Aki,
To review your 5 points:
On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
> - Functional AD or Kerberos environment
> - Time synced against your KDC (which is your Domain Controller on Windows)
> - /etc/krb5.conf configured
> - Both forward / reverse DNS names correct for clients and servers. Reverse is only mandatory for servers, but having them right will work wonders. Most kerberos problems are about DNS problems.
> - You need a keytab. This keytab needs to hold entries like IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate these on any Windows DC server (at least).
I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit and klist according to the instructions at https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Contr...
As to the keytab (#5) I did the following:

    $ samba-tool domain exportkeytab /etc/krb5.keytab

which created the file. I made this owned and readable by group dovecot, per instructions at
http://wiki2.dovecot.org/Authentication/Kerberos. Running klist -k /etc/krb5.keytab
shows me a configuration listing all the users and computers in the domain, mostly in triplicate. A partial list:

    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
      18 COMMON$@HPRS.LOCAL
      18 COMMON$@HPRS.LOCAL
      18 COMMON$@HPRS.LOCAL
       1 MAIL$@HPRS.LOCAL
       1 MAIL$@HPRS.LOCAL
       1 MAIL$@HPRS.LOCAL
       1 charmaine@HPRS.LOCAL
       1 charmaine@HPRS.LOCAL
       1 charmaine@HPRS.LOCAL

where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing, but am assuming it is OK.
> setspn -q is helpful here, also setspn command in general.
I have no such command in my system. Is that a Windows thing?
As to the /etc/krb5.conf, the default one generated by samba is:

    [libdefaults]
        default_realm = HPRS.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
> Here is a *SAMPLE* configuration:
>
> [libdefaults]
>     default_realm = YOUR.REALM
>     dns_lookup_kdc = true
>     krb4_config = /etc/krb.conf
>     krb4_realms = /etc/krb.realms
Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:
    krb5_config = /etc/krb5.conf
Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?
>     kdc_timesync = 1
>     ccache_type = 4
>     forwardable = true
>     proxiable = true
>     fcc-mit-ticketflags = true
>
> [realms]
>     YOUR.REALM = {
>         default_domain = your.domain.name
>         auth_to_local_names = {
>             Administrator = root
>         }
>     }
I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD server: mail.hprs.local, or is it just hprs.local? (or something else!)
> [domain_realm]
>     your.domain.name = YOUR.REALM
>     # this is not a mistake
>     .your.domain.name = YOUR.REALM
>
> [login]
>     krb4_convert = true
>     krb4_get_tickets = false
Likewise here a question on the whole krb4 versus krb5 thing.
Your closing comment:
> Also, note that kerberos can only act as AUTHENTICATION system. It cannot act as USER DATABASE. For that you need to configure LDAP or something else. With Active Directory LDAP is probably a damn good idea.
I have the following doveconf -n:
    # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
    # OS: Linux 3.10.17 x86_64 Slackware 14.1
    auth_debug_passwords = yes
    auth_krb5_keytab = /etc/krb5.keytab
    auth_mechanisms = plain login gssapi
    auth_verbose = yes
    auth_verbose_passwords = plain
    disable_plaintext_auth = no
    info_log_path = /var/log/dovecot_info
    mail_location = maildir:~/Maildir
    passdb {
      driver = shadow
    }
    protocols = imap
    ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
    ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
    userdb {
      driver = passwd
    }
    verbose_ssl = yes

I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in any case I still have all but this test workstation NOT using gssapi, so I still need to accommodate them.
Thanks, --Mark
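As an added illustration (not part of this thread, nor Dovecot or Samba code), here is a small Python checker that parses klist -k output of the kind quoted above and reports whether the IMAP/host@REALM entries Aki listed are present, which user principals an unrestricted exportkeytab run swept into the file, and whether every entry is in the expected realm. The host mail.hprs.local and realm HPRS.LOCAL are taken from the mail; the keytab listing is a constructed sample.

```python
import re

# Constructed sample, modelled on the klist -k listing quoted in the mail
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
"""

# One keytab entry: KVNO, whitespace, principal that carries a realm
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")

def parse_klist(text):
    """Return (kvno, principal) pairs from klist -k output; header lines are skipped."""
    return [(int(m.group(1)), m.group(2))
            for m in map(ENTRY_RE.match, text.splitlines()) if m]

def kind(principal):
    """Classify a principal: service (has '/'), computer (ends in '$') or user."""
    name = principal.rpartition("@")[0]
    if "/" in name:
        return "service"
    return "computer" if name.endswith("$") else "user"

def check_keytab(text, fqdn, realm, service="IMAP"):
    """Compare a keytab listing with what a GSSAPI IMAP server needs.

    missing        service principals (IMAP/fqdn and IMAP/shorthost) not present
    extra_users    user principals, which a mail server keytab should not hold
    foreign_realms entries whose realm differs from the expected one
    """
    principals = {p for _, p in parse_klist(text)}
    short = fqdn.split(".")[0]
    wanted = {f"{service}/{fqdn}@{realm}", f"{service}/{short}@{realm}"}
    return {
        "missing": sorted(wanted - principals),
        "extra_users": sorted(p for p in principals if kind(p) == "user"),
        "foreign_realms": sorted(p for p in principals
                                 if p.rpartition("@")[2] != realm),
    }

if __name__ == "__main__":
    # mail.hprs.local / HPRS.LOCAL are the host and realm named in the thread
    for key, value in check_keytab(SAMPLE_KLIST, "mail.hprs.local", "HPRS.LOCAL").items():
        print(f"{key}: {value or 'none'}")
```

Run against real output with `klist -k /etc/krb5.keytab | python3 checker.py` after swapping the sample for sys.stdin.read(); an empty "missing" list and an empty "extra_users" list is the state to aim for.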