On 28.06.2016 09:27, Mark Foley wrote:
Aki,
To review your 5 points:
On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi aki.tuomi@dovecot.fi wrote:
- Functional AD or Kerberos environment
- Time synced against your KDC (which is your Domain Controller on Windows)
- /etc/krb5.conf configured
- Both forward / reverse DNS names correct for clients and servers. Reverse is only mandatory for servers, but having them right will work wonders. Most kerberos problems are about DNS problems.
- You need a keytab. This keytab needs to hold entries like IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate these on any Windows DC server (at least).
I believe I am good on 1, 2 and 4. I downloaded and installed kerberos and tested it with kinit and klist according to the instructions at https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Contr...
As to the keytab (#5) I did the following:
$ samba-tool domain exportkeytab /etc/krb5.keytab
which created the file. I made this owned and readable by group dovecot, per instructions at http://wiki2.dovecot.org/Authentication/Kerberos. Running
klist -k /etc/krb5.keytab
shows me a configuration listing all the users and computers in the domain, mostly in triplicate. A partial list:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing, but am assuming it is OK.
Strange that you do not have any host/ entries. Maybe it works without.
setspn -q is helpful here, also setspn command in general.
I have no such command in my system. Is that a Windows thing?
Yes, but you can do those kind of things in Samba too.
As to the /etc/krb5.conf, the default one generated by samba is:
[libdefaults]
    default_realm = HPRS.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
Here is a *SAMPLE* configuration:
[libdefaults]
    default_realm = YOUR.REALM
    dns_lookup_kdc = true
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:
You can remove the krb4_ stuff
krb5_config = /etc/krb5.conf
Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?
You don't necessarily require that.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true
[realms]
    YOUR.REALM = {
        default_domain = your.domain.name
        auth_to_local_names = {
            Administrator = root
        }
    }
I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD server: mail.hprs.local, or is it just hprs.local? (or something else!)
HPRS.LOCAL is your REALM, hprs.local is your domain name.
[domain_realm]
    your.domain.name = YOUR.REALM
    # this is not a mistake
    .your.domain.name = YOUR.REALM
[login]
    krb4_convert = true
    krb4_get_tickets = false
Likewise here a question on the whole krb4 versus krb5 thing.
Your closing comment:
Also, note that kerberos can only act as AUTHENTICATION system. It cannot act as USER DATABASE. For that you need to configure LDAP or something else. With Active Directory LDAP is probably a damn good idea.
I have the following doveconf -n:
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =
I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in any case I still have all but this test workstation NOT using gssapi, so I still need to accommodate them.
Thanks, --Mark
passwd driver is fine, yes, if you ensure that users can be found.
Aki
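As an added check, not part of this thread and not Dovecot's or Samba's own code: a POSIX shell script that reads `klist -k` output and reports whether the imap/ and host/ service principals for the mail host are present in the keytab, and how many plain user keys the keytab holds. It assumes the host name mail.hprs.local and the realm HPRS.LOCAL from the thread; the two listings embedded in it are constructed, one shaped like the whole-domain export shown above and one like a keytab that holds only the mail host's own service keys. Active Directory matches service principal names case-insensitively, so IMAP/ and imap/ both satisfy the check.

```sh
#!/bin/sh
# Added example, not code from the thread, Dovecot or Samba: a small check
# for the keytab prerequisites Aki lists, run over `klist -k` output.
# Host name mail.hprs.local and realm HPRS.LOCAL are taken from the thread;
# the listings below are constructed, not copied from Mark's server.

# missing_principals FQDN REALM  (reads `klist -k` output on stdin)
# Prints every service principal Dovecot's GSSAPI needs that is absent
# from the listing, one per line. Returns 0 if none are missing, 1 otherwise.
# AD matches SPNs case-insensitively, so IMAP/... and imap/... both count.
missing_principals() {
    fqdn="$1"; realm="$2"
    listing=$(cat)
    rc=0
    for svc in imap host; do
        want="$svc/$fqdn@$realm"
        # klist -k prints "KVNO Principal" rows; only rows with a numeric KVNO are entries
        if ! printf '%s\n' "$listing" | awk -v want="$want" '
                $1 ~ /^[0-9]+$/ && tolower($2) == tolower(want) { found = 1 }
                END { exit (found ? 0 : 1) }'; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return $rc
}

# count_user_keys  (reads `klist -k` output on stdin)
# Counts distinct principals that are neither a service (contain no "/")
# nor a machine account (name does not end in "$"): plain user keys, which
# have no business in a mail server's keytab.
count_user_keys() {
    awk '$1 ~ /^[0-9]+$/ {
             p = $2; sub(/@.*/, "", p)
             if (p !~ /\// && p !~ /\$$/) users[p] = 1
         }
         END { n = 0; for (k in users) n++; print n }'
}

# Constructed listing shaped like Mark's: a whole-domain export, each
# principal repeated once per encryption type, no service entries at all.
SAMPLE_WHOLE_DOMAIN='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL'

# Constructed listing of a keytab holding only the mail host's own
# service principals (what a per-principal export produces).
SAMPLE_SERVICE_ONLY='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------
   2 imap/mail.hprs.local@HPRS.LOCAL
   2 imap/mail.hprs.local@HPRS.LOCAL
   2 host/mail.hprs.local@HPRS.LOCAL
   2 host/mail.hprs.local@HPRS.LOCAL'

# Usage on a real keytab:
#   klist -k /etc/krb5.keytab | missing_principals mail.hprs.local HPRS.LOCAL
report() {
    name="$1"; listing="$2"
    echo "== $name"
    printf '%s\n' "$listing" | missing_principals mail.hprs.local HPRS.LOCAL \
        | sed 's/^/missing: /'
    printf 'user principals in keytab: %s\n' \
        "$(printf '%s\n' "$listing" | count_user_keys)"
}
report "whole-domain export" "$SAMPLE_WHOLE_DOMAIN"
report "service-only keytab" "$SAMPLE_SERVICE_ONLY"
```

On the whole-domain listing the script reports both imap/mail.hprs.local@HPRS.LOCAL and host/mail.hprs.local@HPRS.LOCAL as missing and counts one user principal; on the service-only listing it reports nothing missing and zero user keys. A keytab that lists user principals carries those users' long-term keys, and making it readable by the dovecot group exposes them to the mail server; `samba-tool domain exportkeytab --principal=imap/mail.hprs.local /etc/dovecot/dovecot.keytab` limits the export to the one service principal Dovecot needs.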