Aki - comments interspersed below ...
--Mark
-----Original Message-----
Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
To: dovecot@dovecot.org
From: Aki Tuomi <aki.tuomi@dovecot.fi>
Organization: Dovecot Oy
Date: Fri, 1 Jul 2016 10:10:43 +0300
The distinction is that kerberos principals are in form
<service>/<hostname>@<REALM>
the hostname bit *must* match to the host you are connecting to, exactly and verbatim. It can differ in case, I guess.
The service is what service you are connecting to. These have special meanings and can be case sensitive (like http won't always work, it has to be HTTP).
The current IMAP "Principal" in my keytab is:
imap/mail.hprs.local@HPRS.LOCAL
Explicitly, are you saying it needs to look like:
IMAP/mail@HPRS.LOCAL
Meaning, capitalized "IMAP" and just the hostname, no FQDN?
host/ is always needed in at least system keytab. Not sure if it's needed now in the service tab. But I suspect that you need to have IMAP and not imap. Also make sure and double-check that the hostname is correct.
Confused. What do you mean by "host/"? Can you give an example using my host and domain names? I don't know where "host/" goes. I assume this is not a synonym for "<service>/"?
This is the first I've heard of a system keytab versus a service tab. What are they? Do I need both?
Once you've done the keytab you'll want to grab a cup of coffee and local newspaper or something and read it thru before trying, because it might take some time for it to work.
Really? I can reboot this evening.
Also, your client *and* host need to be able to access the KDC (all of them) on 88/tcp.
There should be no problem with the intra-LAN firewall. Everything is permitted, but I'll double-check on the WIN7 workstation I'm testing from.
Is there a way to know for sure my dovecot is enabled for gssapi?
Aki
On 01.07.2016 09:42, Mark Foley wrote:
My keytab now has:
ktutil: read_kt /etc/dovecot/dovecot.keytab
ktutil: list
slot KVNO Principal
   1    1 smtp/mail.hprs.local@HPRS.LOCAL
   2    1 imap/mail.hprs.local@HPRS.LOCAL
I added these in ktutil with:
addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac
Aki wrote:
I think the problem still is that your keytab file has no entry imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
you also have no host/hostname@DOMAIN
Not sure how to interpret your template. Are you suggesting I should ...
addent -password -p IMAP/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
addent -password -p imap/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
(one IMAP uppercase and one lowercase?)
I don't get your distinction between host and hostname in your 3rd example: host/hostname@DOMAIN
Meanwhile ...
Tried a bunch of things. No go so far. In fact, I'm questioning if gssapi is enabled in my dovecot. I did rebuild and reinstall using
./configure --with-gssapi=yes
, but if I only enable gssapi authentication, I get "No authenticators available" (mail client). How can I verify gssapi is really available? dovecot --build-options shows:
Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
SQL drivers:
Passdb: checkpassword passwd passwd-file shadow
Userdb: checkpassword nss passwd prefetch passwd-file
Should I see authentication methods there?
--Mark
-----Original Message-----
Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
To: dovecot@dovecot.org
From: Aki Tuomi <aki.tuomi@dovecot.fi>
Organization: Dovecot Oy
Date: Thu, 30 Jun 2016 09:58:14 +0300
I think the problem still is that your keytab file has no entry imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
you also have no host/hostname@DOMAIN
Aki
On 29.06.2016 18:40, Mark Foley wrote:
Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that. The Thunderbird message is:
"The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark@ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."
I made further comments in that message that I won't clutter the list by repeating here. Check out that message and see what you think could be wrong.
Thanks for your help! I'm sure this is solvable!
--Mark
-----Original Message-----
Date: Wed, 29 Jun 2016 08:03:14 -0400
Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
From: brendan kearney <bpk678@gmail.com>
To: Mark Foley <mfoley@ohprs.org>
Cc: dovecot@dovecot.org
The last log line shows "user=<>". This indicates no credentials were presented. If the rip field matches the client ip you tested from, I would bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not pulled for the authentication.
On Jun 28, 2016 11:33 PM, "Mark Foley" <mfoley@ohprs.org> wrote:
[deleted]
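The recurring point in this thread is that the keytab must hold a principal of the exact shape service/hostname@REALM, with the hostname matching the name the client connects to (FQDN, not short name) and the service name possibly case sensitive. The following checker is an added example, not code from the thread or from Dovecot: it parses a constructed "ktutil: list" dump in the shape shown above and reports whether the expected entry is present, distinguishing a short-hostname mismatch from a service-name case difference. The listing, the expected service name and the host/realm values are constructed from the thread's own examples; which case of "imap" a given Dovecot build wants is left as a parameter rather than assumed.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed "ktutil: list" output mirroring the thread's two entries,
# plus one deliberately wrong entry (short hostname, upper-case service).
KEYTAB_LISTING = """\
slot KVNO Principal
---- ---- ---------
   1    1 smtp/mail.hprs.local@HPRS.LOCAL
   2    1 imap/mail.hprs.local@HPRS.LOCAL
   3    1 IMAP/mail@HPRS.LOCAL
"""

PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@\s]+)/(?P<host>[^@\s]+)@(?P<realm>\S+)$")

class Principal(NamedTuple):
    service: str
    host: str
    realm: str

def parse_principal(text: str) -> Optional[Principal]:
    """Split service/hostname@REALM into its parts; None if not that shape."""
    m = PRINCIPAL_RE.match(text.strip())
    return Principal(**m.groupdict()) if m else None

def parse_ktutil_listing(listing: str) -> List[Principal]:
    """Pull principals out of a ktutil 'list' dump, skipping header lines."""
    found = []
    for line in listing.splitlines():
        cols = line.split()
        if len(cols) == 3 and cols[0].isdigit():
            p = parse_principal(cols[2])
            if p:
                found.append(p)
    return found

def check_service_principal(principals: List[Principal], service: str,
                            fqdn: str, realm: str) -> Tuple[bool, str]:
    """(ok, reason): is there an entry whose service, host and realm all match exactly?
    Realm is compared as-is (realms are upper-case by convention). If only a
    near-miss exists, say whether the hostname or the service-name case is off."""
    for p in principals:
        if p.service == service and p.host == fqdn and p.realm == realm:
            return True, "exact match"
    for p in principals:
        if p.service.lower() == service.lower() and p.realm == realm:
            if p.host != fqdn:
                return False, f"{p.service}/{p.host}: hostname is not the FQDN {fqdn}"
            return False, f"{p.service}/{p.host}: service name differs in case from {service}"
    return False, f"no {service}/{fqdn}@{realm} entry"
```

Run it against real output of `klist -k` or `ktutil: list` by pasting the listing into KEYTAB_LISTING; the check for the host/ principal the thread mentions is the same call with service="host".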