> On Aug 22, 2018, at 1:05 PM, Kacper <kac...@kacper.se> wrote:
> 
> I know I should have the keytab in /etc/dovecot but I don't think it
> makes any difference right now, seeing how GSSAPI for imap using
> dovecot works.

Using which keytab file?  What kerberos/GSSAPI-related settings do
you have in the dovecot configuration?  If you want help you need
to make it possible for others to see sufficient details of your
configuration.

> I'm using Thunderbird 59.9.1 on Windows 7 and Samba 4.8.3 as an AD DC/KDC.

And what does "klist" report on Windows (for relevant service principals)?
What hostname is Thunderbird configured to use?  Is this name an alias?

> #ls -la /etc/dovecot/dovecot.keytab
> -rw-rw-rw-. 1 root root 762 Aug 22 16:44 /etc/dovecot/dovecot.keytab

You really should have this working mode 0600 with IMAP, and the keytab
file not owned by root.

> I have the permission set so broad just to rule out any permission problems.

Some libraries don't like insecure permissions, though if this works for
IMAP, it should (all else being equal) work equally well for SMTP.

> I retested it all and added more enctypes. Some result. It's puzzling
> though why IMAP works via GSSAPI but SMTP refuses to.

Perhaps you're not looking at the right keytab file, or the client
has stale tickets, or is using a different hostname, ...

> # klist -ek /etc/dovecot/dovecot.keytab
> Keytab name: FILE:/etc/dovecot/dovecot.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>   2 smtp/srv.mydomain.t...@mydomain.test (aes256-cts-hmac-sha1-96)
>   2 smtp/srv.mydomain.t...@mydomain.test (aes128-cts-hmac-sha1-96)
>   2 smtp/srv.mydomain.t...@mydomain.test (arcfour-hmac)
>   2 smtp/srv.mydomain.t...@mydomain.test (des-cbc-md5)
>   2 smtp/srv.mydomain.t...@mydomain.test (des-cbc-crc)
>   2 imap/srv.mydomain.t...@mydomain.test (aes256-cts-hmac-sha1-96)
>   2 imap/srv.mydomain.t...@mydomain.test (aes128-cts-hmac-sha1-96)
>   2 imap/srv.mydomain.t...@mydomain.test (arcfour-hmac)
>   2 imap/srv.mydomain.t...@mydomain.test (des-cbc-md5)
>   2 imap/srv.mydomain.t...@mydomain.test (des-cbc-crc)

I see new enctypes here, but the same "kvno" (2) as before.  Normally,
when keys are changed to add new enctypes the "kvno" changes.  I'd
have expected "kvno = 3" here.  Are the AES keys new, or were they
present all along?

Change the IMAP and the SMTP keys in the KDC, drop the DES keys and
re-create the keytab file.  Does IMAP still work?  If SMTP does not,
is Postfix still using Dovecot authentication?  If dovecot still
logs GSSAPI errors, perhaps the problem is on the client side,
run "klist purge" (Windows-specific) and retry after all the changes
above.

-- 
        Viktor.
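The checks Viktor asks for above (keytab permission bits, whether the KVNO moved when keys were regenerated, and whether DES/RC4 entries are still present) can be scripted. The following is an added example, not code from the thread or from Postfix/Dovecot; the `klist -ek` text it parses is a constructed sample with a placeholder realm and hostname, and `keytab_permission_problems` takes the service account's uid as an assumed parameter.

```python
"""Audit a service keytab: parse "klist -ek" output, flag weak enctypes
(DES, RC4), spot principals whose entries carry more than one KVNO (a sign
the keytab was not re-created after a key change), and check the file's
permission bits."""
import os
import re
import stat
from collections import defaultdict

# Enctypes that should be dropped from a keytab (DES is retired, RC4/arcfour
# is deprecated); both families appear in the keytab listed in the thread.
WEAK_ENCTYPES = {"des-cbc-md5", "des-cbc-crc", "des3-cbc-sha1", "arcfour-hmac"}

# Constructed sample of "klist -ek" output (not the original mail's listing;
# realm and hostname are placeholders). The imap entries deliberately mix
# KVNO 2 and 3 to show what a half-refreshed keytab looks like.
SAMPLE_KLIST = """Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 smtp/srv.mydomain.test@MYDOMAIN.TEST (aes256-cts-hmac-sha1-96)
   2 smtp/srv.mydomain.test@MYDOMAIN.TEST (arcfour-hmac)
   2 smtp/srv.mydomain.test@MYDOMAIN.TEST (des-cbc-md5)
   2 imap/srv.mydomain.test@MYDOMAIN.TEST (aes128-cts-hmac-sha1-96)
   3 imap/srv.mydomain.test@MYDOMAIN.TEST (aes256-cts-hmac-sha1-96)
"""

# One keytab entry line: "<kvno> <principal> (<enctype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return a list of (kvno, principal, enctype) tuples from klist -ek output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def weak_entries(entries):
    """Entries whose enctype is on the deprecated list."""
    return [e for e in entries if e[2] in WEAK_ENCTYPES]


def kvno_mismatches(entries):
    """Principals whose entries carry more than one KVNO.

    After a key change the KDC bumps the KVNO; a keytab that still holds
    entries with the old number for the same principal was not re-created
    from the new keys."""
    seen = defaultdict(set)
    for kvno, principal, _ in entries:
        seen[principal].add(kvno)
    return {p: sorted(v) for p, v in seen.items() if len(v) > 1}


def keytab_permission_problems(path, service_uid=None):
    """Report permission bits a keytab should not have.

    A keytab should be readable only by the account the service runs as:
    no group/other bits, and (if service_uid is given) owned by that uid
    rather than root."""
    st = os.stat(path)
    problems = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o grants group/other access; use 0600"
                        % stat.S_IMODE(st.st_mode))
    if service_uid is not None and st.st_uid != service_uid:
        problems.append("owned by uid %d, not the service uid %d"
                        % (st.st_uid, service_uid))
    return problems


if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    for e in weak_entries(entries):
        print("weak enctype:", e)
    for principal, kvnos in kvno_mismatches(entries).items():
        print("mixed KVNOs for %s: %s" % (principal, kvnos))
```

Run it against real output by piping `klist -ek /etc/dovecot/dovecot.keytab` into `parse_klist`, and pass the uid of the account Dovecot's auth process runs as to `keytab_permission_problems`; a mode of 0666 like the one in the thread is reported, and a principal listed under two KVNOs means the keytab still contains entries from before the key change.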
