Looking for GSSAPI config [was: Looking for NTLM config example]

Mark Foley mfoley at ohprs.org
Tue Jun 28 06:27:34 UTC 2016


Aki,

To review your 5 points:

On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tuomi at dovecot.fi> wrote:

> 1. Functional AD or Kerberos environment
> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> 3. /etc/krb5.conf configured
> 4. Both forward / reverse DNS names correct for clients and servers.
> Reverse is only mandatory for servers, but having them right will work
> wonders. Most kerberos problems are about DNS problems.
> 5. You need a keytab. This keytab needs to hold entries like
> IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate
> these on any Windows DC server (at least).

I believe I am good on 1, 2 and 4. I downloaded and installed kerberos and tested it with kinit
and klist according to the instructions at
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

As to the keytab (#5) I did the following:

$ samba-tool domain exportkeytab /etc/krb5.keytab

which created the file.  I made this owned and readable by group dovecot, per instructions at
http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me
a configuration listing all the users and computers in the domain, mostly in triplicate. A
partial list:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL

where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing,
but am assuming it is OK.

> setspn -q is helpful here, also setspn command in general.

I have no such command in my system. Is that a Windows thing?


As to the /etc/krb5.conf, the default one generated by samba is:

[libdefaults]
        default_realm = HPRS.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

I'd like to modify that to your suggestions, but I need more help. You have (with my questions):

> Here is a *SAMPLE* configuration:
>
> [libdefaults]
>         default_realm = YOUR.REALM
>         dns_lookup_kdc = true
>         krb4_config = /etc/krb.conf
>         krb4_realms = /etc/krb.realms

Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:

	krb5_config = /etc/krb5.conf

Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?

>         kdc_timesync = 1
>         ccache_type = 4
>         forwardable = true
>         proxiable = true
>         fcc-mit-ticketflags = true
>
> [realms]
>         YOUR.REALM = {
>                 default_domain = your.domain.name
>                 auth_to_local_names = {
>                         Administrator = root
>                 }
>         }

I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD
server: mail.hprs.local, or is it just hprs.local? (or something else!)

> [domain_realm]
>       your.domain.name = YOUR.REALM
> # this is not a mistake
>       .your.domain.name = YOUR.REALM
> [login]
>         krb4_convert = true
>         krb4_get_tickets = false

Likewise here a question on the whole krb4 versus krb5 thing.

Your closing comment:

> Also, note that kerberos can only act as AUTHENTICATION system. It
> cannot act as USER DATABASE. For that you need to configure LDAP or
> something else. With Active Directory LDAP is probably a damn good idea.

I have the following doveconf -n:

# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
  driver = passwd
}
verbose_ssl = yes

I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in
any case I still have all but this test workstation NOT using gssapi, so I still need to
accommodate them.

Thanks, --Mark
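Added example (not code from the thread, Dovecot or Samba): it parses the `klist -k` listing quoted above and reports which of the IMAP/host@REALM service principals from Aki's point 5 the keytab lacks, which is the check to run before blaming Dovecot for a GSSAPI failure. The sample listing is constructed from the post; the hostnames mail.hprs.local and mail are assumed.

```python
import re
# Constructed sample, copied from the klist -k listing in the post above.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
"""
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")  # "<kvno> <principal>" rows only

def parse_klist(text):
    """Map principal -> (kvno, key_count) from `klist -k` output; header rows
    don't match ENTRY_RE and are skipped. A principal listed three times has
    three keys, one per encryption type (`klist -ke` shows them)."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, principal = int(m.group(1)), m.group(2)
            entries[principal] = (kvno, entries.get(principal, (0, 0))[1] + 1)
    return entries

def classify(principal):
    """'service' for svc/host@REALM, 'computer' for NAME$@REALM, else 'user'."""
    name = principal.split("@", 1)[0]
    if "/" in name:
        return "service"
    return "computer" if name.endswith("$") else "user"

def missing_service_principals(entries, service, hosts, realm):
    """service/host@REALM entries the IMAP server needs but the keytab lacks.
    Matching is exact: Kerberos principal names are case-sensitive."""
    return [p for p in (f"{service}/{h}@{realm}" for h in hosts) if p not in entries]

if __name__ == "__main__":
    keys = parse_klist(SAMPLE_KLIST)
    for principal, (kvno, count) in keys.items():
        print(f"{classify(principal):8} kvno={kvno:<3} keys={count}  {principal}")
    # Hostnames assumed for the example: FQDN and short name of the mail host.
    for p in missing_service_principals(keys, "IMAP", ["mail.hprs.local", "mail"], "HPRS.LOCAL"):
        print("missing:", p)
```

On the post's keytab the report lists only computer and user accounts and flags both IMAP principals as missing, which matches the symptom that an exportkeytab of the whole domain does not by itself create a service principal for the mail host.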