Hi,
On 27-06-2016 08:58, Mark Foley wrote:
> So, I'm apparently lacking in the kerberos stuff. Here's the problem -- Samba4 uses Heimdal Kerberos and when I provisioned my domain apparently none of these needed kerberos files were set up. I can, however, kerberos authenticate from domain workstations both WIN7 and Linux.
You don't need any Samba4 stuff, to get it working. Samba is great, but can be hard to get right. I tend to steer clear of Samba when I don't really need it.
My first experience was with an OTRS helpdesk install, and trying to get it to do SSO. I was helped a great deal by wireshark, and this website: http://www.grolmsnet.de/kerbtut/
On a sidenote: mod_auth_kerb is rather ancient, in computer-terms. You'd be better off with mod_auth_gssapi. In the case of Dovecot we are not using Apache, of course.
With Dovecot I got the SSO working with Kerberos, and this part is working great. Other parts (shared mailboxes, that sort of stuff) aren't working for me yet. This is my own fault, not a dovecot one; I haven't looked into it enough. Anyway, the SSO is working great.
One of the tricky bits is you need a kerberos keytab with two services. I used ktutil:

    # ktutil
    ktutil: read_kt mail-imap.keytab
    ktutil: read_kt mail-smtp.keytab
    ktutil: write_kt mail.keytab
    ktutil: quit
I'm using a windows 2003 r2 server as domain controller; to create a keytab file you need the windows 2003 support tools.
ktpass.exe -princ imap/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL -mapuser GCECAD-SERVICE\mail-imap -crypto RC4-HMAC-NT -pass koeltje234 -ptype KRB5_NT_PRINCIPAL -out mail-imap.keytab
ktpass.exe -princ smtp/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL -mapuser GCECAD-SERVICE\mail-smtp -crypto RC4-HMAC-NT -pass koeltje234 -ptype KRB5_NT_PRINCIPAL -out mail-smtp.keytab
Most instructions on the internet do not quite work out that well. RC4-HMAC-NT crypto is needed if you still have Windows XP machines. It should work with a newer crypto, but I have not tested that. FYI: Kerberos service names (imap, smtp) are sometimes capitalised, mostly when using HTTP. Great, isn't it?
On the dovecot server I had to install a kerberos package:

    # yum install krb5-workstation

(I am using CentOS7, but it should not be too hard to translate this to your own distro)
My kerberos configuration:

    # vi /etc/krb5.conf
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     rdns = false
     default_realm = GCECAD-SERVICE.LOCAL
     default_keytab_file = /etc/krb5.keytab
     default_ccache_name = KEYRING:persistent:%{uid}
     allow_weak_crypto = true
     default_tkt_enctypes = arcfour-hmac-md5
     default_tgs_enctypes = arcfour-hmac-md5
     permitted_enctypes = arcfour-hmac-md5

    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 24h
       renew_lifetime = 7d
       forwardable = true
       krb4_convert = false
     }

    [realms]
     GCECAD-SERVICE.LOCAL = {
       kdc = this.is.the.dns.name.of.your.kdc
       admin_server = this.is.the.dns.name.of.your.kdc
     }

    [domain_realm]
     .gcecad-service.local = GCECAD-SERVICE.LOCAL
     gcecad-service.local = GCECAD-SERVICE.LOCAL
     .gcecad-service.nl = GCECAD-SERVICE.LOCAL
     gcecad-service.nl = GCECAD-SERVICE.LOCAL
Dovecot config, the needed parts:

In /etc/dovecot/conf.d/10-auth.conf :

    auth_krb5_keytab = /etc/dovecot/mail.keytab
    auth_mechanisms = plain gssapi

In /etc/dovecot/conf.d/auth-system.conf.ext :

    passdb {
      driver = pam
    }
    userdb {
      driver = static
      args = uid=2000 gid=2000 home=/var/vmail/%Ln allow_all_users=yes
    }

In /etc/pam.d/dovecot :

    #%PAM-1.0
    auth    sufficient pam_krb5.so no_user_check validate
    account sufficient pam_permit.so
I'm not entirely happy with the static userdb, because of the limitations with kerberos/pam, but this can of course be changed rather easily. The hardest part is to get the SSO working. One of the limitations is stated here: http://wiki.dovecot.org/UserDatabase/Static
Postfix SMTP auth is using LMTP, reading from my notes.
I hope you can get a clearer picture with this rather long and chaotic reply.
-- 
Jan Jurkus | ICT Beheerder | GCE cad-service B.V.
Postbus 12, 3220 AA Hellevoetsluis
Daltonweg 9, 3225 LR Hellevoetsluis
tel: 0181-336955 | fax: 0181-311899
j.jurkus@gcecad-service.nl | www.gcecad-service.nl
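An added check for the merged keytab described in the reply above (example code written for this page, not part of the original post, of Dovecot or of ktutil): it serialises and parses the v0x0502 keytab layout that ktutil and ktpass write, confirms that both the imap/ and the smtp/ principal for the mail host are present, and reports RC4 and single-DES keys (the RC4-HMAC-NT choice above) as weak. The key bytes and kvno values in the sample are constructed; the principal and realm names are the ones from the post.

```python
import struct

RC4_HMAC, AES256_CTS = 23, 18        # arcfour-hmac (ktpass -crypto RC4-HMAC-NT) and aes256-cts-hmac-sha1-96
WEAK_ENCTYPES = {1, 3, RC4_HMAC}     # single DES (des-cbc-crc, des-cbc-md5) and RC4 are reported as weak

def _cstr(b):                        # counted_octet_string: uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):           # (principal, kvno, enctype, key) tuples -> v0x0502 keytab bytes
    out = bytearray(b"\x05\x02")
    for princ, kvno, etype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode()) + b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)        # name_type=KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">H", etype) + _cstr(key) + struct.pack(">I", kvno)   # keyblock, 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry of a v0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    def cstr(p):                     # read one counted_octet_string at offset p
        n = struct.unpack(">H", data[p:p + 2])[0]
        return data[p + 2:p + 2 + n], p + 2 + n
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack(">i", data[pos:pos + 4])[0], pos + 4
        if size < 0:                 # a negative size marks a deleted slot: skip it
            pos -= size
            continue
        end, ncomp = pos + size, struct.unpack(">H", data[pos:pos + 2])[0]
        realm, pos = cstr(pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = cstr(pos)
            comps.append(c.decode())
        vno8, etype = data[pos + 8], struct.unpack(">H", data[pos + 9:pos + 11])[0]   # after name_type, timestamp
        _, pos = cstr(pos + 11)      # the key bytes themselves are not needed for the audit
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
        pos = end
    return entries

def audit_keytab(data, host, services=("imap", "smtp")):   # Dovecot needs imap/ and smtp/ keys for the host
    entries = parse_keytab(data)
    present = {p.split("/")[0] for p, _, _ in entries if p.split("@")[0].endswith("/" + host)}
    missing = [s for s in services if s not in present]
    weak = sorted({p for p, _, e in entries if e in WEAK_ENCTYPES})
    return {"missing": missing, "weak": weak, "ok": not missing and not weak}

# Constructed sample: the post's two principals keyed with RC4, as the ktpass lines above would produce.
RC4_KEYTAB = build_keytab([(f"{s}/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL", 3, RC4_HMAC, b"\x11" * 16)
                           for s in ("imap", "smtp")])
```

Running `audit_keytab(RC4_KEYTAB, "mailserver.gcecad-service.nl")` reports no missing service but lists both principals as weak; re-keying them with AES (enctype 18) clears the finding. Pointing `parse_keytab` at the bytes of a real `mail.keytab` gives the same listing as `klist -kte`.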