Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)

2009-08-31 Thread Gavin Hamill
On Sun, 2009-08-30 at 14:29 -0600, Jason Gunthorpe wrote:

 The kerberos setup is pretty easy.. 'net ads join' your server, go
 into the adsi editor and provide a imap and smtp SPN for the host, use
 'net ads keytab' to put the imap and smtp SPNs in the system keytab,
 and then you are good to go. I test it with mutt first as the error
 messages are somewhat better.

Ouch, can you go a little more slowly, please? I think I've joined the
domain OK:

ccimap:~# net ads testjoin
Join is OK
ccimap:~# net ads info
LDAP server: 10.6.1.245
LDAP server name: orwell.ad.laterooms.com
[...]

But I have no idea how / where you add a service principal with ADSIEdit
- can you point me in the right direction? Kerberos is still mainly a
mystery to me (and I'm sure many others!)

gdh




Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)

2009-08-31 Thread Jason Gunthorpe
On Mon, Aug 31, 2009 at 07:23:22PM +0100, Gavin Hamill wrote:
 On Sun, 2009-08-30 at 14:29 -0600, Jason Gunthorpe wrote:
 
  The kerberos setup is pretty easy.. 'net ads join' your server, go
  into the adsi editor and provide a imap and smtp SPN for the host, use
  'net ads keytab' to put the imap and smtp SPNs in the system keytab,
  and then you are good to go. I test it with mutt first as the error
  messages are somewhat better.
 
 Ouch, can you go a little more slowly, please? I think I've joined the
 domain OK:

Sure..
 
 ccimap:~# net ads testjoin
 Join is OK
 ccimap:~# net ads info
 LDAP server: 10.6.1.245
 LDAP server name: orwell.ad.laterooms.com
 [...]

Yah, that's good

You also want kerberos and LDAP to work easily on your server machine:

# kinit 'your AD user'
# klist
# ldapsearch uid='your AD user'
SASL/GSSAPI authentication started
[..]

For ldap stick the information from 'net ads info' in /etc/ldap/ldap.conf:

URI ldap://orwell.ad.laterooms.com
BASE dc=

kinit should work if you got this far with samba, but if you have
troubles ensure that /etc/krb5.conf has at least:

[libdefaults]
 default_realm = AD.LATEROOMS.COM # guessing
 dns_lookup_realm = true
 dns_lookup_kdc = true

Once the above two are working your basic stuff is OK. (You can skip
the ldap, but I find it is helpful)

Also verify that 'hostname -f' returns what you want. Very important.

 But I have no idea how / where you add a service principal with ADSIEdit
 - can you point me in the right direction? Kerberos is still mainly a
 mystery to me (and I'm sure many others!)

Hmm. So upon reviewing this, it seems samba has changed, in some ways
it is better, others worse.. Hmm. (I'm using 3.3.2)

Just do this:

ccimap:~# net ads keytab add imap

Then:
ccimap:~# klist -k

And verify you have imap/ entries

Then verify kerberos is working with:

ccimap:~# kvno imap/ccimap.ad.laterooms.com
imap/ccimap.ad.laterooms@ad.laterooms.com: kvno = 2
ccimap:~# ldapsearch CN=ccimap servicePrincipalName 
SASL/GSSAPI authentication started
[..]
servicePrincipalName: imap/ccimap.ad.laterooms.com

Unfortunately 'net ads keytab add' can only add SPNs without a
hostname qualifier, so you cannot add another alias. This is bad if
you have multiple names for your host. I can't think of an easy way to
make that work with the new samba behavior. I'd probably patch samba
to fix that..

Since samba now does the adsiedit part on its own you probably don't
need to worry about it, but here is a posting explaining it:
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx

Please note that Windows and Linux use different methods to resolve
the SPN. If your reverse IP and SSL hostname are different you'll need
extra help to make this work, as samba cannot do it by itself!!
Easiest plan is to Not Do That.

That should do the trick for both native GSSAPI and for winbind
GSSAPI. The key part is that the kvno works.

Make sure dovecot is setup with the:
 auth_gssapi_hostname = $ALL
option, and turn on the 'gssapi' mechanism.

Those steps should give you working kerberos and gssapi in dovecot.
I like to start simple and test with mutt. 'kinit' a ticket for that
user, setup mutt, and then give it a try. Then try thunderbird on
linux then thunderbird on windows.

The .muttrc config is simple:
set spoolfile=imap://u...@ccimap.ad.laterooms.com/INBOX
set folder=imap://u...@ccimap.ad.laterooms.com/

And 'kinit user' before hand.

Use winbind to process ntlm messages. Setup winbind in smb.conf and
test the authentication function:

wbinfo -D AD.LATEROOMS.COM
wbinfo -K user%pass
wbinfo -a user%pass

Then turn it on in dovecot

I run plain password authentication for dovecot through pam. Right now
I use pam_krb5.so, but pam_winbind.so is a better choice with a modern
samba. 

exim piggybacks off dovecot-auth:

dovecot_ntlm:
driver = dovecot
public_name = NTLM
server_socket = /var/run/dovecot/auth-client
server_set_id=NTLM-${quote:$auth1}

dovecot_gssapi:
driver = dovecot
public_name = GSSAPI
server_socket = /var/run/dovecot/auth-client
server_set_id=GSSAPI-${quote:$auth1}

dovecot_gssapi_spnego:
driver = dovecot
public_name = GSS-SPNEGO
server_socket = /var/run/dovecot/auth-client
server_set_id=GSS-SPNEGO-${quote:$auth1}

I also drive all the Linux directory services through winbind and the
rfc2307 LDAP scheme AD supports, so all my Linux users get kerberos
tickets on logon, and SSO for everything. Windows is the same.

Jason


Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)

2009-08-31 Thread Gavin Hamill
On Mon, 2009-08-31 at 13:24 -0600, Jason Gunthorpe wrote:

  Ouch, can you go a little more slowly, please? I think I've joined the
  domain OK:

 Sure..

Many thanks for taking the time on this - it is appreciated.


 Also verify that 'hostname -f' returns what you want. Very important.

Yep, 'ccimap.ad.laterooms.com' - forward + reverse DNS are correct in AD



 Just do this:
 
 ccimap:~# net ads keytab add imap
 
 Then:
 ccimap:~ klist -k
 
 And verify you have imap/ entries
 
 Then verify kerberos is working with:
 
 ccimap:~# kvno imap/ccimap.ad.laterooms.com
 imap/ccimap.ad.laterooms@ad.laterooms.com: kvno = 2

I get 

ccimap:/etc# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal

--
   7 imap/ccimap.ad.laterooms@ad.laterooms.com
   7 imap/ccimap.ad.laterooms@ad.laterooms.com
   7 imap/ccimap.ad.laterooms@ad.laterooms.com
   7 imap/cci...@ad.laterooms.com
   7 imap/cci...@ad.laterooms.com
   7 imap/cci...@ad.laterooms.com
ccimap:/etc# kvno imap/ccimap.ad.laterooms.com
kvno: Server not found in Kerberos database while getting credentials
for imap/ccimap.ad.laterooms@ad.laterooms.com

However, before I received your message I had been following the
'old-school' ktpass.exe method and I think I have poisoned the 'imap'
name as a result:

http://nfsworld.blogspot.com/2005/06/using-active-directory-as-your-kdc-for.html

Is 'imap' a magic hardcoded name that Thunderbird will use? If so,
should creating 'pop3' using 'net ads keytab add' also do the business?
I'd rather try that and get a basic working auth than try to unpick my
AD problems just yet.

I ask because if I do a random name 'net ads keytab add purmle' and then
'kvno purmle/ccimap.ad.laterooms.com' then I get sensible output:

purmle/ccimap.ad.laterooms@ad.laterooms.com: kvno = 7

I just don't want to type anything else in case I poison 'pop3' too :)

Cheers,
Gavin




Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)

2009-08-31 Thread Jason Gunthorpe
On Mon, Aug 31, 2009 at 10:21:47PM +0100, Gavin Hamill wrote:
 On Mon, 2009-08-31 at 13:24 -0600, Jason Gunthorpe wrote:
 
   Ouch, can you go a little more slowly, please? I think I've joined the
   domain OK:
 
  Sure..
 
 Many thanks for taking the time on this - it is appreciated.

NP, if you have success consider making a HOWTO for the dovecot wiki
:)

  Also verify that 'hostname -f' returns what you want. Very important.
 
 Yep, 'ccimap.ad.laterooms.com' - forward + reverse DNS are correct in AD

Good

  ccimap:~# net ads keytab add imap
  
  Then:
  ccimap:~ klist -k
  
  And verify you have imap/ entries
  
  Then verify kerberos is working with:
  
  ccimap:~# kvno imap/ccimap.ad.laterooms.com
  imap/ccimap.ad.laterooms@ad.laterooms.com: kvno = 2
 
 I get 
 
 ccimap:/etc# klist -k
 Keytab name: FILE:/etc/krb5.keytab
 KVNO Principal
7 imap/ccimap.ad.laterooms@ad.laterooms.com
7 imap/ccimap.ad.laterooms@ad.laterooms.com
7 imap/ccimap.ad.laterooms@ad.laterooms.com
7 imap/cci...@ad.laterooms.com
7 imap/cci...@ad.laterooms.com
7 imap/cci...@ad.laterooms.com

Ok.. this is not too good, you should have many other entries too,
several starting with host/ and CCIMAP$.

What version of samba is this? does 'net ads keytab create' fix it up?

Check that you have

use kerberos keytab = true

In smb.conf

 ccimap:/etc# kvno imap/ccimap.ad.laterooms.com
 kvno: Server not found in Kerberos database while getting credentials
 for imap/ccimap.ad.laterooms@ad.laterooms.com

This is fatal. If ldapsearch indicates that SPN exists then you are
probably right that something has become damaged in AD. Otherwise you
are just having wacky samba problems.

 However, before I received your message I had been following the
 'old-school' ktpass.exe method and I think I have poisoned the 'imap'
 name as a result:

Possibly, it would be good to start again. Go into AD, and delete the
ccimap computer account, then re-do 'net ads join'. That should clean
everything out.

The ktpass.exe method has so many problems, don't use it. Samba can
generate all the keys directly itself now, there is no need for ktpass.

 Is 'imap' a magic hardcoded name that Thunderbird will use? If so,
 should creating 'pop3' using 'net ads keytab add' also do the business?
 I'd rather try that and get a basic working auth than try to unpick my
 AD problems just yet.

The SPN service name is hardwired based on the protocol, imap, smtp
and something for pop. I'm not sure what. :)

 I ask because if I do a random name 'net ads keytab add purmle' and then
 'kvno purmle/ccimap.ad.laterooms.com' then I get sensible output:
 
 purmle/ccimap.ad.laterooms@ad.laterooms.com: kvno = 7

Hmm. You do need the '-U Administrator' or similarly privileged
account for the keytab add. Otherwise I noticed that samba silently
fails to update LDAP when it gets permission denied from ADS. The true
test that it worked is the ldapsearch command I gave, or adsi edit.

Jason
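The checks Jason walks through by hand, as an added example that is not from the thread: a small Python script that parses 'klist -k' and 'kvno' output, confirms the host/, MACHINE$ and imap/ principals are in the keytab, and confirms the KDC's key version matches. The sample output is constructed to mirror Gavin's first attempt, the realm AD.LATEROOMS.COM is Jason's earlier guess, and all function names are assumptions.

```python
"""Check a Samba-generated keytab the way the thread does by hand: 'klist -k'
must list host/, MACHINE$ and imap/ principals, and 'kvno imap/<fqdn>' must
succeed at the KDC with the same key version as the keytab."""
import re

KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)$")          # "   7 imap/host@REALM"
KVNO_LINE = re.compile(r"^(\S+):\s+kvno\s*=\s*(\d+)$")   # "imap/host@REALM: kvno = 7"


def parse_klist(output):
    """Map principal -> set of KVNOs (klist prints one line per enctype)."""
    keys = {}
    for line in output.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            keys.setdefault(m.group(2), set()).add(int(m.group(1)))
    return keys


def parse_kvno(output):
    """Map principal -> KVNO; kvno's error lines simply do not match."""
    return {m.group(1): int(m.group(2))
            for m in map(KVNO_LINE.match, output.splitlines()) if m}


def check_keytab(klist_out, kvno_out, fqdn, realm, services=("imap",)):
    """Return a list of problems; an empty list means the setup looks healthy."""
    keys, kdc = parse_klist(klist_out), parse_kvno(kvno_out)
    machine = fqdn.split(".")[0].upper() + "$"
    # A clean 'net ads join' with 'use kerberos keytab = true' writes all of these.
    expected = [f"host/{fqdn}@{realm}", f"{machine}@{realm}"]
    expected += [f"{svc}/{fqdn}@{realm}" for svc in services]
    problems = [f"missing keytab entry {p}" for p in expected if p not in keys]
    for svc in services:
        princ = f"{svc}/{fqdn}@{realm}"
        if princ not in kdc:
            problems.append(f"KDC returned no kvno for {princ} (SPN not in AD?)")
        elif princ in keys and kdc[princ] not in keys[princ]:
            problems.append(f"kvno mismatch for {princ}: keytab {sorted(keys[princ])},"
                            f" KDC {kdc[princ]}")
    return problems


# Constructed sample output modelled on the thread, not captured from a real host.
FQDN, REALM = "ccimap.ad.laterooms.com", "AD.LATEROOMS.COM"
GOOD_KLIST = f"""Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------
   7 host/{FQDN}@{REALM}
   7 CCIMAP$@{REALM}
   7 imap/{FQDN}@{REALM}
"""
# Gavin's first attempt: only imap/ keys, and the KDC does not know the SPN.
BAD_KLIST = f"Keytab name: FILE:/etc/krb5.keytab\nKVNO Principal\n   7 imap/{FQDN}@{REALM}\n"
GOOD_KVNO = f"imap/{FQDN}@{REALM}: kvno = 7\n"
BAD_KVNO = ("kvno: Server not found in Kerberos database while getting "
            f"credentials for imap/{FQDN}@{REALM}\n")
```

A "kvno mismatch" result after a rejoin means the keytab holds a stale key version, which is the case 'net ads keytab create' is meant to repair.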


Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)

2009-08-31 Thread Gavin Hamill
On Mon, 2009-08-31 at 15:35 -0600, Jason Gunthorpe wrote:

 NP, if you have success consider making a HOWTO for the dovcot wikki
 :)

For sure.

 Ok.. this is not too good, you should have many other entries too,
 several starting with host/ and CCIMAP$.

The suggestion to remove the computer object (and the 'imapCcimap' user
I bound the SPN to using ktpass) and 'net ads join' worked like a charm
- I have lots more output in 'net ads keytab list' and kvno
imap/ccimap.ad.laterooms.com works now.


 Check that you have
 
 use kerberos keytab = true

Yep, it's there.

 Possibly, it would be good to start again. Go into AD, and delete the
 ccimap computer account, then re-do 'net ads join'. That should clean
 everything out.

Bingo :)

Freakin' awesome.. the damn thing actually works!
Aug 31 23:13:02 ccimap dovecot: auth(default): client in: AUTH#0111#011GSSAPI#011service=imap#011lip=10.6.1.82#011rip=10.6.1.81#011lport=143#011rport=2807
Aug 31 23:13:02 ccimap dovecot: auth(default): gssapi(?,10.6.1.81): Obtaining credentials for i...@ccimap.ad.laterooms.com
Aug 31 23:13:02 ccimap dovecot: auth(default): client out: CONT#0111#011
Aug 31 23:13:02 ccimap dovecot: auth(default): client in: CONT#0111#011YIIExAYJKoZIhv (tons of stuff..)
Aug 31 23:13:02 ccimap dovecot: auth(default): gssapi(?,10.6.1.81): security context state completed.
Aug 31 23:13:02 ccimap dovecot: auth(default): client out: CONT#0111#011YIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWhtquLoCp5Nm03quJPTFS+yuNrBo3PWH+dP4RZPcsYxMDJHklCAQ84LGmQWUftFgKiryc9ZK0mZI07tNVyE4Oath4fCg2dxu+RPZvpbqIr7BIteHeg2MGPeHMg==
Aug 31 23:13:02 ccimap dovecot: auth(default): client in: CONT#0111#011
Aug 31 23:13:02 ccimap dovecot: auth(default): gssapi(?,10.6.1.81): Negotiated security layer
Aug 31 23:13:02 ccimap dovecot: auth(default): client out: CONT#0111#011YDAGCSqGSIb3EgECAgIBEQD/nXVwtOl9PTyrmeUqTZZLq61UowgQVqMIAf///wE=
Aug 31 23:13:02 ccimap dovecot: auth(default): client in: CONT#0111#011YDYGCSqGSIb3EgECAgIBEQD/4AbCCa3SFaSVtGEbd6teOPapNaUhDQFFAQAAAG1qaWdncwE=
Aug 31 23:13:02 ccimap dovecot: auth(default): client out: OK#0111#011user=mjiggs
Aug 31 23:13:02 ccimap dovecot: auth(default): master in: REQUEST#0111#0115968#0111
Aug 31 23:13:02 ccimap dovecot: auth(default): passwd(mjiggs,10.6.1.81): lookup
Aug 31 23:13:02 ccimap dovecot: auth(default): master out: USER#0111#011mjiggs#011system_user=mjiggs#011uid=10416#011gid=1#011home=/home/AD/mjiggs
Aug 31 23:13:02 ccimap dovecot: imap-login: Login: user=mjiggs, method=GSSAPI, rip=10.6.1.81, lip=10.6.1.82

The 'auth_gssapi_hostname = $ALL' was confusing so I commented that out
and let it do a gethostname() instead - now it works :)

Thank you! :D

Cheers
Gavin.
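An added example, not part of Gavin's message: Dovecot writes the TAB separators of its auth protocol as '#011' in debug output, so a small decoder makes lines like the ones above readable and lets you confirm from the 'Login:' lines which mechanism each client actually negotiated. The sample lines are constructed from the message above plus an invented PLAIN login from another client; function names are assumptions.

```python
"""Decode Dovecot auth-debug log lines like those in the message above. Dovecot
writes the TAB separators of its auth protocol as '#011' (octal), so the line
'AUTH#0111#011GSSAPI#011service=imap' is really AUTH<TAB>1<TAB>GSSAPI<TAB>..."""
import re

AUTH_RE = re.compile(r"dovecot: auth\(\w+\): (client in|client out|master in|master out): (.*)$")
LOGIN_RE = re.compile(r"dovecot: (\w+)-login: Login: (.*)$")


def unescape(payload):
    """Undo Dovecot's #NNN octal escaping of control characters ('#011' -> TAB)."""
    return re.sub(r"#([0-7]{3})", lambda m: chr(int(m.group(1), 8)), payload)


def parse_auth_line(line):
    """Return {'direction', 'cmd', 'id', 'args', 'params'} for an auth-protocol line."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    fields = unescape(m.group(2)).split("\t")
    cmd, rest = fields[0], [f for f in fields[1:] if f]   # drop empty trailing field
    req_id = rest.pop(0) if rest and rest[0].isdigit() else None
    params = dict(f.split("=", 1) for f in rest if "=" in f)
    args = [f for f in rest if "=" not in f]               # e.g. the mechanism name
    return {"direction": m.group(1), "cmd": cmd, "id": req_id,
            "args": args, "params": params}


def parse_login_line(line):
    """Return {'service', 'user', 'method', 'rip', 'lip'} for a 'Login:' summary line."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    info = dict(item.partition("=")[::2] for item in m.group(2).split(", "))
    info["service"] = m.group(1)
    return info


def logins_outside(lines, allowed=("GSSAPI", "NTLM", "GSS-SPNEGO")):
    """List (user, method, rip) for logins that did not use one of the SSO mechanisms."""
    hits = []
    for line in lines:
        login = parse_login_line(line)
        if login and login.get("method") not in allowed:
            hits.append((login.get("user"), login.get("method"), login.get("rip")))
    return hits


# Constructed sample lines modelled on the message above (not a real capture).
SAMPLE_LOG = [
    "Aug 31 23:13:02 ccimap dovecot: auth(default): client in: AUTH#0111#011GSSAPI"
    "#011service=imap#011lip=10.6.1.82#011rip=10.6.1.81#011lport=143#011rport=2807",
    "Aug 31 23:13:02 ccimap dovecot: auth(default): client out: CONT#0111#011",
    "Aug 31 23:13:02 ccimap dovecot: auth(default): client out: OK#0111#011user=mjiggs",
    "Aug 31 23:13:02 ccimap dovecot: imap-login: Login: user=mjiggs, method=GSSAPI,"
    " rip=10.6.1.81, lip=10.6.1.82",
    "Aug 31 23:20:11 ccimap dovecot: imap-login: Login: user=jdoe, method=PLAIN,"
    " rip=10.6.1.90, lip=10.6.1.82",
]
```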




Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)

2009-08-31 Thread Jason Gunthorpe
On Mon, Aug 31, 2009 at 11:20:18PM +0100, Gavin Hamill wrote:

  Ok.. this is not too good, you should have many other entries too,
  several starting with host/ and CCIMAP$.
 
 The suggestion to remove the computer object (and the 'imapCcimap' user
 I bound the SPN to using ktpass) and 'net ads join' worked like a charm
 - I have lots more output in 'net ads keytab list' and kvno
 imap/ccimap.ad.laterooms.com works now.

Snazzy
 
 Aug 31 23:13:02 ccimap dovecot: imap-login: Login: user=mjiggs,
 method=GSSAPI, rip=10.6.1.81, lip=10.6.1.82

Yap, that is it

 The 'auth_gssapi_hostname = $ALL' was confusing so I commented that out
 and let it do a gethostname() instead - now it works :)

I thought Timo included this patch?? You need the $ALL for various
cases, including, I think, exim.. All it says is match any entry in
the keytab, not just imap/gethostbyname()@REALM.

If you have AD and Linux servers it is worth kerberizing everything
(ssh, logins, imap, pop, smtp, apache, etc.). The method you just used
is basically how to do it for anything. I.e. you can now turn on ssh
kerberos via its config file, and with kerberized putty on windows
you get SSO ssh logins, etc.

Jason


Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)

2009-08-30 Thread Gavin Hamill
On Sat, 2009-08-29 at 21:55 -0600, Jason Gunthorpe wrote:
 On Sun, Aug 30, 2009 at 01:50:02AM +0100, Gavin Hamill wrote:
  Has anyone successfully configured the above to enable Single Sign-On? I
  would love to move away from Exchange but SSO is a corporate
  requirement.
 
 I looked at this in some detail and concluded that the NTLM support on
 Outlook 2007 was only for encryption, it was not using SPA. I couldn't
 find a hidden registry setting or whatnot to switch it.

Heh, have just found you here:
 https://bugzilla.mozilla.org/show_bug.cgi?id=284538

You mention that you managed to get Thunderbird working with SSO; I've
not achieved that - I'm still required to provide the password before
the NTLM login is successful.. Is there any particular magic needed with
Thunderbird 2.0.0.23 ?

 If you have a corporate support arrangement with MS, maybe ask them?
 Many people would love an answer. Even a trace of outlook using SPA
 with Exchange over IMAP would be interesting to see.

Alas our MS support arrangement extends to the same 'Google + web
forums' that most other places use.

gdh




Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)

2009-08-30 Thread Jason Gunthorpe
On Sun, Aug 30, 2009 at 08:38:20PM +0100, Gavin Hamill wrote:
 On Sat, 2009-08-29 at 21:55 -0600, Jason Gunthorpe wrote:
  On Sun, Aug 30, 2009 at 01:50:02AM +0100, Gavin Hamill wrote:
   Has anyone successfully configured the above to enable Single Sign-On? I
   would love to move away from Exchange but SSO is a corporate
   requirement.
  
  I looked at this in some detail and concluded that the NTLM support on
  Outlook 2007 was only for encryption, it was not using SPA. I couldn't
  find a hidden registry setting or whatnot to switch it.
 
 Heh, have just found you here:
  https://bugzilla.mozilla.org/show_bug.cgi?id=284538
 
 You mention that you managed to get Thunderbird working with SSO; I've
 not achieved that - I'm still required to provide the password before
 the NTLM login is successful.. Is there any particular magic needed with
 Thunderbird 2.0.0.23 ?

Yes, you can't use NTLM in Thunderbird either, you have to use
Kerberos (GSSAPI). I run NTLM through winbind and GSSAPI through MIT
Kerberos, and then run exim through dovecot-auth. This gives complete
SSO using GSSAPI for Thunderbird on all platforms, and secure
challenge/response NTLM hashed passwords for roaming users without
Kerberos.

The kerberos setup is pretty easy.. 'net ads join' your server, go
into the adsi editor and provide a imap and smtp SPN for the host, use
'net ads keytab' to put the imap and smtp SPNs in the system keytab,
and then you are good to go. I test it with mutt first as the error
messages are somewhat better.

Apparently if you direct the GSSAPI messages through winbind (like
for NTLM) then you can omit the 'net ads keytab' steps and things work
a bit smoother, but I have not attempted that configuration.

Jason


[Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)

2009-08-29 Thread Gavin Hamill
Has anyone successfully configured the above to enable Single Sign-On? I
would love to move away from Exchange but SSO is a corporate
requirement.

Outlook Express works fine with it, but not OL2007, and the latter is
the only client I can realistically use.

Cheers,
Gavin.




Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)

2009-08-29 Thread Jason Gunthorpe
On Sun, Aug 30, 2009 at 01:50:02AM +0100, Gavin Hamill wrote:
 Has anyone successfully configured the above to enable Single Sign-On? I
 would love to move away from Exchange but SSO is a corporate
 requirement.

I looked at this in some detail and concluded that the NTLM support on
Outlook 2007 was only for encryption, it was not using SPA. I couldn't
find a hidden registry setting or whatnot to switch it.

If you have a corporate support arrangement with MS, maybe ask them?
Many people would love an answer. Even a trace of outlook using SPA
with Exchange over IMAP would be interesting to see.

IMHO, clearly Dovecot is setup properly, Outlook Express works,
Thunderbird w/ SPA works, etc. I believe MS has deliberately decided
not to make SSO work in Outlook over IMAP specifically because that is
a must have feature for enterprises, so it only works over MAPI and
thus only with Exchange.

Jason