Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

2016-07-06 Thread Brendan Kearney



replied off list as my doc is quarantined for size.

having re-read the doc, nfs is not specifically mentioned.  the default storage dir (or the one i specified), /var/spool/dovecot, is automounted to a nas share i have.  my export on the nas looks like the below:


/export/dovecot server[1-2].bpk2.com(rw,sync) mail.bpk2.com(rw,sync)

i normally run sec=krb5p in addition to the rw,sync options, but i do not believe a way exists to have the maildir mounted with a credential set.


the mount on the mailserver looks like the below:

nas.bpk2.com:/export/dovecot on /var/spool/dovecot type nfs 
(rw,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.88.3,mountvers=3,mountport=20048,mountproto=udp,local_lock=none,addr=192.168.88.3)


with the nas exporting the nfs share, and sssd managing the automount, 
the fact that th

Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

2016-07-05 Thread Brendan Kearney

On 07/04/2016 02:40 PM, Aki Tuomi wrote:





I would very much like to have a copy, please.

Aki

replied off list, as my doc is quarantined due to size.


Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

2016-07-05 Thread Achim Gottinger





Thanks for updating the kerberos docs.
Usually it is also a good idea to disable password expiry for the service accounts.


samba-tool user setexpiry dovecot --noexpiry

achim~


Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

2016-07-04 Thread Mark Foley
Brendan - yes, go ahead and send that doc directly to my email address. I've got Maildir folders going, but not nfs; and I'm curious about your load balance.

THX --Mark



Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

2016-07-04 Thread Aki Tuomi



On 04.07.2016 17:40, Brendan Kearney wrote:


i have a document that i had written, recording each of the changes 
needed to each of the files to be modified, in order to have dovecot 
authenticate against kerberos and authorize against ldap.  in 
addition, the use of nfs for maildir mailboxes and load balanced 
nuances are covered.  the doc is in odt format (libre office writer), 
and i have attempted to post it to this mailing list, but it was 
quarantined.


if there is any interest in the doc, reach out to me.  i welcome input 
and feedback on it.


brendan


I would very much like to have a copy, please.

Aki


Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

2016-07-04 Thread Brendan Kearney


i have a document that i had written, recording each of the changes 
needed to each of the files to be modified, in order to have dovecot 
authenticate against kerberos and authorize against ldap.  in addition, 
the use of nfs for maildir mailboxes and load balanced nuances are 
covered.  the doc is in odt format (libre office writer), and i have 
attempted to post it to this mailing list, but it was quarantined.


if there is any interest in the doc, reach out to me.  i welcome input 
and feedback on it.


brendan


Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

2016-07-04 Thread Mark Foley
Actually, I see that you used host.domain.name further down. That's a good substitute for mail.hprs.local.

Also, not to be a literary critic, but it might not hurt to show an example keytab beneath your "Make sure your keytab has entry for ...". Just in case people don't exactly know how to "make sure":

$ klist -Kek /etc/dovecot/dovecot.keytab
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/host.domain.name@MYREALM (des-cbc-crc)  (0x232616c2a4fd08f7)
   1 imap/host.domain.name@MYREALM (des-cbc-md5)  (0x232616c2a4fd08f7)
   1 imap/host.domain.name@MYREALM (arcfour-hmac)  (0x9dae89a221dc374a39f560833

--Mark



Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

2016-07-04 Thread Mark Foley
On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi <aki.tu...@dovecot.fi> wrote:

> > http://wiki2.dovecot.org/Authentication/Kerberos
>
> It has been now updated.

Excellent! That was quick!

Although, you used my actual local domain in your example: mail.hprs.local.  Not that I care, no one can get to that, but it might be clearer to those of us who uncomprehendingly monkey-type things from wikis when we don't fully understand.  Perhaps something more generic would be clearer: myhost.myrealm, or myhost.mydom.local, or myLocalFQDN -- something like that. Not sure what is best; just don't want to imply that they HAVE TO use mail.hprs.local.

> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
> I have to set up some kind of test environment to find out why it bugs.

I'm going to give my brain a rest for a bit before I resume tilting at the NTLM windmill! I'll check back with the list to see if you've come up with anything.

> Aki

Again, thanks for all your help.

