Looking for GSSAPI config [was: Looking for NTLM config example]
Mark Foley
mfoley at ohprs.org
Tue Jun 28 05:45:13 UTC 2016
Jan, thanks for your helpful reply. You wrote:
> With Dovecot I got the SSO working with Kerberos, and this part is
> working great. Other parts (shared mailboxes, that sort of stuff) aren't
> working for me yet. ...
I'm the opposite. My mailbox setup has been working great for a year and a half, though I've
not bothered with shared mailboxes yet.
I've attempted to follow your instructions, but am still having problems. First, my errors:
Jun 28 01:04:49 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 01:04:49 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 01:04:49 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 28 01:04:49 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 28 01:04:49 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<Zg2Nk082LgDAqAA6>
Now, your instructions:
> One of the tricky bits is you need a kerberos keytab with two services.
> I used ktutil:
> # ktutil
> ktutil: read_kt mail-imap.keytab
> ktutil: read_kt mail-smtp.keytab
> ktutil: write_kt mail.keytab
> ktutil: quit
>
> I'm using a windows 2003 r2 server as domain controller, to create a
> keytab file you need the windows 2003 support tools.
>
> ktpass.exe -princ imap/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL
> -mapuser GCECAD-SERVICE\mail-imap -crypto RC4-HMAC-NT -pass koeltje234
> -ptype KRB5_NT_PRINCIPAL -out mail-imap.keytab
>
> ktpass.exe -princ smtp/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL
> -mapuser GCECAD-SERVICE\mail-smtp -crypto RC4-HMAC-NT -pass koeltje234
> -ptype KRB5_NT_PRINCIPAL -out mail-smtp.keytab
I ran ktutil, but the commands "read_kt mail-imap.keytab" and "read_kt mail-smtp.keytab"
returned: No such file or directory while reading keytab "mail-imap.keytab"
Perhaps your subsequent ktpass commands are meant to create those. I do not have a ktpass
command. I therefore do not have these files. I suppose that could be part of my problem. Can
you share the actual contents of these files? I could create them by hand. Do Dovecot and/or
Kerberos know where to look for these?
> On the dovecot server I had to install a kerberos package:
Likewise, I installed kerberos for slackware. It tested OK. I was able to do a kinit and klist
per the instruction at https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> My kerberos configuration:
> # vi /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
I added the [logging] section. Of note, these log files do not exist after multiple attempts
with my gssapi connection. Probably a bad sign.
> [libdefaults]
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> default_realm = GCECAD-SERVICE.LOCAL
> default_keytab_file = /etc/krb5.keytab
> default_ccache_name = KEYRING:persistent:%{uid}
> allow_weak_crypto = true
> default_tkt_enctypes = arcfour-hmac-md5
> default_tgs_enctypes = arcfour-hmac-md5
> permitted_enctypes = arcfour-hmac-md5
I added all these as well, changing your GCECAD-SERVICE.LOCAL to my HPRS.LOCAL
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> krb4_convert = false
> }
I also added this [appdefaults] section.
>
> [realms]
> GCECAD-SERVICE.LOCAL = {
> kdc = this.is.the.dns.name.of.your.kdc
> admin_server = this.is.the.dns.name.of.your.kdc
> }
I tried with and without this section. Not sure what this.is.the.dns.name.of.your.kdc is
supposed to be. I changed mine to the domain FQDN of the server:
[realms]
HPRS.LOCAL = {
kdc = mail.hprs.local
admin_server = mail.hprs.local
}
>
> [domain_realm]
> .gcecad-service.local = GCECAD-SERVICE.LOCAL
> gcecad-service.local = GCECAD-SERVICE.LOCAL
> .gcecad-service.nl = GCECAD-SERVICE.LOCAL
> gcecad-service.nl = GCECAD-SERVICE.LOCAL
>
I also tried with and without this section. Again, not sure what should go there. I tried:
[domain_realm]
.hprs.local = HPRS.LOCAL
hprs.local = HPRS.LOCAL
.hprs.nl = HPRS.LOCAL
hprs.nl = HPRS.LOCAL
I'm a bit skeptical of the above, as .nl is your public top-level domain.
In fact, after adding these sections I got no error logged in dovecot_log, but did get a
message pop up on Thunderbird saying, "Could not connect to mail server mark@ohprs.org; the
connection was refused."
> Dovecot config, the needed parts:
> In /etc/dovecot/conf.d/10-auth.conf :
> auth_krb5_keytab = /etc/dovecot/mail.keytab
> auth_mechanisms = plain gssapi
I added those.
> In /etc/dovecot/conf.d/auth-system.conf.ext :
> passdb {
> driver = pam
> }
> userdb {
> driver = static
> args = uid=2000 gid=2000 home=/var/vmail/%Ln allow_all_users=yes
> }
I used my same userdb and passdb settings (although I understand that passdb is not used by gssapi?)
passdb {
driver = shadow
}
userdb {
driver = passwd
}
> In /etc/pam.d/dovecot :
> #%PAM-1.0
> auth sufficient pam_krb5.so no_user_check validate
> account sufficient pam_permit.so
The /etc/pam.d directory did not exist so I created it and added the dovecot file as shown.
The permissions are a+r.
So, no go so far, but I am encouraged that you have it working. Perhaps you can point out what
I might be missing or have otherwise done wrong?
THX --Mark
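An added example, not from Mark's or Jan's messages: a small checker that parses the krb5.conf syntax quoted in this thread and reports the two things worth catching before debugging the Dovecot side: [domain_realm] entries and default_realm pointing at a realm that has no [realms] block, and the allow_weak_crypto / arcfour-hmac-md5 settings, which keep RC4 in play. The sample config below is constructed from the HPRS.LOCAL values in the post, with one deliberately wrong domain_realm line so the checker has something to report.

```python
# Constructed sample (not a real config): the HPRS.LOCAL values from the post plus one bad domain_realm line.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = HPRS.LOCAL
 allow_weak_crypto = true
 default_tkt_enctypes = arcfour-hmac-md5
[realms]
 HPRS.LOCAL = {
  kdc = mail.hprs.local
 }
[domain_realm]
 .hprs.nl = OTHER.LOCAL
"""
WEAK_ENCTYPES = {"arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac", "des-cbc-crc", "des-cbc-md5"}

def parse_krb5_conf(text):
    """Parse krb5.conf's INI-with-braces syntax into nested dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]  # new top-level section
        elif line == "}":
            stack.pop()  # leave a nested block such as a realm
        elif "=" in line and stack:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))  # enter nested block
            else:
                stack[-1][key] = value
    return conf

def check_krb5_conf(text):
    """Return findings: realm mapping inconsistencies and weak crypto settings."""
    conf = parse_krb5_conf(text)
    findings, lib, realms = [], conf.get("libdefaults", {}), conf.get("realms", {})
    default_realm = lib.get("default_realm")
    if default_realm and default_realm not in realms:
        findings.append(f"default_realm {default_realm} has no [realms] block")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"domain_realm {domain} -> undefined realm {realm}")
    if lib.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto = true re-enables RC4/DES enctypes")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = [e for e in lib.get(key, "").split() if e.lower() in WEAK_ENCTYPES]
        if weak:
            findings.append(f"{key} allows weak enctypes: {' '.join(weak)}")
    return findings
```

Run it against the real /etc/krb5.conf by passing the file's contents to check_krb5_conf; an empty list means the realm mappings are consistent and no weak enctypes are configured.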