Aki - made your suggested changes, but no joy :( My /etc/krb5.conf:
------SNIP--------
[libdefaults]
    default_realm = HPRS.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

[libdefaults]
    default_realm = HPRS.LOCAL
    dns_lookup_kdc = true
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true

[realms]
    HPRS.LOCAL = {
        default_domain = hprs.local
        auth_to_local_names = {
            Administrator = root
        }
    }

[domain_realm]
    hprs.local = HPRS.LOCAL
    # this is not a mistake
    .hprs.local = HPRS.LOCAL
------PINS-----------

you wrote:
> You can remove the krb4_ stuff

I've removed the krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether.

Question on [realms] Administrator: should that really be root or should it be my AD Administrator?

My doveconf -n is exactly the same as posted below, but in particular:

auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi

When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using plain/ssl, no one yet configured for gssapi). In /var/log/maillog I got (repeatedly):

Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=<Jy/e0lY2WADAqAA2>
Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi'
Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs
Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=</GXn0lY22wCmqhuh>

This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"? Do you have any idea from the configs I've posted?

I'm rather depressed about this. I thought I'd finally be able to get AD authentication going for Dovecot. Not ready to give up though!

Suggestions?
THX -- Mark

-----Original Message-----
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: dovecot@dovecot.org
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> Date: Tue, 28 Jun 2016 15:13:11 +0300
>
> On 28.06.2016 09:27, Mark Foley wrote:
> > Aki,
> >
> > To review your 5 points:
> >
> > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tu...@dovecot.fi> wrote:
> >
> >> 1. Functional AD or Kerberos environment
> >> 2. Time synced against your KDC (which is your Domain Controller on
> >> Windows)
> >> 3. /etc/krb5.conf configured
> >> 4. Both forward / reverse DNS names correct for clients and servers.
> >> Reverse is only mandatory for servers, but having them right will work
> >> wonders. Most kerberos problems are about DNS problems.
> >> 5. You need a keytab. This keytab needs to hold entries like
> >> IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate
> >> these on any Windows DC server (at least).
> > I believe I am good on 1, 2 and 4. I downloaded and installed kerberos and
> > tested it with kinit and klist according to the instructions at
> > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> >
> > As to the keytab (#5) I did the following:
> >
> > $ samba-tool domain exportkeytab /etc/krb5.keytab
> >
> > which created the file. I made this owned and readable by group dovecot,
> > per instructions at http://wiki2.dovecot.org/Authentication/Kerberos.
> > Running `klist -k /etc/krb5.keytab` shows me configuration listing all
> > the users and computers in the domain, mostly in triplicate. A partial list:
> >
> > Keytab name: FILE:/etc/krb5.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >   18 COMMON$@HPRS.LOCAL
> >   18 COMMON$@HPRS.LOCAL
> >   18 COMMON$@HPRS.LOCAL
> >    1 MAIL$@HPRS.LOCAL
> >    1 MAIL$@HPRS.LOCAL
> >    1 MAIL$@HPRS.LOCAL
> >    1 charmaine@HPRS.LOCAL
> >    1 charmaine@HPRS.LOCAL
> >    1 charmaine@HPRS.LOCAL
> >
> > where COMMON and MAIL are hosts and charmaine is a user. I don't really
> > understand the listing, but am assuming it is OK.
>
> Strange that you do not have any host/ entries. Maybe it works without.
>
> >> setspn -q is helpful here, also setspn command in general.
> > I have no such command in my system. Is that a Windows thing?
> >
>
> Yes, but you can do those kind of things in Samba too.
>
> > As to the /etc/krb5.conf, the default one generated by samba is:
> >
> > [libdefaults]
> >     default_realm = HPRS.LOCAL
> >     dns_lookup_realm = false
> >     dns_lookup_kdc = true
> >
> > I'd like to modify that to your suggestions, but I need more help. You have
> > (with my questions):
> >
> >> Here is a *SAMPLE* configuration:
> >>
> >> [libdefaults]
> >>     default_realm = YOUR.REALM
> >>     dns_lookup_kdc = true
> >>     krb4_config = /etc/krb.conf
> >>     krb4_realms = /etc/krb.realms
> > Here, you have krb4_*. Do you mean that? My config file is krb5.conf.
> > Should I rather have:
>
> You can remove the krb4_ stuff
>
> >     krb5_config = /etc/krb5.conf
> >
> > Also, I have no /etc/krb*.realms file. Do I need this? If so, what should
> > be in there?
>
> You don't necessarily require that.
>
> >>     kdc_timesync = 1
> >>     ccache_type = 4
> >>     forwardable = true
> >>     proxiable = true
> >>     fcc-mit-ticketflags = true
> >>
> >> [realms]
> >>     YOUR.REALM = {
> >>         default_domain = your.domain.name
> >>         auth_to_local_names = {
> >>             Administrator = root
> >>         }
> >>     }
> > I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my
> > FQDN for my AD server: mail.hprs.local, or is it just hprs.local? (or
> > something else!)
>
> HPRS.LOCAL is your REALM, hprs.local is your domain name.
>
> >> [domain_realm]
> >>     your.domain.name = YOUR.REALM
> >>     # this is not a mistake
> >>     .your.domain.name = YOUR.REALM
> >>
> >> [login]
> >>     krb4_convert = true
> >>     krb4_get_tickets = false
> > Likewise here a question on the whole krb4 versus krb5 thing.
> >
> > Your closing comment:
> >
> >> Also, note that kerberos can only act as AUTHENTICATION system. It
> >> cannot act as USER DATABASE. For that you need to configure LDAP or
> >> something else. With Active Directory LDAP is probably a damn good idea.
> > I have the following doveconf -n:
> >
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_krb5_keytab = /etc/krb5.keytab
> > auth_mechanisms = plain login gssapi
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > passdb {
> >   driver = shadow
> > }
> > protocols = imap
> > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> > userdb {
> >   driver = passwd
> > }
> > verbose_ssl = yes
> >
> > I assume the passwd driver for the userdb is OK? Seems to me it should work
> > with gssapi, but in any case I still have all but this test workstation NOT
> > using gssapi, so I still need to accommodate them.
> >
> > Thanks, --Mark
>
> passwd driver is fine, yes, if you ensure that users can be found.
>
> Aki
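The checklist Aki gives above (time sync, krb5.conf, DNS, a keytab holding IMAP/host@REALM) and the "Unknown authentication mechanism 'gssapi'" failure both lend themselves to a preflight script. The one below is an added example written for this thread; it is not code from Dovecot, Samba or either poster. Its offline part parses a `klist -k` listing in the MIT format shown above and reports whether the imap/ and host/ service principals for a given host exist; the SAMPLE_KLIST inside it is constructed to mirror the shape of the posted listing, and the `imap/mail.hprs.local@HPRS.LOCAL` entry and the choice of mail.hprs.local as the Dovecot host are assumptions, not data from the thread. The live part assumes the `host`, `klist`, `dovecot` and `doveconf` commands are present, and that `dovecot --build-options` mentions gssapi when the binary was built with it (an assumption about that output; Dovecot's auth process only knows the gssapi mechanism when built with GSSAPI support, which is the first thing to verify for that error).

```shell
#!/bin/sh
# Added example for this thread; not code from Dovecot, Samba or the posters.
# Offline part: audit a `klist -k` listing (MIT format, as posted above) for
# the service principals Dovecot's GSSAPI mechanism needs (Aki's point 5).
# Live part: DNS, keytab and build checks on the real server.
# SAMPLE_KLIST is CONSTRUCTED to mirror the shape of the posted listing; the
# imap/ entry and the hostname mail.hprs.local are assumptions, not thread data.

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   3 imap/mail.hprs.local@HPRS.LOCAL'

# keytab_principals LISTING
#   Distinct principals in a klist -k listing, one per line (column 2, after
#   the three header lines). Triplicated entries collapse to one.
keytab_principals() {
    printf '%s\n' "$1" | awk 'NR > 3 && NF >= 2 { print $2 }' | LC_ALL=C sort -u
}

# keytab_has_principal LISTING PRINCIPAL
#   Exit 0 if PRINCIPAL appears verbatim. Kerberos principal names are
#   case-sensitive, so MAIL$@HPRS.LOCAL and mail$@HPRS.LOCAL differ.
keytab_has_principal() {
    keytab_principals "$1" | grep -qxF -e "$2"
}

# keytab_service_entries LISTING SERVICE FQDN REALM
#   Prints principals of the form SERVICE/FQDN@REALM. The service part is
#   compared case-insensitively so both imap/ (Dovecot wiki spelling) and
#   IMAP/ (as written in the thread) are reported. Exit 1 if none exist.
keytab_service_entries() {
    svc=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    out=$(printf '%s\n' "$1" | awk -v svc="$svc" -v target="$3@$4" '
        NR > 3 && split($2, p, "/") == 2 && tolower(p[1]) == svc && p[2] == target { print $2 }' |
        LC_ALL=C sort -u)
    if [ -z "$out" ]; then return 1; fi
    printf '%s\n' "$out"
}

# keytab_preflight LISTING FQDN REALM
#   imap/FQDN@REALM is what the IMAP acceptor needs; host/FQDN@REALM is the
#   entry Aki expected to see as well. Exit 0 only when imap/ is present.
keytab_preflight() {
    listing=$1; fqdn=$2; realm=$3; rc=0
    if keytab_service_entries "$listing" imap "$fqdn" "$realm" >/dev/null; then
        echo "ok: imap/$fqdn@$realm"
    else
        echo "MISSING: imap/$fqdn@$realm (Dovecot GSSAPI cannot accept tickets for $fqdn)"
        rc=1
    fi
    if ! keytab_service_entries "$listing" host "$fqdn" "$realm" >/dev/null; then
        echo "note: no host/$fqdn@$realm entry (Aki: maybe it works without)"
    fi
    return $rc
}

# live_preflight FQDN REALM [KEYTAB]
#   Checks that need the real server; missing tools are reported, not failed.
live_preflight() {
    fqdn=$1; realm=$2; keytab=${3:-/etc/krb5.keytab}

    # Aki's point 4: forward and reverse DNS for the server must agree.
    ip=$(host -t A "$fqdn" 2>/dev/null | awk '/has address/ { print $4; exit }')
    rev=$(host "$ip" 2>/dev/null | awk '/domain name pointer/ { sub(/\.$/, "", $5); print $5; exit }')
    if [ -n "$ip" ] && [ "$rev" = "$fqdn" ]; then
        echo "ok: DNS $fqdn <-> $ip"
    else
        echo "WARN: forward $fqdn -> '$ip', reverse -> '$rev' (Aki: most kerberos problems are DNS problems)"
    fi

    # Aki's point 5: the real keytab, through the same checks as above.
    if command -v klist >/dev/null 2>&1; then
        keytab_preflight "$(klist -k "$keytab")" "$fqdn" "$realm"
    else
        echo "skip: klist not installed"
    fi

    # "Unknown authentication mechanism 'gssapi'": the auth process only knows
    # the name when Dovecot was built with GSSAPI support (--with-gssapi).
    # Assumption: --build-options mentions gssapi for such a build.
    if command -v dovecot >/dev/null 2>&1; then
        if dovecot --build-options 2>/dev/null | grep -qi gssapi; then
            echo "ok: dovecot build reports GSSAPI"
        else
            echo "note: --build-options does not mention gssapi; confirm the build used --with-gssapi"
        fi
        echo "auth_mechanisms = $(doveconf -h auth_mechanisms)"
    else
        echo "skip: dovecot not installed"
    fi
}

# ./gssapi_preflight.sh --live mail.hprs.local HPRS.LOCAL   (names are assumptions)
if [ "${1:-}" = "--live" ]; then
    live_preflight "$2" "$3"
fi
```

Run it with `--live FQDN REALM` on the mail server after `samba-tool domain exportkeytab`; the offline functions can also be fed any saved `klist -k` output. Note that exporting the whole domain keytab, as in the thread, puts every user's and machine's keys in a file readable by the dovecot group; exporting only the principals Dovecot needs (`samba-tool domain exportkeytab --principal=...`) keeps that file's blast radius to the IMAP service.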