Looking for GSSAPI config [was: Looking for NTLM config example]
Jan Jurkus
j.jurkus at gcecad-service.nl
Mon Jun 27 21:02:17 UTC 2016
Hi,
On 27-06-2016 08:58, Mark Foley wrote:
> So, I'm apparently lacking in the kerberos stuff. Here's the problem -- Samba4 uses Heimdal
> Kerberos and when I provisioned my domain apparently none of these needed kerberos files were
> set up. I can, however, kerberos authenticate from domain workstations both WIN7 and Linux.
You don't need any Samba4 stuff to get it working. Samba is great, but
can be hard to get right. I tend to steer clear of Samba when I don't
really need it.
My first experience was with an OTRS helpdesk install, and trying to get
it to do SSO. I was helped a great deal by wireshark, and this website:
http://www.grolmsnet.de/kerbtut/
On a sidenote: mod_auth_kerb is rather ancient, in computer terms. You'd
be better off with mod_auth_gssapi.
In the case of Dovecot we are not using Apache, of course.
With Dovecot I got the SSO working with Kerberos, and this part is
working great. Other parts (shared mailboxes, that sort of stuff) aren't
working for me yet. This is my own fault, not a Dovecot one; I haven't
looked into it enough. Anyway, the SSO is working great.
One of the tricky bits is you need a kerberos keytab with two services.
I used ktutil:
# ktutil
ktutil: read_kt mail-imap.keytab
ktutil: read_kt mail-smtp.keytab
ktutil: write_kt mail.keytab
ktutil: quit
I'm using a Windows 2003 R2 server as domain controller; to create a
keytab file you need the Windows 2003 Support Tools.
ktpass.exe -princ imap/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL -mapuser GCECAD-SERVICE\mail-imap -crypto RC4-HMAC-NT -pass koeltje234 -ptype KRB5_NT_PRINCIPAL -out mail-imap.keytab
ktpass.exe -princ smtp/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL -mapuser GCECAD-SERVICE\mail-smtp -crypto RC4-HMAC-NT -pass koeltje234 -ptype KRB5_NT_PRINCIPAL -out mail-smtp.keytab
Most instructions on the internet do not quite work out that well.
RC4-HMAC-NT crypto is needed if you still have Windows XP machines. It
should work with a newer crypto, but I have not tested that.
FYI: Kerberos service names (imap, smtp) are sometimes capitalised,
mostly when using HTTP. Great, isn't it?
On the dovecot server I had to install a kerberos package:
# yum install krb5-workstation
(I am using CentOS7, but it should not be too hard to translate this to
your own distro)
My kerberos configuration:
# vi /etc/krb5.conf
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_realm = GCECAD-SERVICE.LOCAL
    default_keytab_file = /etc/krb5.keytab
    default_ccache_name = KEYRING:persistent:%{uid}
    allow_weak_crypto = true
    default_tkt_enctypes = arcfour-hmac-md5
    default_tgs_enctypes = arcfour-hmac-md5
    permitted_enctypes = arcfour-hmac-md5

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
        krb4_convert = false
    }

[realms]
    GCECAD-SERVICE.LOCAL = {
        kdc = this.is.the.dns.name.of.your.kdc
        admin_server = this.is.the.dns.name.of.your.kdc
    }

[domain_realm]
    .gcecad-service.local = GCECAD-SERVICE.LOCAL
    gcecad-service.local = GCECAD-SERVICE.LOCAL
    .gcecad-service.nl = GCECAD-SERVICE.LOCAL
    gcecad-service.nl = GCECAD-SERVICE.LOCAL
Dovecot config, the needed parts:
In /etc/dovecot/conf.d/10-auth.conf :
auth_krb5_keytab = /etc/dovecot/mail.keytab
auth_mechanisms = plain gssapi
In /etc/dovecot/conf.d/auth-system.conf.ext :
passdb {
    driver = pam
}
userdb {
    driver = static
    args = uid=2000 gid=2000 home=/var/vmail/%Ln allow_all_users=yes
}
In /etc/pam.d/dovecot :
#%PAM-1.0
auth sufficient pam_krb5.so no_user_check validate
account sufficient pam_permit.so
I'm not entirely happy with the static userdb, because of the
limitations with Kerberos/PAM, but this can of course be changed rather
easily. The hardest part is to get the SSO working.
One of the limitations is stated here:
http://wiki.dovecot.org/UserDatabase/Static
Postfix SMTP auth is using LMTP, reading from my notes.
I hope you can get a clearer picture with this rather long and chaotic
reply.
--
Jan Jurkus | ICT Beheerder | GCE cad-service B.V.
Postbus 12, 3220 AA Hellevoetsluis
Daltonweg 9, 3225 LR Hellevoetsluis
tel: 0181-336955 | fax: 0181-311899
j.jurkus at gcecad-service.nl | www.gcecad-service.nl
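An added check, not part of Jan's post or of any Dovecot or Kerberos tool: a small Python parser for the version-2 keytab format that verifies the merged mail.keytab built with ktutil above really contains both the imap/ and smtp/ service principals and reports any entry that still uses RC4 or single DES (the enctypes allow_weak_crypto exists to permit). The build_entry helper, the SPN string and SAMPLE_KEYTAB are constructed sample data for running it offline; on a real server you would pass the bytes of /etc/dovecot/mail.keytab to check_mail_keytab.

```python
import struct
RC4_HMAC = 23                        # enctype id of arcfour-hmac / ktpass RC4-HMAC-NT
WEAK_ENCTYPES = {1, 2, 3, RC4_HMAC}  # single-DES variants and RC4

def _cstr(buf, pos):                 # counted octet string: uint16 length, then bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n
def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from version-2 (0x0502) keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                 # a negative size marks a deleted slot, which we skip
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, p = _cstr(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                c, p = _cstr(data, p)
                comps.append(c.decode())
            _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, p)
            enctype, keylen = struct.unpack_from(">HH", data, p + 9)
            p += 13 + keylen         # skip the key material itself
            # ktutil appends a 32-bit kvno; a value of 0 means "use the 8-bit one"
            kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0
            entries.append(("/".join(comps) + "@" + realm.decode(), kvno or vno8, enctype))
        pos = end
    return entries

def check_mail_keytab(data, required=("imap", "smtp")):
    """Both Dovecot services must be present; list every entry with a weak enctype."""
    entries = parse_keytab(data)
    services = {p.split("/", 1)[0] for p, _, _ in entries}
    return {"missing": [s for s in required if s not in services],
            "weak": [p for p, _, e in entries if e in WEAK_ENCTYPES]}
def build_entry(principal, kvno, enctype, key, stamp=1467061337):
    """Constructed entry in the layout parse_keytab reads (sample input only)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, stamp, kvno & 0xFF)   # name type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body
SPN = "%s/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL"   # constructed sample data
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry(SPN % "imap", 3, RC4_HMAC, b"\0" * 16)
                 + build_entry(SPN % "smtp", 3, RC4_HMAC, b"\0" * 16))
```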