Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is delivered successfully to the other domain users having PLAIN authentication. That's a big step. In examining my original config.log output I apparently did not have --with-gssapi enabled.
HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still cannot correctly authenticate and retrieve mail. Here is the dovecot log for that host:
Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges Jun 28 22:44:05 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth Jun 28 22:44:05 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076) Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.58] Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.58] Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58] Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58] Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, session=<WeZyumE25wDAqAA6>
Does this tell you anything? doveconf -n and krb5.conf are configured as shown in previous
messages below.
Closer! --Mark
-----Original Message----- From: Mark Foley <mfoley@ohprs.org> Date: Tue, 28 Jun 2016 22:04:42 -0400 To: dovecot@dovecot.org Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Aki, you wrote:
Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?
I'll try to check status of NTLM this week.
I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.
I do have the Dovecot sources and will peruse the possible options after I send this. I am on version 2.2.15 and I see that the current downloadable version is 2.2.24. Should I upgrade? Do you think that would help? (a perusal of the changes since 2.2.15 shows nothing obvious realated to gssapi)
--Mark
-----Original Message-----
Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST) From: aki.tuomi@dovecot.fi To: dovecot@dovecot.org Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
On June 28, 2016 at 5:17 PM Mark Foley <mfoley@ohprs.org> wrote:
Aki - made your suggested changes, but no joy :(
My /etc/krb5.conf:
------SNIP-------- [libdefaults] default_realm = HPRS.LOCAL dns_lookup_realm = false dns_lookup_kdc = true
[libdefaults] default_realm = HPRS.LOCAL dns_lookup_kdc = true kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true fcc-mit-ticketflags = true
[realms] HPRS.LOCAL = { default_domain = hprs.local auth_to_local_names = { Administrator = root } }
[domain_realm] hprs.local = HPRS.LOCAL # this is not a mistake .hprs.local = HPRS.LOCAL ------PINS-----------
you wrote:
You can remove the krb4_ stuff
I've remove krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether. Question on [realms]Administrator: should that really be root or should it be my AD Administrator?
my doveconf -n is exactly the same as posted below, but in particular:
auth_krb5_keytab = /etc/krb5.keytab auth_mechanisms = plain login gssapi
When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using plain/ssl, no one yet configured for gssapi).
In /var/log/maillog I got (repeatedly):
Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=<Jy/e0lY2WADAqAA2> Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi' Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=</GXn0lY22wCmqhuh>
This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"?
Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd finally able to get AD authentication going for Dovecot. Not ready to give up though!
Suggestions?
THX -- Mark
-----original Message-----
Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example] To: dovecot@dovecot.org From: Aki Tuomi <aki.tuomi@dovecot.fi> Date: Tue, 28 Jun 2016 15:13:11 +0300
On 28.06.2016 09:27, Mark Foley wrote:
Aki,
To review your 5 points:
On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
- Functional AD or Kerberos environment
- Time synced against your KDC (which is your Domain Controller on Windows)
- /etc/krb5.conf configured
- Both forward / reverse DNS names correct for clients and servers. Reverse is only mandatory for servers, but having them right will work wonders. Most kerberos problems are about DNS problems.
- You need a keytab. This keytab needs to hold entries like IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate these on any Windows DC server (at least). I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit and klist according to the instructions at https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Contr...
As to the the keytab (#5) I did the following:
$ samba-tool domain exportkeytab /etc/krb5.keytab
which created the file. I made this owned and readable by group dovecot, per instructions at http://wiki2.dovecot.org/Authentication/Kerberos. Running
klist -k /etc/krb5.keytabshows me configuration listing all the users and computers in the domain, mostly in triplicate. A partial list:Keytab name: FILE:/etc/krb5.keytab KVNO Principal
18 COMMON$@HPRS.LOCAL 18 COMMON$@HPRS.LOCAL 18 COMMON$@HPRS.LOCAL 1 MAIL$@HPRS.LOCAL 1 MAIL$@HPRS.LOCAL 1 MAIL$@HPRS.LOCAL 1 charmaine@HPRS.LOCAL 1 charmaine@HPRS.LOCAL 1 charmaine@HPRS.LOCAL
where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing, but am assuming it is OK.
Strange that you do not have any host/ entries. Maybe it works without.
setspn -q is helpful here, also setspn command in general. I have no such command in my system. Is that a Windows thing?
Yes, but you can do those kind of things in Samba too.
As to the /etc/krb5.conf, the default one generated by samba is:
[libdefaults] default_realm = HPRS.LOCAL dns_lookup_realm = false dns_lookup_kdc = true
I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
Here is a *SAMPLE* configuration:
[libdefaults] default_realm = YOUR.REALM dns_lookup_kdc = true krb4_config = /etc/krb.conf krb4_realms = /etc/krb.realms Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:
You can remove the krb4_ stuff
krb5_config = /etc/krb5.conf
Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there? You don't necessarely require that.
kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true fcc-mit-ticketflags = true[realms] YOUR.REALM = { default_domain = your.domain.name auth_to_local_names = { Administrator = root } }
I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD server: mail.hprs.local, or is it just hprs.local? (or something else!)
HPRS.LOCAL is your REALM, hprs.local is your domain name.
[domain_realm] your.domain.name = YOUR.REALM # this is not a mistake .your.domain.name = YOUR.REALM [login] krb4_convert = true krb4_get_tickets = false Likewise here a question on the whole krb4 versus krb5 thing.
Your closing comment:
Also, note that kerberos can only act as AUTHENTICATION system. It cannot act as USER DATABASE. For that you need to configure LDAP or something else. With Active Directory LDAP is probably a damn good idea. I have the following doveconf -n:
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf # OS: Linux 3.10.17 x86_64 Slackware 14.1 auth_debug_passwords = yes auth_krb5_keytab = /etc/krb5.keytab auth_mechanisms = plain login gssapi auth_verbose = yes auth_verbose_passwords = plain disable_plaintext_auth = no info_log_path = /var/log/dovecot_info mail_location = maildir:~/Maildir passdb { driver = shadow } protocols = imap ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key userdb { driver = passwd } verbose_ssl = yes
I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in any case I still have all but this test workstation NOT using gssapi, so I still need to accomodate them.
Thanks, --Mark
passwd driver is fine, yes, if you ensure that users can be found.
Aki
Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?
I'll try to check status of NTLM this week.
Aki