On 28.06.2016 09:27, Mark Foley wrote:
Aki,
To review your 5 points:
On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tu...@dovecot.fi> wrote:
1. Functional AD or Kerberos environment
2. Time synced against your KDC (which is your Domain Controller on Windows)
3. /etc/krb5.conf configured
4. Both forward / reverse DNS names correct for clients and servers.
Reverse is only mandatory for servers, but having them right will work
wonders. Most kerberos problems are about DNS problems.
5. You need a keytab. This keytab needs to hold entries like
IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate
these on any Windows DC server (at least).
I believe I am good on 1, 2 and 4. I downloaded and installed Kerberos and tested it with kinit and klist according to the instructions at
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
As to the keytab (#5) I did the following:
$ samba-tool domain exportkeytab /etc/krb5.keytab
which created the file. I made this owned and readable by group dovecot, per instructions at
http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me a listing of all the users and computers in the domain, mostly in triplicate. A partial list:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
18 COMMON$@HPRS.LOCAL
18 COMMON$@HPRS.LOCAL
18 COMMON$@HPRS.LOCAL
1 MAIL$@HPRS.LOCAL
1 MAIL$@HPRS.LOCAL
1 MAIL$@HPRS.LOCAL
1 charmaine@HPRS.LOCAL
1 charmaine@HPRS.LOCAL
1 charmaine@HPRS.LOCAL
where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing, but am assuming it is OK.
Strange that you do not have any host/ entries. Maybe it works without.
setspn -q is helpful here, also setspn command in general.
I have no such command in my system. Is that a Windows thing?
Yes, but you can do those kind of things in Samba too.
As to the /etc/krb5.conf, the default one generated by samba is:
[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
Here is a *SAMPLE* configuration:
[libdefaults]
default_realm = YOUR.REALM
dns_lookup_kdc = true
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:
You can remove the krb4_ stuff
krb5_config = /etc/krb5.conf
Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?
You don't necessarily require that.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
[realms]
YOUR.REALM = {
default_domain = your.domain.name
auth_to_local_names = {
Administrator = root
}
}
I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD server: mail.hprs.local, or is it just hprs.local? (or something else!)
HPRS.LOCAL is your REALM, hprs.local is your domain name.
[domain_realm]
your.domain.name = YOUR.REALM
# this is not a mistake
.your.domain.name = YOUR.REALM
[login]
krb4_convert = true
krb4_get_tickets = false
Likewise here a question on the whole krb4 versus krb5 thing.
Your closing comment:
Also, note that kerberos can only act as AUTHENTICATION system. It
cannot act as USER DATABASE. For that you need to configure LDAP or
something else. With Active Directory LDAP is probably a damn good idea.
I have the following doveconf -n:
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
driver = passwd
}
verbose_ssl = yes
I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in any case I still have all but this test workstation NOT using gssapi, so I still need to accommodate them.
Thanks, --Mark
passwd driver is fine, yes, if you ensure that users can be found.
Aki
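The two checks Aki keeps coming back to (the keytab must carry the service principals Dovecot will accept, and forward/reverse DNS for the server must agree) can be scripted so they are not left to eyeballing `klist -k` output. The script below is an added example and not part of the thread or of Dovecot or Samba; the function names are made up for illustration, and the listing embedded at the bottom is constructed to look like Mark's (`KVNO Principal` header, dashed separator) rather than captured from a real keytab. It takes the service name as a parameter because the thread writes it as `IMAP/` while principal names are compared exactly, case included, so the expected entries should be spelled the way the clients will request them. The DNS check needs a resolver and is therefore only defined here, not run against the sample.

```shell
#!/bin/sh
# Added example: sanity checks for a Dovecot GSSAPI keytab and server DNS.
# Not code from the thread; function names are hypothetical.

# Print the principals a Dovecot server on host $1 in realm $2 should hold:
# the service principal under the FQDN and the short host name (Aki's two
# IMAP/ entries) plus the host/ principal Aki noted as missing.
# $3 is the service name as the clients request it (e.g. imap or IMAP).
expected_principals() {
    host="$1"; realm="$2"; service="${3:-imap}"
    short="${host%%.*}"
    printf '%s\n' "$service/$host@$realm" "$service/$short@$realm" "host/$host@$realm"
}

# Read `klist -k` output on stdin and print the distinct principal names,
# i.e. the second column of every line after the dashed separator.
keytab_principals() {
    awk 'seen && NF >= 2 { print $2 } /^----/ { seen = 1 }' | sort -u
}

# check_keytab LISTING HOST REALM [SERVICE]
# Returns 0 when every expected principal appears in LISTING (the text of a
# `klist -k` run), otherwise prints each missing principal and returns 1.
check_keytab() {
    listing="$1"; host="$2"; realm="$3"; service="${4:-imap}"
    have=$(printf '%s\n' "$listing" | keytab_principals)
    missing=0
    for p in $(expected_principals "$host" "$realm" "$service"); do
        # Exact, whole-line, case-sensitive match against the keytab listing.
        if ! printf '%s\n' "$have" | grep -qFx -- "$p"; then
            echo "missing keytab entry: $p"
            missing=1
        fi
    done
    return $missing
}

# check_dns NAME: the name must resolve to an address whose reverse lookup
# gives the same name back (the "forward / reverse correct" point). Uses the
# system resolver via getent, so it is not exercised on the sample below.
check_dns() {
    name="$1"
    ip=$(getent hosts "$name" 2>/dev/null | awk 'NR == 1 { print $1 }')
    [ -n "$ip" ] || { echo "no address for $name"; return 1; }
    rname=$(getent hosts "$ip" 2>/dev/null | awk 'NR == 1 { print $2 }')
    [ "$rname" = "$name" ] || { echo "reverse of $ip is '$rname', not $name"; return 1; }
    echo "dns ok: $name <-> $ip"
}

# Constructed sample listing (not a real keytab): it has the two imap/
# entries but, like Mark's, no host/ entry, so the check reports that.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 MAIL$@HPRS.LOCAL
   3 imap/mail.hprs.local@HPRS.LOCAL
   3 imap/mail@HPRS.LOCAL'

# Stand-alone usage; a real run would pass "$(klist -k /etc/krb5.keytab)".
check_keytab "$SAMPLE_LISTING" mail.hprs.local HPRS.LOCAL imap \
    || echo "sample keytab is incomplete (see above)"
```

Run it with the real listing as `check_keytab "$(klist -k /etc/krb5.keytab)" "$(hostname -f)" HPRS.LOCAL IMAP` and `check_dns "$(hostname -f)"`; a non-zero exit from either is the kind of problem to fix before turning on `auth_debug` in Dovecot, since a missing principal or a mismatched reverse record produces GSSAPI failures that look like authentication bugs.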