Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Aki - comments interspersed below ...

--Mark

-----Original Message-----
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: dovecot@dovecot.org
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> Organization: Dovecot Oy
> Date: Fri, 1 Jul 2016 10:10:43 +0300
>
> The distinction is that kerberos principals are in form
>
> /@
>
> the hostname bit *must* match to the host you are connecting to, exactly
> and verbatim. It can differ in case, I guess.
>
> The service is what service you are connecting to. These have special
> meanings and can be case sensitive (like http won't always work, it has
> to be HTTP).

The current IMAP "Principal" in my keytab is:

imap/mail.hprs.local@HPRS.LOCAL

Explicitly, are you saying it needs to look like:

IMAP/mail@HPRS.LOCAL

Meaning, capitalized "IMAP" and just hostname, no FQDN?

> host/ is always needed in at least system keytab. Not sure if it's
> needed now in the service tab. But I suspect that you need to have IMAP
> and not imap. Also make sure and double-check that the hostname is correct.

Confused. What do you mean by "host/"? Can you give an example using my host and domain names?
I don't know where "host/" goes. I assume this is not a synonym for "/"?

This is the first I've heard of a system keytab versus a service tab. What are they? Do I need both?

> Once you've done the keytab you'll want to grab a cup of coffee and
> local newspaper or something and read it thru before trying, because it
> might take some time for it to work.

Really? I can reboot this evening.

> Also, your client *and* host needs to be able to access KDC (all of
> them) on 88/tcp.

There should be no problem with the intra-LAN firewall. Everything is permitted, but I'll
double-check on the WIN7 workstation I'm testing from.

Is there a way to know for sure my dovecot is enabled for gssapi?

> Aki
>
> On 01.07.2016 09:42, Mark Foley wrote:
> > My keytab now has:
> >
> > ktutil: read_kt /etc/dovecot/dovecot.keytab
> > ktutil: list
> > slot KVNO Principal
> > ---- ---- ---------------------------------
> >    1    1 smtp/mail.hprs.local@HPRS.LOCAL
> >    2    1 imap/mail.hprs.local@HPRS.LOCAL
> >
> > I added these in ktutil with:
> >
> > addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac
> >
> > Aki wrote:
> >
> >> I think the problem still is that your keytab file has no entry
> >> imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
> >> you also have no host/hostname@DOMAIN
> >
> > Not sure how to interpret your template. Are you suggesting I should ...
> >
> > addent -password -p IMAP/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
> > addent -password -p imap/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
> >
> > (one IMAP uppercase and one lowercase?)
> >
> > I don't get your distinction between host and hostname in your 3rd example:
> > host/hostname@DOMAIN
> >
> > Meanwhile ...
> >
> > Tried a bunch of things. No go so far. In fact, I'm questioning if gssapi is enabled in my
> > dovecot. I did rebuild and reinstall using `./configure --with-gssapi=yes`, but if I only
> > enable gssapi authentication, I get "No authenticators available" (mail client). How can I
> > verify gssapi is really available? dovecot --build-options shows:
> >
> > Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
> > Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
> > SQL drivers:
> > Passdb: checkpassword passwd passwd-file shadow
> > Userdb: checkpassword nss passwd prefetch passwd-file
> >
> > should I see authentication methods there?
> >
> > --Mark
> >
> > -----Original Message-----
> > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> > To: dovecot@dovecot.org
> > From: Aki Tuomi <aki.tu...@dovecot.fi>
> > Organization: Dovecot Oy
> > Date: Thu, 30 Jun 2016 09:58:14 +0300
> >
> > I think the problem still is that your keytab file has no entry
> > imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
> >
> > you also have no host/hostname@DOMAIN
> >
> > Aki
> >
> > On 29.06.2016 18:40, Mark Foley wrote:
> >> Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that.
> >> The Thunderbird message is:
> >>
> >> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server
> >> m
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
The distinction is that kerberos principals are in form

/@

the hostname bit *must* match to the host you are connecting to, exactly
and verbatim. It can differ in case, I guess.

The service is what service you are connecting to. These have special
meanings and can be case sensitive (like http won't always work, it has
to be HTTP).

host/ is always needed in at least system keytab. Not sure if it's
needed now in the service tab. But I suspect that you need to have IMAP
and not imap. Also make sure and double-check that the hostname is correct.

Once you've done the keytab you'll want to grab a cup of coffee and
local newspaper or something and read it thru before trying, because it
might take some time for it to work.

Also, your client *and* host needs to be able to access KDC (all of
them) on 88/tcp.

Aki

On 01.07.2016 09:42, Mark Foley wrote:
> My keytab now has:
>
> ktutil: read_kt /etc/dovecot/dovecot.keytab
> ktutil: list
> slot KVNO Principal
> ---- ---- ---------------------------------
>    1    1 smtp/mail.hprs.local@HPRS.LOCAL
>    2    1 imap/mail.hprs.local@HPRS.LOCAL
>
> I added these in ktutil with:
>
> addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac
>
> Aki wrote:
>
>> I think the problem still is that your keytab file has no entry
>> imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
>> you also have no host/hostname@DOMAIN
>
> Not sure how to interpret your template. Are you suggesting I should ...
>
> addent -password -p IMAP/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
> addent -password -p imap/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
>
> (one IMAP uppercase and one lowercase?)
>
> I don't get your distinction between host and hostname in your 3rd example:
> host/hostname@DOMAIN
>
> Meanwhile ...
>
> Tried a bunch of things. No go so far. In fact, I'm questioning if gssapi is enabled in my
> dovecot. I did rebuild and reinstall using `./configure --with-gssapi=yes`, but if I only
> enable gssapi authentication, I get "No authenticators available" (mail client). How can I
> verify gssapi is really available? dovecot --build-options shows:
>
> Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
> Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
> SQL drivers:
> Passdb: checkpassword passwd passwd-file shadow
> Userdb: checkpassword nss passwd prefetch passwd-file
>
> should I see authentication methods there?
>
> --Mark
>
> -----Original Message-----
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: dovecot@dovecot.org
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> Organization: Dovecot Oy
> Date: Thu, 30 Jun 2016 09:58:14 +0300
>
> I think the problem still is that your keytab file has no entry
> imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
>
> you also have no host/hostname@DOMAIN
>
> Aki
>
> On 29.06.2016 18:40, Mark Foley wrote:
>> Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that.
>> The Thunderbird message is:
>>
>> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server m...@ohprs.org. Please check
>> that you are logged in to the Kerberos/GSSAPI realm."
>>
>> I made further comments in that message that I won't clutter the list by repeating here. Check
>> out that message and see what you think could be wrong.
>>
>> Thanks for your help! I'm sure this is solvable!
>>
>> --Mark
>>
>> -----Original Message-----
>>> Date: Wed, 29 Jun 2016 08:03:14 -0400
>>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>>> From: brendan kearney <bpk...@gmail.com>
>>> To: Mark Foley <mfo...@ohprs.org>
>>> Cc: dovecot@dovecot.org
>>>
>>> The last log line shows "user=<>". This indicates no credentials were
>>> presented. If the rip field matches the client ip you tested from, I would
>>> bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not
>>> pulled for the authentication.
>>> On Jun 28, 2016 11:33 PM, "Mark Foley" <mfo...@ohprs.org> wrote:
>> [deleted]
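Aki's rules above (the host part must match the name the client connects to verbatim, the service part is case-sensitive, and a host/ principal belongs in the system keytab) applied as a checker over a keytab listing, together with the `ktutil: list` output Mark quotes. This is an added example, not code from the thread or from Dovecot; the two listings are constructed from the entries Mark posted and the ones he asked about, and the hostname and realm are his.

```python
"""Check a keytab listing for the principals a GSSAPI IMAP login can ask for.

Added example (not code from the thread or from Dovecot). It applies the
rules Aki gives: the host part must equal, byte for byte, the name the client
connects to; the service part is case-sensitive, so both spellings are
checked; and host/<fqdn>@REALM is expected in the system keytab.
"""
import re
from dataclasses import dataclass

# Constructed sample: the two entries Mark's `ktutil: list` showed.
MARKS_LISTING = """\
slot KVNO Principal
---- ---- --------------------------------------------------------------------
   1    1 smtp/mail.hprs.local@HPRS.LOCAL
   2    1 imap/mail.hprs.local@HPRS.LOCAL
"""

# Constructed sample: the short-hostname entries Mark asked about adding.
SHORT_NAME_LISTING = """\
slot KVNO Principal
---- ---- --------------------------------------------------------------------
   1    1 IMAP/mail@HPRS.LOCAL
   2    1 imap/mail@HPRS.LOCAL
"""

# service/host@REALM; the service part may not contain '/', '@' or whitespace.
PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@\s]+)/(?P<host>[^@\s]+)@(?P<realm>\S+)$")


@dataclass(frozen=True)
class Principal:
    service: str
    host: str
    realm: str

    def __str__(self):
        return f"{self.service}/{self.host}@{self.realm}"


def parse_keytab_listing(text):
    """Return the service principals in ktutil / klist -k output.

    Only the last whitespace-separated field of each line is examined, so the
    header, the dashed rule and the slot/KVNO columns are skipped.
    """
    found = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        match = PRINCIPAL_RE.match(fields[-1])
        if match:
            found.append(Principal(**match.groupdict()))
    return found


def check_service_principals(listing, service, fqdn, realm):
    """Report principals missing for `service` on `fqdn`, plus near misses.

    A near miss is an entry for the right service and realm whose host part
    differs from `fqdn` (short name instead of FQDN, or a case difference):
    the host part is compared verbatim, so such an entry will not be used.
    """
    present = set(parse_keytab_listing(listing))
    wanted = {
        Principal(service.lower(), fqdn, realm),
        Principal(service.upper(), fqdn, realm),
        Principal("host", fqdn, realm),  # host/<fqdn>@REALM, per Aki's note
    }
    missing = sorted(wanted - present, key=lambda p: p.service)
    near_misses = [
        p for p in parse_keytab_listing(listing)
        if p.service.lower() == service.lower() and p.realm == realm and p.host != fqdn
    ]
    return {
        "missing": [str(p) for p in missing],
        "near_misses": [str(p) for p in near_misses],
    }


if __name__ == "__main__":
    for name, listing in (("Mark's keytab", MARKS_LISTING),
                          ("short-name keytab", SHORT_NAME_LISTING)):
        report = check_service_principals(listing, "imap", "mail.hprs.local", "HPRS.LOCAL")
        print(f"{name}: missing={report['missing']} near_misses={report['near_misses']}")
```

On a live system the same check can be fed the output of `klist -k /etc/dovecot/dovecot.keytab`; the FQDN argument must be the name the mail client is configured to connect to, not whatever the server calls itself.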
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
My keytab now has:

ktutil: read_kt /etc/dovecot/dovecot.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------
   1    1 smtp/mail.hprs.local@HPRS.LOCAL
   2    1 imap/mail.hprs.local@HPRS.LOCAL

I added these in ktutil with:

addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac

Aki wrote:

> I think the problem still is that your keytab file has no entry
> imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
> you also have no host/hostname@DOMAIN

Not sure how to interpret your template. Are you suggesting I should ...

addent -password -p IMAP/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
addent -password -p imap/mail@HPRS.LOCAL -k 1 -e arcfour-hmac

(one IMAP uppercase and one lowercase?)

I don't get your distinction between host and hostname in your 3rd example:
host/hostname@DOMAIN

Meanwhile ...

Tried a bunch of things. No go so far. In fact, I'm questioning if gssapi is enabled in my
dovecot. I did rebuild and reinstall using `./configure --with-gssapi=yes`, but if I only
enable gssapi authentication, I get "No authenticators available" (mail client). How can I
verify gssapi is really available? dovecot --build-options shows:

Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
SQL drivers:
Passdb: checkpassword passwd passwd-file shadow
Userdb: checkpassword nss passwd prefetch passwd-file

should I see authentication methods there?

--Mark

-----Original Message-----
Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
To: dovecot@dovecot.org
From: Aki Tuomi <aki.tu...@dovecot.fi>
Organization: Dovecot Oy
Date: Thu, 30 Jun 2016 09:58:14 +0300

I think the problem still is that your keytab file has no entry
imap/hostname@DOMAIN and IMAP/hostname@DOMAIN

you also have no host/hostname@DOMAIN

Aki

On 29.06.2016 18:40, Mark Foley wrote:
> Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that.
> The Thunderbird message is:
>
> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server m...@ohprs.org. Please check
> that you are logged in to the Kerberos/GSSAPI realm."
>
> I made further comments in that message that I won't clutter the list by repeating here. Check
> out that message and see what you think could be wrong.
>
> Thanks for your help! I'm sure this is solvable!
>
> --Mark
>
> -----Original Message-----
>> Date: Wed, 29 Jun 2016 08:03:14 -0400
>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>> From: brendan kearney <bpk...@gmail.com>
>> To: Mark Foley <mfo...@ohprs.org>
>> Cc: dovecot@dovecot.org
>>
>> The last log line shows "user=<>". This indicates no credentials were
>> presented. If the rip field matches the client ip you tested from, I would
>> bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not
>> pulled for the authentication.
>> On Jun 28, 2016 11:33 PM, "Mark Foley" <mfo...@ohprs.org> wrote:
> [deleted]
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
I think the problem still is that your keytab file has no entry
imap/hostname@DOMAIN and IMAP/hostname@DOMAIN

you also have no host/hostname@DOMAIN

Aki

On 29.06.2016 18:40, Mark Foley wrote:
> Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that.
> The Thunderbird message is:
>
> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server m...@ohprs.org. Please check
> that you are logged in to the Kerberos/GSSAPI realm."
>
> I made further comments in that message that I won't clutter the list by repeating here. Check
> out that message and see what you think could be wrong.
>
> Thanks for your help! I'm sure this is solvable!
>
> --Mark
>
> -----Original Message-----
>> Date: Wed, 29 Jun 2016 08:03:14 -0400
>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>> From: brendan kearney <bpk...@gmail.com>
>> To: Mark Foley <mfo...@ohprs.org>
>> Cc: dovecot@dovecot.org
>>
>> The last log line shows "user=<>". This indicates no credentials were
>> presented. If the rip field matches the client ip you tested from, I would
>> bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not
>> pulled for the authentication.
>> On Jun 28, 2016 11:33 PM, "Mark Foley" <mfo...@ohprs.org> wrote:
> [deleted]
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> On Jun 29, 2016, at 10:32 AM, Mark Foley <mfo...@ohprs.org> wrote:
>
>> On Tue, 28 Jun 2016 22:52:25 -0500 Edgar Pettijohn <ed...@pettijohn-web.com> wrote:
>>
>> What does thunderbird tell you?
>
> Good question. I saw Tbird's message after sending my last email. When Tbird starts I get a
> message box in the lower right saying:
>
> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server m...@ohprs.org. Please check
> that you are logged in to the Kerberos/GSSAPI realm."
>
> The interesting bit, to me, is that the IMAP server's hostname is not m...@ohprs.org. It should
> be mail.ohprs.org, or I would rather expect it to be mail.hprs.local using the actual local
> domain/realm name, not the public FQDN. I'm suspecting there is something wrong with the
> kerberos config.
>
> To further confuse. There *is* a WIN7 workstation 'mark' in the domain, though not the
> workstation from which this testing is being done (this workstation is named 'common') and host
> 'mark' is not reachable as m...@ohprs.org. Furthermore, the Thunderbird account/user for this
> testing is also 'mark', not to be confused with the host 'mark' (though I think that's exactly
> what's being confused).
>
> Where is this m...@ohprs.org coming from? The Thunderbird Account Name is m...@ohprs.org, which
> is this user's email address.
>
> Perhaps Thunderbird simply has a badly worded error message and didn't really mean "IMAP server
> m...@ohprs.org", or perhaps kerberos is not configured correctly. My /etc/krb5.conf is shown
> below. Any ideas on what might be wrong?

It's doubtful it's a thunderbird issue unless you've given it bad information. Unfortunately I
don't use ldap or gssapi so I'm afraid I can't offer much help.

>
>>>>> [libdefaults]
>>>>>     default_realm = HPRS.LOCAL
>>>>>     dns_lookup_realm = false
>>>>>     dns_lookup_kdc = true
>>>>>
>>>>> [libdefaults]
>>>>>     default_realm = HPRS.LOCAL
>>>>>     dns_lookup_kdc = true
>>>>>     kdc_timesync = 1
>>>>>     ccache_type = 4
>>>>>     forwardable = true
>>>>>     proxiable = true
>>>>>     fcc-mit-ticketflags = true
>>>>>
>>>>> [realms]
>>>>>     HPRS.LOCAL = {
>>>>>         default_domain = hprs.local
>>>>>         auth_to_local_names = {
>>>>>             Administrator = root
>>>>>         }
>>>>>     }
>>>>>
>>>>> [domain_realm]
>>>>>     hprs.local = HPRS.LOCAL
>>>>>     # this is not a mistake
>>>>>     .hprs.local = HPRS.LOCAL
>
> Thanks, --Mark
>
> -----Original Message-----
>> From: Edgar Pettijohn <ed...@pettijohn-web.com>
>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>> Date: Tue, 28 Jun 2016 22:52:25 -0500
>> To: Mark Foley <mfo...@ohprs.org>
>>
>>
>>
>>> On Jun 28, 2016, at 10:32 PM, Mark Foley <mfo...@ohprs.org> wrote:
>>>
>>> Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I
>>> don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is
>>> delivered successfully to the other domain users having PLAIN authentication. That's a big
>>> step. In examining my original config.log output I apparently did not have --with-gssapi enabled.
>>>
>>> HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still cannot correctly
>>> authenticate and retrieve mail. Here is the dovecot log for that host:
>> What does thunderbird tell you?
>>
>>
>>> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
>>> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
>>> Jun 28 22:44:05 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
>>> Jun 28 22:44:05 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
>>> Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.58]
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that.
The Thunderbird message is:

"The Kerberos/GSSAPI ticket was not accepted by the IMAP server m...@ohprs.org. Please check
that you are logged in to the Kerberos/GSSAPI realm."

I made further comments in that message that I won't clutter the list by repeating here. Check
out that message and see what you think could be wrong.

Thanks for your help! I'm sure this is solvable!

--Mark

-----Original Message-----
> Date: Wed, 29 Jun 2016 08:03:14 -0400
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> From: brendan kearney <bpk...@gmail.com>
> To: Mark Foley <mfo...@ohprs.org>
> Cc: dovecot@dovecot.org
>
> The last log line shows "user=<>". This indicates no credentials were
> presented. If the rip field matches the client ip you tested from, I would
> bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not
> pulled for the authentication.
> On Jun 28, 2016 11:33 PM, "Mark Foley" <mfo...@ohprs.org> wrote:
[deleted]
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
On Tue, 28 Jun 2016 22:52:25 -0500 Edgar Pettijohn <ed...@pettijohn-web.com> wrote:

> What does thunderbird tell you?

Good question. I saw Tbird's message after sending my last email. When Tbird starts I get a
message box in the lower right saying:

"The Kerberos/GSSAPI ticket was not accepted by the IMAP server m...@ohprs.org. Please check
that you are logged in to the Kerberos/GSSAPI realm."

The interesting bit, to me, is that the IMAP server's hostname is not m...@ohprs.org. It should
be mail.ohprs.org, or I would rather expect it to be mail.hprs.local using the actual local
domain/realm name, not the public FQDN. I'm suspecting there is something wrong with the
kerberos config.

To further confuse. There *is* a WIN7 workstation 'mark' in the domain, though not the
workstation from which this testing is being done (this workstation is named 'common') and host
'mark' is not reachable as m...@ohprs.org. Furthermore, the Thunderbird account/user for this
testing is also 'mark', not to be confused with the host 'mark' (though I think that's exactly
what's being confused).

Where is this m...@ohprs.org coming from? The Thunderbird Account Name is m...@ohprs.org, which
is this user's email address.

Perhaps Thunderbird simply has a badly worded error message and didn't really mean "IMAP server
m...@ohprs.org", or perhaps kerberos is not configured correctly. My /etc/krb5.conf is shown
below. Any ideas on what might be wrong?

> >>> [libdefaults]
> >>>     default_realm = HPRS.LOCAL
> >>>     dns_lookup_realm = false
> >>>     dns_lookup_kdc = true
> >>>
> >>> [libdefaults]
> >>>     default_realm = HPRS.LOCAL
> >>>     dns_lookup_kdc = true
> >>>     kdc_timesync = 1
> >>>     ccache_type = 4
> >>>     forwardable = true
> >>>     proxiable = true
> >>>     fcc-mit-ticketflags = true
> >>>
> >>> [realms]
> >>>     HPRS.LOCAL = {
> >>>         default_domain = hprs.local
> >>>         auth_to_local_names = {
> >>>             Administrator = root
> >>>         }
> >>>     }
> >>>
> >>> [domain_realm]
> >>>     hprs.local = HPRS.LOCAL
> >>>     # this is not a mistake
> >>>     .hprs.local = HPRS.LOCAL

Thanks, --Mark

-----Original Message-----
> From: Edgar Pettijohn <ed...@pettijohn-web.com>
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> Date: Tue, 28 Jun 2016 22:52:25 -0500
> To: Mark Foley <mfo...@ohprs.org>
>
>
>
> > On Jun 28, 2016, at 10:32 PM, Mark Foley <mfo...@ohprs.org> wrote:
> >
> > Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I
> > don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is
> > delivered successfully to the other domain users having PLAIN authentication. That's a big
> > step. In examining my original config.log output I apparently did not have --with-gssapi enabled.
> >
> > HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still cannot correctly
> > authenticate and retrieve mail. Here is the dovecot log for that host:
>
> What does thunderbird tell you?
>
>
> > Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Jun 28 22:44:05 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > Jun 28 22:44:05 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
> > Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.0.58]
>
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
The last log line shows "user=<>". This indicates no credentials were
presented. If the rip field matches the client ip you tested from, I would
bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not
pulled for the authentication.

On Jun 28, 2016 11:33 PM, "Mark Foley" <mfo...@ohprs.org> wrote:

> Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I
> don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is
> delivered successfully to the other domain users having PLAIN authentication. That's a big
> step. In examining my original config.log output I apparently did not have --with-gssapi enabled.
>
> HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still cannot correctly
> authenticate and retrieve mail. Here is the dovecot log for that host:
>
> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Jun 28 22:44:05 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> Jun 28 22:44:05 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
> Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.58]
> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, session=
>
> Does this tell you anything? `doveconf -n` and krb5.conf are configured as shown in previous
> messages below.
>
> Closer! --Mark
>
> -----Original Message-----
> From: Mark Foley <mfo...@ohprs.org>
> Date: Tue, 28 Jun 2016 22:04:42 -0400
> To: dovecot@dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> Aki, you wrote:
>
> > Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?
> >
> > I'll try to check status of NTLM this week.
>
> I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.
>
> I do have the Dovecot sources and will peruse the possible options after I send this. I am on
> version 2.2.15 and I see that the current downloadable version is 2.2.24. Should I upgrade? Do
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> On Jun 28, 2016, at 10:32 PM, Mark Foley <mfo...@ohprs.org> wrote:
>
> Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I
> don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is
> delivered successfully to the other domain users having PLAIN authentication. That's a big
> step. In examining my original config.log output I apparently did not have --with-gssapi enabled.
>
> HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still cannot correctly
> authenticate and retrieve mail. Here is the dovecot log for that host:

What does thunderbird tell you?

> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Jun 28 22:44:05 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> Jun 28 22:44:05 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
> Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.58]
> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, session=
>
> Does this tell you anything? `doveconf -n` and krb5.conf are configured as shown in previous
> messages below.
>
> Closer! --Mark
>
> -----Original Message-----
> From: Mark Foley <mfo...@ohprs.org>
> Date: Tue, 28 Jun 2016 22:04:42 -0400
> To: dovecot@dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> Aki, you wrote:
>
>> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?
>>
>> I'll try to check status of NTLM this week.
>
> I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.
>
> I do have the Dovecot sources and will peruse the possible options after I send this. I am on
> version 2.2.15 and I see that the current downloadable version is 2.2.24. Should I upgrade? Do
> you think that would help? (a perusal of the changes since 2.2.15 shows nothing obvious
> related to gssapi)
>
> --Mark
>
> -----Original Message-----
>> Date: Tue, 28 Jun
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Aki - partial success!

I rebuilt my dovecot with ./configure --with-gssapi, and restarted. Now I don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is delivered successfully to the other domain users having PLAIN authentication. That's a big step. In examining my original config.log output I apparently did not have --with-gssapi enabled.

HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still cannot correctly authenticate and retrieve mail. Here is the dovecot log for that host:

Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 22:44:05 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 28 22:44:05 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.58]
Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, session=

Does this tell you anything? `doveconf -n` and krb5.conf are configured as shown in previous messages below.

Closer! --Mark

-Original Message-
From: Mark Foley <mfo...@ohprs.org>
Date: Tue, 28 Jun 2016 22:04:42 -0400
To: dovecot@dovecot.org
Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]

Aki, you wrote:

> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile
> it yourself?
>
> I'll try to check status of NTLM this week.

I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.
[...]
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Aki, you wrote:

> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile
> it yourself?
>
> I'll try to check status of NTLM this week.

I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.

I do have the Dovecot sources and will peruse the possible options after I send this. I am on version 2.2.15 and I see that the current downloadable version is 2.2.24. Should I upgrade? Do you think that would help? (a perusal of the changes since 2.2.15 shows nothing obvious related to gssapi)

--Mark

-Original Message-
> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> > On June 28, 2016 at 5:17 PM Mark Foley <mfo...@ohprs.org> wrote:
> >
> > Aki - made your suggested changes, but no joy :(
> >
> > My /etc/krb5.conf:
> >
> > --SNIP
> > [libdefaults]
> > default_realm = HPRS.LOCAL
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > [libdefaults]
> > default_realm = HPRS.LOCAL
> > dns_lookup_kdc = true
> > kdc_timesync = 1
> > ccache_type = 4
> > forwardable = true
> > proxiable = true
> > fcc-mit-ticketflags = true
> >
> > [realms]
> > HPRS.LOCAL = {
> > default_domain = hprs.local
> > auth_to_local_names = {
> > Administrator = root
> > }
> > }
> >
> > [domain_realm]
> > hprs.local = HPRS.LOCAL
> > # this is not a mistake
> > .hprs.local = HPRS.LOCAL
> > --PINS---
> >
> > you wrote:
> > > You can remove the krb4_ stuff
> >
> > I've removed krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether.
> > Question on [realms]Administrator: should that really be root or should it be my AD Administrator?
> > [...]
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> On June 28, 2016 at 5:17 PM Mark Foley <mfo...@ohprs.org> wrote:
>
> Aki - made your suggested changes, but no joy :(
>
> My /etc/krb5.conf:
>
> --SNIP
> [libdefaults]
> default_realm = HPRS.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [libdefaults]
> default_realm = HPRS.LOCAL
> dns_lookup_kdc = true
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> fcc-mit-ticketflags = true
>
> [realms]
> HPRS.LOCAL = {
> default_domain = hprs.local
> auth_to_local_names = {
> Administrator = root
> }
> }
>
> [domain_realm]
> hprs.local = HPRS.LOCAL
> # this is not a mistake
> .hprs.local = HPRS.LOCAL
> --PINS---
>
> you wrote:
> > You can remove the krb4_ stuff
>
> I've removed krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether.
> Question on [realms]Administrator: should that really be root or should it be my AD Administrator?
>
> my doveconf -n is exactly the same as posted below, but in particular:
>
> auth_krb5_keytab = /etc/krb5.keytab
> auth_mechanisms = plain login gssapi
>
> When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using plain/ssl, no one yet configured for gssapi).
>
> In /var/log/maillog I got (repeatedly):
>
> Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=
> Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi'
> Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs
> Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=
>
> This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"?
>
> Do you have any idea from the configs I've posted?
> [...]
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Aki - made your suggested changes, but no joy :(

My /etc/krb5.conf:

--SNIP
[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_kdc = true
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true

[realms]
HPRS.LOCAL = {
default_domain = hprs.local
auth_to_local_names = {
Administrator = root
}
}

[domain_realm]
hprs.local = HPRS.LOCAL
# this is not a mistake
.hprs.local = HPRS.LOCAL
--PINS---

you wrote:
> You can remove the krb4_ stuff

I've removed krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether.
Question on [realms]Administrator: should that really be root or should it be my AD Administrator?

my doveconf -n is exactly the same as posted below, but in particular:

auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi

When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using plain/ssl, no one yet configured for gssapi).

In /var/log/maillog I got (repeatedly):

Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=
Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi'
Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs
Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=

This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"?

Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd finally be able to get AD authentication going for Dovecot. Not ready to give up though!

Suggestions?
THX -- Mark

-Original Message-
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: dovecot@dovecot.org
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> Date: Tue, 28 Jun 2016 15:13:11 +0300
>
> On 28.06.2016 09:27, Mark Foley wrote:
> > Aki,
> >
> > To review your 5 points:
> >
> > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tu...@dovecot.fi> wrote:
> >
> >> 1. Functional AD or Kerberos environment
> >> 2. Time synced against your KDC (which is your Domain Controller on
> >> Windows)
> >> 3. /etc/krb5.conf configured
> >> 4. Both forward / reverse DNS names correct for clients and servers.
> >> Reverse is only mandatory for servers, but having them right will work
> >> wonders. Most kerberos problems are about DNS problems.
> >> 5. You need a keytab. This keytab needs to hold entries like
> >> IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate
> >> these on any Windows DC server (at least).
> >
> > I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit
> > and klist according to the instructions at
> > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> >
> > As to the keytab (#5) I did the following:
> >
> > $ samba-tool domain exportkeytab /etc/krb5.keytab
> >
> > which created the file. I made this owned and readable by group dovecot, per instructions at
> > http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me
> > configuration listing all the users and computers in the domain, mostly in triplicate. A
> > partial list:
> >
> > Keytab name: FILE:/etc/krb5.keytab
> > KVNO Principal
> > ---- --
> >   18 COMMON$@HPRS.LOCAL
> >   18 COMMON$@HPRS.LOCAL
> >   18 COMMON$@HPRS.LOCAL
> >    1 MAIL$@HPRS.LOCAL
> >    1 MAIL$@HPRS.LOCAL
> >    1 MAIL$@HPRS.LOCAL
> >    1 charmaine@HPRS.LOCAL
> >    1 charmaine@HPRS.LOCAL
> >    1 charmaine@HPRS.LOCAL
> >
> > where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing,
> > but am assuming it is OK.
>
> Strange that you do not have any host/ entries. Maybe it works without.
>
> >> setspn -q is helpful here, also setspn command in general.
> >
> > I have no such command in my system. Is that a Windows thing?
>
> Yes, but you can do those kind of things in Samba too.
>
> > As to the /etc/krb5.conf, the default one generated by s
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
On 28.06.2016 09:27, Mark Foley wrote:
> Aki,
>
> To review your 5 points:
>
> On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi wrote:
>
>> 1. Functional AD or Kerberos environment
>> 2. Time synced against your KDC (which is your Domain Controller on
>> Windows)
>> 3. /etc/krb5.conf configured
>> 4. Both forward / reverse DNS names correct for clients and servers.
>> Reverse is only mandatory for servers, but having them right will work
>> wonders. Most kerberos problems are about DNS problems.
>> 5. You need a keytab. This keytab needs to hold entries like
>> IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate
>> these on any Windows DC server (at least).
>
> I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit
> and klist according to the instructions at
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
>
> As to the keytab (#5) I did the following:
>
> $ samba-tool domain exportkeytab /etc/krb5.keytab
>
> which created the file. I made this owned and readable by group dovecot, per instructions at
> http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me
> configuration listing all the users and computers in the domain, mostly in triplicate. A
> partial list:
>
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --
>   18 COMMON$@HPRS.LOCAL
>   18 COMMON$@HPRS.LOCAL
>   18 COMMON$@HPRS.LOCAL
>    1 MAIL$@HPRS.LOCAL
>    1 MAIL$@HPRS.LOCAL
>    1 MAIL$@HPRS.LOCAL
>    1 charmaine@HPRS.LOCAL
>    1 charmaine@HPRS.LOCAL
>    1 charmaine@HPRS.LOCAL
>
> where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing,
> but am assuming it is OK.

Strange that you do not have any host/ entries. Maybe it works without.

>> setspn -q is helpful here, also setspn command in general.
>
> I have no such command in my system. Is that a Windows thing?

Yes, but you can do those kind of things in Samba too.

> As to the /etc/krb5.conf, the default one generated by samba is:
>
> [libdefaults]
> default_realm = HPRS.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
>
>> Here is a *SAMPLE* configuration:
>>
>> [libdefaults]
>> default_realm = YOUR.REALM
>> dns_lookup_kdc = true
>> krb4_config = /etc/krb.conf
>> krb4_realms = /etc/krb.realms
>
> Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:

You can remove the krb4_ stuff

> krb5_config = /etc/krb5.conf
>
> Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?

You don't necessarily require that.

>> kdc_timesync = 1
>> ccache_type = 4
>> forwardable = true
>> proxiable = true
>> fcc-mit-ticketflags = true
>>
>> [realms]
>> YOUR.REALM = {
>> default_domain = your.domain.name
>> auth_to_local_names = {
>> Administrator = root
>> }
>> }
>
> I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD server: mail.hprs.local, or is it just hprs.local? (or something else!)

HPRS.LOCAL is your REALM, hprs.local is your domain name.

>> [domain_realm]
>> your.domain.name = YOUR.REALM
>> # this is not a mistake
>> .your.domain.name = YOUR.REALM
>>
>> [login]
>> krb4_convert = true
>> krb4_get_tickets = false
>
> Likewise here a question on the whole krb4 versus krb5 thing.
>
> Your closing comment:
>
>> Also, note that kerberos can only act as AUTHENTICATION system. It
>> cannot act as USER DATABASE. For that you need to configure LDAP or
>> something else.

With Active Directory LDAP is probably a damn good idea.

> I have the following doveconf -n:
>
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_krb5_keytab = /etc/krb5.keytab
> auth_mechanisms = plain login gssapi
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>   driver = shadow
> }
> protocols = imap
> ssl_cert =

passwd driver is fine, yes, if you ensure that users can be found.

Aki
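Two checks that would have shortened this exchange, as an added example that is not from the thread, from Dovecot or from Samba: does the keytab Dovecot reads actually hold the service principals a client will request a ticket for (and which enctypes back them), and does the server advertise AUTH=GSSAPI at all. The host name and realm are the ones Mark posted. The `klist -ke` listing below is constructed to mirror his exported keytab (the triplicate lines in his `klist -k` output are most likely one line per enctype, which `-e` makes visible) and deliberately contains an smtp/ entry but no imap/ entry, so the check has something to report. Required principals follow Jan's working keytab (lower-case imap/ and smtp/ with the exact FQDN clients connect to); host/ is reported separately because Aki says the Dovecot keytab may work without it. The two greeting lines are also constructed; only the AUTH= tokens matter.

```sh
#!/bin/sh
# Added example, not from the thread. Offline checks for a Dovecot GSSAPI
# setup: required service principals in the keytab, RC4/DES-backed entries,
# and whether the IMAP CAPABILITY list offers AUTH=GSSAPI.

MAIL_HOST="mail.hprs.local"   # FQDN clients connect to (from the thread)
REALM="HPRS.LOCAL"            # Kerberos realm (from the thread)

# Principals a Dovecot/Postfix host needs in the keytab it reads:
# service part lower-case, host part the exact FQDN, realm upper-case.
required_principals() {
    host="$1"; realm="$2"
    printf 'imap/%s@%s\nsmtp/%s@%s\n' "$host" "$realm" "$host" "$realm"
}

# Does a `klist -k` / `klist -ke` / `klist -kt` listing contain the principal?
# Whole-field match, so MAIL$@HPRS.LOCAL never satisfies imap/mail...@...
listing_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { for (i = 1; i <= NF; i++) if ($i == p) found = 1 }
        END { exit !found }'
}

# Print each required principal that is absent from the listing.
missing_principals() {
    listing="$1"; host="$2"; realm="$3"
    required_principals "$host" "$realm" | while IFS= read -r princ; do
        listing_has_principal "$listing" "$princ" || printf '%s\n' "$princ"
    done
}

# host/<fqdn>@REALM is advisory: Aki says the Dovecot keytab may work
# without it, but it is what system services normally present.
has_host_principal() {
    listing_has_principal "$1" "host/$2@$3"
}

# Lines whose enctype (shown by `klist -ke`) is RC4 or single DES.
# RC4-HMAC is what ktpass -crypto RC4-HMAC-NT and a Samba export produce;
# treat those entries as something to migrate off once the DC allows AES.
weak_enctype_entries() {
    printf '%s\n' "$1" | grep -E '\((arcfour-hmac|rc4-hmac|des-cbc-[a-z0-9]+)(-exp)?\)'
}

# Dovecot lists the mechanisms it will accept as AUTH=<name> tokens in the
# CAPABILITY response; if AUTH=GSSAPI is absent the client never even tries.
capability_offers_gssapi() {
    printf '%s\n' "$1" | grep -q -E '(^|[^[:alnum:]])AUTH=GSSAPI([^[:alnum:]]|$)'
}

# --- constructed sample input (mirrors the thread's keytab, plus enctypes) ---
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  18 COMMON$@HPRS.LOCAL (arcfour-hmac)
  18 COMMON$@HPRS.LOCAL (aes128-cts-hmac-sha1-96)
  18 COMMON$@HPRS.LOCAL (aes256-cts-hmac-sha1-96)
   1 MAIL$@HPRS.LOCAL (arcfour-hmac)
   1 MAIL$@HPRS.LOCAL (aes128-cts-hmac-sha1-96)
   1 MAIL$@HPRS.LOCAL (aes256-cts-hmac-sha1-96)
   1 smtp/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)
   1 charmaine@HPRS.LOCAL (arcfour-hmac)'

# Constructed CAPABILITY lines: one with GSSAPI enabled, one without.
SAMPLE_GREETING_OK='* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI] Dovecot ready.'
SAMPLE_GREETING_NO='* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.'

report() {
    echo "Required principals missing from keytab:"
    missing_principals "$SAMPLE_KEYTAB" "$MAIL_HOST" "$REALM" | sed 's/^/  /'
    has_host_principal "$SAMPLE_KEYTAB" "$MAIL_HOST" "$REALM" \
        || echo "Note: no host/$MAIL_HOST@$REALM entry"
    echo "Keytab entries backed by RC4/DES:"
    weak_enctype_entries "$SAMPLE_KEYTAB" | sed 's/^/  /'
    for g in "$SAMPLE_GREETING_OK" "$SAMPLE_GREETING_NO"; do
        if capability_offers_gssapi "$g"; then
            echo "greeting: AUTH=GSSAPI offered"
        else
            echo "greeting: AUTH=GSSAPI not offered (auth_mechanisms or the build lacks gssapi)"
        fi
    done
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Run it with `--report` to see the sample diagnosis. Against a live host, feed `missing_principals` the output of `klist -ke /etc/dovecot/dovecot.keytab` run as the user Dovecot's auth process uses (so an unreadable keytab surfaces too), and feed `capability_offers_gssapi` the `* CAPABILITY` line you get after `openssl s_client -starttls imap -connect mail.hprs.local:143` followed by typing `a CAPABILITY`.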
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Aki,

To review your 5 points:

On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi wrote:

> 1. Functional AD or Kerberos environment
> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> 3. /etc/krb5.conf configured
> 4. Both forward / reverse DNS names correct for clients and servers.
> Reverse is only mandatory for servers, but having them right will work
> wonders. Most kerberos problems are about DNS problems.
> 5. You need a keytab. This keytab needs to hold entries like
> IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate
> these on any Windows DC server (at least).

I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit and klist according to the instructions at https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

As to the keytab (#5) I did the following:

$ samba-tool domain exportkeytab /etc/krb5.keytab

which created the file. I made this owned and readable by group dovecot, per instructions at http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me configuration listing all the users and computers in the domain, mostly in triplicate. A partial list:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL

where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing, but am assuming it is OK.

> setspn -q is helpful here, also setspn command in general.

I have no such command in my system. Is that a Windows thing?

As to the /etc/krb5.conf, the default one generated by samba is:

[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

I'd like to modify that to your suggestions, but I need more help. You have (with my questions):

> Here is a *SAMPLE* configuration:
>
> [libdefaults]
> default_realm = YOUR.REALM
> dns_lookup_kdc = true
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms

Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:

krb5_config = /etc/krb5.conf

Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?

> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> fcc-mit-ticketflags = true
>
> [realms]
> YOUR.REALM = {
> default_domain = your.domain.name
> auth_to_local_names = {
> Administrator = root
> }
> }

I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD server: mail.hprs.local, or is it just hprs.local? (or something else!)

> [domain_realm]
> your.domain.name = YOUR.REALM
> # this is not a mistake
> .your.domain.name = YOUR.REALM
>
> [login]
> krb4_convert = true
> krb4_get_tickets = false

Likewise here a question on the whole krb4 versus krb5 thing.

Your closing comment:

> Also, note that kerberos can only act as AUTHENTICATION system. It
> cannot act as USER DATABASE. For that you need to configure LDAP or
> something else.

I have the following doveconf -n:

# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
aki.tu...@dovecot.fi wrote:

> As mentioned before, you can use ldap as userdb instead of static userdb.
> Username matching in AD environment should be done against userPrincipalName
> attribute.

Do you see any problem with my continuing to use:

userdb {
  driver = passwd
}

... with gssapi? (providing I get other configs correct)

--Mark

-Original Message-
> Date: Tue, 28 Jun 2016 00:19:45 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> > On June 28, 2016 at 12:02 AM Jan Jurkus <j.jur...@gcecad-service.nl> wrote:
> >
> > Hi,
> >
> > I'm not entirely happy with the static userdb, because of the
> > limitations with kerberos/pam, but this can of course be changed rather
> > easily. The hardest part is to get the SSO working.
> > One of the limitations is stated here:
> > http://wiki.dovecot.org/UserDatabase/Static
> >
> > Postfix SMTP auth is using LMTP, reading from my notes.
> >
> > I hope you can get a clearer picture with this rather long and chaotic
> > reply.
>
> As mentioned before, you can use ldap as userdb instead of static userdb.
> Username matching in AD environment should be done against userPrincipalName
> attribute.
>
> This should let you get rid of pam as well.
>
> ---
> Aki Tuomi
> Dovecot oy
>
> > --
> > Jan Jurkus | ICT Administrator | GCE cad-service B.V.
> > Postbus 12, 3220 AA Hellevoetsluis
> > Daltonweg 9, 3225 LR Hellevoetsluis
> > tel: 0181-336955 | fax: 0181-311899
> > j.jur...@gcecad-service.nl | www.gcecad-service.nl
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Jan, thanks for your helpful reply. You wrote:

> With Dovecot I got the SSO working with Kerberos, and this part is
> working great. Other parts (shared mailboxes, that sort of stuff) aren't
> working for me yet. ...

I'm the opposite. My mailbox setup has been working great for a year and a half, though I've not bothered with shared mailboxes yet.

I've attempted to follow your instructions, but still having problems. First, my errors:

Jun 28 01:04:49 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 01:04:49 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 01:04:49 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 28 01:04:49 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 28 01:04:49 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=

Now, your instructions:

> One of the tricky bits is you need a kerberos keytab with two services.
> I used ktutil:
> # ktutil
> ktutil: read_kt mail-imap.keytab
> ktutil: read_kt mail-smtp.keytab
> ktutil: write_kt mail.keytab
> ktutil: quit
>
> I'm using a windows 2003 r2 server as domain controller, to create a
> keytab file you need the windows 2003 support tools.
>
> ktpass.exe -princ imap/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL
> -mapuser GCECAD-SERVICE\mail-imap -crypto RC4-HMAC-NT -pass koeltje234
> -ptype KRB5_NT_PRINCIPAL -out mail-imap.keytab
>
> ktpass.exe -princ smtp/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL
> -mapuser GCECAD-SERVICE\mail-smtp -crypto RC4-HMAC-NT -pass koeltje234
> -ptype KRB5_NT_PRINCIPAL -out mail-smtp.keytab

I ran ktutil, but the commands "read_kt mail-imap.keytab" and "read_kt mail-smtp.keytab" returned:

No such file or directory while reading keytab "mail-imap.keytab"

Perhaps your subsequent ktpass commands are meant to create those. I do not have a ktpass command. I therefore do not have these files. I suppose that could be part of my problem. Can you share the actual contents of these files? I could create them by hand. Does Dovecot and/or kerberos know where to look for these?

> On the dovecot server I had to install a kerberos package:

Likewise, I installed kerberos for slackware. It tested OK. I was able to do a kinit and klist per the instructions at https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

> My kerberos configuration:
> # vi /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log

I added the [logging] section. Of note, these log files do not exist after multiple attempts with my gssapi connection. Probably a bad sign.

> [libdefaults]
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> default_realm = GCECAD-SERVICE.LOCAL
> default_keytab_file = /etc/krb5.keytab
> default_ccache_name = KEYRING:persistent:%{uid}
> allow_weak_crypto = true
> default_tkt_enctypes = arcfour-hmac-md5
> default_tgs_enctypes = arcfour-hmac-md5
> permitted_enctypes = arcfour-hmac-md5

I added all these as well, changing your GCECAD-SERVICE.LOCAL to my HPRS.LOCAL

> [appdefaults]
> pam = {
>   debug = false
>   ticket_lifetime = 24h
>   renew_lifetime = 7d
>   forwardable = true
>   krb4_convert = false
> }

I also added this [appdefaults] section.

> [realms]
> GCECAD-SERVICE.LOCAL = {
>   kdc = this.is.the.dns.name.of.your.kdc
>   admin_server = this.is.the.dns.name.of.your.kdc
> }

I tried with and without this section. Not sure what this.is.the.dns.name.of.your.kdc is supposed to be. I changed mine to the domain FQDN of the server:

[realms]
HPRS.LOCAL = {
  kdc = mail.hprs.local
  admin_server = mail.hprs.local
}

> [domain_realm]
> .gcecad-service.local = GCECAD-SERVICE.LOCAL
> gcecad-service.local = GCECAD-SERVICE.LOCAL
> .gcecad-service.nl = GCECAD-SERVICE.LOCAL
> gcecad-service.nl = GCECAD-SERVICE.LOCAL

I also tried with and without this section. Again, not sure what should go there. I tried:

[domain_realm]
.hprs.local = HPRS.LOCAL
hprs.local = HPRS.LOCAL
.hprs.nl = HPRS.LOCAL
hprs.nl = HPRS.LOCAL

I'm a bit skeptical on the above as .nl is your public top-level domain. In fact, after adding these sections I got no error logged in dovecot_log, but did get a message pop up on Thunderbird saying, "Could not connect to mail server m...@ohprs.org; the connection was refused."

> Dovecot config, the needed parts:
> In /etc/dovecot/conf.d/10-auth.conf :
> auth_krb5_keytab = /etc/dovecot/mail.keytab
> auth_mechanisms = plain gssapi

I added those.

> In /etc/dovecot/conf.d/auth-system.conf.ext :
> passdb {
>   driver =
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> On June 28, 2016 at 12:02 AM Jan Jurkus wrote:
>
> Hi,
>
> I'm not entirely happy with the static userdb, because of the
> limitations with kerberos/pam, but this can of course be changed rather
> easily. The hardest part is to get the SSO working.
> One of the limitations is stated here:
> http://wiki.dovecot.org/UserDatabase/Static
>
> Postfix SMTP auth is using LMTP, reading from my notes.
>
> I hope you can get a clearer picture with this rather long and chaotic
> reply.

As mentioned before, you can use ldap as userdb instead of static userdb. Username matching in AD environment should be done against userPrincipalName attribute.

This should let you get rid of pam as well.

---
Aki Tuomi
Dovecot oy

> --
> Jan Jurkus | ICT Administrator | GCE cad-service B.V.
> Postbus 12, 3220 AA Hellevoetsluis
> Daltonweg 9, 3225 LR Hellevoetsluis
> tel: 0181-336955 | fax: 0181-311899
> j.jur...@gcecad-service.nl | www.gcecad-service.nl
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Hi,

On 27-06-2016 08:58, Mark Foley wrote:
> So, I'm apparently lacking in the kerberos stuff. Here's the problem --
> Samba4 uses Heimdal Kerberos and when I provisioned my domain apparently
> none of these needed kerberos files were set up. I can, however, kerberos
> authenticate from domain workstations both WIN7 and Linux.

You don't need any Samba4 stuff to get it working. Samba is great, but can be
hard to get right. I tend to steer clear of Samba when I don't really need it.

My first experience was with an OTRS helpdesk install, and trying to get it to
do SSO. I was helped a great deal by wireshark, and this website:
http://www.grolmsnet.de/kerbtut/

On a sidenote: mod_auth_kerb is rather ancient, in computer terms. You'd be
better off with mod_auth_gssapi. In the case of Dovecot we are not using
Apache, of course.

With Dovecot I got the SSO working with Kerberos, and this part is working
great. Other parts (shared mailboxes, that sort of stuff) aren't working for
me yet. This is my own fault, not a dovecot one; I haven't looked into it
enough. Anyway, the SSO is working great.

One of the tricky bits is you need a kerberos keytab with two services. I used
ktutil:

# ktutil
ktutil: read_kt mail-imap.keytab
ktutil: read_kt mail-smtp.keytab
ktutil: write_kt mail.keytab
ktutil: quit

I'm using a windows 2003 r2 server as domain controller; to create a keytab
file you need the windows 2003 support tools.

ktpass.exe -princ imap/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL -mapuser GCECAD-SERVICE\mail-imap -crypto RC4-HMAC-NT -pass koeltje234 -ptype KRB5_NT_PRINCIPAL -out mail-imap.keytab
ktpass.exe -princ smtp/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL -mapuser GCECAD-SERVICE\mail-smtp -crypto RC4-HMAC-NT -pass koeltje234 -ptype KRB5_NT_PRINCIPAL -out mail-smtp.keytab

Most instructions on the internet do not quite work out that well.
RC4-HMAC-NT crypto is needed if you still have Windows XP machines. It should
work with a newer crypto but I have not tested that.

FYI: Kerberos service names (imap, smtp) are sometimes capitalised, mostly
when using HTTP. Great, isn't it?

On the dovecot server I had to install a kerberos package:

# yum install krb5-workstation

(I am using CentOS7, but it should not be too hard to translate this to your
own distro)

My kerberos configuration:

# vi /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = GCECAD-SERVICE.LOCAL
 default_keytab_file = /etc/krb5.keytab
 default_ccache_name = KEYRING:persistent:%{uid}
 allow_weak_crypto = true
 default_tkt_enctypes = arcfour-hmac-md5
 default_tgs_enctypes = arcfour-hmac-md5
 permitted_enctypes = arcfour-hmac-md5

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
   krb4_convert = false
 }

[realms]
 GCECAD-SERVICE.LOCAL = {
   kdc = this.is.the.dns.name.of.your.kdc
   admin_server = this.is.the.dns.name.of.your.kdc
 }

[domain_realm]
 .gcecad-service.local = GCECAD-SERVICE.LOCAL
 gcecad-service.local = GCECAD-SERVICE.LOCAL
 .gcecad-service.nl = GCECAD-SERVICE.LOCAL
 gcecad-service.nl = GCECAD-SERVICE.LOCAL

Dovecot config, the needed parts:

In /etc/dovecot/conf.d/10-auth.conf :
auth_krb5_keytab = /etc/dovecot/mail.keytab
auth_mechanisms = plain gssapi

In /etc/dovecot/conf.d/auth-system.conf.ext :
passdb {
  driver = pam
}
userdb {
  driver = static
  args = uid=2000 gid=2000 home=/var/vmail/%Ln allow_all_users=yes
}

In /etc/pam.d/dovecot :
#%PAM-1.0
auth       sufficient   pam_krb5.so no_user_check validate
account    sufficient   pam_permit.so

I'm not entirely happy with the static userdb, because of the limitations with
kerberos/pam, but this can of course be changed rather easily. The hardest
part is to get the SSO working. One of the limitations is stated here:
http://wiki.dovecot.org/UserDatabase/Static

Postfix SMTP auth is using LMTP, reading from my notes.

I hope you can get a clearer picture with this rather long and chaotic reply.

-- 
Jan Jurkus | ICT Beheerder | GCE cad-service B.V.
Postbus 12, 3220 AA Hellevoetsluis
Daltonweg 9, 3225 LR Hellevoetsluis
tel: 0181-336955 | fax: 0181-311899
j.jur...@gcecad-service.nl | www.gcecad-service.nl
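Editor's note: the keytab is the piece the thread keeps tripping over, so here is an added example (not Jan's code and not anything shipped with Dovecot) that reads a keytab in the 0x0502 format that ktutil, ktpass and both MIT and Heimdal write, and reports what the thread cares about: which required principals are absent, whether an entry exists only in a different case (Kerberos principal names are case-sensitive, which is why the imap/IMAP question keeps coming up), and which entries are keyed with RC4 or DES, since the configuration above needs allow_weak_crypto = true to use them. The principals, key bytes and kvno in the sample are constructed; the list of required principals is whatever your clients actually request and is a parameter, not a claim about what Thunderbird or Outlook asks for.

```python
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757). 23 is RC4-HMAC, what
# "ktpass -crypto RC4-HMAC-NT" produces; it and the DES family are deprecated.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}
WEAK_ENCTYPES = {1, 3, 16, 23}
KRB5_NT_PRINCIPAL = 1

def _counted(b):
    """keytab counted_octet_string: 16-bit big-endian length, then bytes."""
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Serialise (principal, enctype, key, kvno) tuples in keytab format 0x0502.
    Only used here to construct a sample in memory; real keytabs come from
    ktpass/ktutil."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, key, kvno in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key            # keyblock
        body += struct.pack(">I", kvno)                                # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Yield (principal, enctype, kvno) for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                    # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp)
        _ntype, _stamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 9 + 4 + klen             # skip the key material itself
        kvno = vno8
        if end - pos >= 4:              # newer writers append a 32-bit kvno
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        yield "/".join(comps) + "@" + realm, enctype, kvno

def check_keytab(data, required, allow_weak=False):
    """List required principals that are absent (a case-only mismatch is
    reported as such, since principal names are case-sensitive) and entries
    keyed with a weak enctype."""
    found = {}
    for principal, enctype, kvno in parse_keytab(data):
        found.setdefault(principal, []).append((enctype, kvno))
    by_lower = {p.lower(): p for p in found}
    problems = []
    for want in required:
        if want in found:
            continue
        if want.lower() in by_lower:
            problems.append("case mismatch: wanted %s, keytab has %s" % (want, by_lower[want.lower()]))
        else:
            problems.append("missing: " + want)
    if not allow_weak:
        for principal, keys in found.items():
            for enctype, kvno in keys:
                if enctype in WEAK_ENCTYPES:
                    problems.append("weak enctype %s for %s (kvno %d)" % (
                        ENCTYPE_NAMES.get(enctype, enctype), principal, kvno))
    return problems

# Constructed sample: the two service principals from the post above with
# dummy key bytes (RC4 keys are 16 bytes, AES-256 keys 32 bytes) and kvno 3.
SAMPLE_ENTRIES = [
    ("imap/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL", 23, bytes(range(16)), 3),
    ("smtp/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL", 18, bytes(range(32)), 3),
]
# The required list is whatever your clients ask for; the upper-case IMAP/
# entry is here only to exercise the case check the thread argues about.
REQUIRED = [
    "imap/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL",
    "IMAP/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL",
    "host/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL",
]

if __name__ == "__main__":
    for problem in check_keytab(build_keytab(SAMPLE_ENTRIES), REQUIRED):
        print(problem)
```

To check a real file, pass the bytes of /etc/dovecot/mail.keytab to check_keytab instead of the constructed sample. Note that the dovecot auth process has to be able to read that file; a missing or unreadable auth_krb5_keytab is a plausible cause of "Auth process broken" at startup, and klist -kt on the same file is the quick cross-check against what this parser reports.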
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Aki, again, thanks A LOT for your reply. Concerning your checklist:

> 1. Functional AD or Kerberos environment

Check!

> 2. Time synced against your KDC (which is your Domain Controller on Windows)

Check! (needed for AD/DC anyway)

> 3. /etc/krb5.conf configured

NO

> 4. Both forward / reverse DNS names correct for clients and servers.
> Reverse is only mandatory for servers, but having them right will work
> wonders. Most kerberos problems are about DNS problems.

Check!

> 5. You need a keytab. This keytab needs to hold entries like
> IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate
> these on any Windows DC server (at least).

NO

So, I'm apparently lacking in the kerberos stuff. Here's the problem -- Samba4
uses Heimdal Kerberos and when I provisioned my domain apparently none of these
needed kerberos files were set up. I can, however, kerberos authenticate from
domain workstations both WIN7 and Linux.

I will (and have already) contacted the Samba list to see what needs to be
done. I'll post back what I find. Maybe I can finally get to the bottom of this
problem.

Thanks again -- Mark

-Original Message
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: dovecot@dovecot.org
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> Organization: Dovecot Oy
> Date: Mon, 27 Jun 2016 09:18:54 +0300
>
> On 27.06.2016 07:31, Mark Foley wrote:
> > Thanks for the reply. When you say it [NTLM] "should" work, I understand
> > you to be implying you've not actually tried NTLM yourself, right? I've
> > never gotten a response from someone saying they have or are actually
> > using it. Your subsequent messages about NTLM v[1|2] may be the problem,
> > but email clients I've tried (Outlook, Thunderbird) don't really give a
> > choice.
> >
> > That's OK, I'd be glad to try something different that would work!!! I am
> > trying your advice for gssapi. I've followed the instructions at
> > http://wiki2.dovecot.org/Authentication/Kerberos. In my 10-auth.conf I
> > changed the auth_mechanism line to:
> >
> > auth_mechanisms = plain login gssapi
> >
> > Which is only different from before with the addition of "gssapi". That's
> > all I've done. I'm using the same userdb as before which is /etc/passwd.
> > My doveconf -n is:
> >
> > --SNIP
> > > doveconf -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = plain login gssapi
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > passdb {
> >   driver = shadow
> > }
> > protocols = imap
> > ssl_cert =
> > ssl_key =
> > userdb {
> >   driver = passwd
> > }
> > verbose_ssl = yes
> > PINS-
> >
> > I attempted to connect from Thunderbird on Ubuntu 15.10 to Dovecot on a
> > Slackware 14.1 AD/DC. I selected "Kerberos/GSSAPI" as the authentication
> > method on Tbird. When trying the connection I got the following in my
> > Dovecot log:
> >
> > Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > Jun 27 00:04:54 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.99, lip=98.102.63.107, session=
> >
> > So, any idea why this is not working? I'll say up-front that I do not have
> > the auth_krb5_keytab configured in 10-auth.conf. I could find no such file
> > on the host running Dovecot. Is that file needed? If so, I've got a message
> > in to the Samba4 folks asking where it is located.
> >
> > I'm also using Dovecot 2.2.15. Too old?
> >
> > Do you think auth_krb5_keytab is my problem or something deeper?
> >
> > THX --Mark
> >
>
> You need to set up keytab. I'll assume you know nothing about kerberos,
> so please if you already knew all this, sorry.
>
> For kerberos to work PROPERLY you nee
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
On 27.06.2016 07:31, Mark Foley wrote:
> Thanks for the reply. When you say it [NTLM] "should" work, I understand you
> to be implying you've not actually tried NTLM yourself, right? I've never
> gotten a response from someone saying they have or are actually using it.
> Your subsequent messages about NTLM v[1|2] may be the problem, but email
> clients I've tried (Outlook, Thunderbird) don't really give a choice.
>
> That's OK, I'd be glad to try something different that would work!!! I am
> trying your advice for gssapi. I've followed the instructions at
> http://wiki2.dovecot.org/Authentication/Kerberos. In my 10-auth.conf I
> changed the auth_mechanism line to:
>
> auth_mechanisms = plain login gssapi
>
> Which is only different from before with the addition of "gssapi". That's
> all I've done. I'm using the same userdb as before which is /etc/passwd. My
> doveconf -n is:
>
> --SNIP
> > doveconf -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_mechanisms = plain login gssapi
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>   driver = shadow
> }
> protocols = imap
> ssl_cert =
> ssl_key =
> userdb {
>   driver = passwd
> }
> verbose_ssl = yes
> PINS-
>
> I attempted to connect from Thunderbird on Ubuntu 15.10 to Dovecot on a
> Slackware 14.1 AD/DC. I selected "Kerberos/GSSAPI" as the authentication
> method on Tbird. When trying the connection I got the following in my
> Dovecot log:
>
> Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> Jun 27 00:04:54 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.99, lip=98.102.63.107, session=
>
> So, any idea why this is not working? I'll say up-front that I do not have
> the auth_krb5_keytab configured in 10-auth.conf. I could find no such file
> on the host running Dovecot. Is that file needed? If so, I've got a message
> in to the Samba4 folks asking where it is located.
>
> I'm also using Dovecot 2.2.15. Too old?
>
> Do you think auth_krb5_keytab is my problem or something deeper?
>
> THX --Mark
>

You need to set up keytab. I'll assume you know nothing about kerberos, so
please if you already knew all this, sorry.

For kerberos to work PROPERLY you need to have

1. Functional AD or Kerberos environment
2. Time synced against your KDC (which is your Domain Controller on Windows)
3. /etc/krb5.conf configured
4. Both forward / reverse DNS names correct for clients and servers. Reverse
   is only mandatory for servers, but having them right will work wonders.
   Most kerberos problems are about DNS problems.
5. You need a keytab. This keytab needs to hold entries like
   IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate these
   on any Windows DC server (at least).

Only bullet 5. is about Dovecot really, but since this is usually rather hard
to gather information, I'll recap these things here:

2. Time sync

Install ntpd and configure it to use *your* *ad* *server*. (Not some generic
service).

3. /etc/krb5.conf

Here is a *SAMPLE* configuration:

[libdefaults]
        default_realm = YOUR.REALM
        dns_lookup_kdc = true
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true

[realms]
        YOUR.REALM = {
                default_domain = your.domain.name
                auth_to_local_names = {
                        Administrator = root
                }
        }

[domain_realm]
        your.domain.name = YOUR.REALM
        # this is not a mistake
        .your.domain.name = YOUR.REALM

[login]
        krb4_convert = true
        krb4_get_tickets = false

Note that some windows environments require additional configuration to get
this working.

4. Forward/reverse DNS.

For your *server* this is *absolutely* a must. It has to match for your
clients and your server. So if your server name is mail.example.org, and it
has IP 10.0.2.3, then 10.0.2.3 MUST resolve to mail.example.org. It will give
you strange and convoluted errors otherwise.

5. Keytab

This is a bit tricky to generate, and there are various ways to do this. You
can install samba, join it to your domain and use the samba tools to generate
a keytab. It's not a bad idea, just remember to add the required spn's
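Editor's note: items 3 and 4 of the checklist above are mechanical enough to script before touching Dovecot. The following is an added example, not Aki's code and not part of any Kerberos or Dovecot distribution. It reads a krb5.conf into nested dicts (sections, key = value lines, and the "name = { ... }" blocks used under [realms]) and then checks, for the server's own name, that the default realm has a KDC configured either explicitly or via dns_lookup_kdc, that [domain_realm] maps the server's domain to that realm, that forward and reverse DNS agree as item 4 demands, and that weak enctypes are not switched on. The realm, hostnames, addresses and config text are constructed; the fake resolvers exist only so it runs offline, and on a real host you pass nothing and let it use socket.gethostbyname and socket.gethostbyaddr. Time sync (item 2) and the keytab contents (item 5) are outside this script.

```python
import re
import socket

def parse_krb5_conf(text):
    """Minimal krb5.conf reader: [section] headers, key = value lines and
    'key = {' ... '}' nested blocks. Lines starting with '#' or ';' are
    comments. Good enough for the checks below, not a full MIT parser."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            continue                        # ignore anything before the first section
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack[-1][key] = child = {}
            stack.append(child)
        else:
            stack[-1][key] = value
    return sections

def preflight(conf, server_fqdn, resolve=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Server-side checks from the checklist; returns a list of findings,
    empty when everything passed."""
    findings = []
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    if not realm:
        findings.append("libdefaults: default_realm is not set")
    else:
        if "kdc" not in conf.get("realms", {}).get(realm, {}) \
                and lib.get("dns_lookup_kdc", "").lower() != "true":
            findings.append("realms: no kdc listed for %s and dns_lookup_kdc is not true" % realm)
        domain = server_fqdn.partition(".")[2]
        mapping = conf.get("domain_realm", {})
        mapped = mapping.get(server_fqdn) or mapping.get("." + domain) or mapping.get(domain)
        if mapped != realm:
            findings.append("domain_realm: %s maps to %s, not %s" % (server_fqdn, mapped, realm))
    if lib.get("allow_weak_crypto", "").lower() == "true":
        findings.append("libdefaults: allow_weak_crypto = true re-enables RC4 and DES")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = [e for e in lib.get(key, "").split() if e.startswith(("arcfour", "rc4", "des"))]
        if weak:
            findings.append("libdefaults: %s allows weak enctype(s) %s" % (key, " ".join(weak)))
    try:
        ip = resolve(server_fqdn)
        ptr = reverse(ip)[0]
        if ptr.lower() != server_fqdn.lower():
            findings.append("dns: %s -> %s -> %s, reverse record does not match" % (server_fqdn, ip, ptr))
    except OSError as exc:
        findings.append("dns: lookup failed for %s: %s" % (server_fqdn, exc))
    return findings

# Constructed sample config, modelled on the ones posted in this thread.
SAMPLE_CONF = """
[libdefaults]
    default_realm = EXAMPLE.LOCAL
    dns_lookup_kdc = false
    allow_weak_crypto = true
    default_tkt_enctypes = arcfour-hmac-md5
    rdns = false
[realms]
    EXAMPLE.LOCAL = {
        # hypothetical domain controller
        kdc = dc1.example.local
        admin_server = dc1.example.local
    }
[domain_realm]
    .example.local = EXAMPLE.LOCAL
    example.local = EXAMPLE.LOCAL
"""

# Constructed DNS stand-ins so the check runs offline. 10.0.2.4 deliberately
# has a PTR that names a different host.
FAKE_A = {"mail.example.local": "10.0.2.3", "mail.example.org": "10.0.2.4"}
FAKE_PTR = {"10.0.2.3": "mail.example.local", "10.0.2.4": "mailhost.example.org"}

def fake_resolve(name):
    if name not in FAKE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_A[name]

def fake_reverse(ip):
    return FAKE_PTR[ip], [], [ip]

if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_CONF)
    for host in ("mail.example.local", "mail.example.org"):
        print(host, preflight(conf, host, fake_resolve, fake_reverse))
```

Two caveats on reading the output. The reverse-DNS check is about the server's name as Aki describes it; rdns = false in a client's krb5.conf only stops that client from canonicalising service names through PTR records, it does not remove the requirement on the server side. And a clean result from this script still says nothing about the keytab or clock skew, which are the two remaining checklist items.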
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Thanks for the reply. When you say it [NTLM] "should" work, I understand you to
be implying you've not actually tried NTLM yourself, right? I've never gotten a
response from someone saying they have or are actually using it. Your
subsequent messages about NTLM v[1|2] may be the problem, but email clients
I've tried (Outlook, Thunderbird) don't really give a choice.

That's OK, I'd be glad to try something different that would work!!! I am
trying your advice for gssapi. I've followed the instructions at
http://wiki2.dovecot.org/Authentication/Kerberos. In my 10-auth.conf I changed
the auth_mechanism line to:

auth_mechanisms = plain login gssapi

Which is only different from before with the addition of "gssapi". That's all
I've done. I'm using the same userdb as before which is /etc/passwd. My
doveconf -n is:

--SNIP
> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = , rip=192.168.0.99, lip=98.102.63.107, session=

So, any idea why this is not working? I'll say up-front that I do not have the
auth_krb5_keytab configured in 10-auth.conf. I could find no such file on the
host running Dovecot. Is that file needed? If so, I've got a message in to the
Samba4 folks asking where it is located.

I'm also using Dovecot 2.2.15. Too old?

Do you think auth_krb5_keytab is my problem or something deeper?

THX --Mark

-Original Message-
> Date: Sun, 26 Jun 2016 14:00:49 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org
> Subject: Re: Looking for NTLM config example
>
> It should work. Although if you are using linux server you might want to use
> gssapi instead.
>
> > On June 25, 2016 at 7:43 PM Mark Foley wrote:
> >
> >
> > I've asked this several times over the past year with essentially zero
> > responses. I'll keep it simple:
> >
> > Does NTLM authentication work in Dovecot?
> >
> > I'll post this one last time. If I still have no responses I'll have to
> > conclude that no one has actually tried this authentication method and it
> > therefore does not work.
> >
> > Thanks, --Mark
> >
> > -Original Message-
> > From: Mark Foley
> > Date: Fri, 22 Apr 2016 02:07:24 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: dovecot@dovecot.org
> > Subject: Looking for NTLM config example
> >
> > > Now that I am running Thunderbird on Linux and away from Windows/Outlook,
> > > I'd like to take another run at setting up NTLM authentication from
> > > Thunderbird to my Samba4 AC/DC.
> > >
> > > With the help of the samba maillist folks I was able to set up NTLM
> > > authentication for domain user login. I should be able to do the same for
> > > email!
> > >
> > > But, I need help. I went to
> > > http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got lost
> > > immediately. Are "authentication submethods" synonymous with "password
> > > schemes"? The 7th line down says, "NTLM password scheme is required for
> > > NTLM, NTLM2 and NTLMv2.", but in the referenced link I found no reference
> > > to "NTLM password scheme".
> > >
> > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
> > > http://wiki2.dovecot.org/Authentication/PasswordSchemes tell you what the
> > > 4 NTLM authentication submethods are, tell you what password schemes are,
> > > tell you what the NTLM client/server handshake is, but don't actually tell
> > > you how to configure dovecot config files. I'm much more interested in the
> > > "how to" than in: "NTLMv2: server and client nonce, MITM can't force
> > > downgrade" ... whatever that means.
> > >
> > > Anyway, probably it's my lack of understanding terminology. I don't even
> > > know what a "nonce" is. But, I learn well from examples! Can someone
> > > please give me a sample 10-auth.conf for NTLM and any other supporting
> > > settings or configs I need?
> > >
> > > My current/working dovecot settings, which have been running perfectly
> > > for well over a year now, are:
> > >
> > > $ dovecot -n
> > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > auth_debug_passwords = yes
> > > auth_mechanisms = plain login
> > > auth_verbose = yes
> > > auth_verbose_passwords = plain
> > > disable_plaintext_auth = no
> > > info_log_path = /var/log/dovecot_info
> > > mail_location = maildir:~/Maildir
> > > passdb {
> > >   driver = shadow
> > > }
> > > protocols = imap
> > > ssl_cert =
> > > ssl_key =
> > > userdb {
> > >   driver = passwd
> > > }
> > > verbose_ssl = yes
> > >
> > >
> > > Here's what I've