On Mon, Aug 31, 2009 at 07:23:22PM +0100, Gavin Hamill wrote:
> On Sun, 2009-08-30 at 14:29 -0600, Jason Gunthorpe wrote:
> > The kerberos setup is pretty easy.. 'net ads join' your server, go
> > into the adsi editor and provide a imap and smtp SPN for the host, use
> > 'net ads keytab' to put the imap and smtp SPNs in the system keytab,
> > and then you are good to go. I test it with mutt first as the error
> > messages are somewhat better.
> Ouch, can you go a little more slowly, please? I think I've joined the
> domain OK:

> ccimap:~# net ads testjoin
> Join is OK
> ccimap:~# net ads info
> LDAP server:
> LDAP server name: orwell.ad.laterooms.com
> [...]

Yah, thats good

You also want kerberos and LDAP to work easily on your server machine:

# kinit 'your AD user'
# klist
# ldapsearch uid='your AD user'
SASL/GSSAPI authentication started

For ldap stick the information from 'net ads info' in /etc/ldap/ldap.conf:

URI ldap://orwell.ad.laterooms.com
BASE dc=....

kinit should work if you got this far with samba, but if you have
troubles ensure that /etc/krb5.conf has at least:

 default_realm = AD.LATEROOMS.COM # guessing
 dns_lookup_realm = true
 dns_lookup_kdc = true

Once the above two are working your basic stuff is OK. (You can skip
the ldap, but I find it is helpful)

Also verify that 'hostname -f' returns what you want. Very important.

> But I have no idea how / where you add a service principal with ADSIEdit
> - can you point me in the right direction? Kerberos is still mainly a
> mystery to me (and I'm sure many others!)

Hmm. So upon reviewing this, it seems samba has changed, in some ways
it is better, others worse.. Hmm. (I'm using 3.3.2)

Just do this:

ccimap:~# net ads keytab add imap

ccimap:~ klist -k

And verify you have imap/ entries

Then verify kerberos is working with:

ccimap:~# kvno imap/ccimap.ad.laterooms.com
imap/ccimap.ad.laterooms....@ad.laterooms.com: kvno = 2
ccimap:~# ldapsearch CN=ccimap servicePrincipalName 
SASL/GSSAPI authentication started
servicePrincipalName: imap/ccimap.ad.laterooms.com

Unfortunately 'net ads keytab add' can only add SPNs without a
hostname qualifier, so you cannot add another alias. This is bad if
you have multiple names for your host. I can't think of an easy way to
make that work with the new samba behavior. I'd probably patch samba
to fix that..

Since samba now does the adsiedit part on its own you probably don't
need to worry about it, but here is a posting explaining it:

Please note that Windows and Linux use different methods to resolve
the SPN. If your reverse IP and SSL hostname are different you'll need
extra help to make this work, as samba cannot do it by itself!!
Easiest plan is to Not Do That.

That should do the trick for both native GSSAPI and for winbind
GSSAPI. The key part is that the kvno works.

Make sure dovecot is setup with the:
 auth_gssapi_hostname = $ALL
option, and turn on the 'gssapi' mechanism.

Those steps should give you working kerberos and gssapi in dovecot.
I like to start simple and test with mutt. 'kinit' a ticket for that
user, setup mutt, and then give it a try. Then try thunderbird on
linux then thunderbird on windows.

The .muttrc config is simple:
set spoolfile=imap://u...@ccimap.ad.laterooms.com/INBOX
set folder=imap://u...@ccimap.ad.laterooms.com/

And 'kinit user' before hand.

Use winbind to process ntlm messages. Setup winbind in smb.conf and
test the authentication function:

wbinfo -K user%pass
wbinfo -a user%pass

Then turn it on in dovecot

I run plain password authentication for dovecot through pam. Right now
I use pam_krb5.so, but pam_winbind.so is a better choice with a modern

exim piggy backs off dovecot-auth:

    driver = dovecot
    public_name = NTLM
    server_socket = /var/run/dovecot/auth-client

    driver = dovecot
    public_name = GSSAPI
    server_socket = /var/run/dovecot/auth-client

    driver = dovecot
    public_name = GSS-SPNEGO
    server_socket = /var/run/dovecot/auth-client

I also drive all the Linux directory services through winbind and the
rfc2307 LDAP scheme AD supports, so all my Linux users get kerberos
tickets on logon, and SSO for everything. Windows is the same.


