dovecot and ntlm_auth through winbind
Hi all,

I am upgrading a dovecot 1.2 installation to a 2.2 installation and have found and fixed a number of problems. I've seen several postings in the archive about ntlm_auth not working, and it is true, there are several regressions in dovecot here.

The first and simplest is that the enablement instructions in the wiki are wrong. ntlm_auth must be called as root, which is what 1.2 did. 2.2 defaults to calling it as the auth user, which subtly doesn't work:

    Dec 30 20:30:21 quartz dovecot[8439]: auth: Error: Login for user []\[jgg]@[wakko] failed due to [Reading winbind reply failed!]
    Dec 30 20:30:21 quartz dovecot[8439]: auth: Error: ../auth/ntlmssp/ntlmssp_server.c:454: Checking NTLMSSP password for \jgg failed: NT_STATUS_UNSUCCESSFUL
    Dec 30 20:30:21 quartz dovecot[8439]: auth: Error: GENSEC login failed: NT_STATUS_UNSUCCESSFUL
    Dec 30 20:30:21 quartz dovecot[8439]: auth: Error: winbind: ntlm_auth exited with exit code 0

The fix is simple, run auth as root:

    service auth {
      user = root
    }

This ended up as debian bug #774263 which has a few more details.

Regards,
Jason
[PATCH] LAYOUT=imapdir is broken in v2.2
The next thing I noticed in my v1.2 -> 2.2 upgrade is that

    mail_location = maildir:[..]:LAYOUT=imapdir

is broken, the symptom is dovecot returning this to the client when requesting any mailbox beyond INBOX:

    Character not allowed in mailbox name: '

Which is actually trying to say "Character not allowed in mailbox name: '\0'", but since the %c is not escaped it ends up with the truncated string. This patch fixes it:

diff --git a/src/lib-storage/list/mailbox-list-maildir.c b/src/lib-storage/list/mailbox-list-maildir.c
index c99a2900a6d6..ae5f35d955ac 100644
--- a/src/lib-storage/list/mailbox-list-maildir.c
+++ b/src/lib-storage/list/mailbox-list-maildir.c
@@ -46,6 +46,7 @@ static struct mailbox_list *imapdir_list_alloc(void)
 	list = p_new(pool, struct maildir_mailbox_list, 1);
 	list->list = imapdir_mailbox_list;
 	list->list.pool = pool;
+	list->sep = '.';
 	list->global_temp_prefix = IMAPDIR_GLOBAL_TEMP_PREFIX;
 	list->temp_prefix = p_strconcat(pool, list->global_temp_prefix,

Analysis:

I noticed this while upgrading a dovecot install from 1.2.15 (squeeze) to 2.2.13 (jessie). This upstream commit

    author    Timo Sirainen t...@iki.fi
              Thu Jan 20 20:59:07 2011 +0200 (2011-01-20)
    changeset 12586 a2780b694b2d
    parent    12585 b748c622e896
    child     12587 c3a258ee96c4

    lib-storage: mailbox_alloc() now takes a virtual mailbox name and other related API changes.
    All storage_name <-> vname conversions now go through the same two mailbox_list methods. This has many benefits, such as:
     * listescape plugin is now much simpler and bugfree
     * allows changing lib-storage API to use UTF-8 mailbox names in future
     * allows creation of mailbox aliases plugin

restructured the _alloc functions to move the hierarchy_sep from the initializer into the _alloc call itself:
@@ -29,6 +30,7 @@ static struct mailbox_list *maildir_list_alloc(void)
 	list = p_new(pool, struct maildir_mailbox_list, 1);
 	list->list = maildir_mailbox_list;
 	list->list.pool = pool;
+	list->sep = '.';
 	list->global_temp_prefix = MAILDIR_GLOBAL_TEMP_PREFIX;
 	list->temp_prefix = p_strconcat(pool, list->global_temp_prefix,
[..]
 struct mailbox_list maildir_mailbox_list = {
 	.name = MAILBOX_LIST_NAME_MAILDIRPLUSPLUS,
-	.hierarchy_sep = '.',
 	.props = MAILBOX_LIST_PROP_NO_MAILDIR_NAME | MAILBOX_LIST_PROP_NO_ALT_DIR |
 		MAILBOX_LIST_PROP_NO_NOSELECT,
[..]
 struct mailbox_list imapdir_mailbox_list = {
 	.name = MAILBOX_LIST_NAME_IMAPDIR,
-	.hierarchy_sep = '.',
 	.props = MAILBOX_LIST_PROP_NO_MAILDIR_NAME | MAILBOX_LIST_PROP_NO_ALT_DIR |
 		MAILBOX_LIST_PROP_NO_NOSELECT,

Noting that hierarchy_sep was removed from maildir_mailbox_list and imapdir_mailbox_list but only added to maildir_list_alloc(), and not imapdir_list_alloc(). This ultimately results in mailbox_list_get_hierarchy_sep() returning '\0' and mailbox_verify_name() failing everything (all strings contain '\0' according to strchr).

This ended up as debian bug #774533

Regards,
Jason
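Review bot: the one-line `list->sep = '.';` in imapdir_list_alloc() mirrors exactly what the quoted upstream hunk added to maildir_list_alloc(), so it closes the asymmetry the analysis identifies; it is worth checking at the same time whether any other mailbox_list _alloc function lost its separator in that upstream change, because the failure mode (mailbox_list_get_hierarchy_sep() returning '\0', after which strchr() matches every name) is silent apart from the truncated log message. A second follow-up belongs in the error path of mailbox_verify_name(): it logs the offending character with an unescaped %c, which for '\0' cuts the message to `Character not allowed in mailbox name: '`, and escaping it there would make this class of regression visible in the log.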
ntlm_auth random failures with dovecot
I'm still a bit fuzzy on exactly what has blown up here since my 1.2 install (or maybe it was broken then and I never noticed), but it looks like the way dovecot is calling out to ntlm_auth is violating the --helper-protocol=squid-2.5-ntlmssp scheme.

The issue is how it handles simultaneous clients connecting - for instance launching thunderbird with NTLM auth creates multiple imapds that all have to be auth'd. Since dovecot doesn't (and apparently didn't in 1.2?) serialize this it ends up sending a jumble to ntlm_auth. Strace sayeth, as example:

    read(0, "YR xxx=\n", 4096) = 48
    read(0, "YR xxx=\n", 4096) = 48
    read(0, "KK xxx=\n", 4096) = 176
    read(0, "KK xxx=\n", 4096) = 176

That is two clients connecting at once, and the sequence has become jumbled. Fiddling around with ntlm_auth manually I can get it to give me this:

    YR xxx   # 1
    TT xxx   # 1
    YR xxx   # 2
    TT xxx   # 2
    KK xxx   # 2
    AF jgg   # 2
    KK xxx   # 1
    Called NTLMSSP after state machine was 'done'
    GENSEC login failed: NT_STATUS_INVALID_PARAMETER
    NA NT_STATUS_INVALID_PARAMETER

Ie, reordering the sequence (# 1 and # 2) causes it to tell you that, no, the sequence cannot be reordered. To me this says the samba folks expect that the YR/TT/KK/AF sequence is *NOT* reordered. The implication is that the mech-winbind in dovecot must serialize everything, and it doesn't!

So, this is fairly broken, I can hit these failure causes with a high probability when using thunderbird.

Any thoughts on how to repair this? The simplest answer would be to pool and assign a ntlm_auth process to each incoming auth context, or to actually serialize auth. But it can't treat ntlm_auth as a stateless helper.

Jason
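The interleaving failure described in this post, reproduced as an added simulation (not code from the post, dovecot or samba): a toy stateful helper modelled on the squid-2.5-ntlmssp verbs as the manual session above shows them (YR starts a handshake, KK must answer the challenge this helper issued, a KK after the handshake finished gets NA), two login contexts, and the two repairs the post proposes, serializing the handshakes or giving each context its own helper. The challenge and response payloads are constructed placeholders, not real NTLMSSP messages.

```python
"""Why a stateful ntlm_auth helper cannot be shared by concurrent logins.

Exchange shape, paraphrased from the squid-2.5-ntlmssp session in the post:
  client -> helper:  YR <type1>     helper -> client:  TT <type2 challenge>
  client -> helper:  KK <type3>     helper -> client:  AF <user> | NA <status>
Payloads below are constructed stand-ins, not real NTLMSSP blobs.
"""


class FakeNtlmHelper:
    """One helper process holding exactly one handshake of state: YR starts (or
    restarts) a handshake, KK must answer the challenge *this* helper most
    recently issued, and a KK after the handshake has finished is rejected."""

    def __init__(self):
        self.state = "idle"          # idle -> challenged -> done
        self.challenge = None
        self.transcript = []         # (request, reply) pairs, for display

    def handle(self, request):
        verb, _, payload = request.partition(" ")
        if verb == "YR":
            # A new Type 1 message resets the state machine and silently
            # abandons any half-finished handshake that was using this helper.
            self.state = "challenged"
            self.challenge = f"challenge-for-{payload}"
            reply = f"TT {self.challenge}"
        elif verb == "KK" and self.state == "challenged":
            self.state = "done"
            user, _, answered = payload.partition(":")
            if answered == self.challenge:
                reply = f"AF {user}"
            else:
                # The Type 3 answers a challenge this helper never issued.
                reply = "NA NT_STATUS_WRONG_PASSWORD"
        elif verb == "KK":
            # "Called NTLMSSP after state machine was 'done'"
            self.state = "done"
            reply = "NA NT_STATUS_INVALID_PARAMETER"
        else:
            reply = "BH unknown command"
        self.transcript.append((request, reply))
        return reply


class LoginContext:
    """One IMAP login in flight: sends YR, waits for TT, then sends KK."""

    def __init__(self, user):
        self.user = user
        self.challenge = None
        self.result = None           # "AF" or "NA" once finished

    def next_request(self):
        if self.challenge is None:
            return f"YR type1-from-{self.user}"
        return f"KK {self.user}:{self.challenge}"

    def receive(self, reply):
        verb, _, payload = reply.partition(" ")
        if verb == "TT":
            self.challenge = payload
        else:
            self.result = verb


def run(schedule, helper_for):
    """Drive the logins in `schedule` order, one request per entry;
    `helper_for(user)` chooses the helper that handles that user's request."""
    contexts = {}
    for user in schedule:
        ctx = contexts.setdefault(user, LoginContext(user))
        ctx.receive(helper_for(user).handle(ctx.next_request()))
    return {user: ctx.result for user, ctx in contexts.items()}


def run_shared(schedule):
    """Every context multiplexed onto a single helper: the failure mode."""
    helper = FakeNtlmHelper()
    return run(schedule, lambda user: helper)


def run_pooled(schedule):
    """One helper per login context, so ordering across contexts is irrelevant."""
    helpers = {}
    return run(schedule, lambda user: helpers.setdefault(user, FakeNtlmHelper()))


def serialize(schedule):
    """Reorder requests so each context's handshake completes before the next
    one starts, which is what a serializing mech-winbind would have to do."""
    users = list(dict.fromkeys(schedule))
    return [u for u in users for _ in range(schedule.count(u))]


if __name__ == "__main__":
    # The post's ordering: YR #1, YR #2, KK #2, KK #1.
    jumbled = ["jgg", "bob", "bob", "jgg"]
    print("shared helper, jumbled:   ", run_shared(jumbled))
    print("shared helper, serialized:", run_shared(serialize(jumbled)))
    print("one helper per context:   ", run_pooled(jumbled))
```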
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On Wed, Aug 31, 2011 at 09:28:50AM -0600, Trever L. Adams wrote:
> I have only followed part of this. If the original poster's problem is that the LDAP database is not being able to be accessed with an SPN ticket, this is because SPNs are not allowed to log in in AD. You need to use a user account (including MACHINE$ accounts). It took me forever to figure this out.
>
> To use this, you need a cron job that creates/renews tickets from time to time for the user/machine account. Then you use Dovecot's environment setup configuration to set the KRB5_CC (or whatever it is called, my head is elsewhere) env variable to that Kerberos ticket cache that was created in the cronjob. This cache needs to be readable by dovecot and should be owned by its user.
>
> This all works a 1000% better if you use Samba to join the domain and create your keytab with the right SPNs. See my prior posts to this list for a formula.

Using the MS kerberos compatibility tools is painful, complicated and tends to make a mess. Samba will create a machine UPN and populate the system keytab appropriately. From a cron job you can use 'kinit -k' to maintain an active ticket for the machine UPN which dovecot can use for LDAP operations.

Jason
Re: [Dovecot] LDAP and GSSAPI problems
On Fri, Feb 04, 2011 at 12:57:11PM -0700, Trever L. Adams wrote:
> On 02/02/2011 04:17 PM, Timo Sirainen wrote:
>> It does set that, but only on first GSSAPI authentication. I guess it wouldn't hurt moving it to do it always. If that script helps you, I can do this change.
>
> It appears that the script you recommended doesn't do the trick. Does /usr/libexec/dovecot/auth clear the environment. Even doing it manually from the command line the openldap stuff doesn't seem to pick up the KRB5_KTNAME environment variable.

Isn't it called KRB5CCNAME? Ie if you are using a AD type environment then I think the only way this can work is if you do these steps:

    # JGGL is the name of your machine in AD, klist -k should tell
    # you what it is, and you must have samba setup properly, the
    # machine joined, and samba must be set to write the system keytab.
    # See 'net ads keytab'
    $ KRB5CCNAME=/tmp/machine kinit -k JGGL$
    $ KRB5CCNAME=/tmp/machine klist
    Ticket cache: FILE:/tmp/machine
    Default principal: JGGL$@ADS.ORCORP.CA

    Valid starting     Expires            Service principal
    02/05/11 18:26:34  02/06/11 04:26:34  krbtgt/ads.orcorp...@ads.orcorp.ca
            renew until 02/12/11 18:26:34
    $ KRB5CCNAME=/tmp/machine ldapsearch uid=jgg
    SASL/GSSAPI authentication started
    SASL username: JGGL$@ADS.ORCORP.CA
    SASL SSF: 56
    SASL data security layer installed.
    [..]

Presumably if dovecot has SASL setup properly for Openldap then it will work just fine if KRB5CCNAME is properly exported to it. However! Be aware that the TGT must be refreshed periodically, that is just how kerberos works.

> I can kinit on the command line and get auth to work, but the kinit doesn't hold over to the dovecot process (for good reasons I am sure).

Maybe dovecot isn't enabling SASL for openldap? eg the python wrappers for openldap require this sequence:

    import ldap
    import ldap.sasl

    conn = ldap.initialize(server)
    auth_tokens = ldap.sasl.gssapi()
    conn.sasl_interactive_bind_s("", auth_tokens)

Before they attempt gssapi - so this will also be true for the C version.

The *ideal* world would be if dovecot supported an in-memory ticket cache that it stored a TGT for a given UPN that it initializes using a given keytab. This is what samba does internally and realistically is required to use kerberos as a client.

IMHO, doing ldap without kerb is kinda sketchy unless you completely trust your network - it is easy to spoof ldap replies, kerb fixes that and has low overhead compared to ssl.

Jason
Re: [Dovecot] Samba AD and Dovecot
On Fri, Feb 04, 2011 at 01:47:31PM -0700, Trever L. Adams wrote:
>> There was a thread a month or so ago on how to do GSSAPI with AD and dovecot kerberos. It works great, and I highly recommend it for AD sites. Check the archives, it isn't really too hard.
>
> I am not finding this. Do you happen to remember the subject?

No, but it is pretty simple using latest everything (well, Debian squeeze).. Basically from scratch.. Notice this also sets up NTLM, which is supported by many roaming devices (ie phones).

1) Put this or similar in /etc/samba/smb.conf

    [global]
    workgroup = $NT_WORKGROUP$
    realm = $REALM$
    security = ads
    kerberos method = secrets and keytab

2) Confirm that hostname gives an unqualified name and hostname -f gives a fully qualified name. Confirm you have DNS setup properly (eg dig -t SRV _kerberos._udp.$REALM$ works OK)

3) Join the machine to AD

    $ net ads join -U 'user with AD privs'
    $ kinit AD_USER
    $ kvno host/`hostname -f`

4) Setup imap SPN:

    $ net ads keytab add imap
    $ net ads search cn=`hostname` | grep servicePrincipalName
    $ klist -k
    $ kvno imap/`hostname -f`

The last three should report imap/`hostname -f` entries.

5) Setup dovecot.. Set these things in the config

    auth_use_winbind = yes
    mechanisms = plain gssapi gss-spnego login ntlm

6) Setup exim..

    $ net ads keytab add smtp

Use these in the dovecot config:

      client {
        path = /var/run/dovecot/auth-client
        mode = 0660
        group = Debian-exim
      }
    }

And this at the end of the exim.conf:

    dovecot_plain:
      driver = dovecot
      public_name = PLAIN
      server_socket = /var/run/dovecot/auth-client
      server_set_id=PLAIN-${quote:$auth1}

    dovecot_ntlm:
      driver = dovecot
      public_name = NTLM
      server_socket = /var/run/dovecot/auth-client
      server_set_id=NTLM-${quote:$auth1}

    dovecot_gssapi:
      driver = dovecot
      public_name = GSSAPI
      server_socket = /var/run/dovecot/auth-client
      server_set_id=GSSAPI-${quote:$auth1}

    dovecot_gssapi_spnego:
      driver = dovecot
      public_name = GSS-SPNEGO
      server_socket = /var/run/dovecot/auth-client
      server_set_id=GSS-SPNEGO-${quote:$auth1}

7) Setup openssh in sshd_config

    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    GSSAPIStrictAcceptorCheck yes

Jason
Re: [Dovecot] Samba AD and Dovecot
On Sat, Feb 05, 2011 at 08:39:37PM -0700, Trever L. Adams wrote:
>> Set these things in the config
>>     auth_use_winbind = yes
>>     mechanisms = plain gssapi gss-spnego login ntlm
>
> Ok, I do this step differently as I use gssapi directly and not with winbind.

This is also what this does. auth_use_winbind only affects gss-spnego and ntlm which call out to the ntlm_auth helper to make it go. IMHO, if you have AD you should set this up too.

> I use postfix instead of exim. How do you know what user is valid and what isn't in exim. I don't see any LDAP. I use LDAP (both postfix and dovecot deliver... I have to use LDAP for the aliases to be setup the way they have been requested). I also don't see any mention of any other user database.

In my simple world everything rides on nss_winbind and winbindd. These instructions are just how to setup kerberos for authentication, not the much stickier authorization..

Jason
Re: [Dovecot] LDAP and GSSAPI problems
On Sat, Feb 05, 2011 at 08:49:21PM -0700, Trever L. Adams wrote:
>>> It appears that the script you recommended doesn't do the trick. Does /usr/libexec/dovecot/auth clear the environment. Even doing it manually from the command line the openldap stuff doesn't seem to pick up the KRB5_KTNAME environment variable.
>> Isn't it called KRB5CCNAME?
> Yes. Some things (Amanda, at least from the directions, I haven't done it yet) actually still use service principals which are KRB5_KTNAME. For credentials in most clients, yes, KRB5CCNAME and that does work.

Amanda is doing what I described below internally. The keytab file contains kerberos shared secrets so Amanda uses that to get a TGT. You can't use kerberos without a TGT. The fact it is using a SPN or UPN shared secret doesn't matter at the client.

>> However! Be aware that the TGT must be refreshed periodically, that is just how kerberos works.
> Yes, this refresh is EXACTLY what I have been trying to avoid with service principals. I am starting to wish that Samba 4 supported SASL CRAM-MD5 or something so that I could just use that; no refresh.

Put the kinit -k line in a crontab. That command gets a fresh TGT for the machine account. Service principals just avoid having to create a new UPN in MIT kerberos. In AD kerberos a SPN cannot get a TGT so that is undoable. The machine account works very similarly to how a SPN would be used in MIT kerberos except that it is a UPN at the KDC. Samba writes a keytab entry for the machine account that contains the shared secret which lets kinit -k work.

> Thank you for all your input. I am afraid this is the same problem I am going to hit with Postfix (it does a similar setup to Dovecot, I am just not running the recent version yet that supports it).

Yes. Same answer, run it pointing to the same CC cache you setup for dovecot. Be aware that both the keytab and the credential cache are 'password equivalents' and must be protected.

Jason
Re: [Dovecot] LDAP and GSSAPI problems
On Thu, Feb 03, 2011 at 01:17:02AM +0200, Timo Sirainen wrote:
>> Postfix (the other half of my solution -- though the version I am using doesn't do SASL LDAP yet, but 2.9.x does) allows you, in the configuration, to set what environment variables it should not unset and even define new ones (an example -- import_environment = KRB5_KTNAME=/etc/dovecot/krb5.keytab). This may be a good solution for Dovecot specifically for things like this.
>
> Maybe.. But there haven't really been all that many uses for it.

Windows AD's LDAP server behaves by default in the same way, in that all LDAP must be authenticated - this makes a lot of sense, IMHO. It would be nice to have LDAP out of the box support kerberos authentication using the machine principal setup by samba.

Jason
Re: [Dovecot] dovecot + dns srv registers
On Wed, Nov 04, 2009 at 02:33:07PM -0500, Timo Sirainen wrote:
> I still don't really understand. Probably because I don't know how exactly SRV records are supposed to even work. How would I query LDAP service with e.g. dig?

Latest versions of openldap do this automatically, IIRC you specify a LDAP url something like:

    ldap:///DC=foo,DC=bar,DC=com

And it looks up _ldap._tcp.foo.bar.com:

    $ dig -t SRV _ldap._tcp.foo.bar.com.
    _ldap._tcp.foo.bar.com.  600  IN  SRV  0 100 389 ldap.foo.bar.com.

And then it picks the best priority SRV and looks that up, and rotates around to the other ones if the first doesn't work. SRV records are better than RR DNS because the priority field lets the client sort them. In MS implementations the DNS server will return priority fields that reflect the querier's subnet - it will dynamically make closer servers have better priority.

Jason
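The discovery sequence this post describes (ldap:/// URL to _ldap._tcp name, best priority first, fall through to the other servers), as an added example that is not openldap's code: it parses the dig answer format shown above and applies the RFC 2782 priority/weight ordering, which goes one step beyond the post's "best priority" wording. The first SRV line in the sample is the record from the post; the other two are constructed so the failover has somewhere to go.

```python
"""SRV-based LDAP server discovery: ldap:/// URL -> _ldap._tcp.<domain> -> ordered
server list -> connect with failover. Added example; the record ordering follows
RFC 2782 (lowest priority first, weighted random within a priority)."""
import random
import re
from urllib.parse import urlparse

# First line is the record quoted in the post; the other two are constructed.
SAMPLE_DIG = """\
_ldap._tcp.foo.bar.com. 600 IN SRV 0 100 389 ldap.foo.bar.com.
_ldap._tcp.foo.bar.com. 600 IN SRV 10 60 389 ldap2.foo.bar.com.
_ldap._tcp.foo.bar.com. 600 IN SRV 10 40 389 ldap3.foo.bar.com.
"""

SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def srv_name_for_ldap_url(url):
    """ldap:///DC=foo,DC=bar,DC=com -> _ldap._tcp.foo.bar.com.
    Only a host-less ldap:/// URL triggers discovery; the DC= components of
    the base DN, in order, form the domain that is queried."""
    parsed = urlparse(url)
    if parsed.scheme != "ldap" or parsed.netloc:
        raise ValueError("SRV discovery applies to ldap:///<base DN> URLs only")
    rdns = [part.strip() for part in parsed.path.lstrip("/").split(",") if part.strip()]
    labels = [v for k, _, v in (r.partition("=") for r in rdns) if k.strip().upper() == "DC"]
    if not labels:
        raise ValueError("base DN carries no DC= components")
    return "_ldap._tcp." + ".".join(labels)


def parse_dig_srv(text):
    """Parse `dig -t SRV` answer lines ('name ttl IN SRV prio weight port target')."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if not m:
            continue                     # comments, blank lines, other RR types
        rec = m.groupdict()
        for key in ("ttl", "priority", "weight", "port"):
            rec[key] = int(rec[key])
        rec["target"] = rec["target"].rstrip(".")
        records.append(rec)
    return records


def order_targets(records, rng=None):
    """RFC 2782 client ordering: lowest priority number first; within one
    priority, draw targets at random with probability proportional to weight
    (zero-weight entries are chosen only when the draw is 0)."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r["priority"] for r in records}):
        group = [r for r in records if r["priority"] == prio]
        group.sort(key=lambda r: r["weight"] != 0)   # zero weights to the front
        while group:
            draw = rng.randint(0, sum(r["weight"] for r in group))
            running = 0
            for i, r in enumerate(group):
                running += r["weight"]
                if running >= draw:
                    ordered.append(group.pop(i))
                    break
    return ordered


def connect_with_failover(records, try_connect, rng=None):
    """Walk the ordered list and return the first (host, port) that
    `try_connect(host, port)` accepts, or None when every server failed:
    the "rotates around to the other ones" behaviour from the post."""
    for rec in order_targets(records, rng):
        if try_connect(rec["target"], rec["port"]):
            return rec["target"], rec["port"]
    return None


if __name__ == "__main__":
    name = srv_name_for_ldap_url("ldap:///DC=foo,DC=bar,DC=com")
    recs = parse_dig_srv(SAMPLE_DIG)
    print(name, "->", [r["target"] for r in order_targets(recs)])
    # Pretend the priority-0 server is down; a priority-10 one is used instead.
    down = {"ldap.foo.bar.com"}
    print(connect_with_failover(recs, lambda host, port: host not in down))
```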
Re: [Dovecot] Samba AD and Dovecot
On Wed, Oct 07, 2009 at 12:57:21AM -0400, Timo Sirainen wrote:
> Ccing mailing list, since I'm not all-knowing..
>
> On Oct 7, 2009, at 12:49 AM, Trever L. Adams wrote:
>> Timo Sirainen wrote:
>>> On Oct 7, 2009, at 12:36 AM, Trever L. Adams wrote:
>>>> 1) I have seen how to configure for LDAP and Kerberos. AD uses both together. All user information is in AD/LDAP and authentication is AD/Kerberos. How can I configure Dovecot to use both appropriately?
>>> You could forget about the Kerberos part and just use AD as an LDAP server.
>> I really want to use kerberos/SPNEGO everywhere I can for various reasons. The LDAP would be for the configuration.
>
> Do you actually want the IMAP/POP3 clients to use Kerberos? For plaintext auth I don't see any benefit in Dovecot using Kerberos rather than LDAP (and it doesn't support that, except via pam_kerberos or whatever I guess). But for clients to use Kerberos (GSSAPI) and authenticate against AD while Dovecot is in the middle... I've no idea. I guess that's possible somehow.

There was a thread a month or so ago on how to do GSSAPI with AD and dovecot kerberos. It works great, and I highly recommend it for AD sites. Check the archives, it isn't really too hard.

The problem with LDAP is you have to use SSL ldap for security. The overhead is much higher than using native kerberos or samba pam modules. There is also an obnoxious setup procedure on the AD side to get a LDAP SSL cert installed and serious issues with failover to backup domain controllers.

For plain text password auth on AD sites, samba's pam_winbind is probably the best choice. Secure, easy to setup and pretty fast.

If you have an AD server I also *highly* recommend the dovecot winbind NTLM method. Almost every client in the world will do some level of NTLM hashing and it reduces the risk from plain password exposure.

>> No, I will be using the new Samba IDMAP stuff that hashes all the parts of the windows ID to a 32 bit UID.
>>
>> Any way to do this, or will I need to find another solution (not for mailing, but for directory creation)?
>
> There's no great way to do this.. A couple of kludgy ways. Like chmod 01777 /var/mail. Or override mail_executable setting to a script that still runs as root and can create the directory with proper permissions. http://wiki.dovecot.org/PostLoginScripting

Can dovecot use pam_mkhomedir?

Jason
Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)
On Mon, Aug 31, 2009 at 07:23:22PM +0100, Gavin Hamill wrote:
> On Sun, 2009-08-30 at 14:29 -0600, Jason Gunthorpe wrote:
>> The kerberos setup is pretty easy.. 'net ads join' your server, go into the adsi editor and provide a imap and smtp SPN for the host, use 'net ads keytab' to put the imap and smtp SPNs in the system keytab, and then you are good to go. I test it with mutt first as the error messages are somewhat better.
>
> Ouch, can you go a little more slowly, please? I think I've joined the domain OK:

Sure..

> ccimap:~# net ads testjoin
> Join is OK
> ccimap:~# net ads info
> LDAP server: 10.6.1.245
> LDAP server name: orwell.ad.laterooms.com
> [...]

Yah, that's good

You also want kerberos and LDAP to work easily on your server machine:

    # kinit 'your AD user'
    # klist
    # ldapsearch uid='your AD user'
    SASL/GSSAPI authentication started
    [..]

For ldap stick the information from 'net ads info' in /etc/ldap/ldap.conf:

    URI ldap://orwell.ad.laterooms.com
    BASE dc=

kinit should work if you got this far with samba, but if you have troubles ensure that /etc/krb5.conf has at least:

    [libdefaults]
    default_realm = AD.LATEROOMS.COM   # guessing
    dns_lookup_realm = true
    dns_lookup_kdc = true

Once the above two are working your basic stuff is OK. (You can skip the ldap, but I find it is helpful)

Also verify that 'hostname -f' returns what you want. Very important.

> But I have no idea how / where you add a service principal with ADSIEdit - can you point me in the right direction? Kerberos is still mainly a mystery to me (and I'm sure many others!)

Hmm. So upon reviewing this, it seems samba has changed, in some ways it is better, others worse.. Hmm. (I'm using 3.3.2)

Just do this:

    ccimap:~# net ads keytab add imap

Then:

    ccimap:~ klist -k

And verify you have imap/ entries

Then verify kerberos is working with:

    ccimap:~# kvno imap/ccimap.ad.laterooms.com
    imap/ccimap.ad.laterooms@ad.laterooms.com: kvno = 2
    ccimap:~# ldapsearch CN=ccimap servicePrincipalName
    SASL/GSSAPI authentication started
    [..]
    servicePrincipalName: imap/ccimap.ad.laterooms.com

Unfortunately 'net ads keytab add' can only add SPNs without a hostname qualifier, so you cannot add another alias. This is bad if you have multiple names for your host. I can't think of an easy way to make that work with the new samba behavior. I'd probably patch samba to fix that..

Since samba now does the adsiedit part on its own you probably don't need to worry about it, but here is a posting explaining it:

http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx

Please note that Windows and Linux use different methods to resolve the SPN. If your reverse IP and SSL hostname are different you'll need extra help to make this work, as samba cannot do it by itself!! Easiest plan is to Not Do That.

That should do the trick for both native GSSAPI and for winbind GSSAPI. The key part is that the kvno works. Make sure dovecot is setup with the:

    auth_gssapi_hostname = $ALL

option, and turn on the 'gssapi' mechanism.

Those steps should give you working kerberos and gssapi in dovecot. I like to start simple and test with mutt. 'kinit' a ticket for that user, setup mutt, and then give it a try. Then try thunderbird on linux then thunderbird on windows. The .muttrc config is simple:

    set spoolfile=imap://u...@ccimap.ad.laterooms.com/INBOX
    set folder=imap://u...@ccimap.ad.laterooms.com/

And 'kinit user' before hand.

Use winbind to process ntlm messages. Setup winbind in smb.conf and test the authentication function:

    wbinfo -D AD.LATEROOMS.COM
    wbinfo -K user%pass
    wbinfo -a user%pass

Then turn it on in dovecot

I run plain password authentication for dovecot through pam. Right now I use pam_krb5.so, but pam_winbind.so is a better choice with a modern samba.

exim piggy backs off dovecot-auth:

    dovecot_ntlm:
      driver = dovecot
      public_name = NTLM
      server_socket = /var/run/dovecot/auth-client
      server_set_id=NTLM-${quote:$auth1}

    dovecot_gssapi:
      driver = dovecot
      public_name = GSSAPI
      server_socket = /var/run/dovecot/auth-client
      server_set_id=GSSAPI-${quote:$auth1}

    dovecot_gssapi_spnego:
      driver = dovecot
      public_name = GSS-SPNEGO
      server_socket = /var/run/dovecot/auth-client
      server_set_id=GSS-SPNEGO-${quote:$auth1}

I also drive all the Linux directory services through winbind and the rfc2307 LDAP scheme AD supports, so all my Linux users get kerberos tickets on logon, and SSO for everything. Windows is the same.

Jason
Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)
On Mon, Aug 31, 2009 at 10:21:47PM +0100, Gavin Hamill wrote:
> On Mon, 2009-08-31 at 13:24 -0600, Jason Gunthorpe wrote:
>>> Ouch, can you go a little more slowly, please? I think I've joined the domain OK:
>> Sure..
>
> Many thanks for taking the time on this - it is appreciated.

NP, if you have success consider making a HOWTO for the dovecot wiki :)

>> Also verify that 'hostname -f' returns what you want. Very important.
>
> Yep, 'ccimap.ad.laterooms.com' - forward + reverse DNS are correct in AD

Good

>> ccimap:~# net ads keytab add imap
>> Then:
>> ccimap:~ klist -k
>> And verify you have imap/ entries
>> Then verify kerberos is working with:
>> ccimap:~# kvno imap/ccimap.ad.laterooms.com
>> imap/ccimap.ad.laterooms@ad.laterooms.com: kvno = 2
>
> I get
>
> ccimap:/etc# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
>    7 imap/ccimap.ad.laterooms@ad.laterooms.com
>    7 imap/ccimap.ad.laterooms@ad.laterooms.com
>    7 imap/ccimap.ad.laterooms@ad.laterooms.com
>    7 imap/cci...@ad.laterooms.com
>    7 imap/cci...@ad.laterooms.com
>    7 imap/cci...@ad.laterooms.com

Ok.. this is not too good, you should have many other entries too, several starting with host/ and CCIMAP$. What version of samba is this? does 'net ads keytab create' fix it up? Check that you have

    use kerberos keytab = true

In smb.conf

> ccimap:/etc# kvno imap/ccimap.ad.laterooms.com
> kvno: Server not found in Kerberos database while getting credentials for imap/ccimap.ad.laterooms@ad.laterooms.com

This is fatal. If ldapsearch indicates that SPN exists then you are probably right that something has become damaged in AD. Otherwise you are just having wacky samba problems.

> However, before I received your message I had been following the 'old-school' ktpass.exe method and I think I have poisoned the 'imap' name as a result:

Possibly, it would be good to start again. Go into AD, and delete the ccimap computer account, then re-do 'net ads join'. That should clean everything out. The ktpass.exe method has so many problems, don't use it. Samba can generate all the keys directly itself now, there is no need for ktpass.

> Is 'imap' a magic hardcoded name that Thunderbird will use? If so, should creating 'pop3' using 'net ads keytab add' also do the business? I'd rather try that and get a basic working auth than try to unpick my AD problems just yet.

The SPN service name is hardwired based on the protocol, imap, smtp and something for pop. I'm not sure what. :)

> I ask because if I do a random name 'net ads keytab add purmle' and then 'kvno purmle/ccimap.ad.laterooms.com' then I get sensible output:
>
> purmle/ccimap.ad.laterooms@ad.laterooms.com: kvno = 7

Hmm. You do need the '-U Administrator' or similarly privileged account for the keytab add. Otherwise I noticed that samba silently fails to update LDAP when it gets permission denied from ADS. The true test that it worked is the ldapsearch command I gave, or adsi edit.

Jason
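A check of a `klist -k` listing along the lines of the diagnosis above (a joined host should show host/<fqdn>, the MACHINE$ account and the service SPNs, all in the AD realm), as an added example that is not code from the thread or from samba. The two sample listings are constructed; the host and realm names are placeholders borrowed from the thread, and the "before" listing mimics the SPN-only keytab that ktpass left behind.

```python
"""Sanity-check a `klist -k` listing for what a Samba-joined AD host should carry.

Added example. Expected set, as the thread lays it out: after 'net ads join'
plus 'net ads keytab add imap' the keytab holds the machine account
(SHORTHOST$), host/<fqdn> and imap/<fqdn>, all in the upper-case AD realm.
"""
import re

# Constructed listings with placeholder names. The first mimics the poisoned
# keytab from the thread: only imap/ entries, nothing from the join itself.
KLIST_BEFORE_REJOIN = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap@AD.LATEROOMS.COM
"""

KLIST_AFTER_REJOIN = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   8 host/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   8 host/CCIMAP@AD.LATEROOMS.COM
   8 CCIMAP$@AD.LATEROOMS.COM
   8 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   8 imap/CCIMAP@AD.LATEROOMS.COM
"""

# One keytab entry: a KVNO followed by a principal. Header lines do not match.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(text):
    """Return [(kvno, principal), ...] from `klist -k` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def check_keytab(text, fqdn, realm, services=("imap",)):
    """Return a list of problems; an empty list means the listing has what the
    thread says a working host needs. `realm` is the AD realm in upper case,
    `services` the SPN service names that were added with 'net ads keytab add'."""
    entries = parse_klist(text)
    principals = {p for _, p in entries}
    shorthost = fqdn.split(".")[0].upper()
    wanted = [f"{shorthost}$@{realm}", f"host/{fqdn}@{realm}"]
    wanted += [f"{svc}/{fqdn}@{realm}" for svc in services]
    problems = [f"missing {w}" for w in wanted if w not in principals]
    # Entries outside the realm, or with the realm in the wrong case, did not
    # come from the join (ktpass.exe or a hand-built keytab left them behind).
    problems += [f"{p} is not in realm {realm}" for p in sorted(principals)
                 if not p.endswith("@" + realm)]
    if not entries:
        problems.append("keytab is empty: is 'use kerberos keytab = true' set in smb.conf?")
    return problems


if __name__ == "__main__":
    for label, text in (("before rejoin", KLIST_BEFORE_REJOIN), ("after rejoin", KLIST_AFTER_REJOIN)):
        print(label, check_keytab(text, "ccimap.ad.laterooms.com", "AD.LATEROOMS.COM") or "OK")
```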
Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)
On Mon, Aug 31, 2009 at 11:20:18PM +0100, Gavin Hamill wrote:
>> Ok.. this is not too good, you should have many other entries too, several starting with host/ and CCIMAP$.
>
> The suggestion to remove the computer object (and the 'imapCcimap' user I bound the SPN to using ktpass) and 'net ads join' worked like a charm - I have lots more output in 'net ads keytab list' and kvno imap/ccimap.ad.laterooms.com works now.

Snazzy

> Aug 31 23:13:02 ccimap dovecot: imap-login: Login: user=mjiggs, method=GSSAPI, rip=10.6.1.81, lip=10.6.1.82

Yap, that is it

> The 'auth_gssapi_hostname = $ALL' was confusing so I commented that out and let it do a gethostname() instead - now it works :)

I thought Timo included this patch?? You need the $ALL for various cases, including, I think, exim.. All it says is match any entry in the keytab, not just imap/gethostbyname()@REALM.

If you have AD and Linux servers it is worth kerberdizing everything (ssh, logins, imap, pop, smtp, apache, etc), the method you just used is basically how to do it for anything. Ie you can now turn on ssh kerberos via its config file, and with kerberdized putty on windows you get SSO ssh logins, etc.

Jason
Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)
On Sun, Aug 30, 2009 at 08:38:20PM +0100, Gavin Hamill wrote:
> On Sat, 2009-08-29 at 21:55 -0600, Jason Gunthorpe wrote:
>> On Sun, Aug 30, 2009 at 01:50:02AM +0100, Gavin Hamill wrote:
>>> Has anyone successfully configured the above to enable Single Sign-On? I would love to move away from Exchange but SSO is a corporate requirement.
>> I looked at this in some detail and concluded that the NTLM support on Outlook 2007 was only for encryption, it was not using SPA. I couldn't find a hidden registry setting or whatnot to switch it.
>
> Heh, have just found you here: https://bugzilla.mozilla.org/show_bug.cgi?id=284538
>
> You mention that you managed to get Thunderbird working with SSO; I've not achieved that - I'm still required to provide the password before the NTLM login is successful.. Is there any particular magic needed with Thunderbird 2.0.0.23 ?

Yes, you can't use NTLM in Thunderbird either, you have to use Kerberos (GSSAPI).

I run NTLM through winbind and GSSAPI through MIT Kerberos, and then run exim through dovecot-auth. This gives complete SSO using GSSAPI for Thunderbird on all platforms, and secure challenge/response NTLM hashed passwords for roaming users without Kerberos.

The kerberos setup is pretty easy.. 'net ads join' your server, go into the adsi editor and provide a imap and smtp SPN for the host, use 'net ads keytab' to put the imap and smtp SPNs in the system keytab, and then you are good to go. I test it with mutt first as the error messages are somewhat better.

Apparently if you direct the GSSAPI messages through winbind (like for NTLM) then you can omit the 'net ads keytab' steps and things work a bit smoother, but I have not attempted that configuration.

Jason
Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)
On Sun, Aug 30, 2009 at 01:50:02AM +0100, Gavin Hamill wrote:
> Has anyone successfully configured the above to enable Single Sign-On? I would love to move away from Exchange but SSO is a corporate requirement.

I looked at this in some detail and concluded that the NTLM support on Outlook 2007 was only for encryption, it was not using SPA. I couldn't find a hidden registry setting or whatnot to switch it.

If you have a corporate support arrangement with MS, maybe ask them? Many people would love an answer. Even a trace of outlook using SPA with Exchange over IMAP would be interesting to see.

IMHO, clearly Dovecot is setup properly, Outlook Express works, Thunderbird w/ SPA works, etc. I believe MS has deliberately decided not to make SSO work in Outlook over IMAP specifically because that is a must have feature for enterprises, so it only works over MAPI and thus only with Exchange.

Jason
Re: [Dovecot] GSSAPI Authentication in v1.2.1
On Fri, Aug 07, 2009 at 12:50:25PM -0400, Timo Sirainen wrote:
> I think secure authentication usually means CRAM-MD5 in Thunderbird. But maybe they use it for GSSAPI too, no idea.

For sure it enables NTLM and GSSAPI at least.

Jason
Re: [Dovecot] kerberos trying to obtain credentials for wrong machine
On Wed, Feb 18, 2009 at 10:33:09PM +0300, Nikolay Shopik wrote:
> I'm currently trying to configure Dovecot to use kerberos. My KDC is Windows 2003 and I successfully generated a keytab file for the Dovecot machine. Problem is when I'm trying to use GSSAPI it told me "Obtaining credentials for i...@debian5" - and of course this fails because debian5 isn't the KDC, it should look for imap/debian5.inblock.lo...@inblock.local. What am I missing?

You need to make sure that 'hostname -f' returns a full hostname, and you need to put

    default_realm = INBLOCK.LOCAL

into your krb5.conf

Then confirm that 'kvno imap/debian5.inblock.local' works

Jason
Re: [Dovecot] Active Directory authentication
On Wed, Jan 21, 2009 at 08:26:37AM +0200, Dimitrios Karapiperis wrote:
> I would like to ask if there is an adequate mechanism to authenticate users through POP3 against Active Directory by Outlook Express so that users will authenticate seamlessly using logon credentials. I have implemented LDAP authentication but users must supply their credentials to Outlook Express although they have logged on to Windows (AD). Does the ntlm auth in Dovecot 1.1 (winbind) satisfy this requirement (no credentials in Outlook)?

I don't know about Outlook Express, but I was unable to get Outlook 2007 to use login credentials, and my dovecot is configured to support NTLM, SPNEGO and GSSAPI :(

Thunderbird on Windows will use the login credentials if dovecot supports GSSAPI and has the proper kerberos setup. Check "use secure authentication" or somesuch.

Jason
Re: [Dovecot] Dovecot authenticating--- Active Directory Win2003
On Mon, Dec 08, 2008 at 02:43:53PM +0100, Thomas Siebert wrote: You have to use LDAP as Authentication Backend with Port 3268. http://wiki.dovecot.org/AuthDatabase/LDAP

That works but has 3 main drawbacks:
1) It is a pain to set up SSL LDAP on both Windows and Linux. If you don't do this then it is massively insecure.
2) Passwords must be exchanged in plain text over IMAP. Also no single sign-on capabilities.
3) There is no redundancy or load balancing if you have multiple ADS servers.

The *best* answer is to use a combination of Samba's winbind and Kerberos. This gives you encryption and mutual authentication between Dovecot and the ADS server and various non-plaintext options between the client and Dovecot, plus single sign-on capabilities for SSPI or kerberized clients. Use Dovecot's PAM support to call out to pam_winbind/pam_krb5, and the native support to call out to winbind for NTLM and SPNEGO. Dovecot's native GSSAPI Kerberos rounds things out.

The basic steps are:
1) Get samba, winbind, dovecot, kerberos installed.
1a) Set up smb.conf with the proper ADS options. Note you do not need to run nmbd or smbd, just winbind.
2) Use Samba to join the machine to the domain with 'net ads join -U Administrator'. Verify in ADS you have a computer with the proper name.
3) Create an imap keytab entry: 'net ads keytab imap/[EMAIL PROTECTED]'. Also tell Windows imap is allowed for this host via the GUI or adsiedit/ldapedit/etc.
4) Start winbind.
5) Set up dovecot.
5a) Set up pam_winbind for dovecot.
6) Test on the dovecot machine:

net ads testjoin
wbinfo -n mywinuser
klist -k
kinit [EMAIL PROTECTED]
kvno imap/[EMAIL PROTECTED]
# check DNS that host has proper forward and reverse entries
telnet localhost imap
1 CAPABILITY
* CAPABILITY [..] AUTH=PLAIN AUTH=GSSAPI AUTH=GSS-SPNEGO AUTH=LOGIN AUTH=NTLM

I also have exim set up to use Dovecot SASL and so it also does NTLM, GSSAPI and SPNEGO. There is a lot of information about this scattered on various web sites.
The method I've outlined above is the latest scheme using the newer software. Some reference material uses older techniques...

In my experience pretty much every client supports some version of NTLM, so passwords will be exchanged non-plaintext in most cases (though weak flavors of NTLM might be negotiated). Many clients like Thunderbird support Kerberos, and so on Windows you get single sign-on too. Most Linux clients also support Kerberos so you can get single sign-on for them too with some setup.

Here are some config fragments you might find helpful.

smb.conf:

[global]
   netbios name = host
   workgroup = FOO
   realm = ADS.FOO
   security = ads
   use kerberos keytab = true
   encrypt passwords = true
   winbind use default domain = yes

Dovecot:

auth_ntlm_use_winbind = yes
auth_username_format = %n
auth_winbind_helper_path = /usr/bin/ntlm_auth
mechanisms = plain gssapi gss-spnego login ntlm
passdb pam {
}
[Dovecot] Has anyone ever seen outlook do single sign on with dovecot/etc?
Hey all, I'm curious, has anyone been able to get outlook to do single sign on with a linux IMAP/SMTP back end? I have it doing NTLM authentication via the dovecot winbind module with Samba 3.2 just fine, but I have yet to see it try to use the cached windows logon credentials.. It appears to do an NTLM exchange with a blank password and then prompt for a password and then do an exchange with the given password. It does the same thing if PLAIN authentication is used. I'm starting to suspect MS deliberately hobbled outlook so that it uses the SSPI to exchange an entered password but not ever the logon credentials.. Does anyone know different? What a topsy-turvy world when thunderbird using SSPI works better on Windows than outlook. :| Thanks, Jason
Re: [Dovecot] [PATCH] Support GSS-SPNEGO natively
On Wed, Aug 13, 2008 at 04:23:46PM -0400, Timo Sirainen wrote: Committed the patch to v1.2 tree with some changes: http://hg.dovecot.org/dovecot-1.2/rev/641d761219a6 What happens when the winbind_spnego and the gssapi_spnego are registered at once? I did not address this because I did not have winbind in my tree at the time.. I imagine that the same 'if' that surrounds the internal ntlm module is needed here.. Ideally though it would be nice if the config file could specify a mapping from SASL name to internal module and NTLM_USE_WINBIND could go away. BTW, I have yet to find anything that uses this SASL mode.. MS did not implement it in even the latest version of outlook, despite authoring the standard. :( Thunderbird has all the machinery to support it through SSPI, but it never parses the SASL name to use the negotiate-sspi module, so it doesn't use it either.. Plus, nobody outside of Windows sspi clients cares about NTLM. Thanks, Jason
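The question this reply raises (what should answer AUTH=GSS-SPNEGO when both the native GSSAPI module and the winbind one are registered), and the layering the original patch post later in the thread describes (keep SPNEGO in the Kerberos library, hand only NTLM off to Samba), come down to looking at the mechTypes list in the client's first token. The following is an added example, not Dovecot code: it encodes and decodes just enough of a SPNEGO NegTokenInit (RFC 2743 InitialContextToken wrapping an RFC 4178 NegTokenInit) to read the offered mechanisms, then picks a backend. The routing policy, the backend names "gssapi" and "winbind", and the sample tokens are this example's own assumptions; Dovecot's mech modules do not expose such a hook.

```python
"""Peek inside a GSS-SPNEGO initial token and pick a backend for it.
Added example, not Dovecot code. The mechanism OIDs are the standard ones;
the routing policy and backend names are assumptions made for illustration.
"""

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"   # Microsoft's pre-RFC Kerberos OID
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_OIDS = {KRB5_OID, MS_KRB5_OID}


def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def oid_encode(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]           # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def oid_decode(body):
    """DER OID contents -> dotted string."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos, expect_tag):
    """Parse one TLV at buf[pos:]; return (contents, position after it)."""
    if pos >= len(buf) or buf[pos] != expect_tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (expect_tag, pos))
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated token")
    return buf[pos:pos + length], pos + length


def build_neg_token_init(mech_oids):
    """Minimal NegTokenInit offering mech_oids in the client's preference order."""
    mech_list = der_tlv(0x30, b"".join(oid_encode(o) for o in mech_oids))
    neg_init = der_tlv(0xA0, der_tlv(0x30, der_tlv(0xA0, mech_list)))
    return der_tlv(0x60, oid_encode(SPNEGO_OID) + neg_init)


def spnego_mech_types(token):
    """mechTypes (dotted OIDs) from a SPNEGO initial token; ValueError otherwise."""
    body, _ = read_tlv(token, 0, 0x60)              # InitialContextToken
    oid_body, pos = read_tlv(body, 0, 0x06)         # thisMech
    if oid_decode(oid_body) != SPNEGO_OID:
        raise ValueError("not a SPNEGO token (mech %s)" % oid_decode(oid_body))
    neg_init, _ = read_tlv(body, pos, 0xA0)         # NegotiationToken [0]
    seq, _ = read_tlv(neg_init, 0, 0x30)            # NegTokenInit SEQUENCE
    mech_list, _ = read_tlv(seq, 0, 0xA0)           # [0] mechTypes
    mechs, _ = read_tlv(mech_list, 0, 0x30)         # MechTypeList SEQUENCE OF
    oids, pos = [], 0
    while pos < len(mechs):
        oid_body, pos = read_tlv(mechs, pos, 0x06)
        oids.append(oid_decode(oid_body))
    return oids


def route_spnego(token):
    """'gssapi' when Kerberos is offered, 'winbind' for NTLMSSP-only, else None."""
    mechs = spnego_mech_types(token)
    if KERBEROS_OIDS & set(mechs):
        return "gssapi"          # the Kerberos library can finish the negotiation
    if NTLMSSP_OID in mechs:
        return "winbind"         # no ticket on the client side: NTLM helper
    return None


if __name__ == "__main__":
    # Constructed tokens: a domain-joined client with a ticket, and one without.
    with_ticket = build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID])
    no_ticket = build_neg_token_init([NTLMSSP_OID])
    print(route_spnego(with_ticket), route_spnego(no_ticket))
```

A token whose outer OID is not SPNEGO (a bare Kerberos AP-REQ sent to AUTH=GSSAPI, for instance) raises rather than being routed, which is the failure mode worth keeping visible: a server that advertises GSS-SPNEGO but only has a Kerberos-capable library behind it will reject the NTLMSSP-only case, and the thread's Outlook behaviour (an NTLM exchange with a blank password) lands exactly there.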
Re: [Dovecot] [PATCH] Allow GSSAPI to work with multihomed hosts
On Wed, Aug 13, 2008 at 03:07:55PM -0400, Timo Sirainen wrote: + auth_request_log_info(request, gssapi, +Using all keytab entires); I'm beginning to wonder about the logging in the code though. To me it looks like all of these should rather be log_debug instead of log_info. And I don't see any log_infos for logging why the user login actually failed (does gssapi even tell anything about it?). Or debug logging about what the usernames are when trying to log in. And the GSSAPI errors probably should be logged with log_info instead of log_error, because they probably aren't errors that the sysadmin can do anything about, but rather some client misconfiguration or a client bug (at least after the initial configuration is done and working).

Well, I am not an expert on GSSAPI, but there are definitely failures due to administrator misconfiguration and some are the user's fault. For instance any failure from obtain_service_credentials is a configuration error. Failures due to service credential mismatch, encryption type mismatch, etc. are also configuration errors, but they occur later in the process..

To be honest nobody seems to do a super job of logging Kerberos messages. The error messages from the library are terse and contain no information from the packet. Debugging a service principal name mismatch is a royal pain.

The log in my patch probably should be log_debug, I just copied the log level from the existing 'Obtaining credentials' message. They are not important unless someone is debugging.

Thanks,
Jason
[Dovecot] [PATCH] Allow GSSAPI to work with multihomed hosts
I saw some past chatter on this in the list archives, but here is another stab and another rationale. This patch follows a similar patch to OpenSSH in that it allows any key in the specified keytab to match the incoming host key. This is necessary for multihomed hosts. See: https://bugzilla.mindrot.org/show_bug.cgi?id=928

IMAP/POP seem to be a strong candidate to be multihomed because they are very likely to have an internal-to-a-firewall and an external-to-a-firewall name. Due to the way MIT Kerberos handles host name resolution via reverse IP lookup this can often result in multiple principal names and there is simply nothing to be done about it. This is my situation.. When you add Windows into the mix, which uses a totally different set of rules to determine the principal, all hope seems to be lost of having a single service principal name for an IMAP server :(

I was able to make things work for my environment using only the auth_gssapi_hostname feature if only MIT Kerberos was used, but as soon as Windows SSPI was involved it chose a different hostname. Thus we want to have GSSAPI match any service principal in the keytab.

As far as security concerns go, the admin can configure the keytab for Dovecot to be separate from the system keytab and contain only valid IMAP SPNs, but in truth it probably doesn't matter.

I chose to just use the magic configurable:

auth_gssapi_hostname = $ALL

rather than introduce more configurables.

FWIW, after applying this I am now happy to say I have an Active Directory KDC, with Dovecot providing GSSAPI auth to Thunderbird on both Linux (MIT Kerberos 1.6) and Windows (SSPI)..

--- dovecot-1.0.13/src/auth/mech-gssapi.c 2007-12-11 11:52:08.0 -0700
+++ dovecot-1.0.13-jgg/src/auth/mech-gssapi.c 2008-08-11 23:52:15.0 -0600
@@ -101,6 +101,13 @@ gss_name_t gss_principal; const char *service_name; +if (strcmp(request-auth-gssapi_hostname,$ALL) == 0) { + auth_request_log_info(request, gssapi, +Using all keytab entires); + *ret = GSS_C_NO_CREDENTIAL; + return GSS_S_COMPLETE; + } + if (strcasecmp(request-service, POP3) == 0) { /* The standard POP3 service name with GSSAPI is called just pop. */
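Review bot: the new `$ALL` branch returns `GSS_C_NO_CREDENTIAL` before the service-name handling that follows it (`if (strcasecmp(request-service, POP3) == 0)`), so with this setting the acceptor will take any principal in whatever keytab Dovecot reads, host/ keys and other services' keys included; the covering message says a separate keytab holding only IMAP SPNs mitigates that, and that caveat should accompany the `$ALL` value wherever auth_gssapi_hostname is documented rather than stay in the mail. Two smaller points: the message `Using all keytab entires` misspells "entries" and, as the follow-up in the thread agrees, belongs at debug rather than info level; and since the literal `$ALL` is matched with a case-sensitive `strcmp` and never validated elsewhere, a value such as `$all` silently falls through to the normal hostname path, so either reject unknown `$` values or document the exact spelling.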
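The mismatch this patch works around, and the checks suggested earlier in the thread ('hostname -f' plus 'kvno imap/host' in the Kerberos reply, and the "check DNS that host has proper forward and reverse entries" step in the setup procedure), can be modelled offline. The following is an added example, not Dovecot or Samba code: it derives the SPN an MIT client (reverse lookup of the resolved address) and a Windows/SSPI-style client (the name it was given) would each ask for, parses a `klist -k` listing, and reports which of those SPNs the keytab lacks. The DNS table and the klist output are constructed sample data, and the two canonicalization rules are a simplification of what the libraries do (the thread itself reports Thunderbird on Windows taking the name from the TLS certificate).

```python
"""Which IMAP service principals will clients ask for, and does the keytab
cover them? Added example, not Dovecot/Samba code. DNS_A, DNS_PTR and
KLIST_OUTPUT are constructed sample data."""
import re

# Constructed DNS for a multihomed mail host: one external name whose PTR
# points at a different name, and one internal name whose PTR matches.
DNS_A = {
    "mail.example.com": "203.0.113.10",
    "mx1.example.com": "203.0.113.10",
    "mail.int.example.com": "10.0.0.10",
}
DNS_PTR = {
    "203.0.113.10": "mx1.example.com",
    "10.0.0.10": "mail.int.example.com",
}

# Constructed `klist -k` output for a Dovecot-only keytab.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 imap/mail.example.com@EXAMPLE.COM
   3 host/mail.example.com@EXAMPLE.COM
   3 imap/mail.int.example.com@EXAMPLE.COM
"""


def normalize_host(name):
    """Principal host parts are compared lower-cased and without a trailing dot."""
    return name.rstrip(".").lower()


def mit_canonical_host(name, a=DNS_A, ptr=DNS_PTR):
    """Model of an MIT client with rdns enabled: resolve the configured name,
    then use the PTR name of that address; fall back to the name itself."""
    name = normalize_host(name)
    addr = a.get(name)
    return normalize_host(ptr.get(addr, name)) if addr else name


def sspi_canonical_host(name):
    """Model of a Windows SSPI client: the name it was handed, unchanged."""
    return normalize_host(name)


def expected_spns(service, client_names, realm, a=DNS_A, ptr=DNS_PTR):
    """Every service/host@REALM either client model could request.
    service is 'imap', or 'pop' for POP3 as the GSSAPI code in the thread uses."""
    spns = set()
    for n in client_names:
        spns.add("%s/%s@%s" % (service, mit_canonical_host(n, a, ptr), realm))
        spns.add("%s/%s@%s" % (service, sspi_canonical_host(n), realm))
    return spns


def parse_klist(text):
    """Principals listed by `klist -k` (lines of the form '   3 imap/h@R')."""
    return {m.group(1)
            for m in re.finditer(r"^\s*\d+\s+(\S+@\S+)\s*$", text, re.M)}


def missing_spns(service, client_names, realm, klist_text, a=DNS_A, ptr=DNS_PTR):
    """Sorted list of expected SPNs that the keytab does not contain."""
    have = parse_klist(klist_text)
    return sorted(expected_spns(service, client_names, realm, a, ptr) - have)


if __name__ == "__main__":
    names = ["mail.example.com", "mail.int.example.com"]
    for spn in missing_spns("imap", names, "EXAMPLE.COM", KLIST_OUTPUT):
        print("missing from keytab:", spn)
```

On the constructed data the external name is the problem: an MIT client reverse-resolves 203.0.113.10 to mx1.example.com and asks for imap/mx1.example.com@EXAMPLE.COM, which the keytab lacks, while an SSPI client asking for imap/mail.example.com@EXAMPLE.COM succeeds. The two fixes are the ones the thread arrives at: add the missing SPN to AD and the keytab (or fix the PTR record), or let the acceptor match any keytab entry as the `$ALL` patch does, accepting that the keytab then defines what is valid.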
[Dovecot] [PATCH] Support GSS-SPNEGO natively
I cooked this up while trying to figure out why Thunderbird on Windows w/ SSPI was not working, but it turned out Thunderbird does not use it, so I haven't been able to test it yet. I'm presenting it for discussion only, unless someone else can try it :)

Modern versions of MIT Kerberos support GSS-SPNEGO natively, but are only willing to negotiate for Kerberos tickets and not NTLM messages. This is how the SPNEGO works in libapache-mod-auth-kerb-5.3 which simply passes SPNEGO packets directly to gssapi if the library is new enough. There is even a configure feature test for the gssapi library in that package's configure script. Note that Debian etch's standard kerb libraries (1.4) are not good enough for this.

Having this work means the other gssapi policy knobs in Dovecot, like auth_gssapi_hostname, work properly. Instead of 'whatever it is that samba does'. I guess it fixes the concerns about winbind accesses blocking (although don't the gssapi calls block??)

In light of this it is really only useful to use winbind if you want to support NTLM as Kerberos will do the necessary exchanges with the KDC for an Active Directory domain.

In truth a proper and complete design would somehow layer the built-in NTLM module under the SPNEGO negotiation and only pass NTLM messages off to Samba, but I doubt anyone cares with NTLM being rather obsolete.

--- dovecot-1.0.13/src/auth/mech-gssapi.c 2007-12-11 11:52:08.0 -0700
+++ dovecot-1.0.13-jgg/src/auth/mech-gssapi.c 2008-08-11 23:52:15.0 -0600
@@ -417,4 +424,21 @@ mech_gssapi_auth_free }; +/* MTI Kerberos 1.5 supports SPNEGO for Kerberos tickets internally. + Nothing else needs to be done here. Note however that this does not + support SPNEGO when the only available credential is NTLM.. */ +const struct mech_module mech_gssapi_spnego = { +GSS-SPNEGO, + +MEMBER(flags) 0, + +MEMBER(passdb_need_plain) FALSE, +MEMBER(passdb_need_credentials) FALSE, + +mech_gssapi_auth_new, +mech_gssapi_auth_initial, +mech_gssapi_auth_continue, +mech_gssapi_auth_free +}; + #endif --- dovecot-1.0.13/src/auth/mech.c 2007-12-11 11:52:08.0 -0700 +++ dovecot-1.0.13-jgg/src/auth/mech.c 2008-08-11 21:30:56.0 -0600 @@ -72,6 +72,7 @@ extern struct mech_module mech_anonymous; #ifdef HAVE_GSSAPI extern struct mech_module mech_gssapi; +extern struct mech_module mech_gssapi_spnego; #endif void mech_init(void) @@ -86,6 +87,7 @@ mech_register_module(mech_anonymous); #ifdef HAVE_GSSAPI mech_register_module(mech_gssapi); + mech_register_module(mech_gssapi_spnego); #endif } @@ -101,5 +103,6 @@ mech_unregister_module(mech_anonymous); #ifdef HAVE_GSSAPI mech_unregister_module(mech_gssapi); + mech_unregister_module(mech_gssapi_spnego); #endif }
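Review bot: in the mech-gssapi.c hunk, `mech_gssapi_spnego` reuses the plain GSSAPI callbacks (`mech_gssapi_auth_new` through `mech_gssapi_auth_free`) with no check that the linked library actually offers the SPNEGO mechanism; the covering message says MIT 1.5 is the minimum and Debian etch's 1.4 is not enough, so on an older library the server will advertise AUTH=GSS-SPNEGO and then fail every attempt inside the accept call. Gate the module on a configure-time probe (the gss_indicate_mechs loop quoted later in the thread is the obvious candidate) or on a runtime check at mech_init, and say in the comment that an NTLMSSP-only client (the no-ticket Outlook case described elsewhere in the thread) gets a hard failure rather than a fallback. Also `MTI Kerberos 1.5` in the same comment should read MIT.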
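Review bot: in the mech_init hunk, `mech_register_module(mech_gssapi_spnego)` is unconditional under HAVE_GSSAPI, so a build that also registers winbind's GSS-SPNEGO module ends up with two modules under the same SASL name, which is exactly the question raised when the patch was committed; this needs the same conditional that surrounds the internal NTLM module (or, as suggested in that reply, a config mapping from SASL name to backend), and the `mech_unregister_module(mech_gssapi_spnego)` hunk that follows needs the matching condition so register and unregister stay paired.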
Re: [Dovecot] [PATCH] Support GSS-SPNEGO natively
On Tue, Aug 12, 2008 at 10:27:40AM +0200, Angel Marin wrote: Jason Gunthorpe wrote: I cooked this up while trying to figure out why thunderbird on Windows w/ SSPI was not working, but it turned out thunderbird does not use it, so I haven't been able to test it yet. I'm presenting it for discussion only, unless someone else can try it :) thunderbird does all combinations of GSS auth w/ w/o SSPI I've ever tried; it's just a pain to find the correct combination of network.negotiate-auth.* and network.auth.use-sspi settings for any given case :) (plus enabling secure auth for the TB account at test) Really? I was looking through the source to TB and I can't find where it would use AUTH=GSS-SPNEGO.. For instance in mailnews/imap/src/nsImapServerResponseParser.cpp Where it parses the CAPABILITY reply it only looks for AUTH=GSSAPI Then when it goes to do the auth DoGSSAPIStep1 creates a sasl-gssapi which creates either a kerb-gss or a kerb-sspi and both of those set PACKAGE_KERBEROS to disable SPNEGO. I've been assuming AUTH=GSS-SPNEGO is only used by outlook? Jason
Re: [Dovecot] [PATCH] Support GSS-SPNEGO natively
On Tue, Aug 12, 2008 at 01:11:47PM -0400, Timo Sirainen wrote: On Aug 12, 2008, at 2:44 AM, Jason Gunthorpe wrote: This is how the SPNEGO works in libapache-mod-auth-kerb-5.3 which simply passes SPNEGO packets directly to gssapi if the library is new enough. There is even a configure feature test for the gssapi library in that package's configure script. Note that Debian etch's standard kerb libraries (1.4) are not good enough for this. Any thoughts on how exactly to detect that it's MIT kerberos (not Heimdal) and the version is new enough?

It has been ages since I touched autoconf, but this is the test that libapache-mod-auth-kerb uses:

# If SPNEGO is supported by the gssapi libraries, we shouldn't build our support.
# SPNEGO is supported as of Heimdal 0.7, and MIT 1.5.
gssapi_supports_spnego=
AC_MSG_CHECKING(whether the GSSAPI libraries support SPNEGO)
ac_save_CFLAGS=$CFLAGS
CFLAGS="$KRB5_CPPFLAGS"
ac_save_LDFLAGS=$LDFLAGS
LDFLAGS="$KRB5_LDFLAGS"
AC_TRY_RUN([
#include <string.h>
#include <krb5.h>
#ifdef HEIMDAL
#include <gssapi.h>
#else
#include <gssapi/gssapi.h>
#endif
int main(int argc, char** argv)
{
	OM_uint32 major_status, minor_status;
	gss_OID_set mech_set;
	gss_OID_desc spnego_oid_desc = {6, (void *)"\x2b\x06\x01\x05\x05\x02"};
	int SPNEGO = 0;

	/* Ask the library which mechanisms it offers and look for the SPNEGO OID */
	major_status = gss_indicate_mechs(&minor_status, &mech_set);
	if (GSS_ERROR(major_status))
		return 1;
	else {
		unsigned int i;
		for (i=0; i < mech_set->count && !SPNEGO; i++) {
			gss_OID tmp_oid = &mech_set->elements[i];
			if (tmp_oid->length == spnego_oid_desc.length &&
			    !memcmp(tmp_oid->elements, spnego_oid_desc.elements,
				    tmp_oid->length)) {
				SPNEGO = 1;
				break;
			}
		}
		gss_release_oid_set(&minor_status, &mech_set);
		return (!SPNEGO);
	}
}],
[ if test $? -eq 0; then
	AC_MSG_RESULT(yes)
	AC_DEFINE(GSSAPI_SUPPORTS_SPNEGO)
	gssapi_supports_spnego=yes
  else
	AC_MSG_RESULT(no)
  fi],
[AC_MSG_RESULT(no)])

Jason
Re: [Dovecot] [PATCH] Support GSS-SPNEGO natively
On Tue, Aug 12, 2008 at 10:23:19PM +0200, Angel Marin wrote: Jason Gunthorpe wrote: On Tue, Aug 12, 2008 at 10:27:40AM +0200, Angel Marin wrote: Jason Gunthorpe wrote: I cooked this up while trying to figure out why thunderbird on Windows w/ SSPI was not working, but it turned out thunderbird does not use it, so I haven't been able to test it yet. I'm presenting it for discussion only, unless someone else can try it :) thunderbird does all combinations of GSS auth w/ w/o SSPI I've ever tried; it's just a pain to find the correct combination of network.negotiate-auth.* and network.auth.use-sspi settings for any given case :) (plus enabling secure auth for the TB account at test) Really? I was looking through the source to TB and I can't find where it would use AUTH=GSS-SPNEGO.. ok now rereading it again, I didn't make it clear what part of your message I was referring to :) I was just addressing the 'why thunderbird on Windows w/ SSPI was not working' part pointing out that thunderbird can do SSPI and that it should work tweaking the appropriate options.

Oh right, in the end it did work. It turned out Thunderbird was trying to use a different SPN than the Linux environment. Since that SPN was not configured in AD Thunderbird just bailed with an unhelpful message :(

FWIW, as near as I can tell, Thunderbird seems to use an SPN derived from the SSL certificate on Windows, while on Linux it uses an SPN derived from the reverse lookup of the server's IP. In the end configuring the alternative SPN and using the multihoming patch I sent out made it all work.

Now only Outlook does not do single sign-on.. Has anyone got Outlook and Dovecot to do SSO? Does the NTLM winbind patch make that work?

Thanks,
Jason