Jan, thanks for your helpful reply. You wrote:
> With Dovecot I got the SSO working with Kerberos, and this part is working great. Other parts (shared mailboxes, that sort of stuff) aren't working for me yet. ...
I'm the opposite. My mailbox setup has been working great for a year and a half, though I've not bothered with shared mailboxes yet.
I've attempted to follow your instructions, but still having problems. First, my errors:
  Jun 28 01:04:49 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
  Jun 28 01:04:49 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
  Jun 28 01:04:49 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
  Jun 28 01:04:49 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
  Jun 28 01:04:49 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<Zg2Nk082LgDAqAA6>
Now, your instructions:
> One of the tricky bits is you need a Kerberos keytab with two services. I used ktutil:
>
>   # ktutil
>   ktutil: read_kt mail-imap.keytab
>   ktutil: read_kt mail-smtp.keytab
>   ktutil: write_kt mail.keytab
>   ktutil: quit
>
> I'm using a Windows 2003 R2 server as domain controller; to create a keytab file you need the Windows 2003 Support Tools.
>
>   ktpass.exe -princ imap/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL -mapuser GCECAD-SERVICE\mail-imap -crypto RC4-HMAC-NT -pass koeltje234 -ptype KRB5_NT_PRINCIPAL -out mail-imap.keytab
>
>   ktpass.exe -princ smtp/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL -mapuser GCECAD-SERVICE\mail-smtp -crypto RC4-HMAC-NT -pass koeltje234 -ptype KRB5_NT_PRINCIPAL -out mail-smtp.keytab
I ran ktutil, but the commands "read_kt mail-imap.keytab" and "read_kt mail-smtp.keytab" returned:

  No such file or directory while reading keytab "mail-imap.keytab"

Perhaps your subsequent ktpass commands are meant to create those. I do not have a ktpass command. I therefore do not have these files. I suppose that could be part of my problem. Can you share the actual contents of these files? I could create them by hand. Do Dovecot and/or Kerberos know where to look for these?
> On the Dovecot server I had to install a Kerberos package:
Likewise, I installed Kerberos for Slackware. It tested OK. I was able to do a kinit and klist per the instructions at https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Contr...
> My Kerberos configuration:
>
>   # vi /etc/krb5.conf
>   [logging]
>    default = FILE:/var/log/krb5libs.log
>    kdc = FILE:/var/log/krb5kdc.log
>    admin_server = FILE:/var/log/kadmind.log
I added the [logging] section. Of note, these log files do not exist after multiple attempts with my GSSAPI connection. Probably a bad sign.
>   [libdefaults]
>    dns_lookup_realm = false
>    dns_lookup_kdc = false
>    ticket_lifetime = 24h
>    renew_lifetime = 7d
>    forwardable = true
>    rdns = false
>    default_realm = GCECAD-SERVICE.LOCAL
>    default_keytab_file = /etc/krb5.keytab
>    default_ccache_name = KEYRING:persistent:%{uid}
>    allow_weak_crypto = true
>    default_tkt_enctypes = arcfour-hmac-md5
>    default_tgs_enctypes = arcfour-hmac-md5
>    permitted_enctypes = arcfour-hmac-md5
I added all these as well, changing your GCECAD-SERVICE.LOCAL to my HPRS.LOCAL.
>   [appdefaults]
>    pam = {
>      debug = false
>      ticket_lifetime = 24h
>      renew_lifetime = 7d
>      forwardable = true
>      krb4_convert = false
>    }
I also added this [appdefaults] section.
>   [realms]
>    GCECAD-SERVICE.LOCAL = {
>      kdc = this.is.the.dns.name.of.your.kdc
>      admin_server = this.is.the.dns.name.of.your.kdc
>    }
I tried with and without this section. Not sure what this.is.the.dns.name.of.your.kdc is supposed to be. I changed mine to the domain FQDN of the server:
  [realms]
   HPRS.LOCAL = {
     kdc = mail.hprs.local
     admin_server = mail.hprs.local
   }
>   [domain_realm]
>    .gcecad-service.local = GCECAD-SERVICE.LOCAL
>    gcecad-service.local = GCECAD-SERVICE.LOCAL
>    .gcecad-service.nl = GCECAD-SERVICE.LOCAL
>    gcecad-service.nl = GCECAD-SERVICE.LOCAL
I also tried with and without this section. Again, not sure what should go there. I tried:
  [domain_realm]
   .hprs.local = HPRS.LOCAL
   hprs.local = HPRS.LOCAL
   .hprs.nl = HPRS.LOCAL
   hprs.nl = HPRS.LOCAL
I'm a bit skeptical of the above, as .nl is your public top-level domain.
In fact, after adding these sections I got no error logged in dovecot_log, but did get a message pop up on Thunderbird saying, "Could not connect to mail server mark@ohprs.org; the connection was refused."
> Dovecot config, the needed parts:
>
> In /etc/dovecot/conf.d/10-auth.conf :
>
>   auth_krb5_keytab = /etc/dovecot/mail.keytab
>   auth_mechanisms = plain gssapi
I added those.
> In /etc/dovecot/conf.d/auth-system.conf.ext :
>
>   passdb {
>     driver = pam
>   }
>   userdb {
>     driver = static
>     args = uid=2000 gid=2000 home=/var/vmail/%Ln allow_all_users=yes
>   }
I used my same userdb and passdb settings (although I understand that passdb is not used by gssapi?)
  passdb {
    driver = shadow
  }
  userdb {
    driver = passwd
  }
> In /etc/pam.d/dovecot :
>
>   #%PAM-1.0
>   auth      sufficient    pam_krb5.so no_user_check validate
>   account   sufficient    pam_permit.so
The /etc/pam.d directory did not exist so I created it and added the dovecot file as shown. The permissions are a+r.
So, no go so far, but I am encouraged that you have it working. Perhaps you can point out what I might be missing or have otherwise done wrong?
THX --Mark
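Editor's note on the keytab question raised above. Mark asks what the mail-imap.keytab / mail-smtp.keytab files actually contain and whether they could be made by hand. They can: a keytab is a small binary file (MIT format 0x0502) listing service principals with their keys, and with `-crypto RC4-HMAC-NT` the key ktpass stores is simply the NT hash of the account password, MD4 over the UTF-16LE password, which is why Jan's krb5.conf has to allow the weak arcfour-hmac-md5 enctype. The script below is an added example written for this thread, not Jan's, Dovecot's or MIT's code; the host name, realm, account passwords and kvno in it are constructed placeholders. It builds a two-principal keytab equivalent to the ktutil merge shown, parses it back, and reports which of the imap/ and smtp/ principals for the mail host are missing. For the result to be usable the password and kvno must match the AD service accounts (ktpass prints the vno it set; a mismatch makes GSSAPI fail), the keytab must be readable by the Dovecot auth process, and note that the "Auth process broken" line in Mark's log means the auth process itself exited before it was ready, so its own error message, logged just before it, is the first thing to look for.

```python
"""Build and inspect an MIT-format Kerberos keytab without ktutil or ktpass.

Added example for this thread, not Jan's or Dovecot's code.  Host name,
realm, passwords and kvno are constructed placeholders.
"""
import struct
import sys
import time

KRB5_NT_PRINCIPAL = 1   # ktpass -ptype KRB5_NT_PRINCIPAL
ETYPE_RC4_HMAC = 23     # ktpass -crypto RC4-HMAC-NT / krb5.conf arcfour-hmac-md5


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is disabled in many OpenSSL 3 builds."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    rounds = (  # (boolean function, additive constant, X[] index order, shifts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(padded), 64):
        x = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c          # rotate registers: [ABCD] -> [DABC] -> ...
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """RC4-HMAC key == NT hash == MD4(UTF-16LE(password)); what ktpass RC4-HMAC-NT stores."""
    return md4(password.encode("utf-16-le"))


def _cos(raw: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(raw)) + raw


def write_keytab(entries, timestamp=None) -> bytes:
    """Serialize (principal, kvno, etype, key) tuples as a format-0x0502 keytab."""
    ts = int(time.time()) if timestamp is None else timestamp
    out = b"\x05\x02"                                   # file format version
    for principal, kvno, etype, key in entries:         # principal is 'service/host@REALM'
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cos(realm.encode())
        body += b"".join(_cos(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)  # name type, time, vno8
        body += struct.pack(">H", etype) + _cos(key)                     # keyblock
        body += struct.pack(">I", kvno)                                  # 32-bit kvno (MIT >= 1.3)
        out += struct.pack(">i", len(body)) + body
    return out


def read_keytab(blob: bytes):
    """Parse a format-0x0502 keytab into (principal, kvno, etype, key) tuples."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab format version %r" % blob[:2])

    def cos(p):
        (n,) = struct.unpack_from(">H", blob, p)
        return blob[p + 2:p + 2 + n], p + 2 + n

    pos, entries = 2, []
    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                    # negative size: slot deleted by ktutil, skip it
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", blob, p)
        realm, p = cos(p + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = cos(p)
            comps.append(comp.decode())
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", blob, p)
        (etype,) = struct.unpack_from(">H", blob, p + 9)
        key, p = cos(p + 11)
        kvno = vno8
        if end - p >= 4:                # 32-bit kvno only if the entry has room for it
            kvno = struct.unpack_from(">I", blob, p)[0] or vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype, key))
        pos = end
    return entries


def missing_services(blob: bytes, host: str, realm: str, services=("imap", "smtp")) -> list:
    """Service principals the Dovecot/SMTP setup needs that the keytab does not contain."""
    have = {p for p, _, _, _ in read_keytab(blob)}
    return [f"{s}/{host}@{realm}" for s in services if f"{s}/{host}@{realm}" not in have]


if __name__ == "__main__":
    # Constructed placeholders: use the FQDN clients connect to and the AD accounts' password/kvno.
    host, realm, kvno = "mail.hprs.local", "HPRS.LOCAL", 2
    keytab = write_keytab([
        (f"imap/{host}@{realm}", kvno, ETYPE_RC4_HMAC, nt_hash("imap-account-password")),
        (f"smtp/{host}@{realm}", kvno, ETYPE_RC4_HMAC, nt_hash("smtp-account-password")),
    ])
    for principal, vno, etype, _key in read_keytab(keytab):
        print(f"{vno:>4} {principal} (etype {etype})")
    print("missing:", missing_services(keytab, host, realm))
    if len(sys.argv) > 1:               # e.g. python3 mkkeytab.py /etc/dovecot/mail.keytab
        with open(sys.argv[1], "wb") as fh:
            fh.write(keytab)
```

The file this writes is the same layout `ktutil: write_kt` produces, so `klist -kte mail.keytab` should list both principals with etype arcfour-hmac, and `kinit -kt mail.keytab imap/mail.hprs.local@HPRS.LOCAL` against the AD KDC is the quickest way to prove the key and kvno match the account before involving Dovecot. RC4-HMAC is kept here only because it is what the quoted ktpass and krb5.conf lines use; where the domain controller supports AES enctypes, an AES keytab avoids `allow_weak_crypto = true` entirely.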