--Mark



Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

2016-07-03 Thread Aki Tuomi


On 04.07.2016 07:44, Mark Foley wrote:
> http://wiki2.dovecot.org/Authentication/Kerberos
>
>

It has been now updated.

I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
I have to set up some kind of test environment to find out why it bugs.

Aki


Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

2016-07-03 Thread Mark Foley
After over a year and a half struggling to get Dovecot to do either NTLM or GSSAPI authentication with Samba4 AD/DC, I believe I've finally got it! Thanks to all those in this list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom Talpey, and especially Aki Tuomi; and infinite thanks to Achim Gottinger on the SambaList for his patience in working this through with me.  Although my purpose was for Dovecot to authenticate mail clients, the configuration settings needed were on the Samba side.  I hope a variation of these instructions can eventually make it into:

http://wiki2.dovecot.org/Authentication/Kerberos

What is essentially missing from the wiki is how to set up the proper Service Principal Names and the subsequent creation of a dovecot-usable kerberos keytab file.  The wiki comment on "k5principals passdb" was not helpful and largely unintelligible to me.

Perhaps like many of you, I have switched from Microsoft SBS and Exchange to Samba4 and Dovecot/IMAP. The transition was completely transparent to my users, except they needed a separate password for email authentication in the absence of NTLM or GSSAPI working with Dovecot. A mild inconvenience, but I have been on a "quest" to fill that gap. This solution finally takes care of that last piece.

The following describes how to create the SPNs and krb5 keytab files using Samba4, which has its own built-in (Heimdal) kerberos. The procedures are probably similar for other facilities such as setspn for Windows, but I've not used those so I won't attempt to discuss those mechanisms here.

You do need kerberos, as the Samba built-in kerberos does not have needed commands like `klist`.

My distro (Slackware 14.1) does not come with kerberos (nor, I think, does Ubuntu), but it is easily found at:

https://slackbuilds.org/repository/14.1/network/krb5/

Ubuntu/Debian: apt-get install krb5-config libpam-krb5 krb5-user ssh-krb5 (perhaps more)

After provisioning Samba4, copy the krb5.conf template to /etc/krb5.conf.

(Note: the actual docs advise symlinking:

  ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf

but I prefer making a copy in case I need to modify things).

I've set the /etc/krb5.conf file to world readable.  Its default contents are (and these do not need to be changed):

[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

where HPRS.LOCAL is my realm, of course use your own.

Now, we need a samba user in order to create the necessary SPNs (Service Principal Names):

$ samba-tool user create dovecot
New Password:
Retype Password:
User 'dovecot' created successfully

Next, add the SPN(s), and create the keytab:

$ samba-tool spn add imap/mail.hprs.local dovecot
$ samba-tool domain exportkeytab --principal imap/mail.hprs.local /etc/dovecot/dovecot.keytab

Dovecot does not do my (outgoing) SMTP serving, only (incoming) IMAP, but if it did I'd have to create another SPN for smtp:

$ samba-tool spn add smtp/mail.hprs.local dovecot
$ samba-tool domain exportkeytab --principal smtp/mail.hprs.local /etc/dovecot/dovecot.keytab

Dovecot needs to be able to read the keytab file:

$ chgrp dovecot /etc/dovecot/dovecot.keytab
$ chmod g+r /etc/dovecot/dovecot.keytab

my new keytab:

$ klist -Kek /etc/dovecot/dovecot.keytab
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
   1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)

(and if I also created the spn for smtp I would also have these:)

   1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
   1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
   1 smtp/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)

DOVECOT SETTINGS:

My version: 2.2.15

Of crucial importance is to build dovecot with GSSAPI! That is NOT one of the default settings. In the dovecot build directory:

./configure --with-gssapi=yes

Other than that serious build gotcha, settings are pretty simple.  Add the following 3 settings to 10-auth.conf:

auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi

The auth_gssapi_hostname is supposedly not required according to some of the above-listed commenters, but my 10-auth.conf template implies differently, so it can't hurt.

gssapi does not require a passdb. Use whatever userdb you want. The dovecot wiki doc has some suggestions, none of which I've tried. I use the 'driver = passwd' for my userdb for unrelated reasons.

I couldn't get any of this working until I rebooted the Samba AD/DC-Dovecot server, but that just may have been me not stopping/starting Samba and Dovecot in the right sequence (or,