Looking for GSSAPI config [was: Looking for NTLM config example]
Mark Foley
mfoley at ohprs.org
Tue Jun 28 06:27:34 UTC 2016
Aki,
To review your 5 points:
On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> 1. Functional AD or Kerberos environment
> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> 3. /etc/krb5.conf configured
> 4. Both forward / reverse DNS names correct for clients and servers.
> Reverse is only mandatory for servers, but having them right will work
> wonders. Most kerberos problems are about DNS problems.
> 5. You need a keytab. This keytab needs to hold entries like
> IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate
> these on any Windows DC server (at least).
I believe I am good on 1, 2 and 4. I downloaded and installed kerberos and tested it with kinit
and klist according to the instructions at
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
As to the keytab (#5) I did the following:
$ samba-tool domain exportkeytab /etc/krb5.keytab
which created the file. I made this owned and readable by group dovecot, per instructions at
http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me a
configuration listing of all the users and computers in the domain, mostly in triplicate. A
partial list:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
18 COMMON$@HPRS.LOCAL
18 COMMON$@HPRS.LOCAL
18 COMMON$@HPRS.LOCAL
1 MAIL$@HPRS.LOCAL
1 MAIL$@HPRS.LOCAL
1 MAIL$@HPRS.LOCAL
1 charmaine@HPRS.LOCAL
1 charmaine@HPRS.LOCAL
1 charmaine@HPRS.LOCAL
where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing,
but am assuming it is OK.
> setspn -q is helpful here, also setspn command in general.
I have no such command in my system. Is that a Windows thing?
As to the /etc/krb5.conf, the default one generated by samba is:
[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
> Here is a *SAMPLE* configuration:
>
> [libdefaults]
> default_realm = YOUR.REALM
> dns_lookup_kdc = true
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:
krb5_config = /etc/krb5.conf
Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> fcc-mit-ticketflags = true
>
> [realms]
> YOUR.REALM = {
> default_domain = your.domain.name
> auth_to_local_names = {
> Administrator = root
> }
> }
I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD
server: mail.hprs.local, or is it just hprs.local? (or something else!)
> [domain_realm]
> your.domain.name = YOUR.REALM
> # this is not a mistake
> .your.domain.name = YOUR.REALM
> [login]
> krb4_convert = true
> krb4_get_tickets = false
Likewise here a question on the whole krb4 versus krb5 thing.
Your closing comment:
> Also, note that kerberos can only act as AUTHENTICATION system. It
> cannot act as USER DATABASE. For that you need to configure LDAP or
> something else. With Active Directory LDAP is probably a damn good idea.
I have the following doveconf -n:
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
driver = passwd
}
verbose_ssl = yes
I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in
any case I still have all but this test workstation NOT using gssapi, so I still need to
accommodate them.
Thanks, --Mark
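An added check, not from this thread: the partial `klist -k` listing above shows only machine accounts (COMMON$, MAIL$) and a user, while Aki's point 5 says the keytab must also hold an IMAP/host@REALM service principal. The script below parses a `klist -k` listing in that layout and reports whether such an entry exists for a given host and realm; the sample listing is constructed and the function names are my own.

```shell
#!/bin/sh
# Constructed sample shaped like the listing in the mail: machine and user
# principals only, no IMAP/ service principal.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL'

# Usage: has_service_principal "<klist -k output>" <service> <host> <REALM>
# Prints every matching keytab line (KVNO and principal) and exits 0 if at
# least one exists, 1 otherwise. Service and host are compared
# case-insensitively, since a Windows DC registers SPNs as IMAP/... while
# MIT tooling usually writes imap/...; the realm must match exactly.
has_service_principal() {
    listing=$1; svc=$2; host=$3; realm=$4
    printf '%s\n' "$listing" |
        awk -v svc="$svc" -v host="$host" -v realm="$realm" '
            # Entry lines start with a numeric KVNO; header lines do not.
            $1 ~ /^[0-9]+$/ {
                split($2, parts, "@")      # parts[1]=svc/host, parts[2]=REALM
                split(parts[1], sp, "/")   # sp[1]=service, sp[2]=host
                if (tolower(sp[1]) == tolower(svc) &&
                    tolower(sp[2]) == tolower(host) &&
                    parts[2] == realm) { print; found = 1 }
            }
            END { exit (found ? 0 : 1) }'
}

# Convenience wrapper for a real keytab when klist is installed, e.g.
#   check_keytab /etc/krb5.keytab mail.hprs.local HPRS.LOCAL
check_keytab() {
    keytab=$1; host=$2; realm=$3
    has_service_principal "$(klist -k "$keytab")" imap "$host" "$realm"
}
```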