On 07/04/2016 02:40 PM, Aki Tuomi wrote:
On 04.07.2016 17:40, Brendan Kearney wrote:
On 07/04/2016 03:30 AM, Mark Foley wrote:
Actually, I see that you used host.domain.name further down. That's
a good substitute for mail.hprs.local.
Also, not to be a literary critic, but it might not hurt to show an
example keytab beneath your "Make sure your keytab has entry for ...".
Just in case people don't exactly know how to "make sure":
$ klist -Kek /etc/dovecot/dovecot.keytab
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/host.domain.name@MYREALM (des-cbc-crc) (0x232616c2a4fd08f7)
   1 imap/host.domain.name@MYREALM (des-cbc-md5) (0x232616c2a4fd08f7)
   1 imap/host.domain.name@MYREALM (arcfour-hmac) (0x9dae89a221dc374a39f560833
--Mark
-----Original Message-----
From: Mark Foley <mfo...@ohprs.org>
Date: Mon, 04 Jul 2016 03:23:30 -0400
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for
GSSAPI config]
On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi <aki.tu...@dovecot.fi>
wrote:
http://wiki2.dovecot.org/Authentication/Kerberos
It has been now updated.
Excellent! That was quick!
Although, you used my actual local domain in your example:
mail.hprs.local. Not that I care, no one can get to that, but it might
be clearer to those of us who uncomprehendingly monkey-type things from
wikis when we don't fully understand. Perhaps something more generic
would be clearer: myhost.myrealm, or myhost.mydom.local, or
myLocalFQDN -- something like that. Not sure what is best; just don't
want to imply that they HAVE TO use mail.hprs.local.
I had a look at the NTLM mechanism, it *should* support SSP and
NTLMv2.
I have to set up some kind of test environment to find out why it
bugs.
I'm going to give my brain a rest for a bit before I resume tilting
at the NTLM windmill! I'll check back with the list to see if you've
come up with anything.
Aki
Again, thanks for all your help.
--Mark
-----Original Message-----
Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for
GSSAPI config]
To: dovecot@dovecot.org
From: Aki Tuomi <aki.tu...@dovecot.fi>
Organization: Dovecot Oy
Date: Mon, 4 Jul 2016 08:54:27 +0300
On 04.07.2016 07:44, Mark Foley wrote:
After over a year and a half struggling to get Dovecot to do either
NTLM or GSSAPI authentication with Samba4 AD/DC, I believe I've finally
got it! Thanks to all those in this list who helped: Jan Jurkus, Edgar
Pettijohn, Gregory Sloop, Tom Talpey, especially Aki Tuomi; and infinite
thanks to Achim Gottinger on the SambaList for his patience in working
this through with me. Although my purpose was for Dovecot to
authenticate mail clients, the configuration settings needed were on
the Samba side. I hope a variation of these instructions can eventually
make it into:
http://wiki2.dovecot.org/Authentication/Kerberos
It has been now updated.
I had a look at the NTLM mechanism, it *should* support SSP and
NTLMv2.
I have to set up some kind of test environment to find out why it
bugs.
Aki
i have a document that i had written, recording each of the changes
needed to each of the files to be modified, in order to have dovecot
authenticate against kerberos and authorize against ldap. in
addition, the use of nfs for maildir mailboxes and load balanced
nuances are covered. the doc is in odt format (libre office writer),
and i have attempted to post it to this mailing list, but it was
quarantined.
if there is any interest in the doc, reach out to me. i welcome
input and feedback on it.
brendan
I would very much like to have a copy, please.
Aki
replied off list, as my doc is quarantined due to size.