Looking for GSSAPI config [was: Looking for NTLM config example]
Edgar Pettijohn
edgar at pettijohn-web.com
Wed Jun 29 03:52:25 UTC 2016
> On Jun 28, 2016, at 10:32 PM, Mark Foley <mfoley at ohprs.org> wrote:
>
> Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I
> don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is
> delivered successfully to the other domain users having PLAIN authentication. That's a big
> step. In examining my original config.log output I apparently did not have --with-gssapi enabled.
>
> HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still cannot correctly
> authenticate and retrieve mail. Here is the dovecot log for that host:
>
What does thunderbird tell you?
> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Jun 28 22:44:05 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> Jun 28 22:44:05 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
> Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.58]
> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, session=<WeZyumE25wDAqAA6>
>
> Does this tell you anything? `doveconf -n` and krb5.conf are configured as shown in previous
> messages below.
>
> Closer! --Mark
>
> -----Original Message-----
> From: Mark Foley <mfoley at ohprs.org>
> Date: Tue, 28 Jun 2016 22:04:42 -0400
> To: dovecot at dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> Aki, you wrote:
>
>> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?
>>
>> I'll try to check status of NTLM this week.
>
> I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.
>
> I do have the Dovecot sources and will peruse the possible options after I send this. I am on
> version 2.2.15 and I see that the current downloadable version is 2.2.24. Should I upgrade? Do
> you think that would help? (a perusal of the changes since 2.2.15 shows nothing obvious
> related to gssapi)
>
> --Mark
>
> -----Original Message-----
>> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
>> From: aki.tuomi at dovecot.fi
>> To: dovecot at dovecot.org
>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>>
>>> On June 28, 2016 at 5:17 PM Mark Foley <mfoley at ohprs.org> wrote:
>>>
>>>
>>> Aki - made your suggested changes, but no joy :(
>>>
>>> My /etc/krb5.conf:
>>>
>>> ------SNIP--------
>>> [libdefaults]
>>> default_realm = HPRS.LOCAL
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>>
>>> [libdefaults]
>>> default_realm = HPRS.LOCAL
>>> dns_lookup_kdc = true
>>> kdc_timesync = 1
>>> ccache_type = 4
>>> forwardable = true
>>> proxiable = true
>>> fcc-mit-ticketflags = true
>>>
>>> [realms]
>>> HPRS.LOCAL = {
>>> default_domain = hprs.local
>>> auth_to_local_names = {
>>> Administrator = root
>>> }
>>> }
>>>
>>> [domain_realm]
>>> hprs.local = HPRS.LOCAL
>>> # this is not a mistake
>>> .hprs.local = HPRS.LOCAL
>>> ------PINS-----------
>>>
>>> you wrote:
>>>> You can remove the krb4_ stuff
>>>
>>> I've removed the krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether.
>>> Question on [realms] Administrator: should that really be root or should it be my AD Administrator?
>>>
>>> my doveconf -n is exactly the same as posted below, but in particular:
>>>
>>> auth_krb5_keytab = /etc/krb5.keytab
>>> auth_mechanisms = plain login gssapi
>>>
>>> When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using
>>> plain/ssl, no one yet configured for gssapi).
>>>
>>> In /var/log/maillog I got (repeatedly):
>>>
>>> Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=<Jy/e0lY2WADAqAA2>
>>> Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi'
>>> Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs
>>> Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=</GXn0lY22wCmqhuh>
>>>
>>> This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"?
>>>
>>> Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd
>>> finally be able to get AD authentication going for Dovecot. Not ready to give up though!
>>>
>>> Suggestions?
>>>
>>> THX -- Mark
>>>
>>> -----Original Message-----
>>>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>>>> To: dovecot at dovecot.org
>>>> From: Aki Tuomi <aki.tuomi at dovecot.fi>
>>>> Date: Tue, 28 Jun 2016 15:13:11 +0300
>>>>
>>>>> On 28.06.2016 09:27, Mark Foley wrote:
>>>>> Aki,
>>>>>
>>>>> To review your 5 points:
>>>>>
>>>>>> On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>>>>>>
>>>>>> 1. Functional AD or Kerberos environment
>>>>>> 2. Time synced against your KDC (which is your Domain Controller on Windows)
>>>>>> 3. /etc/krb5.conf configured
>>>>>> 4. Both forward / reverse DNS names correct for clients and servers.
>>>>>> Reverse is only mandatory for servers, but having them right will work
>>>>>> wonders. Most kerberos problems are about DNS problems.
>>>>>> 5. You need a keytab. This keytab needs to hold entries like
>>>>>> IMAP/your.host.name at REALM and IMAP/$HOSTNAME at REALM. You can generate
>>>>>> these on any Windows DC server (at least).
>>>>> I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit
>>>>> and klist according to the instructions at
>>>>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
>>>>>
>>>>> As to the keytab (#5) I did the following:
>>>>>
>>>>> $ samba-tool domain exportkeytab /etc/krb5.keytab
>>>>>
>>>>> which created the file. I made this owned and readable by group dovecot, per instructions at
>>>>> http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me
>>>>> configuration listing all the users and computers in the domain, mostly in triplicate. A
>>>>> partial list:
>>>>>
>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>> KVNO Principal
>>>>> ---- --------------------------------------------------------------------------
>>>>> 18 COMMON$@HPRS.LOCAL
>>>>> 18 COMMON$@HPRS.LOCAL
>>>>> 18 COMMON$@HPRS.LOCAL
>>>>> 1 MAIL$@HPRS.LOCAL
>>>>> 1 MAIL$@HPRS.LOCAL
>>>>> 1 MAIL$@HPRS.LOCAL
>>>>> 1 charmaine at HPRS.LOCAL
>>>>> 1 charmaine at HPRS.LOCAL
>>>>> 1 charmaine at HPRS.LOCAL
>>>>>
>>>>> where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing,
>>>>> but am assuming it is OK.
>>>>
>>>> Strange that you do not have any host/ entries. Maybe it works without.
>>>>
>>>>>> setspn -q is helpful here, also setspn command in general.
>>>>> I have no such command in my system. Is that a Windows thing?
>>>>
>>>> Yes, but you can do those kind of things in Samba too.
>>>>
>>>>> As to the /etc/krb5.conf, the default one generated by samba is:
>>>>>
>>>>> [libdefaults]
>>>>> default_realm = HPRS.LOCAL
>>>>> dns_lookup_realm = false
>>>>> dns_lookup_kdc = true
>>>>>
>>>>> I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
>>>>>
>>>>>> Here is a *SAMPLE* configuration:
>>>>>>
>>>>>> [libdefaults]
>>>>>> default_realm = YOUR.REALM
>>>>>> dns_lookup_kdc = true
>>>>>> krb4_config = /etc/krb.conf
>>>>>> krb4_realms = /etc/krb.realms
>>>>> Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:
>>>>
>>>> You can remove the krb4_ stuff
>>>>
>>>>> krb5_config = /etc/krb5.conf
>>>>>
>>>>> Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?
>>>> You don't necessarily require that.
>>>>
>>>>>> kdc_timesync = 1
>>>>>> ccache_type = 4
>>>>>> forwardable = true
>>>>>> proxiable = true
>>>>>> fcc-mit-ticketflags = true
>>>>>>
>>>>>> [realms]
>>>>>> YOUR.REALM = {
>>>>>> default_domain = your.domain.name
>>>>>> auth_to_local_names = {
>>>>>> Administrator = root
>>>>>> }
>>>>>> }
>>>>> I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD
>>>>> server: mail.hprs.local, or is it just hprs.local? (or something else!)
>>>>
>>>> HPRS.LOCAL is your REALM, hprs.local is your domain name.
>>>>>
>>>>>> [domain_realm]
>>>>>> your.domain.name = YOUR.REALM
>>>>>> # this is not a mistake
>>>>>> .your.domain.name = YOUR.REALM
>>>>>> [login]
>>>>>> krb4_convert = true
>>>>>> krb4_get_tickets = false
>>>>> Likewise here a question on the whole krb4 versus krb5 thing.
>>>>>
>>>>> Your closing comment:
>>>>>
>>>>>> Also, note that kerberos can only act as AUTHENTICATION system. It
>>>>>> cannot act as USER DATABASE. For that you need to configure LDAP or
>>>>>> something else. With Active Directory LDAP is probably a damn good idea.
>>>>> I have the following doveconf -n:
>>>>>
>>>>> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
>>>>> # OS: Linux 3.10.17 x86_64 Slackware 14.1
>>>>> auth_debug_passwords = yes
>>>>> auth_krb5_keytab = /etc/krb5.keytab
>>>>> auth_mechanisms = plain login gssapi
>>>>> auth_verbose = yes
>>>>> auth_verbose_passwords = plain
>>>>> disable_plaintext_auth = no
>>>>> info_log_path = /var/log/dovecot_info
>>>>> mail_location = maildir:~/Maildir
>>>>> passdb {
>>>>> driver = shadow
>>>>> }
>>>>> protocols = imap
>>>>> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
>>>>> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
>>>>> userdb {
>>>>> driver = passwd
>>>>> }
>>>>> verbose_ssl = yes
>>>>>
>>>>> I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in
>>>>> any case I still have all but this test workstation NOT using gssapi, so I still need to
>>>>> accommodate them.
>>>>>
>>>>> Thanks, --Mark
>>>> passwd driver is fine, yes, if you ensure that users can be found.
>>>>
>>>> Aki
>>
>> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?
>>
>> I'll try to check status of NTLM this week.
>>
>> Aki
>>
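Aki's point 5 (the keytab must hold service principals such as IMAP/your.host.name at REALM) and his remark that the exported keytab shows no host/ entries are the kind of thing worth checking mechanically before debugging Thunderbird. The script below is an added example, not code from the thread or from Dovecot: it parses `klist -k` output and reports which service principals for the mail host are missing. The sample listing is constructed after the partial one quoted above, and the host name mail.hprs.local is an assumption (the thread never states the mail server's FQDN).

```python
"""Check a `klist -k` listing for the service principals Dovecot's GSSAPI
mechanism needs. Added example; the sample listing is constructed after the
partial one quoted in the thread, and the host name is an assumption."""
import re

# Constructed sample, modelled on the partial `klist -k /etc/krb5.keytab`
# listing in the thread: computer accounts and a user in triplicate, but no
# imap/ or host/ service principals for the mail server.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
"""

# One keytab entry per line: a key version number followed by the principal.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(text):
    """Return {principal: set of KVNOs} from `klist -k` output.

    Header lines ("Keytab name:", the column titles, the ruler) do not start
    with a number and are skipped. The same principal appears once per
    encryption type, which is why the thread's listing is "in triplicate";
    collapsing into a dict makes that visible as one entry."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kvno, principal = int(m.group(1)), m.group(2)
        entries.setdefault(principal, set()).add(kvno)
    return entries


def required_principals(hostname, realm, services=("imap", "host")):
    """Service principals Dovecot's GSSAPI login expects for this host.

    The thread writes IMAP/ in upper case; the comparison below is
    case-insensitive so either spelling in the keytab is accepted."""
    return [f"{svc}/{hostname}@{realm}" for svc in services]


def check_keytab(text, hostname, realm):
    """Return (missing, present) for the required principals, in the order
    required_principals() lists them."""
    have = {p.lower() for p in parse_klist(text)}
    missing, present = [], []
    for principal in required_principals(hostname, realm):
        (present if principal.lower() in have else missing).append(principal)
    return missing, present


if __name__ == "__main__":
    # mail.hprs.local is an assumed host name for the Dovecot server.
    missing, present = check_keytab(SAMPLE_KLIST, "mail.hprs.local", "HPRS.LOCAL")
    for p in present:
        print("ok      ", p)
    for p in missing:
        print("MISSING ", p)
```

Run it against real output with `klist -k /etc/krb5.keytab | python3 check_keytab.py`-style piping after replacing SAMPLE_KLIST with `sys.stdin.read()`; on the sample it reports both imap/ and host/ principals missing, which matches what Aki observed in the quoted listing. A missing imap/ entry means the KDC can issue the client a service ticket that Dovecot has no key to decrypt, so the login never gets past the GSSAPI exchange, which is consistent with the "no auth attempts" disconnect in the log.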