Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-07-01 Thread Mark Foley
Aki - comments interspersed below ...

--Mark

-Original Message-
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: dovecot@dovecot.org
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> Organization: Dovecot Oy
> Date: Fri, 1 Jul 2016 10:10:43 +0300
>
> The distinction is that kerberos principals are in form
>
> <service>/<hostname>@<REALM>
>
> the hostname bit *must* match to the host you are connecting to, exactly
> and verbatim. It can differ in case, I guess.
>
> The service is what service you are connecting to. These have special
> meanings and can be case sensitive (like http won't always work, it has
> to be HTTP).

The current IMAP "Principal" in my keytab is:

imap/mail.hprs.local@HPRS.LOCAL

Explicitly, are you saying it needs to look like:

IMAP/mail@HPRS.LOCAL

Meaning, capitalized "IMAP" and just hostname, no FQDN?

> host/ is always needed in at least system keytab. Not sure if it's
> needed now in the service tab. But I suspect that you need to have IMAP
> and not imap. Also make sure and double-check that the hostname is correct.

Confused.  What do you mean by "host/"? Can you give an example using my host and domain names?
I don't know where "host/" goes.  I assume this is not a synonym for "/"?

This is the first I've heard of a system keytab versus a service tab. What are they? Do I need both?

> Once you've done the keytab you'll want to grab a cup of coffee and
> local newspaper or something and read it thru before trying, because it
> might take some time for it to work.

Really? I can reboot this evening.

> Also, your client *and* host needs to be able to access KDC (all of
> them) on 88/tcp.

There should be no problem with the intra-LAN firewall. Everything is permitted, but I'll double-check on the WIN7 workstation I'm testing from.

Is there a way to know for sure my dovecot is enabled for gssapi?

> Aki
>
> On 01.07.2016 09:42, Mark Foley wrote:
> > My keytab now has:
> >
> > ktutil:  read_kt /etc/dovecot/dovecot.keytab
> > ktutil:  list
> > slot KVNO Principal
> > ---- ---- ---------------------------------------------------------------------
> >    1    1  smtp/mail.hprs.local@HPRS.LOCAL
> >    2    1  imap/mail.hprs.local@HPRS.LOCAL
> >
> > I added these in ktutil with:
> >
> > addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac
> >
> > Aki wrote:
> >
> >> I think the problem still is that your keytab file has no entry
> >> imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
> >> you also have no host/hostname@DOMAIN
> > Not sure how to interpret your template. Are you suggesting I should ...
> >
> > addent -password -p IMAP/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
> > addent -password -p imap/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
> >
> > (one IMAP uppercase and one lowercase?)
> >
> > I don't get your distinction between host and hostname in your 3rd example: 
> > host/hostname@DOMAIN
> >
> > Meanwhile ...
> >
> > Tried a bunch of things.  No go so far.  In fact, I'm questioning if gssapi 
> > is enabled in my
> > dovecot.  I did rebuild and reinstall using `./configure 
> > --with-gssapi=yes`, but if I only
> > enable gssapi authentication, I get "No authenticators available" (mail 
> > client).  How can I
> > verify gssapi is really available? dovecot --build-options shows:
> >
> > Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
> > Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
> > SQL drivers:
> > Passdb: checkpassword passwd passwd-file shadow
> > Userdb: checkpassword nss passwd prefetch passwd-file
> >
> > should I see authentication methods there?
> >
> > --Mark
> >
> > -Original Message-
> > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config 
> > example]
> > To: dovecot@dovecot.org
> > From: Aki Tuomi <aki.tu...@dovecot.fi>
> > Organization: Dovecot Oy
> > Date: Thu, 30 Jun 2016 09:58:14 +0300
> >
> > I think the problem still is that your keytab file has no entry
> > imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
> >
> > you also have no host/hostname@DOMAIN
> >
> > Aki
> >
> > On 29.06.2016 18:40, Mark Foley wrote:
> >> Yes, I think that's exactly correct. I just made a similar reply to Edgar 
> >> Pettijohn about that.
> >> The Thunderbird message is:
> >>
> >> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server 
> >> m

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-07-01 Thread Aki Tuomi
The distinction is that kerberos principals are in form

<service>/<hostname>@<REALM>

the hostname bit *must* match to the host you are connecting to, exactly
and verbatim. It can differ in case, I guess.

The service is what service you are connecting to. These have special
meanings and can be case sensitive (like http won't always work, it has
to be HTTP).

host/ is always needed in at least system keytab. Not sure if it's
needed now in the service tab. But I suspect that you need to have IMAP
and not imap. Also make sure and double-check that the hostname is correct.

Once you've done the keytab you'll want to grab a cup of coffee and
local newspaper or something and read it thru before trying, because it
might take some time for it to work.

Also, your client *and* host needs to be able to access KDC (all of
them) on 88/tcp.

Aki

On 01.07.2016 09:42, Mark Foley wrote:
> My keytab now has:
>
> ktutil:  read_kt /etc/dovecot/dovecot.keytab
> ktutil:  list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1  smtp/mail.hprs.local@HPRS.LOCAL
>    2    1  imap/mail.hprs.local@HPRS.LOCAL
>
> I added these in ktutil with:
>
> addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac
>
> Aki wrote:
>
>> I think the problem still is that your keytab file has no entry
>> imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
>> you also have no host/hostname@DOMAIN
> Not sure how to interpret your template. Are you suggesting I should ...
>
> addent -password -p IMAP/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
> addent -password -p imap/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
>
> (one IMAP uppercase and one lowercase?)
>
> I don't get your distinction between host and hostname in your 3rd example: 
> host/hostname@DOMAIN
>
> Meanwhile ...
>
> Tried a bunch of things.  No go so far.  In fact, I'm questioning if gssapi 
> is enabled in my
> dovecot.  I did rebuild and reinstall using `./configure --with-gssapi=yes`, 
> but if I only
> enable gssapi authentication, I get "No authenticators available" (mail 
> client).  How can I
> verify gssapi is really available? dovecot --build-options shows:
>
> Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
> Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
> SQL drivers:
> Passdb: checkpassword passwd passwd-file shadow
> Userdb: checkpassword nss passwd prefetch passwd-file
>
> should I see authentication methods there?
>
> --Mark
>
> -Original Message-
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: dovecot@dovecot.org
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> Organization: Dovecot Oy
> Date: Thu, 30 Jun 2016 09:58:14 +0300
>
> I think the problem still is that your keytab file has no entry
> imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
>
> you also have no host/hostname@DOMAIN
>
> Aki
>
> On 29.06.2016 18:40, Mark Foley wrote:
>> Yes, I think that's exactly correct. I just made a similar reply to Edgar 
>> Pettijohn about that.
>> The Thunderbird message is:
>>
>> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server 
>> m...@ohprs.org. Please check
>> that you are logged in to the Kerberos/GSSAPI realm."
>>
>> I made further comments in that message that I won't clutter the list by 
>> repeating here. Check
>> out that message and see what you think could be wrong.
>>
>> Thanks for your help! I'm sure this is solvable!
>>
>> --Mark
>>
>> -Original Message-
>>> Date: Wed, 29 Jun 2016 08:03:14 -0400
>>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config 
>>> example]
>>> From: brendan kearney <bpk...@gmail.com>
>>> To: Mark Foley <mfo...@ohprs.org>
>>> Cc: dovecot@dovecot.org
>>>
>>> The last log line shows "user=<>".  This indicates no credentials were
>>> presented.  If the rip field matches the client ip you tested from, I would
>>> bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not
>>> pulled for the authentication.
>>> On Jun 28, 2016 11:33 PM, "Mark Foley" <mfo...@ohprs.org> wrote:
>> [deleted]
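An added worked example, not code posted by Aki or anyone else on this thread, showing how to check a keytab against the requirements Aki lists above: an entry for the exact service name, the exact FQDN and the realm, plus a host/ entry. The script parses the MIT v2 keytab format (magic 0x0502), reports which of imap/, IMAP/ and host/ are missing for the given host and realm, reports entries that differ from a wanted principal only in letter case (the service component is compared case-sensitively, which is why Aki asks for both imap/ and IMAP/), and flags arcfour-hmac keys, which are the NT password hash and are deprecated. The sample keytab is constructed inside the script to mirror the two entries Mark listed; build_keytab exists only to produce that sample, real keytabs come from ktutil or ktpass. Host, realm and enctype come from the thread; the key bytes and timestamp are made up.

```python
import struct

# Enctype numbers from the IANA Kerberos registry; 23 is RC4-HMAC (arcfour-hmac)
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {23}  # RC4-HMAC keys are the NT password hash; deprecated by RFC 8429


def _cstr(b: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as an MIT v2 keytab (magic 0x0502).
    Only used here to construct sample input; real keytabs come from ktutil or ktpass."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        for comp in comps:
            body += _cstr(comp.encode())
        body += struct.pack(">I", 1)            # name_type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 1467356400)   # timestamp (fixed so the sample is reproducible)
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)         # optional 32-bit vno trailer
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes):
    """Yield {'principal', 'kvno', 'enctype'} for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT v2 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        pos += 8                          # name_type and timestamp, not needed here
        vno = data[pos]
        pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                   # skip the key material itself
        if end - pos >= 4:                # 32-bit vno present: it overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", data, pos)
        pos = end
        yield {"principal": "/".join(comps) + "@" + realm, "kvno": vno, "enctype": enctype}


def check_keytab(data, fqdn, realm, services=("imap", "IMAP", "host")):
    """Report required principals that are missing, present only in a different
    letter case, and entries using weak enctypes."""
    entries = list(parse_keytab(data))
    present = {e["principal"] for e in entries}
    by_lower = {p.lower(): p for p in present}
    report = {"missing": [], "case_mismatch": {}, "weak": []}
    for svc in services:
        want = f"{svc}/{fqdn}@{realm}"
        if want in present:
            continue
        if want.lower() in by_lower:
            report["case_mismatch"][want] = by_lower[want.lower()]
        else:
            report["missing"].append(want)
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            report["weak"].append((e["principal"], ENCTYPE_NAMES[e["enctype"]]))
    return report


# Constructed sample mirroring the two entries Mark listed (key bytes are made up).
SAMPLE_KEYTAB = build_keytab([
    ("smtp/mail.hprs.local@HPRS.LOCAL", 1, 23, bytes(range(16))),
    ("imap/mail.hprs.local@HPRS.LOCAL", 1, 23, bytes(range(16, 32))),
])

if __name__ == "__main__":
    for k, v in check_keytab(SAMPLE_KEYTAB, "mail.hprs.local", "HPRS.LOCAL").items():
        print(f"{k}: {v}")
```

Run against a real file with `check_keytab(open("/etc/dovecot/dovecot.keytab", "rb").read(), "mail.hprs.local", "HPRS.LOCAL")`; on the sample it reports host/ missing, IMAP/ present only as imap/, and both keys as arcfour-hmac. A keytab must be readable by the dovecot auth user and by nobody else, so keep it mode 0600 and owned accordingly when you copy it into place.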


Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-07-01 Thread Mark Foley
My keytab now has:

ktutil:  read_kt /etc/dovecot/dovecot.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1  smtp/mail.hprs.local@HPRS.LOCAL
   2    1  imap/mail.hprs.local@HPRS.LOCAL

I added these in ktutil with:

addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac

Aki wrote:

> I think the problem still is that your keytab file has no entry
> imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
> you also have no host/hostname@DOMAIN

Not sure how to interpret your template. Are you suggesting I should ...

addent -password -p IMAP/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
addent -password -p imap/mail@HPRS.LOCAL -k 1 -e arcfour-hmac

(one IMAP uppercase and one lowercase?)

I don't get your distinction between host and hostname in your 3rd example: 
host/hostname@DOMAIN

Meanwhile ...

Tried a bunch of things.  No go so far.  In fact, I'm questioning if gssapi is enabled in my dovecot.  I did rebuild and reinstall using `./configure --with-gssapi=yes`, but if I only enable gssapi authentication, I get "No authenticators available" (mail client).  How can I verify gssapi is really available? dovecot --build-options shows:

Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
SQL drivers:
Passdb: checkpassword passwd passwd-file shadow
Userdb: checkpassword nss passwd prefetch passwd-file

should I see authentication methods there?

--Mark

-Original Message-
Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
To: dovecot@dovecot.org
From: Aki Tuomi <aki.tu...@dovecot.fi>
Organization: Dovecot Oy
Date: Thu, 30 Jun 2016 09:58:14 +0300

I think the problem still is that your keytab file has no entry
imap/hostname@DOMAIN and IMAP/hostname@DOMAIN

you also have no host/hostname@DOMAIN

Aki

On 29.06.2016 18:40, Mark Foley wrote:
> Yes, I think that's exactly correct. I just made a similar reply to Edgar 
> Pettijohn about that.
> The Thunderbird message is:
>
> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server 
> m...@ohprs.org. Please check
> that you are logged in to the Kerberos/GSSAPI realm."
>
> I made further comments in that message that I won't clutter the list by 
> repeating here. Check
> out that message and see what you think could be wrong.
>
> Thanks for your help! I'm sure this is solvable!
>
> --Mark
>
> -Original Message-----
>> Date: Wed, 29 Jun 2016 08:03:14 -0400
>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>> From: brendan kearney <bpk...@gmail.com>
>> To: Mark Foley <mfo...@ohprs.org>
>> Cc: dovecot@dovecot.org
>>
>> The last log line shows "user=<>".  This indicates no credentials were
>> presented.  If the rip field matches the client ip you tested from, I would
>> bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not
>> pulled for the authentication.
>> On Jun 28, 2016 11:33 PM, "Mark Foley" <mfo...@ohprs.org> wrote:
> [deleted]


Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-30 Thread Aki Tuomi
I think the problem still is that your keytab file has no entry
imap/hostname@DOMAIN and IMAP/hostname@DOMAIN

you also have no host/hostname@DOMAIN

Aki

On 29.06.2016 18:40, Mark Foley wrote:
> Yes, I think that's exactly correct. I just made a similar reply to Edgar 
> Pettijohn about that.
> The Thunderbird message is:
>
> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server 
> m...@ohprs.org. Please check
> that you are logged in to the Kerberos/GSSAPI realm."
>
> I made further comments in that message that I won't clutter the list by 
> repeating here. Check
> out that message and see what you think could be wrong.
>
> Thanks for your help! I'm sure this is solvable!
>
> --Mark
>
> -Original Message-
>> Date: Wed, 29 Jun 2016 08:03:14 -0400
>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>> From: brendan kearney <bpk...@gmail.com>
>> To: Mark Foley <mfo...@ohprs.org>
>> Cc: dovecot@dovecot.org
>>
>> The last log line shows "user=<>".  This indicates no credentials were
>> presented.  If the rip field matches the client ip you tested from, I would
>> bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not
>> pulled for the authentication.
>> On Jun 28, 2016 11:33 PM, "Mark Foley" <mfo...@ohprs.org> wrote:
> [deleted]


Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-29 Thread Edgar Pettijohn


> On Jun 29, 2016, at 10:32 AM, Mark Foley <mfo...@ohprs.org> wrote:
> 
>> On Tue, 28 Jun 2016 22:52:25 -0500 Edgar Pettijohn <ed...@pettijohn-web.com> 
>> wrote:
>> 
>> What does thunderbird tell you?
> 
> Good question.  I saw Tbird's message after sending my last email.  When 
> Tbird starts I get a
> message box in the lower right saying:
> 
> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server 
> m...@ohprs.org. Please check
> that you are logged in to the Kerberos/GSSAPI realm."
> 
> The interesting bit, to me, is that the IMAP server's hostname is not 
> m...@ohprs.org. It should
> be mail.ohprs.org, or I would rather expect it to be mail.hprs.local using 
> the actual local
> domain/realm name, not the public FQDN. I'm suspecting there is something 
> wrong with the
> kerberos config.
> 
> To further confuse.  There *is* a WIN7 workstation 'mark' in the domain, 
> though not the
> workstation from which this testing is being done (this workstation is named 
> 'common') and host
> 'mark' is not reachable as m...@ohprs.org.  Furthermore, the Thunderbird 
> account/user for this
> testing is also 'mark', not to be confused with the host 'mark' (though I 
> think that's exactly
> what's being confused). 
> 
> Where is this m...@ohprs.org coming from? The Thunderbird Account Name is 
> m...@ohprs.org, which
> is this user's email address.
> 
> Perhaps Thunderbird simply has a badly worded error message and didn't really 
> mean "IMAP server
> m...@ohprs.org", or perhaps kerberos is not configured correctly.  My 
> /etc/krb5.conf is shown
> below.  Any ideas on what might be wrong?
It's doubtful it's a thunderbird issue unless you've given it bad information. 
Unfortunately I don't use ldap or gssapi so I'm afraid I can't offer much help. 


> 
>>>>> [libdefaults]
>>>>> default_realm = HPRS.LOCAL
>>>>> dns_lookup_realm = false
>>>>> dns_lookup_kdc = true
>>>>> 
>>>>> [libdefaults]
>>>>> default_realm = HPRS.LOCAL
>>>>> dns_lookup_kdc = true
>>>>> kdc_timesync = 1
>>>>> ccache_type = 4
>>>>> forwardable = true
>>>>> proxiable = true
>>>>> fcc-mit-ticketflags = true
>>>>> 
>>>>> [realms]
>>>>> HPRS.LOCAL = {
>>>>>   default_domain = hprs.local
>>>>>   auth_to_local_names = {
>>>>>   Administrator = root
>>>>> }
>>>>> }
>>>>> 
>>>>> [domain_realm]
>>>>>   hprs.local = HPRS.LOCAL
>>>>> # this is not a mistake
>>>>>   .hprs.local = HPRS.LOCAL
> 
> Thanks, --Mark
> 
> -Original Message-
>> From: Edgar Pettijohn <ed...@pettijohn-web.com>
>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>> Date: Tue, 28 Jun 2016 22:52:25 -0500
>> To: Mark Foley <mfo...@ohprs.org>
>> 
>> 
>> 
>>> On Jun 28, 2016, at 10:32 PM, Mark Foley <mfo...@ohprs.org> wrote:
>>> 
>>> Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, 
>>> and restarted. Now I
>>> don't get that "Unknown authentication mechanism 'gssapi'" message in 
>>> maillog, and mail is
>>> delivered successfully to the other domain users having PLAIN 
>>> authentication. That's a big
>>> step. In examining my original config.log output I apparently did not have 
>>> --with-gssapi enabled.
>>> 
>>> HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still 
>>> cannot correctly
>>> authenticate and retrieve mail. Here is the dovecot log for that host:
>> What does thunderbird tell you?
>> 
>> 
>>> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be 
>>> used for ECDH and ECDHE key exchanges
>>> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be 
>>> used for ECDH and ECDHE key exchanges
>>> Jun 28 22:44:05 auth: Debug: Loading modules from directory: 
>>> /usr/local/lib/dovecot/auth
>>> Jun 28 22:44:05 auth: Debug: Read auth token secret from 
>>> /usr/local/var/run/dovecot/auth-token-secret.dat
>>> Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept 
>>> initialization [192.168.0.58]
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept 

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-29 Thread Mark Foley
Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that. The Thunderbird message is:

"The Kerberos/GSSAPI ticket was not accepted by the IMAP server m...@ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."

I made further comments in that message that I won't clutter the list by repeating here. Check out that message and see what you think could be wrong.

Thanks for your help! I'm sure this is solvable!

--Mark

-Original Message-
> Date: Wed, 29 Jun 2016 08:03:14 -0400
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> From: brendan kearney <bpk...@gmail.com>
> To: Mark Foley <mfo...@ohprs.org>
> Cc: dovecot@dovecot.org
>
> The last log line shows "user=<>".  This indicates no credentials were
> presented.  If the rip field matches the client ip you tested from, I would
> bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not
> pulled for the authentication.
> On Jun 28, 2016 11:33 PM, "Mark Foley" <mfo...@ohprs.org> wrote:

[deleted]


Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-29 Thread Mark Foley
On Tue, 28 Jun 2016 22:52:25 -0500 Edgar Pettijohn <ed...@pettijohn-web.com> 
wrote:

> What does thunderbird tell you?

Good question.  I saw Tbird's message after sending my last email.  When Tbird starts I get a message box in the lower right saying:

"The Kerberos/GSSAPI ticket was not accepted by the IMAP server m...@ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."

The interesting bit, to me, is that the IMAP server's hostname is not m...@ohprs.org. It should be mail.ohprs.org, or I would rather expect it to be mail.hprs.local using the actual local domain/realm name, not the public FQDN. I'm suspecting there is something wrong with the kerberos config.

To further confuse.  There *is* a WIN7 workstation 'mark' in the domain, though not the workstation from which this testing is being done (this workstation is named 'common') and host 'mark' is not reachable as m...@ohprs.org.  Furthermore, the Thunderbird account/user for this testing is also 'mark', not to be confused with the host 'mark' (though I think that's exactly what's being confused). 

Where is this m...@ohprs.org coming from? The Thunderbird Account Name is m...@ohprs.org, which is this user's email address.

Perhaps Thunderbird simply has a badly worded error message and didn't really mean "IMAP server m...@ohprs.org", or perhaps kerberos is not configured correctly.  My /etc/krb5.conf is shown below.  Any ideas on what might be wrong?

> >>> [libdefaults]
> >>>   default_realm = HPRS.LOCAL
> >>>   dns_lookup_realm = false
> >>>   dns_lookup_kdc = true
> >>> 
> >>> [libdefaults]
> >>>   default_realm = HPRS.LOCAL
> >>>   dns_lookup_kdc = true
> >>>   kdc_timesync = 1
> >>>   ccache_type = 4
> >>>   forwardable = true
> >>>   proxiable = true
> >>>   fcc-mit-ticketflags = true
> >>> 
> >>> [realms]
> >>>   HPRS.LOCAL = {
> >>>     default_domain = hprs.local
> >>>     auth_to_local_names = {
> >>>       Administrator = root
> >>>     }
> >>>   }
> >>> 
> >>> [domain_realm]
> >>>   hprs.local = HPRS.LOCAL
> >>> # this is not a mistake
> >>>   .hprs.local = HPRS.LOCAL

Thanks, --Mark

-Original Message-
> From: Edgar Pettijohn <ed...@pettijohn-web.com>
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> Date: Tue, 28 Jun 2016 22:52:25 -0500
> To: Mark Foley <mfo...@ohprs.org>
>
>
>
> > On Jun 28, 2016, at 10:32 PM, Mark Foley <mfo...@ohprs.org> wrote:
> > 
> > Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, 
> > and restarted. Now I
> > don't get that "Unknown authentication mechanism 'gssapi'" message in 
> > maillog, and mail is
> > delivered successfully to the other domain users having PLAIN 
> > authentication. That's a big
> > step. In examining my original config.log output I apparently did not have 
> > --with-gssapi enabled.
> > 
> > HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still 
> > cannot correctly
> > authenticate and retrieve mail. Here is the dovecot log for that host:
> > 
> What does thunderbird tell you?
>
>
> > Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be 
> > used for ECDH and ECDHE key exchanges
> > Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be 
> > used for ECDH and ECDHE key exchanges
> > Jun 28 22:44:05 auth: Debug: Loading modules from directory: 
> > /usr/local/lib/dovecot/auth
> > Jun 28 22:44:05 auth: Debug: Read auth token secret from 
> > /usr/local/var/run/dovecot/auth-token-secret.dat
> > Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept 
> > initialization [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept 
> > initialization [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read 
> > client hello A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
> > client hello A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
> > server hello A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
> > certificate A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
> > key exchange A [192.168.0.58]
>
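An added example, not posted by anyone in this thread, that works through what the [domain_realm] section in the krb5.conf above decides on the client side of Mark's question. A GSSAPI IMAP client asks its KDC for a service ticket named after the server hostname it was configured with, and picks the realm for that name through [domain_realm]: libkrb5 tries the exact hostname first, then each parent domain with a leading dot (the reason the config carries both hprs.local and .hprs.local), and with dns_lookup_realm = false it ends up on default_realm. Whatever principal that produces is the one the server keytab has to hold. The krb5.conf below is a constructed copy of the quoted one with the duplicated [libdefaults] block collapsed; the lookup is a simplification that does not model the DNS TXT query libkrb5 makes when dns_lookup_realm is true, and it assumes libkrb5's default of lowercasing the hostname.

```python
# Constructed krb5.conf modelled on the one quoted above, with the duplicated
# [libdefaults] block collapsed into one. Sample input for this example only.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = HPRS.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    HPRS.LOCAL = {
        default_domain = hprs.local
        auth_to_local_names = {
            Administrator = root
        }
    }

[domain_realm]
    hprs.local = HPRS.LOCAL
# this is not a mistake
    .hprs.local = HPRS.LOCAL
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: records top-level 'key = value' pairs per section.
    Brace-nested blocks (as under [realms]) are tracked only so they can be skipped."""
    conf, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth == 0 and section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[section][key] = value
    return conf


def realm_for_host(conf, hostname):
    """Resolve a server hostname to a realm the way libkrb5's [domain_realm] lookup does:
    exact hostname first, then each parent domain with a leading dot. Without a match
    and with dns_lookup_realm = false the default_realm is used. The DNS TXT lookup
    libkrb5 performs when dns_lookup_realm is true is not modelled here."""
    host = hostname.lower().rstrip(".")          # libkrb5 lowercases by default
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host], "exact"
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent], parent
    libdefaults = conf.get("libdefaults", {})
    if libdefaults.get("dns_lookup_realm", "false").lower() == "true":
        return None, "dns"                       # would need a _kerberos TXT lookup
    return libdefaults.get("default_realm"), "default_realm"


def imap_service_principal(conf, imap_server):
    """The service principal a GSSAPI IMAP client will request a ticket for.
    The server's keytab has to hold exactly this name (service, host and realm)."""
    realm, _how = realm_for_host(conf, imap_server)
    return f"imap/{imap_server.lower()}@{realm}" if realm else None


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for server in ("mail.hprs.local", "mail.ohprs.org"):
        realm, how = realm_for_host(conf, server)
        print(f"{server}: realm {realm} (via {how}); client asks for {imap_service_principal(conf, server)}")
```

The point of running both names is that a client configured with the public name asks for imap/mail.ohprs.org@HPRS.LOCAL, while a client configured with the internal name asks for imap/mail.hprs.local@HPRS.LOCAL; a keytab that holds only one of them can serve only the clients configured with that hostname.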

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-29 Thread brendan kearney
The last log line shows "user=<>".  This indicates no credentials were
presented.  If the rip field matches the client ip you tested from, I would
bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not
pulled for the authentication.
On Jun 28, 2016 11:33 PM, "Mark Foley" <mfo...@ohprs.org> wrote:

> Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi,
> and restarted. Now I
> don't get that "Unknown authentication mechanism 'gssapi'" message in
> maillog, and mail is
> delivered successfully to the other domain users having PLAIN
> authentication. That's a big
> step. In examining my original config.log output I apparently did not have
> --with-gssapi enabled.
>
> HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still
> cannot correctly
> authenticate and retrieve mail. Here is the dovecot log for that host:
>
> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be
> used for ECDH and ECDHE key exchanges
> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be
> used for ECDH and ECDHE key exchanges
> Jun 28 22:44:05 auth: Debug: Loading modules from directory:
> /usr/local/lib/dovecot/auth
> Jun 28 22:44:05 auth: Debug: Read auth token secret from
> /usr/local/var/run/dovecot/auth-token-secret.dat
> Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept
> initialization [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept
> initialization [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3
> read client hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read
> client hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
> server hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
> certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
> key exchange A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
> server done A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush
> data [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read
> client certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read
> client certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read
> client key exchange A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read
> certificate verify A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read
> finished A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
> session ticket A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
> change cipher spec A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
> finished A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush
> data [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation
> finished successfully [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL
> negotiation finished successfully [192.168.0.58]
> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6
> secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS,
> session=
>
> Does this tell you anything? `doveconf -n` and krb5.conf are configured as
> shown in previous
> messages below.
>
> Closer! --Mark
>
> -Original Message-
> From: Mark Foley <mfo...@ohprs.org>
> Date: Tue, 28 Jun 2016 22:04:42 -0400
> To: dovecot@dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config
> example]
>
> Aki, you wrote:
>
> > Doh. Seems your dovecot isn't compiled with gssapi support? Can you
> compile it yourself?
> >
> > I'll try to check status of NTLM this week.
>
> I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.
>
> I do have the Dovecot sources and will peruse the possible options after I
> send this.  I am on
> version 2.2.15 and I see that the current downloadable version is 2.2.24.
> Should I upgrade? Do
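An added example, not from brendan's or anyone else's message, that turns his reading of that last log line into a small classifier. Dovecot's imap-login lines share one shape, so a parser over them can separate a client that closed the connection without ever sending AUTHENTICATE (Disconnected (no auth attempts ...) with user=<>, which points at the client having no usable service ticket to present) from a GSSAPI token the server actually received and rejected (Disconnected (auth failed ...) with method=GSSAPI) and from a successful Login. The four log lines below are constructed for the example in Dovecot 2.2 format, with documentation-range addresses and made-up session ids; they are not the lines quoted in the thread.

```python
import re

# Constructed Dovecot 2.2 imap-login lines for this example (documentation-range
# addresses, made-up session ids). They are not the lines quoted in the thread.
SAMPLE_LOG = """\
Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.0.2.58, lip=198.51.100.10, TLS, session=<a1b2c3>
Jun 28 22:45:02 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<mark>, method=GSSAPI, rip=192.0.2.58, lip=198.51.100.10, TLS, session=<d4e5f6>
Jun 28 22:46:10 imap-login: Info: Login: user=<mark>, method=GSSAPI, rip=192.0.2.58, lip=198.51.100.10, mpid=24101, TLS, session=<g7h8i9>
Jun 28 22:47:30 imap-login: Info: Disconnected (auth failed, 3 attempts in 10 secs): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.10, TLS, session=<j0k1l2>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) imap-login: Info: "
    r"(?P<event>Login|Disconnected \((?P<reason>[^)]*)\)): (?P<fields>.*)$"
)


def parse_login_line(line):
    """Split one imap-login line into its event, disconnect reason and key=value fields.
    Angle brackets around values are stripped, so user=<> becomes an empty string."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"),
           "event": m.group("event").split(" ", 1)[0],
           "reason": m.group("reason")}
    for part in m.group("fields").split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            rec[key] = value.strip("<>")
        else:
            rec[part] = True                 # bare flags such as TLS
    return rec


def classify(rec):
    """Turn a parsed record into a diagnosis. An empty user with 'no auth attempts'
    means the client closed the connection without ever sending AUTHENTICATE, so the
    server never saw a GSSAPI token; that is a client-side ticket problem, not a rejection."""
    if rec["event"] == "Login":
        return "ok"
    reason = rec["reason"] or ""
    if reason.startswith("no auth attempts"):
        return "client-never-authenticated"
    if reason.startswith("auth failed"):
        return "gssapi-rejected-by-server" if rec.get("method") == "GSSAPI" else "password-auth-failed"
    return "other"


def summarize(log_text):
    """Count (diagnosis, remote ip) pairs over a log excerpt."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_login_line(line)
        if rec is not None:
            key = (classify(rec), rec.get("rip"))
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (diagnosis, rip), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{rip:>15}  {diagnosis:<28} {n}")
```

Feed it the real maillog (`summarize(open("/var/log/maillog").read())`) and filter on the rip of the test workstation: a run of client-never-authenticated entries means the keytab and Dovecot were never consulted and the place to look is the client's ticket cache (klist on the workstation), whereas gssapi-rejected-by-server entries mean a token arrived and the server-side keytab or principal name is what to check.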

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-28 Thread Edgar Pettijohn


> On Jun 28, 2016, at 10:32 PM, Mark Foley <mfo...@ohprs.org> wrote:
> 
> Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and 
> restarted. Now I
> don't get that "Unknown authentication mechanism 'gssapi'" message in 
> maillog, and mail is
> delivered successfully to the other domain users having PLAIN authentication. 
> That's a big
> step. In examining my original config.log output I apparently did not have 
> --with-gssapi enabled.
> 
> HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still 
> cannot correctly
> authenticate and retrieve mail. Here is the dovecot log for that host:
> 
What does thunderbird tell you?


> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
> for ECDH and ECDHE key exchanges
> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
> for ECDH and ECDHE key exchanges
> Jun 28 22:44:05 auth: Debug: Loading modules from directory: 
> /usr/local/lib/dovecot/auth
> Jun 28 22:44:05 auth: Debug: Read auth token secret from 
> /usr/local/var/run/dovecot/auth-token-secret.dat
> Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept 
> initialization [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept 
> initialization [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read 
> client hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
> client hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
> server hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
> certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key 
> exchange A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
> server done A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data 
> [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read 
> client certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read 
> client certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
> client key exchange A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
> certificate verify A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
> finished A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
> session ticket A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
> change cipher spec A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
> finished A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data 
> [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation 
> finished successfully [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation 
> finished successfully [192.168.0.58]
> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): 
> user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, session=
> 
> Does this tell you anything? `doveconf -n` and krb5.conf are configured as 
> shown in previous
> messages below.
> 
> Closer! --Mark
> 
> -Original Message-
> From: Mark Foley <mfo...@ohprs.org>
> Date: Tue, 28 Jun 2016 22:04:42 -0400
> To: dovecot@dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> 
> Aki, you wrote:
> 
>> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile 
>> it yourself?
>> 
>> I'll try to check status of NTLM this week.
> 
> I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.
> 
> I do have the Dovecot sources and will peruse the possible options after I 
> send this.  I am on
> version 2.2.15 and I see that the current downloadable version is 2.2.24.  
> Should I upgrade? Do
> you think that would help? (a perusal of the changes since 2.2.15 shows 
> nothing obvious
> related to gssapi)
> 
> --Mark
> 
> -Original Message-
>> Date: Tue, 28 Jun

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-28 Thread Mark Foley
Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and 
restarted. Now I
don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, 
and mail is
delivered successfully to the other domain users having PLAIN authentication. 
That's a big
step. In examining my original config.log output I apparently did not have 
--with-gssapi enabled.

HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still 
cannot correctly
authenticate and retrieve mail. Here is the dovecot log for that host:

Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
for ECDH and ECDHE key exchanges
Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
for ECDH and ECDHE key exchanges
Jun 28 22:44:05 auth: Debug: Loading modules from directory: 
/usr/local/lib/dovecot/auth
Jun 28 22:44:05 auth: Debug: Read auth token secret from 
/usr/local/var/run/dovecot/auth-token-secret.dat
Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept 
initialization [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept 
initialization [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read 
client hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client 
hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server 
hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key 
exchange A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server 
done A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data 
[192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client 
certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client 
certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client 
key exchange A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
certificate verify A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
finished A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
session ticket A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change 
cipher spec A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
finished A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data 
[192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation 
finished successfully [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation 
finished successfully [192.168.0.58]
Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): 
user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, session=

Does this tell you anything? `doveconf -n` and krb5.conf are configured as 
shown in previous
messages below.

Closer! --Mark

-Original Message-
From: Mark Foley <mfo...@ohprs.org>
Date: Tue, 28 Jun 2016 22:04:42 -0400
To: dovecot@dovecot.org
Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]

Aki, you wrote:

> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile 
> it yourself?
>
> I'll try to check status of NTLM this week.

I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.

I do have the Dovecot sources and will peruse the possible options after I send 
this.  I am on
version 2.2.15 and I see that the current downloadable version is 2.2.24.  
Should I upgrade? Do
you think that would help? (a perusal of the changes since 2.2.15 shows nothing 
obvious
related to gssapi)

--Mark

-Original Message-
> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> > On June 28, 2016 at 5:17 PM Mark Foley <mfo...@ohprs.org> wrote:
> > 
> > 
> > Aki - made your suggested changes, but no joy :(
> > 
> > My /etc/krb5.conf:
> > 
> > --SNIP
> > [libdefaults]
> >   default_realm = HPRS.LOCAL
> >   dns_lookup_realm = false
> >   dns_lookup_kdc = true
> > 
> > [libdefaults]
> >   default_realm = 
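
Two different failures show up in this message: the earlier `auth: Fatal: Unknown authentication mechanism 'gssapi'` together with `service(auth): command startup failed` (the auth process never starts, so every login stalls, which is why the PLAIN users were affected as well), and the session in the log above, where TLS completes and Dovecot then logs `Disconnected (no auth attempts in 6 secs)` (the client never sent an AUTHENTICATE command, so the server-side GSSAPI code never ran). The following is an added example, not Dovecot code and not from the thread, that tells the two apart from log lines. The sample lines are constructed from the ones posted here, with session ids omitted; the finding codes are my own.

```python
"""Added example (not Dovecot code): triage Dovecot login-failure log lines
into 'auth service is down' versus 'client never tried to authenticate'."""
import re

# Matches both "Jun 28 22:44:11 imap-login: Info: ..." (dovecot info log)
# and "Jun 28 09:43:37 mail dovecot: auth: Fatal: ..." (syslog).
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(?:\S+\s+dovecot:\s+)?"
    r"([\w-]+):\s+(Debug|Info|Warning|Error|Fatal|Panic):\s+(.*)$")
# The remote IP is logged either as "rip=1.2.3.4" or as a trailing "[1.2.3.4]".
IP_RE = re.compile(r"\brip=([\w.:]+)|\[([\w.:]+)\]\s*$")


def parse_line(line):
    """Return (process, level, message) or None for a line that is not Dovecot's."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def triage(lines):
    """Return [(CODE, detail), ...] describing what the log shows.

    AUTH_SERVICE_DOWN    the auth process is not starting; every login stalls
    MECHANISM_NOT_BUILT  the Fatal names a mechanism this build does not have
    NO_AUTH_ATTEMPT      a client connected (and finished TLS) but never sent
                         an AUTHENTICATE command
    """
    fatal, startup_failed, auth_not_ready = None, False, 0
    tls_done, no_attempt = set(), {}
    for parsed in map(parse_line, lines):
        if parsed is None:
            continue
        proc, level, msg = parsed
        m = IP_RE.search(msg)
        ip = (m.group(1) or m.group(2)) if m else None
        if proc == "auth" and level == "Fatal":
            fatal = msg
        elif proc == "master" and "service(auth): command startup failed" in msg:
            startup_failed = True
        elif proc == "imap-login" and ("Auth process not responding" in msg
                                       or "Auth process broken" in msg):
            auth_not_ready += 1
        elif proc == "imap-login" and "SSL negotiation finished successfully" in msg:
            tls_done.add(ip)
        elif proc == "imap-login" and "no auth attempts" in msg:
            no_attempt[ip] = ip in tls_done   # remember whether TLS had finished
    findings = []
    if fatal or startup_failed or auth_not_ready:
        findings.append(("AUTH_SERVICE_DOWN",
                         fatal or "auth service not ready for %d login(s)" % auth_not_ready))
        m = re.search(r"Unknown authentication mechanism '([^']+)'", fatal or "")
        if m:
            findings.append(("MECHANISM_NOT_BUILT", m.group(1)))
    for ip, after_tls in sorted(no_attempt.items(), key=str):
        suffix = " (after a successful TLS handshake)" if after_tls else ""
        findings.append(("NO_AUTH_ATTEMPT", "%s%s" % (ip, suffix)))
    return findings


# Constructed from the maillog lines posted in this thread (session ids omitted).
LOG_AUTH_DOWN = [
    "Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, "
    "delayed sending initial response (greeting): user=<>, rip=192.168.0.54, "
    "lip=192.168.0.2, session=",
    "Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi'",
    "Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, "
    "throttling for 60 secs",
]
# Constructed from the dovecot_info lines posted above for the Thunderbird host.
LOG_NO_ATTEMPT = [
    "Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A "
    "[192.168.0.58]",
    "Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished "
    "successfully [192.168.0.58]",
    "Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]",
    "Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, "
    "rip=192.168.0.58, lip=98.102.63.107, TLS, session=",
]

if __name__ == "__main__":
    for name, log in (("auth down", LOG_AUTH_DOWN), ("no attempt", LOG_NO_ATTEMPT)):
        print(name, "->", triage(log))
```

On a real box, `triage(open("/var/log/maillog").read().splitlines())` does the same over the live log. A MECHANISM_NOT_BUILT finding points at the build, not the configuration (`dovecot --build-options` lists what was compiled in); a NO_AUTH_ATTEMPT after a clean TLS handshake means the thing to look at is the client side and the service ticket it is asking for, since Dovecot's auth process was never exercised.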

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-28 Thread Mark Foley
Aki, you wrote:

> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile 
> it yourself?
>
> I'll try to check status of NTLM this week.

I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.

I do have the Dovecot sources and will peruse the possible options after I send 
this.  I am on
version 2.2.15 and I see that the current downloadable version is 2.2.24.  
Should I upgrade? Do
you think that would help? (a perusal of the changes since 2.2.15 shows nothing 
obvious
related to gssapi)

--Mark

-Original Message-
> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> > On June 28, 2016 at 5:17 PM Mark Foley <mfo...@ohprs.org> wrote:
> > 
> > 
> > Aki - made your suggested changes, but no joy :(
> > 
> > My /etc/krb5.conf:
> > 
> > --SNIP
> > [libdefaults]
> >   default_realm = HPRS.LOCAL
> >   dns_lookup_realm = false
> >   dns_lookup_kdc = true
> > 
> > [libdefaults]
> >   default_realm = HPRS.LOCAL
> >   dns_lookup_kdc = true
> >   kdc_timesync = 1
> >   ccache_type = 4
> >   forwardable = true
> >   proxiable = true
> >   fcc-mit-ticketflags = true
> > 
> > [realms]
> >   HPRS.LOCAL = {
> > default_domain = hprs.local
> > auth_to_local_names = {
> > Administrator = root
> >   }
> > }
> > 
> > [domain_realm]
> > hprs.local = HPRS.LOCAL
> > # this is not a mistake
> > .hprs.local = HPRS.LOCAL
> > --PINS---
> > 
> > you wrote:
> > > You can remove the krb4_ stuff
> > 
> > I've removed the krb4_ stuff from the [libdefaults] and eliminated the [login] 
> > section altogether.
> > Question on [realms]Administrator: should that really be root or should it 
> > be my AD Administrator?
> > 
> > my doveconf -n is exactly the same as posted below, but in particular:
> > 
> > auth_krb5_keytab = /etc/krb5.keytab
> > auth_mechanisms = plain login gssapi
> > 
> > When I reloaded dovecot no mail was delivered to anyone (even though 
> > everyone was still using
> > plain/ssl, no one yet configured for gssapi).
> > 
> > In /var/log/maillog I got (repeatedly):
> > 
> > Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not 
> > responding, delayed sending initial response (greeting): user=<>, 
> > rip=192.168.0.54, lip=192.168.0.2, session=
> > Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 
> > 'gssapi'
> > Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup 
> > failed, throttling for 60 secs
> > Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not 
> > responding, delayed sending initial response (greeting): user=<>, 
> > rip=166.170.27.161, lip=98.102.63.107, TLS, session=
> > 
> > This looks pretty bad right off. Why "Unknown authentication mechanism 
> > 'gssapi'"?
> > 
> > Do you have any idea from the configs I've posted? I'm rather depressed 
> > about this. I thought I'd
> > finally be able to get AD authentication going for Dovecot. Not ready to give 
> > up though!
> > 
> > Suggestions?
> > 
> > THX -- Mark
> > 
> > -original Message-
> > > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config 
> > > example]
> > > To: dovecot@dovecot.org
> > > From: Aki Tuomi <aki.tu...@dovecot.fi>
> > > Date: Tue, 28 Jun 2016 15:13:11 +0300
> > >
> > > On 28.06.2016 09:27, Mark Foley wrote:
> > > > Aki,
> > > >
> > > > To review your 5 points:
> > > >
> > > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tu...@dovecot.fi> 
> > > > wrote:
> > > >
> > > >> 1. Functional AD or Kerberos environment
> > > >> 2. Time synced against your KDC (which is your Domain Controller on 
> > > >> Windows)
> > > >> 3. /etc/krb5.conf configured
> > > >> 4. Both forward / reverse DNS names correct for clients and servers.
> > > >> Reverse is only mandatory for servers, but having them right will work
> > > >> wonders. Most kerberos problems are about DNS problems.
> > > >> 5. You need a keytab. This keytab needs to hold entries like
> > > >> IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You 

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-28 Thread aki . tuomi

> On June 28, 2016 at 5:17 PM Mark Foley <mfo...@ohprs.org> wrote:
> 
> 
> Aki - made your suggested changes, but no joy :(
> 
> My /etc/krb5.conf:
> 
> --SNIP
> [libdefaults]
>   default_realm = HPRS.LOCAL
>   dns_lookup_realm = false
>   dns_lookup_kdc = true
> 
> [libdefaults]
>   default_realm = HPRS.LOCAL
>   dns_lookup_kdc = true
>   kdc_timesync = 1
>   ccache_type = 4
>   forwardable = true
>   proxiable = true
>   fcc-mit-ticketflags = true
> 
> [realms]
>   HPRS.LOCAL = {
> default_domain = hprs.local
> auth_to_local_names = {
> Administrator = root
>   }
> }
> 
> [domain_realm]
> hprs.local = HPRS.LOCAL
> # this is not a mistake
> .hprs.local = HPRS.LOCAL
> --PINS---
> 
> you wrote:
> > You can remove the krb4_ stuff
> 
> I've removed the krb4_ stuff from the [libdefaults] and eliminated the [login] 
> section altogether.
> Question on [realms]Administrator: should that really be root or should it be 
> my AD Administrator?
> 
> my doveconf -n is exactly the same as posted below, but in particular:
> 
> auth_krb5_keytab = /etc/krb5.keytab
> auth_mechanisms = plain login gssapi
> 
> When I reloaded dovecot no mail was delivered to anyone (even though everyone 
> was still using
> plain/ssl, no one yet configured for gssapi).
> 
> In /var/log/maillog I got (repeatedly):
> 
> Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not 
> responding, delayed sending initial response (greeting): user=<>, 
> rip=192.168.0.54, lip=192.168.0.2, session=
> Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 
> 'gssapi'
> Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup 
> failed, throttling for 60 secs
> Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not 
> responding, delayed sending initial response (greeting): user=<>, 
> rip=166.170.27.161, lip=98.102.63.107, TLS, session=
> 
> This looks pretty bad right off. Why "Unknown authentication mechanism 
> 'gssapi'"?
> 
> Do you have any idea from the configs I've posted? I'm rather depressed about 
> this. I thought I'd
> finally be able to get AD authentication going for Dovecot. Not ready to give up 
> though!
> 
> Suggestions?
> 
> THX -- Mark
> 
> -original Message-
> > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config 
> > example]
> > To: dovecot@dovecot.org
> > From: Aki Tuomi <aki.tu...@dovecot.fi>
> > Date: Tue, 28 Jun 2016 15:13:11 +0300
> >
> > On 28.06.2016 09:27, Mark Foley wrote:
> > > Aki,
> > >
> > > To review your 5 points:
> > >
> > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tu...@dovecot.fi> wrote:
> > >
> > >> 1. Functional AD or Kerberos environment
> > >> 2. Time synced against your KDC (which is your Domain Controller on 
> > >> Windows)
> > >> 3. /etc/krb5.conf configured
> > >> 4. Both forward / reverse DNS names correct for clients and servers.
> > >> Reverse is only mandatory for servers, but having them right will work
> > >> wonders. Most kerberos problems are about DNS problems.
> > >> 5. You need a keytab. This keytab needs to hold entries like
> > >> IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You can generate
> > >> these on any Windows DC server (at least).
> > > I believe I am good on 1,2 and 4.  I downloaded and installed kerberos 
> > > and tested it with kinit
> > > and klist according to the instructions at
> > > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> > >
> > > As to the keytab (#5) I did the following:
> > >
> > > $ samba-tool domain exportkeytab /etc/krb5.keytab
> > >
> > > which created the file.  I made this owned and readable by group dovecot, 
> > > per instructions at
> > > http://wiki2.dovecot.org/Authentication/Kerberos.  Running `klist -k 
> > > /etc/krb5.keytab` shows me
> > > configuration listing all the users and computers in the domain, mostly 
> > > in triplicate.  A
> > > partial list:
> > >
> > > Keytab name: FILE:/etc/krb5.keytab
> > > KVNO Principal
> > >  
> > > --
> > >18 COMMON$@HPRS.LOCAL
> > >18 COMMON$@HPRS.LOCAL
> > >18 COMMON$@HPRS.LOCAL
> > > 1 MAIL$@HPRS.LOCAL

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-28 Thread Mark Foley
Aki - made your suggested changes, but no joy :(

My /etc/krb5.conf:

--SNIP
[libdefaults]
  default_realm = HPRS.LOCAL
  dns_lookup_realm = false
  dns_lookup_kdc = true

[libdefaults]
  default_realm = HPRS.LOCAL
  dns_lookup_kdc = true
  kdc_timesync = 1
  ccache_type = 4
  forwardable = true
  proxiable = true
  fcc-mit-ticketflags = true

[realms]
  HPRS.LOCAL = {
default_domain = hprs.local
auth_to_local_names = {
Administrator = root
  }
}

[domain_realm]
hprs.local = HPRS.LOCAL
# this is not a mistake
.hprs.local = HPRS.LOCAL
--PINS---

you wrote:
> You can remove the krb4_ stuff

I've removed the krb4_ stuff from the [libdefaults] and eliminated the [login] 
section altogether.
Question on [realms]Administrator: should that really be root or should it be 
my AD Administrator?

my doveconf -n is exactly the same as posted below, but in particular:

auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi

When I reloaded dovecot no mail was delivered to anyone (even though everyone 
was still using
plain/ssl, no one yet configured for gssapi).

In /var/log/maillog I got (repeatedly):

Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, 
delayed sending initial response (greeting): user=<>, rip=192.168.0.54, 
lip=192.168.0.2, session=
Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 
'gssapi'
Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup 
failed, throttling for 60 secs
Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, 
delayed sending initial response (greeting): user=<>, rip=166.170.27.161, 
lip=98.102.63.107, TLS, session=

This looks pretty bad right off. Why "Unknown authentication mechanism 
'gssapi'"?

Do you have any idea from the configs I've posted? I'm rather depressed about 
this. I thought I'd
finally be able to get AD authentication going for Dovecot. Not ready to give up 
though!

Suggestions?

THX -- Mark

-original Message-
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: dovecot@dovecot.org
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> Date: Tue, 28 Jun 2016 15:13:11 +0300
>
> On 28.06.2016 09:27, Mark Foley wrote:
> > Aki,
> >
> > To review your 5 points:
> >
> > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tu...@dovecot.fi> wrote:
> >
> >> 1. Functional AD or Kerberos environment
> >> 2. Time synced against your KDC (which is your Domain Controller on 
> >> Windows)
> >> 3. /etc/krb5.conf configured
> >> 4. Both forward / reverse DNS names correct for clients and servers.
> >> Reverse is only mandatory for servers, but having them right will work
> >> wonders. Most kerberos problems are about DNS problems.
> >> 5. You need a keytab. This keytab needs to hold entries like
> >> IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You can generate
> >> these on any Windows DC server (at least).
> > I believe I am good on 1,2 and 4.  I downloaded and installed kerberos and 
> > tested it with kinit
> > and klist according to the instructions at
> > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> >
> > As to the keytab (#5) I did the following:
> >
> > $ samba-tool domain exportkeytab /etc/krb5.keytab
> >
> > which created the file.  I made this owned and readable by group dovecot, 
> > per instructions at
> > http://wiki2.dovecot.org/Authentication/Kerberos.  Running `klist -k 
> > /etc/krb5.keytab` shows me
> > configuration listing all the users and computers in the domain, mostly in 
> > triplicate.  A
> > partial list:
> >
> > Keytab name: FILE:/etc/krb5.keytab
> > KVNO Principal
> >  
> > --
> >18 COMMON$@HPRS.LOCAL
> >18 COMMON$@HPRS.LOCAL
> >18 COMMON$@HPRS.LOCAL
> > 1 MAIL$@HPRS.LOCAL
> > 1 MAIL$@HPRS.LOCAL
> > 1 MAIL$@HPRS.LOCAL
> > 1 charmaine@HPRS.LOCAL
> > 1 charmaine@HPRS.LOCAL
> > 1 charmaine@HPRS.LOCAL
> >
> > where COMMON and MAIL are hosts and charmaine is a user. I don't really 
> > understand the listing,
> > but am assuming it is OK.
>
> Strange that you do not have any host/ entries. Maybe it works without.
>
> >> setspn -q is helpful here, also setspn command in general.
> > I have no such command in my system. Is that a Windows thing?
> >
>
> Yes, but you can do those kind of things in Samba too.
>
> > As to the /etc/krb5.conf, the default one generated by s
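
The krb5.conf posted in this message carries two [libdefaults] sections, and Aki's earlier advice was to drop the krb4_ lines from his sample. The following is an added example, not from the thread and not Dovecot or MIT Kerberos code: a small parser for the krb5.conf relation syntax plus checks for the points raised in this exchange (a section appearing twice, krb4_* leftovers, a [realms] block for the default realm, a kdc = entry when dns_lookup_kdc is off, and [domain_realm] mappings for both the domain and its subdomains). The sample config is constructed from the one posted here, with one krb4_config line kept in to exercise that check; the finding codes are my own.

```python
"""Added example (not from the thread, Dovecot or MIT Kerberos): lint a
krb5.conf for the points raised here. Finding codes are my own."""
import re

SECTION_RE = re.compile(r"^\s*\[([A-Za-z_]+)\]\s*$")
RELATION_RE = re.compile(r"^\s*([^=\s#]+)\s*=\s*(.*?)\s*$")


def parse_krb5_conf(text):
    """Return (sections, duplicate_section_names).

    sections maps a section name to [(key, value), ...]. Keys inside brace
    blocks are flattened as 'OUTER.key', so a realm's kdc line becomes
    'HPRS.LOCAL.kdc'. Text after '#' is a comment.
    """
    sections, duplicates, current, stack = {}, [], None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            if current in sections:
                duplicates.append(current)   # e.g. a second [libdefaults]
            sections.setdefault(current, [])
            stack = []
            continue
        if current is None:
            continue
        if line.strip() == "}":
            stack = stack[:-1]               # leaving a brace block
            continue
        m = RELATION_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if value == "{":
            stack.append(key)                # entering REALM = { ... }
            continue
        sections[current].append((".".join(stack + [key]), value))
    return sections, duplicates


def lint_krb5_conf(text):
    """Return [(CODE, message), ...] for the given krb5.conf text."""
    sections, duplicates = parse_krb5_conf(text)
    findings = [("DUP_SECTION", "section [%s] appears more than once" % n)
                for n in duplicates]
    for sec, rels in sections.items():
        for key, _ in rels:
            if key.rsplit(".", 1)[-1].startswith("krb4_"):
                findings.append(("KRB4_LEFTOVER", "[%s] %s is a Kerberos 4 setting" % (sec, key)))
    libdefaults = dict(sections.get("libdefaults", []))
    realm = libdefaults.get("default_realm")
    if not realm:
        findings.append(("NO_DEFAULT_REALM", "[libdefaults] has no default_realm"))
        return findings
    realms = dict(sections.get("realms", []))
    if not any(k.startswith(realm + ".") for k in realms):
        findings.append(("NO_REALMS_BLOCK", "[realms] has no block for %s" % realm))
    dns_kdc = libdefaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1")
    if not dns_kdc and realm + ".kdc" not in realms:
        findings.append(("NO_KDC", "dns_lookup_kdc is off and %s has no kdc =" % realm))
    domain_realm = dict(sections.get("domain_realm", []))
    domain = realms.get(realm + ".default_domain", realm.lower())
    for key in (domain, "." + domain):       # the domain and its subdomains
        if domain_realm.get(key) != realm:
            findings.append(("NO_DOMAIN_REALM", "[domain_realm] lacks '%s = %s'" % (key, realm)))
    return findings


# Constructed sample modelled on the config posted in this message; the second
# [libdefaults] block and one krb4_ line are kept in to exercise the checks.
SAMPLE_CONF = """\
[libdefaults]
  default_realm = HPRS.LOCAL
  dns_lookup_realm = false
  dns_lookup_kdc = true
[libdefaults]
  default_realm = HPRS.LOCAL
  krb4_config = /etc/krb.conf
[realms]
  HPRS.LOCAL = {
    default_domain = hprs.local
    auth_to_local_names = {
      Administrator = root
    }
  }
[domain_realm]
  hprs.local = HPRS.LOCAL
  # this is not a mistake
  .hprs.local = HPRS.LOCAL
"""

if __name__ == "__main__":
    for code, message in lint_krb5_conf(SAMPLE_CONF):
        print(code, message)
```

`lint_krb5_conf(open("/etc/krb5.conf").read())` runs the same checks on the live file. The NO_REALMS_BLOCK and NO_DOMAIN_REALM findings are hints rather than errors: with dns_lookup_kdc left on, the library can find the KDC through DNS, but the sample config in this thread spells both out, which takes DNS out of the picture while debugging.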

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-28 Thread Aki Tuomi



On 28.06.2016 09:27, Mark Foley wrote:
> Aki,
>
> To review your 5 points:
>
> On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi  wrote:
>
>> 1. Functional AD or Kerberos environment
>> 2. Time synced against your KDC (which is your Domain Controller on Windows)
>> 3. /etc/krb5.conf configured
>> 4. Both forward / reverse DNS names correct for clients and servers.
>> Reverse is only mandatory for servers, but having them right will work
>> wonders. Most kerberos problems are about DNS problems.
>> 5. You need a keytab. This keytab needs to hold entries like
>> IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You can generate
>> these on any Windows DC server (at least).
>
> I believe I am good on 1,2 and 4.  I downloaded and installed kerberos and
> tested it with kinit and klist according to the instructions at
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
>
> As to the keytab (#5) I did the following:
>
> $ samba-tool domain exportkeytab /etc/krb5.keytab
>
> which created the file.  I made this owned and readable by group dovecot, per
> instructions at http://wiki2.dovecot.org/Authentication/Kerberos.  Running
> `klist -k /etc/krb5.keytab` shows me configuration listing all the users and
> computers in the domain, mostly in triplicate.  A partial list:
>
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
>  --
>    18 COMMON$@HPRS.LOCAL
>    18 COMMON$@HPRS.LOCAL
>    18 COMMON$@HPRS.LOCAL
>     1 MAIL$@HPRS.LOCAL
>     1 MAIL$@HPRS.LOCAL
>     1 MAIL$@HPRS.LOCAL
>     1 charmaine@HPRS.LOCAL
>     1 charmaine@HPRS.LOCAL
>     1 charmaine@HPRS.LOCAL
>
> where COMMON and MAIL are hosts and charmaine is a user. I don't really
> understand the listing, but am assuming it is OK.

Strange that you do not have any host/ entries. Maybe it works without.

>> setspn -q is helpful here, also setspn command in general.
>
> I have no such command in my system. Is that a Windows thing?

Yes, but you can do those kind of things in Samba too.

> As to the /etc/krb5.conf, the default one generated by samba is:
>
> [libdefaults]
>  default_realm = HPRS.LOCAL
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>
> I'd like to modify that to your suggestions, but I need more help. You have
> (with my questions):
>
>> Here is a *SAMPLE* configuration:
>>
>> [libdefaults]
>>  default_realm = YOUR.REALM
>>  dns_lookup_kdc = true
>>  krb4_config = /etc/krb.conf
>>  krb4_realms = /etc/krb.realms
>
> Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I
> rather have:

You can remove the krb4_ stuff

> krb5_config = /etc/krb5.conf
>
> Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in
> there?

You don't necessarily require that.

>>  kdc_timesync = 1
>>  ccache_type = 4
>>  forwardable = true
>>  proxiable = true
>>  fcc-mit-ticketflags = true
>>
>> [realms]
>>  YOUR.REALM = {
>>  default_domain = your.domain.name
>>  auth_to_local_names = {
>>  Administrator = root
>>  }
>>  }
>
> I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my
> FQDN for my AD server: mail.hprs.local, or is it just hprs.local? (or something
> else!)

HPRS.LOCAL is your REALM, hprs.local is your domain name.

>> [domain_realm]
>>    your.domain.name = YOUR.REALM
>> # this is not a mistake
>>    .your.domain.name = YOUR.REALM
>> [login]
>>  krb4_convert = true
>>  krb4_get_tickets = false
>
> Likewise here a question on the whole krb4 versus krb5 thing.
>
> Your closing comment:
>
>> Also, note that kerberos can only act as AUTHENTICATION system. It
>> cannot act as USER DATABASE. For that you need to configure LDAP or
>> something else. With Active Directory LDAP is probably a damn good idea.
>
> I have the following doveconf -n:
>
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_krb5_keytab = /etc/krb5.keytab
> auth_mechanisms = plain login gssapi
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>    driver = shadow
> }
> protocols = imap
> ssl_cert = 

passwd driver is fine, yes, if you ensure that users can be found.

Aki
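
The keytab listing above holds machine accounts (the `$` names) and user principals but no imap/ or host/ service principals, which is what point 5 of the checklist and the remark about host/ entries are about. As an added example, not part of the thread and not Dovecot or Samba code, here is a check that parses `klist -k` output and reports whether service/FQDN@REALM entries exist for the services you expect (imap and host by default; smtp can be added for the Postfix case Jan described). The listings are constructed: the first mirrors the one posted, the second is a hypothetical keytab after the service principals were added. Matching on service and host name is case-insensitive because the thread shows both IMAP/ and imap/ spellings; the exact spellings found are returned so you can see what the KDC actually issued.

```python
"""Added example (not Dovecot or Samba code): check a `klist -k` listing
for the service principals a GSSAPI IMAP login needs."""
import re

# Entry lines look like "   18 COMMON$@HPRS.LOCAL" or, with `klist -ke`,
# "   2 imap/mail.hprs.local@HPRS.LOCAL (aes256-cts-hmac-sha1-96)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)")


def parse_klist(text):
    """Return [(kvno, principal), ...] from `klist -k` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and "@" in m.group(2):          # skips the header and rule lines
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def split_principal(principal):
    """'imap/mail.hprs.local@HPRS.LOCAL' -> ('imap', 'mail.hprs.local', 'HPRS.LOCAL').

    A principal without an instance (MAIL$@REALM, user@REALM) returns
    service=None so callers can tell it apart from a service principal.
    """
    name, _, realm = principal.rpartition("@")
    service, _, instance = name.partition("/")
    if not instance:
        return None, name, realm
    return service, instance, realm


def check_keytab(klist_text, fqdn, realm, services=("imap", "host")):
    """Report which service/FQDN@REALM principals the listing contains."""
    entries = parse_klist(klist_text)
    report = {"found": {}, "missing": [], "wrong_realm": [],
              "service_principals": sorted({p for _, p in entries if "/" in p})}
    for svc in services:
        hits = []
        for kvno, principal in entries:
            s, inst, r = split_principal(principal)
            if s is None or s.lower() != svc.lower() or inst.lower() != fqdn.lower():
                continue
            if r != realm:                   # right name, issued by another realm
                report["wrong_realm"].append(principal)
                continue
            hits.append((kvno, principal))
        if hits:
            report["found"][svc] = hits      # one entry per enctype is normal
        else:
            report["missing"].append("%s/%s@%s" % (svc, fqdn, realm))
    return report


# Constructed listing mirroring the one posted above (machine and user keys only).
POSTED_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
"""
# Hypothetical listing after service principals were added (constructed).
FIXED_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 MAIL$@HPRS.LOCAL
   2 imap/mail.hprs.local@HPRS.LOCAL
   2 imap/mail.hprs.local@HPRS.LOCAL
   2 IMAP/mail.hprs.local@HPRS.LOCAL
   2 host/mail.hprs.local@HPRS.LOCAL
"""

if __name__ == "__main__":
    for listing in (POSTED_LISTING, FIXED_LISTING):
        r = check_keytab(listing, "mail.hprs.local", "HPRS.LOCAL")
        print("missing:", r["missing"], "| found:", sorted(r["found"]))
```

Against the real file, `check_keytab(subprocess.check_output(["klist", "-k", "/etc/krb5.keytab"], text=True), "mail.hprs.local", "HPRS.LOCAL")` gives the same report; the `fqdn` argument must be the name the client resolves for the IMAP server, since that is the instance the client will request a ticket for.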


Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-28 Thread Mark Foley
Aki,

To review your 5 points:

On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi  wrote:

> 1. Functional AD or Kerberos environment
> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> 3. /etc/krb5.conf configured
> 4. Both forward / reverse DNS names correct for clients and servers.
> Reverse is only mandatory for servers, but having them right will work
> wonders. Most kerberos problems are about DNS problems.
> 5. You need a keytab. This keytab needs to hold entries like
> IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You can generate
> these on any Windows DC server (at least).

I believe I am good on 1,2 and 4.  I downloaded and installed kerberos and 
tested it with kinit
and klist according to the instructions at
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

As to the keytab (#5) I did the following:

$ samba-tool domain exportkeytab /etc/krb5.keytab

which created the file.  I made this owned and readable by group dovecot, per 
instructions at
http://wiki2.dovecot.org/Authentication/Kerberos.  Running `klist -k 
/etc/krb5.keytab` shows me
configuration listing all the users and computers in the domain, mostly in 
triplicate.  A
partial list:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
 --
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL

where COMMON and MAIL are hosts and charmaine is a user. I don't really 
understand the listing,
but am assuming it is OK.

> setspn -q is helpful here, also setspn command in general.

I have no such command in my system. Is that a Windows thing?


As to the /etc/krb5.conf, the default one generated by samba is:

[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

I'd like to modify that to your suggestions, but I need more help. You have 
(with my questions):

> Here is a *SAMPLE* configuration:
>
> [libdefaults]
> default_realm = YOUR.REALM
> dns_lookup_kdc = true
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms

Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I 
rather have:

krb5_config = /etc/krb5.conf

Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in 
there?

> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> fcc-mit-ticketflags = true
>
> [realms]
> YOUR.REALM = {
> default_domain = your.domain.name
> auth_to_local_names = {
> Administrator = root
> }
> }

I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my 
FQDN for my AD
server: mail.hprs.local, or is it just hprs.local? (or something else!)

> [domain_realm]
>   your.domain.name = YOUR.REALM
> # this is not a mistake
>   .your.domain.name = YOUR.REALM
> [login]
> krb4_convert = true
> krb4_get_tickets = false

Likewise here a question on the whole krb4 versus krb5 thing.

Your closing comment:

> Also, note that kerberos can only act as AUTHENTICATION system. It
> cannot act as USER DATABASE. For that you need to configure LDAP or
> something else. With Active Directory LDAP is probably a damn good idea.

I have the following doveconf -n:

# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = 

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-27 Thread Mark Foley
aki.tu...@dovecot.fi wrote:

> As mentioned before, you can use ldap as userdb instead of static userdb. 
> Username matching in AD environment should be done against userPrincipalName 
> attribute.

Do you see any problem with my continuing to use:

userdb {
driver = passwd
}

... with gssapi? (providing I get other configs correct)

--Mark

-Original Message-
> Date: Tue, 28 Jun 2016 00:19:45 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> > On June 28, 2016 at 12:02 AM Jan Jurkus <j.jur...@gcecad-service.nl> wrote:
> > 
> > 
> > Hi,
> > 
> > I'm not entirely happy with the static userdb, because of the 
> > limitations with kerberos/pam, but this can of course be changed rather 
> > easily. The hardest part is to get the SSO working.
> > One of the limitations is stated here: 
> > http://wiki.dovecot.org/UserDatabase/Static
> > 
> > Postfix SMTP auth is using LMTP, reading from my notes.
> > 
> > I hope you can get a clearer picture with this rather long and chaotic 
> > reply.
> > 
>
> As mentioned before, you can use ldap as userdb instead of static userdb. 
> Username matching in AD environment should be done against userPrincipalName 
> attribute.
>
> This should let you get rid of pam as well.
>
> ---
> Aki Tuomi 
> Dovecot oy 
>
> > -- 
> > Jan Jurkus | ICT Beheerder | GCE cad-service B.V.
> > Postbus 12, 3220 AA Hellevoetsluis
> > Daltonweg 9, 3225 LR Hellevoetsluis
> > tel: 0181-336955 | fax: 0181-311899
> > j.jur...@gcecad-service.nl | www.gcecad-service.nl


Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-27 Thread Mark Foley
Jan, thanks for your helpful reply. You wrote:

> With Dovecot I got the SSO working with Kerberos, and this part is 
> working great. Other parts (shared mailboxes, that sort of stuff) aren't 
> working for me yet. ...

I'm the opposite. My mailbox setup has been working great for a year and a 
half, though I've
not bothered with shared mailboxes yet.

I've attempted to follow your instructions, but still having problems. First, 
my errors:

Jun 28 01:04:49 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
for ECDH and ECDHE key exchanges
Jun 28 01:04:49 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
for ECDH and ECDHE key exchanges
Jun 28 01:04:49 auth: Debug: Loading modules from directory: 
/usr/local/lib/dovecot/auth
Jun 28 01:04:49 auth: Debug: Loading modules from directory: 
/usr/local/lib/dovecot/auth
Jun 28 01:04:49 imap-login: Info: Disconnected: Auth process broken 
(disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, 
lip=98.102.63.107, session=

Now, your instructions:

> One of the tricky bits is you need a kerberos keytab with two services. 
> I used ktutil:
> # ktutil
>ktutil: read_kt mail-imap.keytab
>ktutil: read_kt mail-smtp.keytab
>ktutil: write_kt mail.keytab
>ktutil: quit
>
> I'm using a windows 2003 r2 server as domain controller, to create a 
> keytab file you need the windows 2003 support tools.
>
> ktpass.exe -princ imap/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL 
> -mapuser GCECAD-SERVICE\mail-imap -crypto RC4-HMAC-NT -pass koeltje234 
> -ptype KRB5_NT_PRINCIPAL -out mail-imap.keytab
>
> ktpass.exe -princ smtp/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL 
> -mapuser GCECAD-SERVICE\mail-smtp -crypto RC4-HMAC-NT -pass koeltje234 
> -ptype KRB5_NT_PRINCIPAL -out mail-smtp.keytab

I ran ktutil, but the commands "read_kt mail-imap.keytab" and "read_kt 
mail-smtp.keytab" 
returned: No such file or directory while reading keytab "mail-imap.keytab"

Perhaps your subsequent ktpass commands are meant to create those. I do not 
have a ktpass
command. I therefore do not have these files. I suppose that could be part of 
my problem. Can
you share the actual contents of these files? I could create them by hand. Do Dovecot
and/or kerberos know where to look for these?

> On the dovecot server I had to install a kerberos package:

Likewise, I installed kerberos for slackware. It tested OK. I was able to do a 
kinit and klist
per the instruction at 
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

> My kerberos configuration:
> # vi /etc/krb5.conf
> [logging]
>   default = FILE:/var/log/krb5libs.log
>   kdc = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log

I added the [logging] section.  Of note, these log files do not exist after multiple
attempts with my gssapi connection.  Probably a bad sign.

> [libdefaults]
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   ticket_lifetime = 24h
>   renew_lifetime = 7d
>   forwardable = true
>   rdns = false
>   default_realm = GCECAD-SERVICE.LOCAL
>   default_keytab_file = /etc/krb5.keytab
>   default_ccache_name = KEYRING:persistent:%{uid}
>   allow_weak_crypto = true
>   default_tkt_enctypes = arcfour-hmac-md5
>   default_tgs_enctypes = arcfour-hmac-md5
>   permitted_enctypes = arcfour-hmac-md5
 
I added all these as well, changing your GCECAD-SERVICE.LOCAL to my HPRS.LOCAL

> [appdefaults]
>   pam = {
>debug = false
>ticket_lifetime = 24h
>renew_lifetime = 7d
>forwardable = true
>krb4_convert = false
>   }

I also added this [appdefaults] section.

>
> [realms]
>   GCECAD-SERVICE.LOCAL = {
>kdc = this.is.the.dns.name.of.your.kdc
>admin_server = this.is.the.dns.name.of.your.kdc
>   }

I tried with and without this section. Not sure what 
this.is.the.dns.name.of.your.kdc is
supposed to be. I changed mine to the domain FQDN of the server:

[realms]
  HPRS.LOCAL = {
kdc = mail.hprs.local
admin_server = mail.hprs.local
  }

>
> [domain_realm]
>   .gcecad-service.local = GCECAD-SERVICE.LOCAL
>   gcecad-service.local = GCECAD-SERVICE.LOCAL
>   .gcecad-service.nl = GCECAD-SERVICE.LOCAL
>   gcecad-service.nl = GCECAD-SERVICE.LOCAL
>

I also tried with and without this section. Again, not sure what should go there. I tried:

[domain_realm]
  .hprs.local = HPRS.LOCAL
  hprs.local = HPRS.LOCAL
  .hprs.nl = HPRS.LOCAL
  hprs.nl = HPRS.LOCAL

I'm a bit skeptical on the above as .nl is your public top-level domain.

In fact, after adding these sections I got no error logged in dovecot_log, but did get a message pop up on Thunderbird saying, "Could not connect to mail server m...@ohprs.org; the connection was refused."

> Dovecot config, the needed parts:
> In /etc/dovecot/conf.d/10-auth.conf :
> auth_krb5_keytab = /etc/dovecot/mail.keytab
> auth_mechanisms = plain gssapi

I added those.

> In /etc/dovecot/conf.d/auth-system.conf.ext :
> passdb {
>driver = 

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-27 Thread aki . tuomi

> On June 28, 2016 at 12:02 AM Jan Jurkus  wrote:
> 
> 
> Hi,
> 
> I'm not entirely happy with the static userdb, because of the 
> limitations with kerberos/pam, but this can of course be changed rather 
> easily. The hardest part is to get the SSO working.
> One of the limitations is stated here: 
> http://wiki.dovecot.org/UserDatabase/Static
> 
> Postfix SMTP auth is using LMTP, reading from my notes.
> 
> I hope you can get a clearer picture with this rather long and chaotic 
> reply.
> 

As mentioned before, you can use ldap as userdb instead of static userdb. 
Username matching in AD environment should be done against userPrincipalName 
attribute.

This should let you get rid of pam as well.

---
Aki Tuomi 
Dovecot oy 

> -- 
> Jan Jurkus | ICT Beheerder | GCE cad-service B.V.
> Postbus 12, 3220 AA Hellevoetsluis
> Daltonweg 9, 3225 LR Hellevoetsluis
> tel: 0181-336955 | fax: 0181-311899
> j.jur...@gcecad-service.nl | www.gcecad-service.nl


Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-27 Thread Jan Jurkus
Hi,

On 27-06-2016 08:58, Mark Foley wrote:

> So, I'm apparently lacking in the kerberos stuff. Here's the problem -- Samba4 uses Heimdal
> Kerberos and when I provisioned my domain apparently none of these needed kerberos files were
> set up. I can, however, kerberos authenticate from domain workstations both WIN7 and Linux.

You don't need any Samba4 stuff, to get it working. Samba is great, but 
can be hard to get right. I tend to steer clear of Samba when I don't 
really need it.

My first experience was with an OTRS helpdesk install, and trying to get 
it to do SSO. I was helped a great deal by wireshark, and this website: 
http://www.grolmsnet.de/kerbtut/

On a sidenote: mod_auth_kerb is rather ancient, in computer-terms. You'd 
be better off with mod_auth_gssapi.
In the case of Dovecot we are not using Apache, of course.

With Dovecot I got the SSO working with Kerberos, and this part is 
working great. Other parts (shared mailboxes, that sort of stuff) aren't 
working for me yet. This is my own fault, not a dovecot one, haven't 
looked into it enough. Anyway, the SSO is working great.

One of the tricky bits is you need a kerberos keytab with two services. 
I used ktutil:
# ktutil
   ktutil: read_kt mail-imap.keytab
   ktutil: read_kt mail-smtp.keytab
   ktutil: write_kt mail.keytab
   ktutil: quit

I'm using a windows 2003 r2 server as domain controller, to create a 
keytab file you need the windows 2003 support tools.

ktpass.exe -princ imap/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL 
-mapuser GCECAD-SERVICE\mail-imap -crypto RC4-HMAC-NT -pass koeltje234 
-ptype KRB5_NT_PRINCIPAL -out mail-imap.keytab

ktpass.exe -princ smtp/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL 
-mapuser GCECAD-SERVICE\mail-smtp -crypto RC4-HMAC-NT -pass koeltje234 
-ptype KRB5_NT_PRINCIPAL -out mail-smtp.keytab

Most instructions on the internet do not quite work out that well. 
RC4-HMAC-NT crypto is needed if you still have Windows XP machines. It 
should work with a newer crypto but have not tested that.
FYI: Kerberos service names (imap, smtp) are sometimes capitalised, 
mostly when using HTTP. Great, isn't it?

On the dovecot server I had to install a kerberos package:
# yum install krb5-workstation
(I am using CentOS7, but it should not be too hard to translate this to 
your own distro)

My kerberos configuration:
# vi /etc/krb5.conf
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
  rdns = false
  default_realm = GCECAD-SERVICE.LOCAL
  default_keytab_file = /etc/krb5.keytab
  default_ccache_name = KEYRING:persistent:%{uid}
  allow_weak_crypto = true
  default_tkt_enctypes = arcfour-hmac-md5
  default_tgs_enctypes = arcfour-hmac-md5
  permitted_enctypes = arcfour-hmac-md5

[appdefaults]
  pam = {
   debug = false
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
   krb4_convert = false
  }

[realms]
  GCECAD-SERVICE.LOCAL = {
   kdc = this.is.the.dns.name.of.your.kdc
   admin_server = this.is.the.dns.name.of.your.kdc
  }

[domain_realm]
  .gcecad-service.local = GCECAD-SERVICE.LOCAL
  gcecad-service.local = GCECAD-SERVICE.LOCAL
  .gcecad-service.nl = GCECAD-SERVICE.LOCAL
  gcecad-service.nl = GCECAD-SERVICE.LOCAL


Dovecot config, the needed parts:
In /etc/dovecot/conf.d/10-auth.conf :
auth_krb5_keytab = /etc/dovecot/mail.keytab
auth_mechanisms = plain gssapi

In /etc/dovecot/conf.d/auth-system.conf.ext :
passdb {
   driver = pam
}
userdb {
   driver = static
   args = uid=2000 gid=2000 home=/var/vmail/%Ln allow_all_users=yes
}

In /etc/pam.d/dovecot :
#%PAM-1.0
auth       sufficient   pam_krb5.so no_user_check validate
account    sufficient   pam_permit.so

I'm not entirely happy with the static userdb, because of the 
limitations with kerberos/pam, but this can of course be changed rather 
easily. The hardest part is to get the SSO working.
One of the limitations is stated here: 
http://wiki.dovecot.org/UserDatabase/Static

Postfix SMTP auth is using LMTP, reading from my notes.

I hope you can get a clearer picture with this rather long and chaotic 
reply.

-- 
Jan Jurkus | ICT Beheerder | GCE cad-service B.V.
Postbus 12, 3220 AA Hellevoetsluis
Daltonweg 9, 3225 LR Hellevoetsluis
tel: 0181-336955 | fax: 0181-311899
j.jur...@gcecad-service.nl | www.gcecad-service.nl


Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-27 Thread Mark Foley
Aki, again, thanks A LOT for your reply. Concerning your checklist:

> 1. Functional AD or Kerberos environment

Check!

> 2. Time synced against your KDC (which is your Domain Controller on Windows)

Check! (needed for AD/DC anyway)

> 3. /etc/krb5.conf configured

NO

> 4. Both forward / reverse DNS names correct for clients and servers.

> Reverse is only mandatory for servers, but having them right will work
> wonders. Most kerberos problems are about DNS problems.

Check!

> 5. You need a keytab. This keytab needs to hold entries like
> IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You can generate
> these on any Windows DC server (at least).

NO

So, I'm apparently lacking in the kerberos stuff. Here's the problem -- Samba4 uses Heimdal
Kerberos and when I provisioned my domain apparently none of these needed kerberos files were
set up. I can, however, kerberos authenticate from domain workstations both WIN7 and Linux.

I will (and have already) contacted the Samba list to see what needs to be done.

I'll post back what I find.

Maybe I can finally get to the bottom of this problem.

Thanks again -- Mark

-Original Message
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: dovecot@dovecot.org
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> Organization: Dovecot Oy
> Date: Mon, 27 Jun 2016 09:18:54 +0300
>
> On 27.06.2016 07:31, Mark Foley wrote:
> > Thanks for the reply.  When you say it [NTLM] "should" work, I understand 
> > you to be implying
> > you've not actually tried NTLM yourself, right? I've never gotten a 
> > response from someone
> > saying they have or are actually using it. Your subsequent messages about 
> > NTLM v[1|2] may be
> > the problem, but email clients I've tried (Outlook, Thunderbird) don't 
> > really give a choice.
> >
> > That's OK, I'd be glad to try something different that would work!!! I am 
> > trying your advice
> > for gssapi.  I've followed the instructions at
> > http://wiki2.dovecot.org/Authentication/Kerberos.  In my 10-auth.conf I 
> > changed the
> > auth_mechanism line to:
> >
> > auth_mechanisms = plain login gssapi
> >
> > Which is only different from before with the addition of "gssapi".  That's 
> > all I've done.  I'm
> > using the same userdb as before which is /etc/passwd.  My doveconf -n is:
> >
> > --SNIP
> >> doveconf -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = plain login gssapi
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > passdb {
> >   driver = shadow
> > }
> > protocols = imap
> > ssl_cert = 
> >  > ssl_key =  > userdb {
> >   driver = passwd
> > }
> > verbose_ssl = yes
> > PINS-
> >
> > I attempted to connect from Thunderbird on Ubuntu 15.10 to Dovecot on a 
> > Slackware 14.1 AD/DC. I
> > selected "Kerberos/GSSAPI" as the authentication method on Tbird. When 
> > trying the connection I
> > got the following in my Dovecot log:
> >
> > Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be 
> > used for ECDH and ECDHE key exchanges
> > Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be 
> > used for ECDH and ECDHE key exchanges
> > Jun 27 00:04:54 auth: Debug: Loading modules from directory: 
> > /usr/local/lib/dovecot/auth
> > Jun 27 00:04:54 auth: Debug: Loading modules from directory: 
> > /usr/local/lib/dovecot/auth
> > Jun 27 00:04:54 imap-login: Info: Disconnected: Auth process broken 
> > (disconnected before auth was ready, waited 0 secs): user=<>, 
> > rip=192.168.0.99, lip=98.102.63.107, session=
> >
> > So, any idea why this is not working? I'll say up-front that I do not have 
> > the auth_krb5_keytab
> > configured in 10-auth.conf. I could find no such file on the host running 
> > Dovecot. Is that file
> > needed? If so, I've got a message in to the Samba4 folks asking where it is 
> > located.
> >
> > I'm also using Dovecot 2.2.15. Too old?
> >
> > Do you think auth_krb5_keytab is my problem or something deeper?
> >
> > THX --Mark
> >
>
> You need to set up keytab. I'll assume you know nothing about kerberos,
> so please if you already knew all this, sorry.
>
> For kerberos to work PROPERLY you nee

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-27 Thread Aki Tuomi


On 27.06.2016 07:31, Mark Foley wrote:
> Thanks for the reply.  When you say it [NTLM] "should" work, I understand you 
> to be implying
> you've not actually tried NTLM yourself, right? I've never gotten a response 
> from someone
> saying they have or are actually using it. Your subsequent messages about 
> NTLM v[1|2] may be
> the problem, but email clients I've tried (Outlook, Thunderbird) don't really 
> give a choice.
>
> That's OK, I'd be glad to try something different that would work!!! I am 
> trying your advice
> for gssapi.  I've followed the instructions at
> http://wiki2.dovecot.org/Authentication/Kerberos.  In my 10-auth.conf I 
> changed the
> auth_mechanism line to:
>
> auth_mechanisms = plain login gssapi
>
> Which is only different from before with the addition of "gssapi".  That's 
> all I've done.  I'm
> using the same userdb as before which is /etc/passwd.  My doveconf -n is:
>
> --SNIP
>> doveconf -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_mechanisms = plain login gssapi
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
> driver = shadow
> }
> protocols = imap
> ssl_cert = 
>  ssl_key =  userdb {
> driver = passwd
> }
> verbose_ssl = yes
> PINS-
>
> I attempted to connect from Thunderbird on Ubuntu 15.10 to Dovecot on a 
> Slackware 14.1 AD/DC. I
> selected "Kerberos/GSSAPI" as the authentication method on Tbird. When trying 
> the connection I
> got the following in my Dovecot log:
>
> Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
> for ECDH and ECDHE key exchanges
> Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
> for ECDH and ECDHE key exchanges
> Jun 27 00:04:54 auth: Debug: Loading modules from directory: 
> /usr/local/lib/dovecot/auth
> Jun 27 00:04:54 auth: Debug: Loading modules from directory: 
> /usr/local/lib/dovecot/auth
> Jun 27 00:04:54 imap-login: Info: Disconnected: Auth process broken 
> (disconnected before auth was ready, waited 0 secs): user=<>, 
> rip=192.168.0.99, lip=98.102.63.107, session=
>
> So, any idea why this is not working? I'll say up-front that I do not have 
> the auth_krb5_keytab
> configured in 10-auth.conf. I could find no such file on the host running 
> Dovecot. Is that file
> needed? If so, I've got a message in to the Samba4 folks asking where it is 
> located.
>
> I'm also using Dovecot 2.2.15. Too old?
>
> Do you think auth_krb5_keytab is my problem or something deeper?
>
> THX --Mark
>

You need to set up keytab. I'll assume you know nothing about kerberos,
so please if you already knew all this, sorry.

For kerberos to work PROPERLY you need to have

1. Functional AD or Kerberos environment
2. Time synced against your KDC (which is your Domain Controller on Windows)
3. /etc/krb5.conf configured
4. Both forward / reverse DNS names correct for clients and servers.
Reverse is only mandatory for servers, but having them right will work
wonders. Most kerberos problems are about DNS problems.
5. You need a keytab. This keytab needs to hold entries like
IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You can generate
these on any Windows DC server (at least).

Only bullet 5. is about Dovecot really, but since this is usually rather
hard to gather information, I'll recap these things here:

2. Time sync

Install ntpd and configure it to use *your* *ad* *server*. (Not some
generic service).

3. /etc/krb5.conf

Here is a *SAMPLE* configuration:

[libdefaults]
default_realm = YOUR.REALM
dns_lookup_kdc = true
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true

[realms]
YOUR.REALM = {
default_domain = your.domain.name
auth_to_local_names = {
Administrator = root
}
}
[domain_realm]
  your.domain.name = YOUR.REALM
# this is not a mistake
  .your.domain.name = YOUR.REALM
[login]
krb4_convert = true
krb4_get_tickets = false

Note that some windows environments require additional configuration to
get this working.

4. Forward/reverse DNS.

For your *server* this is *absolutely* a must. It has to match for your
clients and your server. So if your server name is mail.example.org, and
it has IP 10.0.2.3, then 10.0.2.3 MUST resolve to mail.example.org. It
will give you strange and convoluted errors otherwise.

5. Keytab

This is bit tricky to generate, and there are various ways to do this.
You can install samba, join it to your domain and use the samba tools to
generate a keytab. It's not a bad idea, just remember to add the
required spn's 
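
A keytab sanity check, added here as an example (not from the thread and not Dovecot's or Samba's code), for Aki's point 5 above and for the ktpass/ktutil keytab in Jan Jurkus's post: it parses a constructed `klist -kte` listing and a krb5.conf fragment using the thread's host mail.hprs.local and realm HPRS.LOCAL, and reports the things this thread trips over (principal-name case, short hostname vs FQDN, realm, RC4-only keys, allow_weak_crypto). The sample entries and the function names are my own.

```python
import re
from collections import namedtuple

# Constructed `klist -kte` listing for this example: host and realm are the
# thread's, the entries themselves are made up.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/dovecot/mail.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 06/27/2016 09:18:54 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)
   3 06/27/2016 09:18:54 smtp/mail.hprs.local@HPRS.LOCAL (aes256-cts-hmac-sha1-96)
   3 06/27/2016 09:18:54 IMAP/mail@HPRS.LOCAL (arcfour-hmac)
"""

# Constructed krb5.conf fragment in the shape posted in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = HPRS.LOCAL
  allow_weak_crypto = true
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")
PRINCIPAL_RE = re.compile(r"^([^/@]+)/([^@]+)@(.+)$")
# RC4 (what `ktpass -crypto RC4-HMAC-NT` writes) and DES are deprecated key types.
DEPRECATED_ENCTYPES = ("arcfour-hmac", "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1")

KeytabEntry = namedtuple("KeytabEntry", "kvno service host realm enctype")

def parse_klist(text):
    """Parse `klist -kte` output into service-principal entries (user principals are skipped)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        p = PRINCIPAL_RE.match(m.group(2)) if m else None
        if p:
            entries.append(KeytabEntry(int(m.group(1)), *p.groups(), m.group(3)))
    return entries

def default_realm(krb5_conf):
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_conf, re.M)
    return m.group(1) if m else None

def weak_crypto_enabled(krb5_conf):
    """allow_weak_crypto = true re-enables single DES; the RC4 and AES keys here do not need it."""
    m = re.search(r"^\s*allow_weak_crypto\s*=\s*(\S+)", krb5_conf, re.M)
    return bool(m) and m.group(1).lower() in ("true", "yes", "1")

def check_keytab(entries, fqdn, realm, services=("imap", "smtp")):
    """Return findings; an empty list means each service has an exact service/fqdn@realm key."""
    findings = []
    for e in entries:
        name = f"{e.service}/{e.host}@{e.realm}"
        if "." not in e.host:
            findings.append(f"{name}: short hostname, clients normally request the FQDN form")
        if e.realm != realm:
            findings.append(f"{name}: realm differs from default_realm {realm}")
        if e.enctype in DEPRECATED_ENCTYPES:
            findings.append(f"{name}: deprecated enctype {e.enctype}")
    for svc in services:
        same_host = [e for e in entries if e.host.lower() == fqdn.lower() and e.realm == realm]
        if any(e.service == svc for e in same_host):
            continue  # exact principal present
        other_case = [e.service for e in same_host if e.service.lower() == svc.lower()]
        if other_case:
            findings.append(f"{svc}/{fqdn}@{realm}: keytab has only {other_case[0]}/...; "
                            "principal names are case-sensitive")
        else:
            findings.append(f"{svc}/{fqdn}@{realm}: missing from keytab")
    return findings
```

Run it against real output with `klist -kte /etc/dovecot/mail.keytab` piped into parse_klist; the service list should match the mechanisms the mail clients actually request.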

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-26 Thread Mark Foley
Thanks for the reply.  When you say it [NTLM] "should" work, I understand you to be implying
you've not actually tried NTLM yourself, right? I've never gotten a response from someone
saying they have or are actually using it. Your subsequent messages about NTLM v[1|2] may be
the problem, but email clients I've tried (Outlook, Thunderbird) don't really give a choice.

That's OK, I'd be glad to try something different that would work!!! I am trying your advice
for gssapi.  I've followed the instructions at
http://wiki2.dovecot.org/Authentication/Kerberos.  In my 10-auth.conf I changed the
auth_mechanism line to:

auth_mechanisms = plain login gssapi

Which is only different from before with the addition of "gssapi".  That's all I've done.  I'm
using the same userdb as before which is /etc/passwd.  My doveconf -n is:

--SNIP
> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = , rip=192.168.0.99, 
lip=98.102.63.107, session=

So, any idea why this is not working? I'll say up-front that I do not have the auth_krb5_keytab
configured in 10-auth.conf. I could find no such file on the host running Dovecot. Is that file
needed? If so, I've got a message in to the Samba4 folks asking where it is located.

I'm also using Dovecot 2.2.15. Too old?

Do you think auth_krb5_keytab is my problem or something deeper?

THX --Mark

-Original Message-
> Date: Sun, 26 Jun 2016 14:00:49 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org
> Subject: Re: Looking for NTLM config example
>
> It should work. Although if you are using linux server you might want to use 
> gssapi instead. 
>
> > On June 25, 2016 at 7:43 PM Mark Foley  wrote:
> > 
> > 
> > I've asked this several times over the past year with essentially zero 
> > responses. I'll keep it simple:
> > 
> > Does NTLM authentication work in Dovecot?
> > 
> > I'll post this one last time. If I still have no responses I'll have to 
> > conclude that no one
> > has actually tried this authentication method and it therefore does not 
> > work.
> > 
> > Thanks, --Mark
> > 
> > -Original Message-
> > From: Mark Foley 
> > Date: Fri, 22 Apr 2016 02:07:24 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: dovecot@dovecot.org
> > Subject: Looking for NTLM config example
> > 
> > > Now that I am running Thunderbird on Linux and away from Windows/Outlook, 
> > > I'd like to take
> > > another run at setting up NTLM authentication from Thunderbird to my 
> > > Samba4 AD/DC. 
> > >
> > > With the help of the samba maillist folks I was able to set up NTLM 
> > > authentication for domain
> > > user login.  I should be able to do the same for email!
> > >
> > > But, I need help. I went to 
> > > http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got
> > > lost immediately. Are "authentication submethods" synonymous with 
> > > "password schemes"? The 7th
> > > line down says, "NTLM password scheme is required for NTLM, NTLM2 and 
> > > NTLMv2.", but in the
> > > referenced link I found no reference to "NTLM password scheme".
> > >
> > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
> > > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what 
> > > the 4 NTLM
> > > authentication submethods are, tells you what password schemes are, tells 
> > > you what the NTLM
> > > client/server handshake is, but doesn't actually tell you how to 
> > > configure dovecot config
> > > files.  I'm much more interested in the "how to" than in: "NTLMv2: server 
> > > and client nonce,
> > > MITM can't force downgrade" ...  whatever that means. 
> > >
> > > Anyway, probably it's my lack of understanding terminology.  I don't even 
> > > know what a "nonce"
> > > is.  But, I learn well from examples! Can someone please give me a sample 
> > > 10-auth.conf for NTLM
> > > and any other supporting settings or configs I need?
> > >
> > > My current/working dovecot settings, which have been running perfectly 
> > > for well over a year
> > > now, are:
> > >
> > > $ dovecot -n
> > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > auth_debug_passwords = yes
> > > auth_mechanisms = plain login
> > > auth_verbose = yes
> > > auth_verbose_passwords = plain
> > > disable_plaintext_auth = no
> > > info_log_path = /var/log/dovecot_info
> > > mail_location = maildir:~/Maildir
> > > passdb {
> > >   driver = shadow
> > > }
> > > protocols = imap
> > > ssl_cert = 
> > >  > > ssl_key =  > > userdb {
> > >   driver = passwd
> > > }
> > > verbose_ssl = yes
> > >
> > >
> > > Here's what I've