You need a KDC for Kerberos; Samba provides one, but there are other possible solutions, such as Active Directory or Red Hat's IdM.
On Mon 24 Oct 2022 01:53, mich <[email protected]> wrote:
> Hello
>
> So you have to install Samba?
>
> Michel
>
> From: <[email protected]> on behalf of "[email protected]" <[email protected]>
> Reply to: "[email protected]" <[email protected]>
> Date: Sunday 23 October 2022 at 19:22
> To: "[email protected]" <[email protected]>
> Subject: Re: [SOGo] kerberos sogo
>
> The session key is a 32 bytes random string, all details are in:
> https://github.com/gssapi/mod_auth_gssapi
> You can also specify it inline but then it must be base64 encoded, e.g.
>
> makepasswd --chars=32 | base64
>
> And in the apache conf:
>
> GssapiSessionKey key:<the base64 encoded key>
>
> In this case there is no file, hence no file permissions to think about.
>
> If your machine is a Samba domain member you can also use the default
> /etc/krb5.keytab, just do:
>
> chgrp www-data /etc/krb5.keytab
>
> to make it accessible for apache.
> Do note that www-data is the group on Debian, other distros may use a
> different group name.
>
> If your machine is not a domain member, it is a bit more work.
>
> You create a machine account in samba and create the principal:
>
> samba-tool computer create <hostname>
> # Set encryption types on the account
> net ads enctypes set <hostname> 28
> # set a password on the computer account:
> PW=$(makepasswd --chars=32 | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)
> printf 'dn: <host DN>\nchangetype: modify\nreplace: unicodePwd\nunicodePwd::%s\n' "${PW}" | ldbmodify -H /var/lib/samba/private/sam.ldb
>
> PRINCIPAL="http/<host fqdn>"
> samba-tool spn add ${PRINCIPAL} <hostname> -H /var/lib/samba/private/sam.ldb
> samba-tool domain exportkeytab -d 8 --principal=${PRINCIPAL} <keytab_filename>
>
> Now copy the keytab file to the target host and provide access to
> apache with:
>
> chgrp www-data /etc/krb5.keytab
>
> Done.
>
> On 22-10-2022 15:20, mich ([email protected]) wrote:
>> Hello Kees
>>
>> Thanks for the approach.
>>
>> Do you have a more detailed tutorial, especially for the creation of the
>> keys gssapi_session.key and apache.keytab, as I do not use LDAP to identify
>> users during connections, I use MySQL.
>
> With the solution you asked for, Kerberos is used for authentication, not
> MySQL nor LDAP.
>
> Samba4 provides MS-AD functionality, which is a.o. Kerberos + LDAP. In the
> example below LDAP is used for authorization on top of the authentication
> provided by Kerberos (to get access a user must be member of a certain
> group, the "users_with_sogo_access" group).
>
> Sogo still requires a database to store the user profile.
>
> - Kees
>
>> Michel
>>
>> From: <[email protected]> on behalf of "[email protected]" <[email protected]>
>> Reply to: "[email protected]" <[email protected]>
>> Date: Friday 21 October 2022 at 11:43
>> To: "[email protected]" <[email protected]>
>> Subject: Re: [SOGo] kerberos sogo
>>
>> You can let your webserver do the authentication, there it can do
>> krb5/gssapi authentication.
>>
>> In sogo.conf set:
>>
>> SOGoTrustProxyAuthentication = YES;
>>
>> In Apache conf put something like:
>>
>> <Location /SOGo>
>>   AuthName "Login"
>>   AuthType GSSAPI
>>   GssapiSSLonly On
>>   GssapiLocalName On
>>   GssapiUseSessions On
>>   GssapiSessionKey file:/var/lib/apache2/secrets/gssapi_session.key
>>   GssapiCredStore keytab:/etc/keytab/apache.keytab
>>   GssapiDelegCcacheDir /run/apache2/krb5
>>   GssapiBasicAuth on
>>   GssapiAllowedMech krb5
>>   GssapiBasicAuthMech krb5
>>   Session On
>>   SessionCookieName gssapi_session path=/private;httponly;secure;
>>   Require valid-user
>>   SetEnv proxy-nokeepalive 1
>>   RewriteEngine On
>>   RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
>> </Location>
>>
>> If you also want authorization with ldap group-membership then that can
>> simply be added to the Apache config. Replace "Require valid-user" with:
>>
>> AuthLDAPURL "ldap://dc1.example.com dc2.example.com/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
>> AuthLDAPRemoteUserAttribute sAMAccountName
>> <RequireAll>
>>   Require valid-user
>>   Require ldap-attribute userAccountControl="512"
>>   Require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=<MY-AUTHORIZATION-GROUP>,OU=<AUTHORIZATION-GROUPS>,DC=example,DC=com
>> </RequireAll>
>>
>> This example is for Samba4 (or AD).
>>
>> There is one side-effect of webserver authentication: the user's password
>> is not available in Sogo. This means that you must have password-less login
>> from Sogo to imap and smtp/submission.
>>
>> For example run Sogo on the same machine as Dovecot and add this to the
>> dovecot config:
>>
>> passdb {
>>   args = nopassword=y allow_nets=127.0.0.1/32
>>   driver = static
>> }
>>
>> - Kees
>>
>> On 21-10-2022 11:04, Christian Mack ([email protected]) wrote:
>>> Hello
>>>
>>> SOGo itself does not know about Kerberos.
>>> But you can use its SAML interface in order to use it.
>>> For that to work you have to set up an "Identity Provider" which delivers
>>> Kerberos Tickets and a "Service Provider" for SOGo which handles
>>> authentication for it.
>>> Also your mail servers (IMAP + SMTP) have to either use kerberos for
>>> authentication, or you have to allow unauthenticated access from the SOGo
>>> server.
>>>
>>> SAML settings are documented in the Installation Documentation of SOGo,
>>> but how to set up Identity and Service Providers is not.
>>> You will need additional expertise for that.
>>>
>>> How to enable and use Kerberos authentication with your mail server, you
>>> have to check in its documentation.
>>>
>>> Kind regards,
>>> Christian Mack
>>>
>>> On 20.10.22 at 13:10, mich ([email protected]) wrote:
>>>> Hello
>>>>
>>>> Is this "kerberos sogo" solution still current?
>>>>
>>>> Also, if it works online and not locally, is there any documentation on
>>>> the subject?
>>>>
>>>> Michel
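An added example, not from the thread or from mod_auth_gssapi: a small POSIX shell helper covering the two setup steps Kees describes above, generating a 32-byte inline GssapiSessionKey value and checking that a keytab is readable by the web server group but not by "other". It assumes the Debian group name www-data as the default and parses `ls -ld` output rather than relying on GNU stat.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Helpers for the
# mod_auth_gssapi setup discussed above. Assumes /dev/urandom, base64 -d,
# and the Debian web server group name www-data as the default.

# Generate a 32-byte random session key, base64 encoded on one line, for
# "GssapiSessionKey key:<value>" (same result as makepasswd | base64 above).
gen_session_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Return 0 if the base64 value decodes to exactly 32 bytes, 1 otherwise.
# Catches a key that was pasted truncated or not base64 encoded at all.
check_session_key() {
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Return 0 if the keytab exists, belongs to the web server group and has no
# permission bits for "other" (e.g. mode 0640 root:www-data after chgrp).
check_keytab_perms() {
    keytab="$1"
    want_group="${2:-www-data}"
    [ -f "$keytab" ] || return 1
    set -- $(ls -ld "$keytab")              # perms links owner group ...
    perms="$1"; group="$4"
    other=$(printf '%s' "$perms" | cut -c8-10)
    [ "$other" = "---" ] || return 1        # world-readable keytab: fail
    [ "$group" = "$want_group" ] || return 1 # apache cannot read it: fail
    return 0
}

# Print the Apache directive for an inline key.
apache_session_key_line() {
    printf 'GssapiSessionKey key:%s\n' "$1"
}
```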
