Looking for GSSAPI config [was: Looking for NTLM config example]

Aki Tuomi aki.tuomi at dovecot.fi
Tue Jun 28 12:13:11 UTC 2016
On 28.06.2016 09:27, Mark Foley wrote:
> Aki,
>
> To review your 5 points:
>
> On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>
>> 1. Functional AD or Kerberos environment
>> 2. Time synced against your KDC (which is your Domain Controller on Windows)
>> 3. /etc/krb5.conf configured
>> 4. Both forward / reverse DNS names correct for clients and servers.
>> Reverse is only mandatory for servers, but having them right will work
>> wonders. Most kerberos problems are about DNS problems.
>> 5. You need a keytab. This keytab needs to hold entries like
>> IMAP/your.host.name at REALM  and IMAP/$HOSTNAME at REALM. You can generate
>> these on any Windows DC server (at least).
> I believe I am good on 1, 2 and 4.  I downloaded and installed kerberos and tested it with kinit
> and klist according to the instructions at
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
>
> As to the keytab (#5) I did the following:
>
> $ samba-tool domain exportkeytab /etc/krb5.keytab
>
> which created the file.  I made this owned and readable by group dovecot, per instructions at
> http://wiki2.dovecot.org/Authentication/Kerberos.  Running `klist -k /etc/krb5.keytab` shows me
> configuration listing all the users and computers in the domain, mostly in triplicate.  A
> partial list:
>
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    18 COMMON$@HPRS.LOCAL
>    18 COMMON$@HPRS.LOCAL
>    18 COMMON$@HPRS.LOCAL
>     1 MAIL$@HPRS.LOCAL
>     1 MAIL$@HPRS.LOCAL
>     1 MAIL$@HPRS.LOCAL
>     1 charmaine at HPRS.LOCAL
>     1 charmaine at HPRS.LOCAL
>     1 charmaine at HPRS.LOCAL
>
> where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing,
> but am assuming it is OK.

Strange that you do not have any host/ entries. Maybe it works without.

>> setspn -q is helpful here, also setspn command in general.
> I have no such command in my system. Is that a Windows thing?
>

Yes, but you can do those kind of things in Samba too.

> As to the /etc/krb5.conf, the default one generated by samba is:
>
> [libdefaults]
>          default_realm = HPRS.LOCAL
>          dns_lookup_realm = false
>          dns_lookup_kdc = true
>
> I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
>
>> Here is a *SAMPLE* configuration:
>>
>> [libdefaults]
>>          default_realm = YOUR.REALM
>>          dns_lookup_kdc = true
>>          krb4_config = /etc/krb.conf
>>          krb4_realms = /etc/krb.realms
> Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:

You can remove the krb4_ stuff

> 	krb5_config = /etc/krb5.conf
>
> Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?
You don't necessarily require that.

>>          kdc_timesync = 1
>>          ccache_type = 4
>>          forwardable = true
>>          proxiable = true
>>          fcc-mit-ticketflags = true
>>
>> [realms]
>>          YOUR.REALM = {
>>                  default_domain = your.domain.name
>>                  auth_to_local_names = {
>>                          Administrator = root
>>                  }
>>          }
> I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD
> server: mail.hprs.local, or is it just hprs.local? (or something else!)

HPRS.LOCAL is your REALM, hprs.local is your domain name.
>
>> [domain_realm]
>>        your.domain.name = YOUR.REALM
>> # this is not a mistake
>>        .your.domain.name = YOUR.REALM
>> [login]
>>          krb4_convert = true
>>          krb4_get_tickets = false
> Likewise here a question on the whole krb4 versus krb5 thing.
>
> Your closing comment:
>
>> Also, note that kerberos can only act as AUTHENTICATION system. It
>> cannot act as USER DATABASE. For that you need to configure LDAP or
>> something else. With Active Directory LDAP is probably a damn good idea.
> I have the following doveconf -n:
>
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_krb5_keytab = /etc/krb5.keytab
> auth_mechanisms = plain login gssapi
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>    driver = shadow
> }
> protocols = imap
> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> userdb {
>    driver = passwd
> }
> verbose_ssl = yes
>
> I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in
> any case I still have all but this test workstation NOT using gssapi, so I still need to
> accommodate them.
>
> Thanks, --Mark
passwd driver is fine, yes, if you ensure that users can be found.

Aki
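Since the thread turns on whether the exported keytab actually contains the IMAP/host@REALM entries Aki asks for, here is a small check, added to this archive page and not posted by either Mark or Aki, that parses a `klist -k` listing and reports which of those principals are present. The listing is constructed from the partial output quoted above (with `@` restored where the archive shows "at"); the repeated lines in a real keytab are one entry per encryption type, which `klist -ke` shows.

```shell
#!/bin/sh
# Added example, not from the thread: check a `klist -k` listing for the
# principals Aki lists (IMAP/host@REALM) before pointing Dovecot at the keytab.
# The listing below is constructed from the partial output in the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   18 COMMON$@HPRS.LOCAL
   18 COMMON$@HPRS.LOCAL
    1 MAIL$@HPRS.LOCAL
    1 charmaine@HPRS.LOCAL'

# keytab_has_principal LISTING PRINCIPAL -> exit 0 if present.
# The service part is matched case-insensitively (IMAP/ vs imap/), as AD
# treats SPNs that way; only lines starting with a numeric KVNO are entries.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ && tolower($2) == tolower(want) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# keytab_kvno LISTING PRINCIPAL -> prints the highest KVNO for PRINCIPAL,
# or nothing if the principal is absent.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { max = -1 }
        $1 ~ /^[0-9]+$/ && tolower($2) == tolower(want) && $1 + 0 > max { max = $1 + 0 }
        END { if (max >= 0) print max }'
}

# check_dovecot_principals LISTING HOST REALM
# Verifies the IMAP service principal for HOST and the host's machine
# account ($) entry, printing one line per principal; exit 1 if any missing.
check_dovecot_principals() {
    listing=$1; host=$2; realm=$3
    short=$(printf '%s' "$host" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    rc=0
    for p in "imap/$host@$realm" "$short\$@$realm"; do
        if keytab_has_principal "$listing" "$p"; then
            echo "ok      $p (kvno $(keytab_kvno "$listing" "$p"))"
        else
            echo "MISSING $p"; rc=1
        fi
    done
    return $rc
}

# With the keytab quoted in the thread this reports the imap/ entry as missing.
check_dovecot_principals "$SAMPLE_KLIST" mail.hprs.local HPRS.LOCAL \
    || echo "keytab incomplete for Dovecot GSSAPI on mail.hprs.local"
```

Replace SAMPLE_KLIST with `klist -k /etc/krb5.keytab` output to run it against a real keytab.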
