Jan, thanks for your helpful reply. You wrote:

> With Dovecot I got the SSO working with Kerberos, and this part is
> working great. Other parts (shared mailboxes, that sort of stuff) aren't
> working for me yet. ...
I'm the opposite. My mailbox setup has been working great for a year and a half, though I've not bothered with shared mailboxes yet. I've attempted to follow your instructions, but I am still having problems.

First, my errors:

Jun 28 01:04:49 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 01:04:49 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 01:04:49 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 28 01:04:49 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 28 01:04:49 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<Zg2Nk082LgDAqAA6>

Now, your instructions:

> One of the tricky bits is you need a kerberos keytab with two services.
> I used ktutil:
> # ktutil
> ktutil: read_kt mail-imap.keytab
> ktutil: read_kt mail-smtp.keytab
> ktutil: write_kt mail.keytab
> ktutil: quit
>
> I'm using a windows 2003 r2 server as domain controller, to create a
> keytab file you need the windows 2003 support tools.
>
> ktpass.exe -princ imap/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL
> -mapuser GCECAD-SERVICE\mail-imap -crypto RC4-HMAC-NT -pass koeltje234
> -ptype KRB5_NT_PRINCIPAL -out mail-imap.keytab
>
> ktpass.exe -princ smtp/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL
> -mapuser GCECAD-SERVICE\mail-smtp -crypto RC4-HMAC-NT -pass koeltje234
> -ptype KRB5_NT_PRINCIPAL -out mail-smtp.keytab

I ran ktutil, but the commands "read_kt mail-imap.keytab" and "read_kt mail-smtp.keytab" returned:

No such file or directory while reading keytab "mail-imap.keytab"

Perhaps your subsequent ktpass commands are meant to create those. I do not have a ktpass command. I therefore do not have these files. I suppose that could be part of my problem. Can you share the actual contents of these files?
I could create them by hand. Do Dovecot and/or Kerberos know where to look for these?

> On the dovecot server I had to install a kerberos package:

Likewise, I installed Kerberos for Slackware. It tested OK. I was able to do a kinit and klist per the instructions at https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

> My kerberos configuration:
> # vi /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log

I added the [logging] section. Of note, these log files do not exist after multiple attempts with my gssapi connection. Probably a bad sign.

> [libdefaults]
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> default_realm = GCECAD-SERVICE.LOCAL
> default_keytab_file = /etc/krb5.keytab
> default_ccache_name = KEYRING:persistent:%{uid}
> allow_weak_crypto = true
> default_tkt_enctypes = arcfour-hmac-md5
> default_tgs_enctypes = arcfour-hmac-md5
> permitted_enctypes = arcfour-hmac-md5

I added all these as well, changing your GCECAD-SERVICE.LOCAL to my HPRS.LOCAL.

> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> krb4_convert = false
> }

I also added this [appdefaults] section.

> [realms]
> GCECAD-SERVICE.LOCAL = {
> kdc = this.is.the.dns.name.of.your.kdc
> admin_server = this.is.the.dns.name.of.your.kdc
> }

I tried with and without this section. Not sure what this.is.the.dns.name.of.your.kdc is supposed to be. I changed mine to the domain FQDN of the server:

[realms]
HPRS.LOCAL = {
kdc = mail.hprs.local
admin_server = mail.hprs.local
}

> [domain_realm]
> .gcecad-service.local = GCECAD-SERVICE.LOCAL
> gcecad-service.local = GCECAD-SERVICE.LOCAL
> .gcecad-service.nl = GCECAD-SERVICE.LOCAL
> gcecad-service.nl = GCECAD-SERVICE.LOCAL

I also tried with and without this section.
Again, not sure what should go there. I tried:

[domain_realm]
.hprs.local = HPRS.LOCAL
hprs.local = HPRS.LOCAL
.hprs.nl = HPRS.LOCAL
hprs.nl = HPRS.LOCAL

I'm a bit skeptical of the above, as .nl is your public top-level domain. In fact, after adding these sections I got no error logged in dovecot_log, but did get a message pop up on Thunderbird saying, "Could not connect to mail server m...@ohprs.org; the connection was refused."

> Dovecot config, the needed parts:
> In /etc/dovecot/conf.d/10-auth.conf :
> auth_krb5_keytab = /etc/dovecot/mail.keytab
> auth_mechanisms = plain gssapi

I added those.

> In /etc/dovecot/conf.d/auth-system.conf.ext :
> passdb {
> driver = pam
> }
> userdb {
> driver = static
> args = uid=2000 gid=2000 home=/var/vmail/%Ln allow_all_users=yes
> }

I used my same userdb and passdb settings (although I understand that passdb is not used by gssapi?):

passdb {
driver = shadow
}
userdb {
driver = passwd
}

> In /etc/pam.d/dovecot :
> #%PAM-1.0
> auth sufficient pam_krb5.so no_user_check validate
> account sufficient pam_permit.so

The /etc/pam.d directory did not exist, so I created it and added the dovecot file as shown. The permissions are a+r.

So, no go so far, but I am encouraged that you have it working. Perhaps you can point out what I might be missing or have otherwise done wrong?

THX
--Mark
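As an added example (not code from Jan's or Mark's messages), the script below does offline what the quoted ktutil "read_kt / read_kt / write_kt" step does: it builds two single-service keytabs of the kind ktpass would emit, merges them into one file, lists the result the way "klist -kte" would, and reports which service principals are missing. It assumes the MIT version-2 keytab layout (0x0502 header, then length-prefixed entries); the principal and realm names are the ones from Jan's ktpass commands, the 16-byte RC4 keys are constructed dummies rather than keys derived from any password, and the function names (build_demo, merge_keytabs, missing_services) are this example's own.

```python
"""Added example: build, merge and list MIT Kerberos keytabs without ktutil.
Assumed v2 layout per entry:
  int32 size | uint16 ncomp | realm | ncomp x component | uint32 name_type
  | uint32 timestamp | uint8 vno8 | uint16 enctype | uint16 keylen | key
  | optional uint32 kvno
Keys below are constructed dummies; ktpass/the KDC supplies real ones."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

KEYTAB_VERSION = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1        # ktpass -ptype KRB5_NT_PRINCIPAL
ENCTYPE_RC4_HMAC = 23        # ktpass -crypto RC4-HMAC-NT (arcfour-hmac-md5)
ENCTYPE_NAMES = {23: "arcfour-hmac", 18: "aes256-cts-hmac-sha1-96"}


@dataclass
class KeytabEntry:
    realm: str
    components: Tuple[str, ...]
    enctype: int
    kvno: int
    key: bytes
    timestamp: int = 0
    name_type: int = KRB5_NT_PRINCIPAL

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _counted(raw: bytes) -> bytes:
    """uint16 big-endian length prefix, as used for realm and name parts."""
    return struct.pack(">H", len(raw)) + raw


def _read_counted(data: bytes, pos: int) -> Tuple[str, int]:
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def encode_entry(e: KeytabEntry) -> bytes:
    body = struct.pack(">H", len(e.components))     # v2: realm not counted
    body += _counted(e.realm.encode())
    body += b"".join(_counted(c.encode()) for c in e.components)
    body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
    body += struct.pack(">I", e.kvno)               # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def write_keytab(entries: Iterable[KeytabEntry]) -> bytes:
    return KEYTAB_VERSION + b"".join(encode_entry(e) for e in entries)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # deleted slot (ktutil delete_entry): skip
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp)
        name_type, timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        key = data[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        if end - pos >= 4:           # optional 32-bit kvno; nonzero overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        pos = end
        entries.append(KeytabEntry(realm, tuple(comps), enctype, kvno, key, timestamp, name_type))
    return entries


def merge_keytabs(*keytabs: bytes) -> bytes:
    """Equivalent of ktutil: read_kt a; read_kt b; write_kt merged."""
    return write_keytab([e for kt in keytabs for e in parse_keytab(kt)])


def list_keytab(data: bytes) -> List[Tuple[int, str, str]]:
    """klist -kte style rows: (kvno, principal, enctype name)."""
    return [(e.kvno, e.principal, ENCTYPE_NAMES.get(e.enctype, str(e.enctype)))
            for e in parse_keytab(data)]


def missing_services(data: bytes, host: str, realm: str,
                     services=("imap", "smtp")) -> List[str]:
    """Service principals (the two Jan's setup uses) absent from the keytab."""
    have = {e.principal for e in parse_keytab(data)}
    return [p for p in (f"{s}/{host}@{realm}" for s in services) if p not in have]


REALM = "GCECAD-SERVICE.LOCAL"            # from Jan's ktpass commands
HOST = "mailserver.gcecad-service.nl"


def build_demo() -> bytes:
    """Two single-service keytabs (what ktpass emits), merged like ktutil."""
    imap_kt = write_keytab([KeytabEntry(REALM, ("imap", HOST), ENCTYPE_RC4_HMAC, 3, bytes(range(16)))])
    smtp_kt = write_keytab([KeytabEntry(REALM, ("smtp", HOST), ENCTYPE_RC4_HMAC, 3, bytes(range(16, 32)))])
    return merge_keytabs(imap_kt, smtp_kt)


if __name__ == "__main__":
    merged = build_demo()
    for kvno, princ, etype in list_keytab(merged):
        print(f"{kvno:4d} {princ} ({etype})")
    print("missing:", missing_services(merged, HOST, REALM) or "none")
```

On a real server the same listing comes from "klist -kte /etc/dovecot/mail.keytab"; that path is the file Dovecot reads because of the auth_krb5_keytab line quoted above, independent of the default_keytab_file setting in krb5.conf, so the merged file must sit at whichever path auth_krb5_keytab names and be readable by the dovecot auth process.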