Aki, To review your 5 points:
On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tu...@dovecot.fi> wrote: > 1. Functional AD or Kerberos environment > 2. Time synced against your KDC (which is your Domain Controller on Windows) > 3. /etc/krb5.conf configured > 4. Both forward / reverse DNS names correct for clients and servers. > Reverse is only mandatory for servers, but having them right will work > wonders. Most kerberos problems are about DNS problems. > 5. You need a keytab. This keytab needs to hold entries like > IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate > these on any Windows DC server (at least). I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit and klist according to the instructions at https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos As to the the keytab (#5) I did the following: $ samba-tool domain exportkeytab /etc/krb5.keytab which created the file. I made this owned and readable by group dovecot, per instructions at http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me configuration listing all the users and computers in the domain, mostly in triplicate. A partial list: Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 18 COMMON$@HPRS.LOCAL 18 COMMON$@HPRS.LOCAL 18 COMMON$@HPRS.LOCAL 1 MAIL$@HPRS.LOCAL 1 MAIL$@HPRS.LOCAL 1 MAIL$@HPRS.LOCAL 1 charmaine@HPRS.LOCAL 1 charmaine@HPRS.LOCAL 1 charmaine@HPRS.LOCAL where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing, but am assuming it is OK. > setspn -q is helpful here, also setspn command in general. I have no such command in my system. Is that a Windows thing? As to the /etc/krb5.conf, the default one generated by samba is: [libdefaults] default_realm = HPRS.LOCAL dns_lookup_realm = false dns_lookup_kdc = true I'd like to modify that to your suggestions, but I need more help. You have (with my questions): > Here is a *SAMPLE* configuration: > > [libdefaults] > default_realm = YOUR.REALM > dns_lookup_kdc = true > krb4_config = /etc/krb.conf > krb4_realms = /etc/krb.realms Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have: krb5_config = /etc/krb5.conf Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there? > kdc_timesync = 1 > ccache_type = 4 > forwardable = true > proxiable = true > fcc-mit-ticketflags = true > > [realms] > YOUR.REALM = { > default_domain = your.domain.name > auth_to_local_names = { > Administrator = root > } > } I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD server: mail.hprs.local, or is it just hprs.local? (or something else!) > [domain_realm] > your.domain.name = YOUR.REALM > # this is not a mistake > .your.domain.name = YOUR.REALM > [login] > krb4_convert = true > krb4_get_tickets = false Likewise here a question on the whole krb4 versus krb5 thing. Your closing comment: > Also, note that kerberos can only act as AUTHENTICATION system. It > cannot act as USER DATABASE. For that you need to configure LDAP or > something else. With Active Directory LDAP is probably a damn good idea. I have the following doveconf -n: # 2.2.15: /usr/local/etc/dovecot/dovecot.conf # OS: Linux 3.10.17 x86_64 Slackware 14.1 auth_debug_passwords = yes auth_krb5_keytab = /etc/krb5.keytab auth_mechanisms = plain login gssapi auth_verbose = yes auth_verbose_passwords = plain disable_plaintext_auth = no info_log_path = /var/log/dovecot_info mail_location = maildir:~/Maildir passdb { driver = shadow } protocols = imap ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key userdb { driver = passwd } verbose_ssl = yes I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in any case I still have all but this test workstation NOT using gssapi, so I still need to accomodate them. Thanks, --Mark
