[Dovecot] NTLM failures with an interesting twist
This is a tired old topic but I've at least got an angle on it:
Outlook Express works perfectly with IMAP / SPA for users logged into our Windows domain; I just give the server address and username, and it logs in without any password required; beautiful!
auth_ntlm_use_winbind = yes
auth_winbind_helper_path = /usr/bin/ntlm_auth
auth default {
  mechanisms = ntlm
  userdb static {
    args = uid=500 gid=500 home=/var/mail/%u allow_all_users=yes
  }
}
Dovecot is the 1.1.13-2~bpo50+1 package from backports.org on Debian lenny, with winbind 3.2.5
Aug 28 23:49:38 ccimap dovecot: auth(default): client in: AUTH#0111#011NTLM#011service=imap#011lip=10.6.1.82#011rip=10.6.1.81#011lport=143#011rport=1205
Aug 28 23:49:38 ccimap dovecot: auth(default): client out: CONT#0111#011
Aug 28 23:49:38 ccimap dovecot: auth(default): client in: CONT#0111#011TlRMTVNTUAABAAAAB7IIogIAAgAvAAAABwAHACgAAAAFASgKAAAAD01SSklHR1NBRA==
Aug 28 23:49:38 ccimap dovecot: auth(default): client out: CONT#0111#011TlRMTVNTUAACAAAABAAEADAAAAAFgominEGMs1Rz3YQAAAAAAAAAAGYAZgA0AAAAQQBEAAIABABBAEQAAQAMAEMAQwBJAE0AQQBQAAQAGgBsAGEAdABlAHIAbwBvAG0AcwAuAGMAbwBtAAMAKABjAGMAaQBtAGEAcAAuAGwAYQB0AGUAcgBvAG8AbQBzAC4AYwBvAG0AAAAAAA==
Aug 28 23:49:38 ccimap dovecot: auth(default): client in: CONT#0111#011TlRMTVNTUAADAAAAGAAYAGYAAAAYABgAfgAAAAQABABIAAAADAAMAEwAAAAOAA4AWAAAAAAAAACWAAAABYKIogUBKAoAAAAPQQBEAG0AagBpAGcAZwBzAE0AUgBKAEkARwBHAFMAKYRSdfpULaQAAAAAAAAAAAAAAAAAAAAAj90Vff2FIU1+Gs/eei8bL8dMJFGZnzSg
Aug 28 23:49:38 ccimap dovecot: auth(default): client out: OK#0111#011user=mjiggs
Aug 28 23:49:38 ccimap dovecot: auth(default): master in: REQUEST#0112#0111869#0111
Aug 28 23:49:38 ccimap dovecot: auth(default): passwd(mjiggs,10.6.1.81): lookup
Aug 28 23:49:38 ccimap dovecot: auth(default): master out: USER#0112#011mjiggs#011system_user=mjiggs#011uid=10416#011gid=10000#011home=/home/AD/mjiggs
Aug 28 23:49:38 ccimap dovecot: imap-login: Login: user=<mjiggs>, method=NTLM, rip=10.6.1.81, lip=10.6.1.82
So, Outlook Express works. Great. The worst email client I know and it works fine with SPA.
Unfortunately Outlook 2007 doesn't work - it prompts me for a password, and then obviously fails with NT_STATUS_WRONG_PASSWORD..
Aug 28 23:39:40 ccimap dovecot: auth(default): client in: AUTH#0111#011NTLM#011service=imap#011lip=10.6.1.82#011rip=10.6.1.81#011lport=143#011rport=1162
Aug 28 23:39:40 ccimap dovecot: auth(default): client out: CONT#0111#011
Aug 28 23:39:40 ccimap dovecot: auth(default): client in: CONT#0111#011TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
Aug 28 23:39:40 ccimap dovecot: auth(default): client out: CONT#0111#011TlRMTVNTUAACAAAABAAEADAAAAAFgomiAN6hAS8XKA4AAAAAAAAAAGYAZgA0AAAAQQBEAAIABABBAEQAAQAMAEMAQwBJAE0AQQBQAAQAGgBsAGEAdABlAHIAbwBvAG0AcwAuAGMAbwBtAAMAKABjAGMAaQBtAGEAcAAuAGwAYQB0AGUAcgBvAG8AbQBzAC4AYwBvAG0AAAAAAA==
Aug 28 23:39:40 ccimap dovecot: auth(default): client in: CONT#0111#011TlRMTVNTUAADAAAAGAAYAGIAAAAYABgAegAAAAAAAABIAAAADAAMAEgAAAAOAA4AVAAAAAAAAACSAAAABYKIogUBKAoAAAAPbQBqAGkAZwBnAHMATQBSAEoASQBHAEcAUwBVhYHxX9PdSQAAAAAAAAAAAAAAAAAAAAC0rohzeNXOHMxVHQkogW4ytyNC9hcpnCg=
Aug 28 23:39:40 ccimap dovecot: auth(default): winbind(?,10.6.1.81): user not authenticated: NT_STATUS_WRONG_PASSWORD
Aug 28 23:39:40 ccimap dovecot: auth(default): new auth connection: pid=1867
Aug 28 23:39:41 ccimap dovecot: auth(default): client out: FAIL#0111
Does anyone have any magic beans for Outlook 2007 (tried both original release + SP2) ?
Cheers, Gavin
On Aug 28, 2009, at 7:25 PM, Gavin Hamill wrote:
auth_ntlm_use_winbind = yes .. Does anyone have any magic beans for Outlook 2007 (tried both original release + SP2) ?
No idea. Have you tried if Dovecot's internal NTLM support logs
anything useful (so without winbind)?
On Fri, 2009-08-28 at 19:32 -0400, Timo Sirainen wrote:
On Aug 28, 2009, at 7:25 PM, Gavin Hamill wrote:
auth_ntlm_use_winbind = yes .. Does anyone have any magic beans for Outlook 2007 (tried both original release + SP2) ?
No idea. Have you tried if Dovecot's internal NTLM support logs
anything useful (so without winbind)?
Today's my first day with Dovecot, so be gentle :)
I did notice that winbind was optional but I wasn't able to find a drool-proof walkthrough to set up the internal support. I've had recent good experience with winbind (squid and samba + ntlm auth) so decided to press ahead with it.
Is there a Wiki article on using the internal support?
Cheers, Gavin,
http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2008-May/001388.html
This looks to be relevant .. OL2007 sends username@emaildomain.com as the username rather than username@windows-domain.com.
In our setup, the email domain is not the same as the Windows domain name (domainname.com versus ad.domainname.com) so I guess that's why it fails for us, but probably works for other people..
gdh
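Added here as an example, not code from the thread or from Dovecot: a small Python decoder for the base64 NTLMSSP tokens that dovecot's auth debug logging prints in the `client in` / `client out` lines (the `#011` sequences are how syslog renders the tab separators). It lets an administrator see which domain, user and workstation a client actually put in its Type 3 message and what the server advertised in its Type 2 challenge, instead of inferring that from NT_STATUS_WRONG_PASSWORD. The embedded log lines are copied from the Outlook Express and Outlook 2007 sessions posted above; field offsets follow MS-NLMP, the flag and AV_PAIR name tables are a subset, and the function names are mine.

```python
import base64
import struct

# Negotiate flags from MS-NLMP 2.2.2.5 (subset that occurs in the tokens below)
FLAG_NAMES = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000200: "NTLM", 0x00001000: "OEM_DOMAIN_SUPPLIED",
    0x00002000: "OEM_WORKSTATION_SUPPLIED", 0x00008000: "ALWAYS_SIGN",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x00800000: "TARGET_INFO",
    0x02000000: "VERSION", 0x20000000: "128", 0x80000000: "56",
}
# AV_PAIR ids carried in the Type 2 TargetInfo block (MS-NLMP 2.2.2.1)
AV_NAMES = {1: "netbios_computer", 2: "netbios_domain", 3: "dns_computer",
            4: "dns_domain", 5: "dns_tree", 7: "timestamp"}

def _buf(msg, pos):
    """Read a security buffer (Len, MaxLen, Offset) at pos; return the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]

def _text(raw, flags):
    """Payload strings are UTF-16LE when NEGOTIATE_UNICODE is set, otherwise OEM (ASCII here)."""
    return raw.decode("utf-16-le") if flags & 0x1 else raw.decode("ascii", "replace")

def _av_pairs(raw):
    """Walk the TargetInfo AV_PAIR list up to the MsvAvEOL (id 0) terminator."""
    pairs, pos = {}, 0
    while pos + 4 <= len(raw):
        av_id, av_len = struct.unpack_from("<HH", raw, pos)
        pos += 4
        if av_id == 0:
            break
        value = raw[pos:pos + av_len]
        pairs[AV_NAMES.get(av_id, str(av_id))] = (
            value.decode("utf-16-le") if av_id in (1, 2, 3, 4, 5) else value.hex())
        pos += av_len
    return pairs

def decode_ntlm(token_b64):
    """Decode a base64 NTLMSSP Type 1/2/3 token into its identity-relevant fields."""
    msg = base64.b64decode(token_b64)
    if msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP token")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    out = {"type": mtype}
    if mtype == 1:      # NEGOTIATE: client flags plus optional OEM domain/workstation
        flags = struct.unpack_from("<I", msg, 12)[0]
        out["domain"] = _buf(msg, 16).decode("ascii", "replace")
        out["workstation"] = _buf(msg, 24).decode("ascii", "replace")
    elif mtype == 2:    # CHALLENGE: server target name, 8-byte challenge, TargetInfo
        flags = struct.unpack_from("<I", msg, 20)[0]
        out["target_name"] = _text(_buf(msg, 12), flags)
        out["challenge"] = msg[24:32].hex()
        out["target_info"] = _av_pairs(_buf(msg, 40))
    elif mtype == 3:    # AUTHENTICATE: the identity the client asserts
        flags = struct.unpack_from("<I", msg, 60)[0]
        out["domain"] = _text(_buf(msg, 28), flags)
        out["user"] = _text(_buf(msg, 36), flags)
        out["workstation"] = _text(_buf(msg, 44), flags)
        out["lm_response_len"] = len(_buf(msg, 12))
        out["nt_response_len"] = len(_buf(msg, 20))
    else:
        raise ValueError(f"unknown NTLM message type {mtype}")
    out["flags"] = flags
    out["flag_names"] = [n for bit, n in sorted(FLAG_NAMES.items()) if flags & bit]
    return out

def token_from_log(line):
    """Return the NTLM token from a dovecot auth debug line, or None if the line has none."""
    last = line.replace("#011", "\t").split("\t")[-1].strip()
    return last if last.startswith("TlRMTVNTUA") else None   # base64 of "NTLMSSP\0"

def summarize(lines):
    """Decode every NTLM token found in a list of log lines."""
    return [decode_ntlm(t) for t in map(token_from_log, lines) if t]

# Log lines from the thread: Outlook Express session (succeeded) and Outlook 2007 (failed)
OE_LINES = [
    "Aug 28 23:49:38 ccimap dovecot: auth(default): client in: AUTH#0111#011NTLM#011service=imap#011lip=10.6.1.82#011rip=10.6.1.81#011lport=143#011rport=1205",
    "Aug 28 23:49:38 ccimap dovecot: auth(default): client in: CONT#0111#011TlRMTVNTUAABAAAAB7IIogIAAgAvAAAABwAHACgAAAAFASgKAAAAD01SSklHR1NBRA==",
    "Aug 28 23:49:38 ccimap dovecot: auth(default): client out: CONT#0111#011TlRMTVNTUAACAAAABAAEADAAAAAFgominEGMs1Rz3YQAAAAAAAAAAGYAZgA0AAAAQQBEAAIABABBAEQAAQAMAEMAQwBJAE0AQQBQAAQAGgBsAGEAdABlAHIAbwBvAG0AcwAuAGMAbwBtAAMAKABjAGMAaQBtAGEAcAAuAGwAYQB0AGUAcgBvAG8AbQBzAC4AYwBvAG0AAAAAAA==",
    "Aug 28 23:49:38 ccimap dovecot: auth(default): client in: CONT#0111#011TlRMTVNTUAADAAAAGAAYAGYAAAAYABgAfgAAAAQABABIAAAADAAMAEwAAAAOAA4AWAAAAAAAAACWAAAABYKIogUBKAoAAAAPQQBEAG0AagBpAGcAZwBzAE0AUgBKAEkARwBHAFMAKYRSdfpULaQAAAAAAAAAAAAAAAAAAAAAj90Vff2FIU1+Gs/eei8bL8dMJFGZnzSg",
]
OL_LINES = [
    "Aug 28 23:39:40 ccimap dovecot: auth(default): client in: CONT#0111#011TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==",
    "Aug 28 23:39:40 ccimap dovecot: auth(default): client in: CONT#0111#011TlRMTVNTUAADAAAAGAAYAGIAAAAYABgAegAAAAAAAABIAAAADAAMAEgAAAAOAA4AVAAAAAAAAACSAAAABYKIogUBKAoAAAAPbQBqAGkAZwBnAHMATQBSAEoASQBHAEcAUwBVhYHxX9PdSQAAAAAAAAAAAAAAAAAAAAC0rohzeNXOHMxVHQkogW4ytyNC9hcpnCg=",
]

if __name__ == "__main__":
    for label, lines in (("Outlook Express", OE_LINES), ("Outlook 2007", OL_LINES)):
        print("==", label)
        for m in summarize(lines):
            print({k: v for k, v in m.items() if k != "flags"})
```

Run it and compare the two Type 3 messages side by side: that is the quickest way to check whether a client filled in the Windows domain, the user name form it used, and whether the server's TargetInfo (NetBIOS domain versus DNS domain) matches what the client is expected to send back. Anything a real client logs can be fed in the same way by pasting the `client in`/`client out` lines into the lists.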
Has anyone successfully configured the above to enable Single Sign-On? I would love to move away from Exchange but SSO is a corporate requirement.
Outlook Express works fine with it, but not OL2007, and the latter is the only client I can realistically use.
Cheers, Gavin.
On Sun, Aug 30, 2009 at 01:50:02AM +0100, Gavin Hamill wrote:
Has anyone successfully configured the above to enable Single Sign-On? I would love to move away from Exchange but SSO is a corporate requirement.
I looked at this in some detail and concluded that the NTLM support on Outlook 2007 was only for encryption, it was not using SPA. I couldn't find a hidden registry setting or whatnot to switch it.
If you have a corporate support arrangement with MS, maybe ask them? Many people would love an answer. Even a trace of outlook using SPA with Exchange over IMAP would be interesting to see.
IMHO, clearly Dovecot is set up properly: Outlook Express works, Thunderbird w/ SPA works, etc. I believe MS has deliberately decided not to make SSO work in Outlook over IMAP specifically because that is a must-have feature for enterprises, so it only works over MAPI and thus only with Exchange.
Jason
On Sat, 2009-08-29 at 21:55 -0600, Jason Gunthorpe wrote:
On Sun, Aug 30, 2009 at 01:50:02AM +0100, Gavin Hamill wrote:
Has anyone successfully configured the above to enable Single Sign-On? I would love to move away from Exchange but SSO is a corporate requirement.
I looked at this in some detail and concluded that the NTLM support on Outlook 2007 was only for encryption, it was not using SPA. I couldn't find a hidden registry setting or whatnot to switch it.
Heh, have just found you here: https://bugzilla.mozilla.org/show_bug.cgi?id=284538
You mention that you managed to get Thunderbird working with SSO; I've not achieved that - I'm still required to provide the password before the NTLM login is successful.. Is there any particular magic needed with Thunderbird 2.0.0.23 ?
If you have a corporate support arrangement with MS, maybe ask them? Many people would love an answer. Even a trace of outlook using SPA with Exchange over IMAP would be interesting to see.
Alas our MS support arrangement extends to the same 'Google + web forums' that most other places use.
gdh
On Sun, Aug 30, 2009 at 08:38:20PM +0100, Gavin Hamill wrote:
On Sat, 2009-08-29 at 21:55 -0600, Jason Gunthorpe wrote:
On Sun, Aug 30, 2009 at 01:50:02AM +0100, Gavin Hamill wrote:
Has anyone successfully configured the above to enable Single Sign-On? I would love to move away from Exchange but SSO is a corporate requirement.
I looked at this in some detail and concluded that the NTLM support on Outlook 2007 was only for encryption, it was not using SPA. I couldn't find a hidden registry setting or whatnot to switch it.
Heh, have just found you here: https://bugzilla.mozilla.org/show_bug.cgi?id=284538
You mention that you managed to get Thunderbird working with SSO; I've not achieved that - I'm still required to provide the password before the NTLM login is successful.. Is there any particular magic needed with Thunderbird 2.0.0.23 ?
Yes, you can't use NTLM in Thunderbird either, you have to use Kerberos (GSSAPI). I run NTLM through winbind and GSSAPI through MIT Kerberos, and then run exim through dovecot-auth. This gives complete SSO using GSSAPI for Thunderbird on all platforms, and secure challenge/response NTLM hashed passwords for roaming users without Kerberos.
The kerberos setup is pretty easy.. 'net ads join' your server, go into the adsi editor and provide a imap and smtp SPN for the host, use 'net ads keytab' to put the imap and smtp SPNs in the system keytab, and then you are good to go. I test it with mutt first as the error messages are somewhat better.
Apparently if you direct the GSSAPI messages through winbind (like for NTLM) then you can omit the 'net ads keytab' steps and things work a bit smoother, but I have not attempted that configuration.
Jason
On Sun, 2009-08-30 at 14:29 -0600, Jason Gunthorpe wrote:
The kerberos setup is pretty easy.. 'net ads join' your server, go into the adsi editor and provide a imap and smtp SPN for the host, use 'net ads keytab' to put the imap and smtp SPNs in the system keytab, and then you are good to go. I test it with mutt first as the error messages are somewhat better.
Ouch, can you go a little more slowly, please? I think I've joined the domain OK:
ccimap:~# net ads testjoin
Join is OK
ccimap:~# net ads info
LDAP server: 10.6.1.245
LDAP server name: orwell.ad.laterooms.com
[...]
But I have no idea how / where you add a service principal with ADSIEdit - can you point me in the right direction? Kerberos is still mainly a mystery to me (and I'm sure many others!)
gdh
On Mon, Aug 31, 2009 at 07:23:22PM +0100, Gavin Hamill wrote:
On Sun, 2009-08-30 at 14:29 -0600, Jason Gunthorpe wrote:
The kerberos setup is pretty easy.. 'net ads join' your server, go into the adsi editor and provide a imap and smtp SPN for the host, use 'net ads keytab' to put the imap and smtp SPNs in the system keytab, and then you are good to go. I test it with mutt first as the error messages are somewhat better.
Ouch, can you go a little more slowly, please? I think I've joined the domain OK:
Sure..
ccimap:~# net ads testjoin
Join is OK
ccimap:~# net ads info
LDAP server: 10.6.1.245
LDAP server name: orwell.ad.laterooms.com
[...]
Yah, that's good
You also want kerberos and LDAP to work easily on your server machine:
# kinit 'your AD user'
# klist
# ldapsearch uid='your AD user'
SASL/GSSAPI authentication started
[..]
For ldap stick the information from 'net ads info' in /etc/ldap/ldap.conf:
URI ldap://orwell.ad.laterooms.com
BASE dc=....
kinit should work if you got this far with samba, but if you have troubles ensure that /etc/krb5.conf has at least:
[libdefaults]
default_realm = AD.LATEROOMS.COM   # guessing
dns_lookup_realm = true
dns_lookup_kdc = true
Once the above two are working your basic stuff is OK. (You can skip the ldap, but I find it is helpful)
Also verify that 'hostname -f' returns what you want. Very important.
But I have no idea how / where you add a service principal with ADSIEdit - can you point me in the right direction? Kerberos is still mainly a mystery to me (and I'm sure many others!)
Hmm. So upon reviewing this, it seems samba has changed, in some ways it is better, others worse.. Hmm. (I'm using 3.3.2)
Just do this:
ccimap:~# net ads keytab add imap
Then:
ccimap:~# klist -k
And verify you have imap/ entries
Then verify kerberos is working with:
ccimap:~# kvno imap/ccimap.ad.laterooms.com
imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM: kvno = 2
ccimap:~# ldapsearch CN=ccimap servicePrincipalName
SASL/GSSAPI authentication started
[..]
servicePrincipalName: imap/ccimap.ad.laterooms.com
Unfortunately 'net ads keytab add' can only add SPNs without a hostname qualifier, so you cannot add another alias. This is bad if you have multiple names for your host. I can't think of an easy way to make that work with the new samba behavior. I'd probably patch samba to fix that..
Since samba now does the adsiedit part on its own you probably don't need to worry about it, but here is a posting explaining it: http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx
Please note that Windows and Linux use different methods to resolve the SPN. If your reverse IP and SSL hostname are different you'll need extra help to make this work, as samba cannot do it by itself!! Easiest plan is to Not Do That.
That should do the trick for both native GSSAPI and for winbind GSSAPI. The key part is that the kvno works.
Make sure dovecot is set up with the auth_gssapi_hostname = $ALL option, and turn on the 'gssapi' mechanism.
Those steps should give you working kerberos and gssapi in dovecot. I like to start simple and test with mutt. 'kinit' a ticket for that user, setup mutt, and then give it a try. Then try thunderbird on linux then thunderbird on windows.
The .muttrc config is simple:
set spoolfile=imap://user@ccimap.ad.laterooms.com/INBOX
set folder=imap://user@ccimap.ad.laterooms.com/
And 'kinit user' before hand.
Use winbind to process ntlm messages. Setup winbind in smb.conf and test the authentication function:
wbinfo -D AD.LATEROOMS.COM
wbinfo -K user%pass
wbinfo -a user%pass
Then turn it on in dovecot
I run plain password authentication for dovecot through pam. Right now I use pam_krb5.so, but pam_winbind.so is a better choice with a modern samba.
exim piggy backs off dovecot-auth:
dovecot_ntlm:
  driver = dovecot
  public_name = NTLM
  server_socket = /var/run/dovecot/auth-client
  server_set_id=NTLM-${quote:$auth1}

dovecot_gssapi:
  driver = dovecot
  public_name = GSSAPI
  server_socket = /var/run/dovecot/auth-client
  server_set_id=GSSAPI-${quote:$auth1}

dovecot_gssapi_spnego:
  driver = dovecot
  public_name = GSS-SPNEGO
  server_socket = /var/run/dovecot/auth-client
  server_set_id=GSS-SPNEGO-${quote:$auth1}
I also drive all the Linux directory services through winbind and the rfc2307 LDAP scheme AD supports, so all my Linux users get kerberos tickets on logon, and SSO for everything. Windows is the same.
Jason
On Mon, 2009-08-31 at 13:24 -0600, Jason Gunthorpe wrote:
Ouch, can you go a little more slowly, please? I think I've joined the domain OK:
Sure..
Many thanks for taking the time on this - it is appreciated.
Also verify that 'hostname -f' returns what you want. Very important.
Yep, 'ccimap.ad.laterooms.com' - forward + reverse DNS are correct in AD
Just do this:
ccimap:~# net ads keytab add imap
Then:
ccimap:~# klist -k
And verify you have imap/ entries
Then verify kerberos is working with:
ccimap:~# kvno imap/ccimap.ad.laterooms.com
imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM: kvno = 2
I get
ccimap:/etc# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap@AD.LATEROOMS.COM
   7 imap/ccimap@AD.LATEROOMS.COM
   7 imap/ccimap@AD.LATEROOMS.COM
ccimap:/etc# kvno imap/ccimap.ad.laterooms.com
kvno: Server not found in Kerberos database while getting credentials for imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
However, before I received your message I had been following the 'old-school' ktpass.exe method and I think I have poisoned the 'imap' name as a result:
http://nfsworld.blogspot.com/2005/06/using-active-directory-as-your-kdc-for....
Is 'imap' a magic hardcoded name that Thunderbird will use? If so, should creating 'pop3' using 'net ads keytab add' also do the business? I'd rather try that and get a basic working auth than try to unpick my AD problems just yet.
I ask because if I do a random name 'net ads keytab add purmle' and then 'kvno purmle/ccimap.ad.laterooms.com' then I get sensible output:
purmle/ccimap.ad.laterooms.com@AD.LATEROOMS.COM: kvno = 7
I just don't want to type anything else in cause I poison 'pop3' too :)
Cheers, Gavin
On Mon, Aug 31, 2009 at 10:21:47PM +0100, Gavin Hamill wrote:
On Mon, 2009-08-31 at 13:24 -0600, Jason Gunthorpe wrote:
Ouch, can you go a little more slowly, please? I think I've joined the domain OK:
Sure..
Many thanks for taking the time on this - it is appreciated.
NP, if you have success consider making a HOWTO for the dovecot wiki :)
Also verify that 'hostname -f' returns what you want. Very important.
Yep, 'ccimap.ad.laterooms.com' - forward + reverse DNS are correct in AD
Good
ccimap:~# net ads keytab add imap
Then:
ccimap:~# klist -k
And verify you have imap/ entries
Then verify kerberos is working with:
ccimap:~# kvno imap/ccimap.ad.laterooms.com
imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM: kvno = 2
I get
ccimap:/etc# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap@AD.LATEROOMS.COM
   7 imap/ccimap@AD.LATEROOMS.COM
   7 imap/ccimap@AD.LATEROOMS.COM
Ok.. this is not too good, you should have many other entries too, several starting with host/ and CCIMAP$.
What version of samba is this? does 'net ads keytab create' fix it up?
Check that you have
use kerberos keytab = true
In smb.conf
ccimap:/etc# kvno imap/ccimap.ad.laterooms.com
kvno: Server not found in Kerberos database while getting credentials for imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
This is fatal. If ldapsearch indicates that SPN exists then you are probably right that something has become damaged in AD. Otherwise you are just having wacky samba problems.
However, before I received your message I had been following the 'old-school' ktpass.exe method and I think I have poisoned the 'imap' name as a result:
Possibly, it would be good to start again. Go into AD, and delete the ccimap computer account, then re-do 'net ads join'. That should clean everything out.
The ktpass.exe method has so many problems, don't use it. Samba can generate all the keys directly itself now, there is no need for ktpass.
Is 'imap' a magic hardcoded name that Thunderbird will use? If so, should creating 'pop3' using 'net ads keytab add' also do the business? I'd rather try that and get a basic working auth than try to unpick my AD problems just yet.
The SPN service name is hardwired based on the protocol, imap, smtp and something for pop. I'm not sure what. :)
I ask because if I do a random name 'net ads keytab add purmle' and then 'kvno purmle/ccimap.ad.laterooms.com' then I get sensible output:
purmle/ccimap.ad.laterooms.com@AD.LATEROOMS.COM: kvno = 7
Hmm. You do need the '-U Administrator' or similarly privileged account for the keytab add. Otherwise I noticed that samba silently fails to update LDAP when it gets permission denied from ADS. The true test that it worked is the ldapsearch command I gave, or adsi edit.
Jason
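Added here as an example, not code from the thread or from Samba/Dovecot: a Python checker that parses `klist -k` output and reports the gaps this reply points at (a joined host missing its `host/` and `NETBIOS$` entries, a service key whose host part differs from what `hostname -f` returns, entries from a foreign realm), plus a check that smb.conf carries `use kerberos keytab = true`. The broken listing is the one posted in the previous message; the healthy listing is constructed to show what a clean `net ads join` followed by `net ads keytab add imap` should leave behind (its KVNOs and exact entries are illustrative). The function names, the expected-principal list and the stdin handling are my assumptions.

```python
import re
import sys

# Values from the thread
FQDN = "ccimap.ad.laterooms.com"
NETBIOS = "CCIMAP"
REALM = "AD.LATEROOMS.COM"

# The `klist -k` listing posted in the thread: imap/ keys only, nothing from the join itself
BROKEN_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap@AD.LATEROOMS.COM
   7 imap/ccimap@AD.LATEROOMS.COM
   7 imap/ccimap@AD.LATEROOMS.COM
"""

# Constructed sample of a keytab after a clean join plus `net ads keytab add imap`
HEALTHY_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   2 host/ccimap@AD.LATEROOMS.COM
   2 CCIMAP$@AD.LATEROOMS.COM
   2 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   2 imap/ccimap@AD.LATEROOMS.COM
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")

def parse_klist(text):
    """Return [(kvno, principal)] from `klist -k` output, skipping the header lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries

def check_keytab(entries, fqdn, netbios, realm, services=("imap",)):
    """Compare keytab contents with what a joined host serving `services` needs.
    Returns a list of human-readable problems; an empty list means it looks sane."""
    principals = {p for _, p in entries}
    problems = []
    # What `net ads join` leaves behind, plus one key per service on the full hostname
    expected = [f"host/{fqdn}@{realm}", f"{netbios}$@{realm}"]
    expected += [f"{svc}/{fqdn}@{realm}" for svc in services]
    for p in expected:
        if p not in principals:
            problems.append(f"missing {p}")
    # Every entry must belong to the realm the host was joined to
    for p in sorted(principals):
        if not p.endswith("@" + realm):
            problems.append(f"foreign realm: {p}")
    # A service key under some other fully qualified name will never match the
    # principal the daemon builds from gethostname(), so flag it
    for p in sorted(principals):
        svc, _, rest = p.partition("/")
        host = rest.split("@")[0]
        if host and svc in services and "." in host and host != fqdn:
            problems.append(f"service key for unexpected host: {p}")
    return problems

def smb_conf_uses_keytab(text):
    """True if smb.conf sets `use kerberos keytab = true` (comments and case ignored)."""
    for line in text.splitlines():
        line = line.split("#")[0].split(";")[0].strip()
        key, sep, val = line.partition("=")
        if sep and key.strip().lower() == "use kerberos keytab":
            return val.strip().lower() in ("yes", "true", "1")
    return False

if __name__ == "__main__":
    # Pipe real output in (`klist -k | python3 keytab_check.py`) or run on the sample
    text = sys.stdin.read() if not sys.stdin.isatty() else BROKEN_KEYTAB
    for line in check_keytab(parse_klist(text), FQDN, NETBIOS, REALM) or ["keytab looks complete"]:
        print(line)
```

The checker only looks at principal names, which is all `klist -k` shows without `-e`; the duplicate lines in the listing are one entry per encryption type and are normal. A clean result here is still only half of the test Jason describes: `kvno` against the KDC and the `ldapsearch` for servicePrincipalName confirm that AD holds a matching SPN.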
On Mon, 2009-08-31 at 15:35 -0600, Jason Gunthorpe wrote:
NP, if you have success consider making a HOWTO for the dovecot wiki :)
For sure.
Ok.. this is not too good, you should have many other entries too, several starting with host/ and CCIMAP$.
The suggestion to remove the computer object (and the 'imapCcimap' user I bound the SPN to using ktpass) and 'net ads join' worked like a charm - I have lots more output in 'net ads keytab list' and kvno imap/ccimap.ad.laterooms.com works now.
Check that you have
use kerberos keytab = true
Yep, it's there.
Possibly, it would be good to start again. Go into AD, and delete the ccimap computer account, then re-do 'net ads join'. That should clean everything out.
Bingo :)
Freakin' awesome.. the damn thing actually works!
Aug 31 23:13:02 ccimap dovecot: auth(default): client in: AUTH#0111#011GSSAPI#011service=imap#011lip=10.6.1.82#011rip=10.6.1.81#011lport=143#011rport=2807
Aug 31 23:13:02 ccimap dovecot: auth(default): gssapi(?,10.6.1.81): Obtaining credentials for imap@ccimap.ad.laterooms.com
Aug 31 23:13:02 ccimap dovecot: auth(default): client out: CONT#0111#011
Aug 31 23:13:02 ccimap dovecot: auth(default): client in: CONT#0111#011YIIExAYJKoZIhv (tons of stuff..)
Aug 31 23:13:02 ccimap dovecot: auth(default): gssapi(?,10.6.1.81): security context state completed.
Aug 31 23:13:02 ccimap dovecot: auth(default): client out: CONT#0111#011YIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWhtquLoCp5Nm03quJPTFS+yuNrBo3PWH+dP4RZPcsYxMDJHklCAQ84LGmQWUftFgKiryc9ZK0mZI07tNVyE4Oath4fCg2dxu+RPZvpbqIr7BIteHeg2MGPeHMg==
Aug 31 23:13:02 ccimap dovecot: auth(default): client in: CONT#0111#011
Aug 31 23:13:02 ccimap dovecot: auth(default): gssapi(?,10.6.1.81): Negotiated security layer
Aug 31 23:13:02 ccimap dovecot: auth(default): client out: CONT#0111#011YDAGCSqGSIb3EgECAgIBEQD/////nXVwtOl9PTyrmeUqTZZLq61UowgQVqMIAf///wE=
Aug 31 23:13:02 ccimap dovecot: auth(default): client in: CONT#0111#011YDYGCSqGSIb3EgECAgIBEQD/////4AbCCa3SFaSVtGEbd6teOPapNaUhDQFFAQAAAG1qaWdncwE=
Aug 31 23:13:02 ccimap dovecot: auth(default): client out: OK#0111#011user=mjiggs
Aug 31 23:13:02 ccimap dovecot: auth(default): master in: REQUEST#0111#0115968#0111
Aug 31 23:13:02 ccimap dovecot: auth(default): passwd(mjiggs,10.6.1.81): lookup
Aug 31 23:13:02 ccimap dovecot: auth(default): master out: USER#0111#011mjiggs#011system_user=mjiggs#011uid=10416#011gid=10000#011home=/home/AD/mjiggs
Aug 31 23:13:02 ccimap dovecot: imap-login: Login: user=<mjiggs>, method=GSSAPI, rip=10.6.1.81, lip=10.6.1.82
The 'auth_gssapi_hostname = $ALL' was confusing so I commented that out and let it do a gethostname() instead - now it works :)
Thank you! :D
Cheers Gavin.
On Mon, Aug 31, 2009 at 11:20:18PM +0100, Gavin Hamill wrote:
Ok.. this is not too good, you should have many other entries too, several starting with host/ and CCIMAP$.
The suggestion to remove the computer object (and the 'imapCcimap' user I bound the SPN to using ktpass) and 'net ads join' worked like a charm - I have lots more output in 'net ads keytab list' and kvno imap/ccimap.ad.laterooms.com works now.
Snazzy
Aug 31 23:13:02 ccimap dovecot: imap-login: Login: user=<mjiggs>, method=GSSAPI, rip=10.6.1.81, lip=10.6.1.82
Yap, that is it
The 'auth_gssapi_hostname = $ALL' was confusing so I commented that out and let it do a gethostname() instead - now it works :)
I thought Timo included this patch?? You need the $ALL for various cases, including, I think, exim.. All it says is: match any entry in the keytab, not just imap/gethostbyname()@REALM.
If you have AD and Linux servers it is worth kerberizing everything (ssh, logins, imap, pop, smtp, apache, etc); the method you just used is basically how to do it for anything. I.e. you can now turn on ssh kerberos via its config file, and with kerberized putty on windows you get SSO ssh logins, etc.
Jason
participants (3)
- Gavin Hamill
- Jason Gunthorpe
- Timo Sirainen