On Mon, Aug 31, 2009 at 07:23:22PM +0100, Gavin Hamill wrote:
> On Sun, 2009-08-30 at 14:29 -0600, Jason Gunthorpe wrote:
> > The kerberos setup is pretty easy.. 'net ads join' your server, go into the adsi editor and provide an imap and smtp SPN for the host, use 'net ads keytab' to put the imap and smtp SPNs in the system keytab, and then you are good to go. I test it with mutt first as the error messages are somewhat better.
> Ouch, can you go a little more slowly, please? I think I've joined the domain OK:
Sure..
> ccimap:~# net ads testjoin
> Join is OK
> ccimap:~# net ads info
> LDAP server: 10.6.1.245
> LDAP server name: orwell.ad.laterooms.com
> [...]
Yah, that's good
You also want kerberos and LDAP to work easily on your server machine:
# kinit 'your AD user'
# klist
# ldapsearch uid='your AD user'
SASL/GSSAPI authentication started
[..]
For ldap stick the information from 'net ads info' in /etc/ldap/ldap.conf:
URI ldap://orwell.ad.laterooms.com
BASE dc=....
kinit should work if you got this far with samba, but if you have troubles ensure that /etc/krb5.conf has at least:
[libdefaults]
        default_realm = AD.LATEROOMS.COM   # guessing
        dns_lookup_realm = true
        dns_lookup_kdc = true
Once the above two are working your basic stuff is OK. (You can skip the ldap, but I find it is helpful)
Also verify that 'hostname -f' returns what you want. Very important.
> But I have no idea how / where you add a service principal with ADSIEdit
> - can you point me in the right direction? Kerberos is still mainly a mystery to me (and I'm sure many others!)
Hmm. So upon reviewing this, it seems samba has changed, in some ways it is better, others worse.. Hmm. (I'm using 3.3.2)
Just do this:
ccimap:~# net ads keytab add imap
Then:
ccimap:~# klist -k
And verify you have imap/ entries
Then verify kerberos is working with:
ccimap:~# kvno imap/ccimap.ad.laterooms.com
imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM: kvno = 2
ccimap:~# ldapsearch CN=ccimap servicePrincipalName
SASL/GSSAPI authentication started
[..]
servicePrincipalName: imap/ccimap.ad.laterooms.com
Unfortunately 'net ads keytab add' can only add SPNs without a hostname qualifier, so you cannot add another alias. This is bad if you have multiple names for your host. I can't think of an easy way to make that work with the new samba behavior. I'd probably patch samba to fix that..
Since samba now does the adsiedit part on its own you probably don't need to worry about it, but here is a posting explaining it: http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx
Please note that Windows and Linux use different methods to resolve the SPN. If your reverse IP and SSL hostname are different you'll need extra help to make this work, as samba cannot do it by itself!! Easiest plan is to Not Do That.
That should do the trick for both native GSSAPI and for winbind GSSAPI. The key part is that the kvno works.
Make sure dovecot is set up with the:
  auth_gssapi_hostname = $ALL
option, and turn on the 'gssapi' mechanism.
Those steps should give you working kerberos and gssapi in dovecot. I like to start simple and test with mutt. 'kinit' a ticket for that user, setup mutt, and then give it a try. Then try thunderbird on linux then thunderbird on windows.
The .muttrc config is simple:
  set spoolfile=imap://user@ccimap.ad.laterooms.com/INBOX
  set folder=imap://user@ccimap.ad.laterooms.com/
And 'kinit user' beforehand.
Use winbind to process ntlm messages. Set up winbind in smb.conf and test the authentication function:
  wbinfo -D AD.LATEROOMS.COM
  wbinfo -K user%pass
  wbinfo -a user%pass
Then turn it on in dovecot
I run plain password authentication for dovecot through pam. Right now I use pam_krb5.so, but pam_winbind.so is a better choice with a modern samba.
exim piggybacks off dovecot-auth:
dovecot_ntlm:
  driver = dovecot
  public_name = NTLM
  server_socket = /var/run/dovecot/auth-client
  server_set_id = NTLM-${quote:$auth1}

dovecot_gssapi:
  driver = dovecot
  public_name = GSSAPI
  server_socket = /var/run/dovecot/auth-client
  server_set_id = GSSAPI-${quote:$auth1}

dovecot_gssapi_spnego:
  driver = dovecot
  public_name = GSS-SPNEGO
  server_socket = /var/run/dovecot/auth-client
  server_set_id = GSS-SPNEGO-${quote:$auth1}
I also drive all the Linux directory services through winbind and the rfc2307 LDAP scheme AD supports, so all my Linux users get kerberos tickets on logon, and SSO for everything. Windows is the same.
Jason
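The mail above says the two things to verify after 'net ads keytab add' are that 'klist -k' shows imap/ (and smtp/) entries for the name 'hostname -f' returns, and that 'kvno' agrees with the keytab. The script below is an added example written for this page, not something from the mail or from samba/dovecot: it parses 'klist -k' style output and 'kvno' style output and reports which service principals are missing for a given FQDN and realm, and whether the keytab's key version matches what the KDC reports (a stale keytab after a re-join is the usual reason kvno "works" but GSSAPI still fails). The listing and the kvno line embedded below are constructed sample data; the hostnames and realm are the ones used in the mail.

```shell
#!/bin/sh
# Added example: sanity checks for the SPN/keytab state described in the mail.
# Constructed sample of `klist -k` output (not captured from a real host).
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   2 CCIMAP$@AD.LATEROOMS.COM
   2 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   2 smtp/ccimap.ad.laterooms.com@AD.LATEROOMS.COM'

# Constructed sample of one `kvno` output line.
SAMPLE_KVNO_LINE='imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM: kvno = 2'

# check_spn LISTING SERVICE FQDN REALM
#   returns 0 when SERVICE/FQDN@REALM appears in the keytab listing.
check_spn() {
    printf '%s\n' "$1" | awk -v want="$2/$3@$4" '
        NR > 3 && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# missing_spns LISTING FQDN REALM
#   prints one line per service (imap, smtp) that has no keytab entry for FQDN.
missing_spns() {
    listing=$1; fqdn=$2; realm=$3
    for svc in imap smtp; do
        check_spn "$listing" "$svc" "$fqdn" "$realm" || printf '%s\n' "$svc"
    done
}

# keytab_kvno LISTING PRINCIPAL
#   prints the highest key version number held for PRINCIPAL (0 if absent).
keytab_kvno() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { max = 0 }
        NR > 3 && $2 == want && $1 > max { max = $1 }
        END { print max }'
}

# kdc_kvno KVNO_OUTPUT
#   extracts N from a "principal: kvno = N" line as printed by `kvno`.
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# kvno_matches LISTING PRINCIPAL KVNO_OUTPUT
#   returns 0 when the keytab and the KDC agree on the key version.
kvno_matches() {
    [ "$(keytab_kvno "$1" "$2")" = "$(kdc_kvno "$3")" ]
}

# Stand-alone run against the constructed samples. On a real host replace the
# samples with "$(klist -k)", "$(hostname -f)" and "$(kvno imap/$(hostname -f))".
main() {
    fqdn=ccimap.ad.laterooms.com
    realm=AD.LATEROOMS.COM
    missing=$(missing_spns "$SAMPLE_KEYTAB_LISTING" "$fqdn" "$realm")
    if [ -n "$missing" ]; then
        printf 'missing keytab entries for %s: %s\n' "$fqdn" "$missing"
    else
        printf 'imap/ and smtp/ entries present for %s\n' "$fqdn"
    fi
    if kvno_matches "$SAMPLE_KEYTAB_LISTING" "imap/$fqdn@$realm" "$SAMPLE_KVNO_LINE"; then
        printf 'keytab kvno matches KDC kvno\n'
    else
        printf 'kvno mismatch: re-run net ads keytab add / check for re-join\n'
    fi
}

case "$0" in *sh) ;; *) main ;; esac
```

The FQDN check matters because of the reverse-IP point in the mail: if 'hostname -f' yields a name other than the one in the keytab, 'missing_spns' reports both services absent even though the keytab is not empty, which is the symptom to look for before touching ADSIEdit.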