>>
>>> Here is my keytab list (partial); note that every entry appears in triplicate. I don't see
>>> 'dovecot' in there at all; maybe that's OK:
>>>
>>> ktutil:  list
>>> slot KVNO Principal
>>> ---- ---- ---------------------------------------------------------------------
>>>      1   18                       COMMON$@HPRS.LOCAL
>>>      2   18                       COMMON$@HPRS.LOCAL
>>>      3   18                       COMMON$@HPRS.LOCAL
>>>      4    1                         MAIL$@HPRS.LOCAL
>>>      5    1                         MAIL$@HPRS.LOCAL
>>>      6    1                         MAIL$@HPRS.LOCAL
>>>      7    1                     charmaine at HPRS.LOCAL
>>>      8    1                     charmaine at HPRS.LOCAL
>>>      9    1                     charmaine at HPRS.LOCAL
>>>      :
>>>     19    1                 Administrator at HPRS.LOCAL
>>>     20    1                 Administrator at HPRS.LOCAL
>>>     21    1                 Administrator at HPRS.LOCAL
>>>      :
>>>     91    1                        krbtgt at HPRS.LOCAL
>>>     92    1                        krbtgt at HPRS.LOCAL
>>>     93    1                        krbtgt at HPRS.LOCAL
>>>      :
>>>     97    1    smtp/server.domain.local at DOMAIN.LOCAL
>>>     98    1    imap/server.domain.local at DOMAIN.LOCAL
>>>
>>> Can you tell from any of this why I'm still not able to authenticate?
>> You only need the lines 97 and 98 and substitute fqdn and realm like I
>> mentioned above.
>> It must be possible for Thunderbird to use plain authentication with
>> your windows account username.
>> It may be that you must configure userdb and passdb to do ldap lookups against
>> active directory.
>>> Thanks, --Mark
>>>
>>> -----Original Message-----
>>>> To: samba at lists.samba.org
>>>> From: Achim Gottinger <achim at ag-web.biz>
>>>> Date: Thu, 30 Jun 2016 11:51:34 +0200
>>>>
>>>> Am 30.06.2016 um 10:45 schrieb Mark Foley:
>>>>> To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set
>>>>> Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab
>>>>> file as required by Dovecot. I've also downloaded and installed Kerberos for access to
>>>>> the k* commands (ktutil, kinit, klist, ...).
>>>>>
>>>>> In my current setup, the Thunderbird client (WIN7 workstation) is not connecting.  The WIN7
>>>>> workstation is a domain member and works fine otherwise with Samba4 for AD user authentication,
>>>>> etc.  Thunderbird gives the following error:
>>>>>
>>>>> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark at ohprs.org. Please check
>>>>> that you are logged in to the Kerberos/GSSAPI realm."
>>>>>
>>>>> One disconcerting bit about that message is the named IMAP server "mark at ohprs.org" is not a
>>>>> server at all, but rather the email address of the Thunderbird account.
>>>>>
>>>>> When attempting to connect, the Dovecot log simply has "Disconnected (no auth attempts in 18
>>>>> secs): user=<>". No message at all appears in the samba log although I have auth:10 level set.
>>>>> Dovecot's 'configuration' for GSSAPI consists of nothing more than specifying:
>>>>>
>>>>> auth_mechanisms = plain login gssapi
>>>>>
>>>>> That's it (the other mechanism work just fine, BTW). Not much I can mess with there.
>>>>>
>>>>> I think the problem is with Samba and handling the authentication.  I do not think my Samba4 is
>>>>> configured correctly. Over a year ago Rowland Penny helped me configure a Ubuntu workstation
>>>>> for single-sign-on using Kerberos. He had me put the following lines into that workstation's
>>>>> smb.conf file, none of which appear in the provisioned smb.conf on the Samba4 AD/DC server:
>>>>>
>>>>> security = ADS
>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>> kerberos method = secrets and keytab
>>>>> winbind nss info = rfc2307
>>>>> winbind trusted domains only = no
>>>>> winbind enum users = yes
>>>>> winbind enum groups = yes
>>>>> winbind refresh tickets = Yes
>>>>>
>>>>> I've tried sticking all of these in the AD/DC smb.conf and, when restarting Samba, I get a log
>>>>> message, "Samba detected misconfigured 'server role' and exited."
>>>>>
>>>>> He also had me put the following in /etc/nsswitch.conf:
>>>>>
>>>>> passwd:         compat winbind
>>>>> group:          compat winbind
>>>>>
>>>>> Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server
>>>>> for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.
>>>>>
>>>>> Need Help! Thanks --Mark
>>>> Hello Mark,
>>>>
>>>> This is what I used on debian wheezy a few years back. I assume
>>>> arcfour-hmac is unsafe these days, but I have not yet investigated
>>>> other working encryption methods here.
>>>> If you need smtp (postfix with auth via dovecot) also add the smtp
>>>> spn's. Use the password for user dovecot during keytab creation.
>>>>
>>>> 1. Create an user
>>>> samba-tool create user dovcot
>>>>
>>>> 2. Add the spn
>>>> samba-tool spn add  smtp/server.domain.local at DOMAIN.LOCAL dovecot
>>>> samba-tool spn add  imap/server.domain.local at DOMAIN.LOCAL dovecot
>>>>
>>>> 3. Create the keytab file
>>>> ktutil
>>>> addent -password -p smtp/server.domain.local at DOMAIN.LOCAL -k 1 -e
>>>> arcfour-hmac
>>>> addent -password -p imap/server.domain.local at DOMAIN.LOCAL -k 1 -e
>>>> arcfour-hmac
>>>> wkt /etc/dovecot/dovecot.keytab
>>>>
>>>> 4. Add this to your dovecot config
>>>>
>>>> # Kerberos
>>>> auth_gssapi_hostname = "$ALL"
>>>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
>>>>
>>>> Hope it helps,
>>>> achim~
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>
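Added example for this thread (not code from the thread, from Samba or from Dovecot): a small Python script that parses an MIT-format keytab, the file that ktutil's wkt writes, and checks it for the imap/ and smtp/ service principals of a given mail server FQDN and realm. It flags principals that are missing, principals that still carry a template host or realm such as the server.domain.local@DOMAIN.LOCAL entries Mark listed, and entries whose enctype is arcfour-hmac (or DES/3DES), since those types are deprecated by RFC 8429. The keytab bytes are constructed inside the script; the record layout assumed is the documented MIT keytab version 2 (0x0502) format, and the file path, FQDN and realm on the command line are the caller's choice.

```python
"""Inspect an MIT-format keytab for the SPNs a Dovecot GSSAPI setup needs.

Added example, not from the thread.  The sample keytab is constructed below;
to check a real file run:
    python3 keytab_check.py /etc/dovecot/dovecot.keytab mail.hprs.local HPRS.LOCAL
"""
import struct
import sys

# RFC 3961/3962 enctype numbers.  arcfour-hmac (23), the type used in the
# thread, is deprecated by RFC 8429 together with DES (1, 3) and 3DES (16).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 16, 23}


def _counted(b: bytes) -> bytes:
    """MIT keytab counted_octet_string: 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialize [(principal, kvno, enctype, key)] as keytab version 0x0502.
    Used only to construct the sample input for this example."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        # name_type 1 = NT-PRINCIPAL, timestamp 0, 8-bit vno, then keyblock
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)             # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body  # size excludes itself
    return bytes(out)


def parse_keytab(data: bytes):
    """Return [{principal, kvno, enctype}] from keytab bytes (keys skipped)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted entry (hole)
            pos -= size
            continue
        end = pos + size

        def counted():
            nonlocal pos
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            s = data[pos:pos + n]
            pos += n
            return s.decode()

        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = counted()
        comps = [counted() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen         # skip the key material itself
        kvno = vno8
        if end - pos >= 4:      # 32-bit vno present; a non-zero value wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
    return entries


def check_keytab(entries, fqdn, realm, services=("imap", "smtp")):
    """Report service principals that are missing, use a weak enctype, or
    sit under the wrong host/realm (e.g. an unedited template name)."""
    wanted = {f"{svc}/{fqdn}@{realm}" for svc in services}
    present = {e["principal"] for e in entries}
    missing = sorted(wanted - present)
    weak = sorted({e["principal"] for e in entries if e["enctype"] in WEAK_ENCTYPES})
    misnamed = sorted(p for p in present
                      if p.split("/")[0] in services and p not in wanted)
    return {"missing": missing, "weak": weak, "misnamed": misnamed}


# Constructed sample: the untouched template principals from the thread plus
# one correctly named imap SPN, all arcfour-hmac with dummy 16-byte keys.
SAMPLE_KEYTAB = build_keytab([
    ("smtp/server.domain.local@DOMAIN.LOCAL", 1, 23, b"\x11" * 16),
    ("imap/server.domain.local@DOMAIN.LOCAL", 1, 23, b"\x22" * 16),
    ("imap/mail.hprs.local@HPRS.LOCAL", 1, 23, b"\x33" * 16),
])

if __name__ == "__main__":
    if len(sys.argv) == 4:
        data, fqdn, realm = open(sys.argv[1], "rb").read(), sys.argv[2], sys.argv[3]
    else:
        data, fqdn, realm = SAMPLE_KEYTAB, "mail.hprs.local", "HPRS.LOCAL"
    ents = parse_keytab(data)
    for e in ents:
        print(f'{e["kvno"]:>4} {ENCTYPE_NAMES.get(e["enctype"], e["enctype"]):<24} {e["principal"]}')
    for k, v in check_keytab(ents, fqdn, realm).items():
        print(f"{k}: {v or 'none'}")
```

On the sample, the report lists smtp/mail.hprs.local@HPRS.LOCAL as missing, the two server.domain.local entries as misnamed, and all three entries as weak, which is the state Mark's first keytab was in. Only principal names, KVNOs and enctypes are read; the key bytes themselves are skipped, so the output is safe to paste into a list reply.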