On Fri, Feb 04, 2011 at 01:47:31PM -0700, Trever L. Adams wrote:
There was a thread a month or so ago on how to do GSSAPI with AD and dovecot kerberos. It works great, and I highly recommend it for AD sites. Check the archives, it isn't really too hard.
I am not finding this. Do you happen to remember the subject?
No, but it is pretty simple using latest everything (well, Debian squeeze). Basically from scratch. Notice this also sets up NTLM, which is supported by many roaming devices (i.e. phones).
- Put this or similar in /etc/samba/smb.conf
[global]
    workgroup = $NT_WORKGROUP$
    realm = $REALM$
    security = ads
    kerberos method = secrets and keytab
Confirm that hostname gives an unqualified name and hostname -f gives a fully qualified name. Confirm you have DNS set up properly (e.g. dig -t SRV _kerberos._udp.$REALM$ works OK).
Join the machine to AD
$ net ads join -U 'user with AD privs'
$ kinit AD_USER
$ kvno host/$(hostname -f)
- Setup imap SPN:
$ net ads keytab add imap
$ net ads search cn=$(hostname) | grep servicePrincipalName
$ klist -k
$ kvno imap/$(hostname -f)
The last three should report imap/$(hostname -f) entries.
- Setup dovecot..
Set these things in the config
auth_use_winbind = yes
mechanisms = plain gssapi gss-spnego login ntlm
- Setup exim..
$ net ads keytab add smtp
Use these in the dovecot config:
# inside the auth default { } section of dovecot.conf (Dovecot 1.x, as shipped by squeeze)
socket listen {
  client {
    path = /var/run/dovecot/auth-client
    mode = 0660
    group = Debian-exim
  }
}
And this at the end of the exim.conf:
dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = PLAIN-${quote:$auth1}

dovecot_ntlm:
  driver = dovecot
  public_name = NTLM
  server_socket = /var/run/dovecot/auth-client
  server_set_id = NTLM-${quote:$auth1}

dovecot_gssapi:
  driver = dovecot
  public_name = GSSAPI
  server_socket = /var/run/dovecot/auth-client
  server_set_id = GSSAPI-${quote:$auth1}

dovecot_gssapi_spnego:
  driver = dovecot
  public_name = GSS-SPNEGO
  server_socket = /var/run/dovecot/auth-client
  server_set_id = GSS-SPNEGO-${quote:$auth1}
- Setup openssh
in sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
Jason
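A keytab sanity check for the join and SPN steps above, added here as an example; it is not part of the original mail. It parses a constructed sample of the `klist -k` listing and of the `kvno` query from the procedure, entirely offline. The realm EXAMPLE.COM, the host mail.example.com and the kvno values are assumptions; in real use the two `*_OUTPUT` variables would be filled from the live commands named in the comments. The imap entry in the sample KDC answer is deliberately one version ahead of the keytab, which is what a keytab left stale by a machine-password change looks like, the most common reason GSSAPI stops working after a successful join.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that the keytab written by
# "net ads join" / "net ads keytab add imap|smtp" carries every SPN the mail
# stack needs, and that each keytab kvno matches what the KDC reports.
# Assumed values: realm EXAMPLE.COM, host mail.example.com, kvno 2.

REALM="EXAMPLE.COM"
FQDN="mail.example.com"

# Constructed sample of `klist -k /etc/krb5.keytab`; in production use:
#   KLIST_OUTPUT=$(klist -k /etc/krb5.keytab)
KLIST_OUTPUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/mail.example.com@EXAMPLE.COM
   2 host/MAIL@EXAMPLE.COM
   2 imap/mail.example.com@EXAMPLE.COM
   2 smtp/mail.example.com@EXAMPLE.COM
   2 MAIL$@EXAMPLE.COM'

# Constructed sample of `kvno <svc>/$(hostname -f)` after kinit; in production:
#   KVNO_OUTPUT=$(kvno "host/$FQDN" "imap/$FQDN" "smtp/$FQDN")
# The imap line is deliberately one version ahead to show a stale-keytab hit.
KVNO_OUTPUT='host/mail.example.com@EXAMPLE.COM: kvno = 2
imap/mail.example.com@EXAMPLE.COM: kvno = 3
smtp/mail.example.com@EXAMPLE.COM: kvno = 2'

# keytab_kvno SERVICE -> prints the kvno of SERVICE/$FQDN@$REALM held in the
# keytab, or nothing if that SPN is absent
keytab_kvno() {
    printf '%s\n' "$KLIST_OUTPUT" |
        awk -v p="$1/$FQDN@$REALM" '$2 == p { print $1; exit }'
}

# kdc_kvno SERVICE -> prints the kvno the KDC reports for the same principal
kdc_kvno() {
    printf '%s\n' "$KVNO_OUTPUT" |
        awk -v p="$1/$FQDN@$REALM:" '$1 == p { print $NF; exit }'
}

# check_spn SERVICE -> 0 if the SPN is in the keytab and its kvno matches the
# KDC; 1 if the SPN is missing; 2 if the keytab is stale
check_spn() {
    kt=$(keytab_kvno "$1")
    if [ -z "$kt" ]; then
        echo "missing $1/$FQDN@$REALM in keytab: run 'net ads keytab add $1'" >&2
        return 1
    fi
    kdc=$(kdc_kvno "$1")
    if [ -n "$kdc" ] && [ "$kdc" != "$kt" ]; then
        echo "stale keytab for $1: keytab kvno $kt, KDC kvno $kdc; re-run 'net ads keytab create'" >&2
        return 2
    fi
    return 0
}

# check_all SERVICE... -> 0 only if every listed SPN passes check_spn
check_all() {
    rc=0
    for svc in "$@"; do
        check_spn "$svc" || rc=1
    done
    return $rc
}

if check_all host imap smtp; then
    echo "keytab OK for host, imap and smtp"
else
    echo "fix the keytab before enabling gssapi in dovecot, exim and sshd" >&2
fi
```

With the constructed samples the script reports the stale imap entry and exits the final branch with the warning; with live `klist -k` and `kvno` output it is the check to run right after `net ads keytab add` and again after any machine-password rotation.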
Thank you Jason for your answer. This has helped a great deal. I haven't even gotten to the step of SSH yet. That will help me greatly.
On 02/05/2011 06:53 PM, Jason Gunthorpe wrote:
- Setup dovecot..
Set these things in the config
auth_use_winbind = yes
mechanisms = plain gssapi gss-spnego login ntlm
Ok, I do this step differently as I use gssapi directly and not with winbind.
- Setup exim..
I use postfix instead of exim. How do you know what user is valid and what isn't in exim? I don't see any LDAP. I use LDAP (both postfix and dovecot deliver... I have to use LDAP for the aliases to be set up the way they have been requested). I also don't see any mention of any other user database.
- Setup openssh
in sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
Jason
Thank you much.
Trever
On Sat, Feb 05, 2011 at 08:39:37PM -0700, Trever L. Adams wrote:
Set these things in the config
auth_use_winbind = yes
mechanisms = plain gssapi gss-spnego login ntlm
Ok, I do this step differently as I use gssapi directly and not with winbind.
This is also what this does. auth_use_winbind only affects gss-spnego and ntlm which call out to the ntlm_auth helper to make it go. IMHO, if you have AD you should set this up too.
I use postfix instead of exim. How do you know what user is valid and what isn't in exim? I don't see any LDAP. I use LDAP (both postfix and dovecot deliver... I have to use LDAP for the aliases to be set up the way they have been requested). I also don't see any mention of any other user database.
In my simple world everything rides on nss_winbind and winbindd. These instructions are just how to set up Kerberos for authentication, not the much stickier authorization.
Jason