On Fri, Feb 04, 2011 at 01:47:31PM -0700, Trever L. Adams wrote:
There was a thread a month or so ago on how to do GSSAPI with AD and dovecot kerberos. It works great, and I highly recommend it for AD sites. Check the archives, it isn't really too hard.
I am not finding this. Do you happen to remember the subject?
No, but it is pretty simple using the latest of everything (well, Debian squeeze). Basically from scratch. Notice this also sets up NTLM, which is supported by many roaming devices (i.e. phones).
- Put this or similar in /etc/samba/smb.conf
[global]
    workgroup = $NT_WORKGROUP$
    realm = $REALM$
    security = ads
    kerberos method = secrets and keytab
Confirm that hostname gives an unqualified name and hostname -f gives a fully qualified name. Confirm you have DNS set up properly (e.g. dig -t SRV _kerberos._udp.$REALM$ works OK).
- Join the machine to AD
$ net ads join -U 'user with AD privs'
$ kinit AD_USER
$ kvno host/$(hostname -f)
- Set up the imap SPN:
$ net ads keytab add imap
$ net ads search cn=$(hostname) | grep servicePrincipalName
$ klist -k
$ kvno imap/$(hostname -f)
The last three should report imap/$(hostname -f) entries.
- Set up dovecot.
Set these things in the config
auth_use_winbind = yes
mechanisms = plain gssapi gss-spnego login ntlm
- Set up exim.
$ net ads keytab add smtp
Use these in the dovecot config:
socket listen {
  client {
    path = /var/run/dovecot/auth-client
    mode = 0660
    group = Debian-exim
  }
}
And this at the end of the exim.conf:
dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = PLAIN-${quote:$auth1}

dovecot_ntlm:
  driver = dovecot
  public_name = NTLM
  server_socket = /var/run/dovecot/auth-client
  server_set_id = NTLM-${quote:$auth1}

dovecot_gssapi:
  driver = dovecot
  public_name = GSSAPI
  server_socket = /var/run/dovecot/auth-client
  server_set_id = GSSAPI-${quote:$auth1}

dovecot_gssapi_spnego:
  driver = dovecot
  public_name = GSS-SPNEGO
  server_socket = /var/run/dovecot/auth-client
  server_set_id = GSS-SPNEGO-${quote:$auth1}
- Set up openssh.
In sshd_config:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
Jason
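Added here as an example, not part of Jason's post: a POSIX sh check that the keytab produced by the steps above actually holds the principals each service will accept (imap/ for dovecot, smtp/ for exim, host/ for sshd with GSSAPIStrictAcceptorCheck) and that hostname and hostname -f agree. It assumes MIT Kerberos klist -k output; the realm and host names in the sample are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes MIT Kerberos `klist -k`
# output; EXAMPLE.COM / mail.example.com below are placeholders.

# Print the principals from a `klist -k` listing, one per line, without the KVNO column.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# check_spns FQDN LISTING SERVICE...: succeed only if every SERVICE/FQDN@<realm>
# appears in LISTING; report each missing entry on stderr.
check_spns() {
    fqdn=$1; listing=$2; shift 2
    missing=0
    for svc in "$@"; do
        if ! keytab_principals "$listing" | grep -q "^${svc}/${fqdn}@"; then
            echo "missing keytab entry: ${svc}/${fqdn}" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# fqdn_ok SHORT FQDN: the post requires `hostname` to be unqualified and
# `hostname -f` qualified; the FQDN must also extend the short name, otherwise
# the host/ principal sshd looks for under GSSAPIStrictAcceptorCheck will not match.
fqdn_ok() {
    short=$1; fqdn=$2
    case $short in *.*) return 1 ;; esac
    case $fqdn in "$short".?*) return 0 ;; *) return 1 ;; esac
}

# Constructed `klist -k` output for a host that has been joined and had the imap
# SPN added, but not yet `net ads keytab add smtp`.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/mail.example.com@EXAMPLE.COM
   2 MAIL$@EXAMPLE.COM
   2 imap/mail.example.com@EXAMPLE.COM'

# --live checks the real keytab on a joined host; --sample runs against the
# constructed listing above and exits non-zero because smtp/ is missing.
if [ "${1:-}" = "--live" ] && command -v klist >/dev/null 2>&1; then
    fqdn_ok "$(hostname)" "$(hostname -f)" || echo "hostname / hostname -f mismatch" >&2
    check_spns "$(hostname -f)" "$(klist -k 2>&1)" host imap smtp
elif [ "${1:-}" = "--sample" ]; then
    check_spns mail.example.com "$SAMPLE_KLIST" host imap smtp
fi
```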