[Samba] GSSAPI/Kerberos authenticate with Dovecot
L.P.H. van Belle
belle at bazuin.nl
Wed Dec 12 15:28:49 UTC 2018
Ah, I think I see what's going on here.
The wiki example and yours are using a different setup.
The wiki uses a separate account, not the computer account like you.
Based on that wiki:
- install server + samba. (already done)
- join the domain. (also done)
Good, you said you have share access.
ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf << not needed.
Just use the default /etc/krb5.conf as long as your default realm is defined.
Don't use
$ samba-tool spn add imap/host.domain.com dovecot
$ samba-tool domain exportkeytab --principal imap/host.domain.com /etc/dovecot/dovecot.keytab
But on the member use:
net ads keytab add idmap/your.host.tld@REALM
This adds the SPN to the local keytab file AND the AD.
Here you have 2 options.
Use the system default keytab file or set up a separate one.
And you might need to add in the krb5.conf the line
ignore k5login # because krb5_kuserok() is used to check if access is allowed.
Greetz,
Louis
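An added offline check for the situation above (example code, not from the thread or from Samba): it derives the imap/FQDN@REALM principal Dovecot must hold from the default realm in krb5.conf and verifies the member server's keytab actually lists it. The krb5.conf and keytab listing are constructed samples modelled on the thread; on a real server you would feed it `klist -kt /etc/dovecot/dovecot.keytab`, `/etc/krb5.conf` and `hostname -f` as shown in the comment.

```shell
#!/bin/sh
# Added example, not from the thread: offline sanity checks for the Dovecot keytab.
# Real-world use (assumed commands: klist -kt, hostname -f):
#   check_dovecot_keytab "$(klist -kt /etc/dovecot/dovecot.keytab)" "$(cat /etc/krb5.conf)" "$(hostname -f)"

# Constructed sample krb5.conf; only the default realm matters for this check.
SAMPLE_KRB5_CONF='[libdefaults]
    default_realm = MY.FQDN.COM
    dns_lookup_kdc = true
[realms]
    MY.FQDN.COM = {
        kdc = dc1.my.fqdn.com
    }'

# Constructed sample of "klist -kt" output, modelled on the ktutil listing in the thread.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/12/2018 14:00:00 imap/dovecot.my.fqdn.com@MY.FQDN.COM
   2 12/12/2018 14:00:00 imap/dovecot.my.fqdn.com@MY.FQDN.COM
   2 12/12/2018 14:00:00 imap/dovecot.my.fqdn.com@MY.FQDN.COM'

# krb5_default_realm CONF_TEXT: print default_realm from [libdefaults]; prints nothing if unset.
krb5_default_realm() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*\[/ { section = $0; gsub(/[^A-Za-z_]/, "", section); next }
        section == "libdefaults" && NF == 2 {
            key = $1; gsub(/[ \t]/, "", key)
            if (key == "default_realm") { val = $2; gsub(/[ \t]/, "", val); print val; exit }
        }'
}

# dovecot_principal CONF_TEXT FQDN: print imap/FQDN@REALM; returns 1 when no realm is configured.
dovecot_principal() {
    realm=$(krb5_default_realm "$1")
    [ -n "$realm" ] || return 1
    printf 'imap/%s@%s\n' "$2" "$realm"
}

# keytab_has_principal LISTING PRINCIPAL: 0 if at least one key for PRINCIPAL is listed.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# check_dovecot_keytab LISTING CONF_TEXT FQDN: 0 when the keytab holds the expected principal.
check_dovecot_keytab() {
    princ=$(dovecot_principal "$2" "$3") || { echo "no default_realm in krb5.conf"; return 1; }
    if keytab_has_principal "$1" "$princ"; then
        echo "ok: $princ present in keytab"
    else
        echo "missing: $princ (register the SPN and export the keytab again)"; return 1
    fi
}
```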
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> basti via samba
> Sent: Wednesday, 12 December 2018 16:02
> To: samba at lists.samba.org
> Subject: Re: [Samba] GSSAPI/Kerberos authenticate with Dovecot
>
> I have tried.
>
> root@dc1:~# samba-tool delegation show dovecot\$
> Account-DN: CN=DOVECOT,CN=Computers,DC=MY,DC=FQDN,DC=COM
> UF_TRUSTED_FOR_DELEGATION: True
> UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: False
> root@dc1:~#
>
> The error is the same.
>
> On 12.12.18 15:51, L.P.H. van Belle via samba wrote:
> > What's set for the server in its delegation?
> >
> > sudo samba-tool delegation show dovecot\$
> > Run this on the DC, or add the -S YourDC.hostname
> >
> > You need something like this:
> > samba-tool delegation for-any-service dovecot\$ on
> > Or set it up for only imap, but cifs/nfs automounts may need this too.
> > After you've set it, I suggest you export the imap keytab again.
> > Not really sure if it's needed, but if it does not work, try it.
> > And use the stop and start commands, not restart/reload.
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >> basti via samba
> >> Sent: Wednesday, 12 December 2018 15:31
> >> To: samba at lists.samba.org
> >> Subject: [Samba] GSSAPI/Kerberos authenticate with Dovecot
> >>
> >> Hello,
> >>
> >> I am trying to set up Dovecot with Kerberos/GSSAPI and use this howto:
> >> https://wiki.samba.org/index.php/Authenticating_Dovecot_against_Active_Directory#Create_the_Dovecot_user_and_keytab
> >>
> >> I also tried https://wiki.dovecot.org/Authentication/Kerberos
> >>
> >> I can login as windows user on win7 and access shares.
> >> When I open Thunderbird I get the message:
> >>
> >> "kerberos/gssapi ticket was not accepted"
> >>
> >> For debugging I use Kerbtray.
> >>
> >> The Tickets I get are:
> >>
> >> MY.FQDN.COM
> >> |-- cifs/dc1.my.fqdn.com
> >> |-- cifs/files.my.fqdn.com
> >> |-- krbtgt/MY.FQDN.COM
> >> |-- krbtgt/MY.FQDN.COM
> >> |-- LDAP/dc1.my.fqdn.com/my.fqdn.com
> >>
> >> There is *no* imap ticket.
> >>
> >> root@dovecot:~# ktutil
> >> ktutil: rkt /etc/dovecot/dovecot.keytab
> >> ktutil: l
> >> slot KVNO Principal
> >> ---- ---- ---------------------------------------------------------------------
> >>    1    2 imap/dovecot.my.fqdn.com@MY.FQDN.COM
> >>    2    2 imap/dovecot.my.fqdn.com@MY.FQDN.COM
> >>    3    2 imap/dovecot.my.fqdn.com@MY.FQDN.COM
> >> ktutil: q
> >> root@dovecot:~#
> >>
> >> Best Regards,
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
> >
> >
>