Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Aki - made your suggested changes, but no joy :(
My /etc/krb5.conf:
------SNIP--------
[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_kdc = true
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true

[realms]
HPRS.LOCAL = {
    default_domain = hprs.local
    auth_to_local_names = {
        Administrator = root
    }
}

[domain_realm]
hprs.local = HPRS.LOCAL
# this is not a mistake
.hprs.local = HPRS.LOCAL
------PINS-----------
you wrote:
You can remove the krb4_ stuff
I've removed the krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether. Question on [realms] Administrator: should that really be root or should it be my AD Administrator?
my doveconf -n is exactly the same as posted below, but in particular:
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi
When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using plain/ssl, no one yet configured for gssapi).
In /var/log/maillog I got (repeatedly):
Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=<Jy/e0lY2WADAqAA2>
Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi'
Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs
Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=</GXn0lY22wCmqhuh>
This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"?
Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd finally be able to get AD authentication going for Dovecot. Not ready to give up though!
Suggestions?
THX -- Mark
-----Original Message-----
Aki, you wrote:
Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?
I'll try to check status of NTLM this week.
I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.
I do have the Dovecot sources and will peruse the possible options after I send this. I am on version 2.2.15 and I see that the current downloadable version is 2.2.24. Should I upgrade? Do you think that would help? (a perusal of the changes since 2.2.15 shows nothing obvious related to gssapi)
--Mark
-----Original Message-----
Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is delivered successfully to the other domain users having PLAIN authentication. That's a big step. In examining my original config.log output I apparently did not have --with-gssapi enabled.
HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still cannot correctly authenticate and retrieve mail. Here is the dovecot log for that host:
Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 22:44:05 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 28 22:44:05 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.58]
Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, session=<WeZyumE25wDAqAA6>
Does this tell you anything?
doveconf -n and krb5.conf are configured as shown in previous messages below.
Closer! --Mark
-----Original Message----- From: Mark Foley <mfoley@ohprs.org> Date: Tue, 28 Jun 2016 22:04:42 -0400 To: dovecot@dovecot.org Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
-----Original Message-----
On Tue, 28 Jun 2016 22:52:25 -0500 Edgar Pettijohn <edgar@pettijohn-web.com> wrote:
What does thunderbird tell you?
Good question. I saw Tbird's message after sending my last email. When Tbird starts I get a message box in the lower right saying:
"The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark@ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."
The interesting bit, to me, is that the IMAP server's hostname is not mark@ohprs.org. It should be mail.ohprs.org, or I would rather expect it to be mail.hprs.local using the actual local domain/realm name, not the public FQDN. I'm suspecting there is something wrong with the kerberos config.
To further confuse. There *is* a WIN7 workstation 'mark' in the domain, though not the workstation from which this testing is being done (this workstation is named 'common') and host 'mark' is not reachable as mark@ohprs.org. Furthermore, the Thunderbird account/user for this testing is also 'mark', not to be confused with the host 'mark' (though I think that's exactly what's being confused).
Where is this mark@ohprs.org coming from? The Thunderbird Account Name is mark@ohprs.org, which is this user's email address.
Perhaps Thunderbird simply has a badly worded error message and didn't really mean "IMAP server mark@ohprs.org", or perhaps kerberos is not configured correctly. My /etc/krb5.conf is shown below. Any ideas on what might be wrong?
Thanks, --Mark
-----Original Message-----
The last log line shows "user=<>". This indicates no credentials were presented. If the rip field matches the client ip you tested from, I would bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not pulled for the authentication. On Jun 28, 2016 11:33 PM, "Mark Foley" <mfoley@ohprs.org> wrote:
Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that. The Thunderbird message is:
"The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark@ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."
I made further comments in that message that I won't clutter the list by repeating here. Check out that message and see what you think could be wrong.
Thanks for your help! I'm sure this is solvable!
--Mark
-----Original Message-----
[deleted]
I think the problem still is that your keytab file has no entry imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
you also have no host/hostname@DOMAIN
Aki
On 29.06.2016 18:40, Mark Foley wrote:
My keytab now has:
ktutil: read_kt /etc/dovecot/dovecot.keytab
ktutil: list
slot KVNO Principal
   1    1 smtp/mail.hprs.local@HPRS.LOCAL
   2    1 imap/mail.hprs.local@HPRS.LOCAL
I added these in ktutil with:
addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac
Aki wrote:
Not sure how to interpret your template. Are you suggesting I should ...
addent -password -p IMAP/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
addent -password -p imap/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
(one IMAP uppercase and one lowercase?)
I don't get your distinction between host and hostname in your 3rd example: host/hostname@DOMAIN
Meanwhile ...
Tried a bunch of things. No go so far. In fact, I'm questioning if gssapi is enabled in my dovecot. I did rebuild and reinstall using ./configure --with-gssapi=yes, but if I only enable gssapi authentication, I get "No authenticators available" (mail client). How can I verify gssapi is really available? dovecot --build-options shows:
Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
SQL drivers:
Passdb: checkpassword passwd passwd-file shadow
Userdb: checkpassword nss passwd prefetch passwd-file
should I see authentication methods there?
--Mark
-----Original Message----- Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example] To: dovecot@dovecot.org From: Aki Tuomi <aki.tuomi@dovecot.fi> Organization: Dovecot Oy Date: Thu, 30 Jun 2016 09:58:14 +0300
The distinction is that kerberos principals are in form
<service>/<hostname>@<REALM>
the hostname bit *must* match to the host you are connecting to, exactly and verbatim. It can differ in case, I guess.
The service is what service you are connecting to. These have special meanings and can be case sensitive (like http won't always work, it has to be HTTP).
host/ is always needed in at least system keytab. Not sure if it's needed now in the service tab. But I suspect that you need to have IMAP and not imap. Also make sure and double-check that the hostname is correct.
Once you've done the keytab you'll want to grab a cup of coffee and local newspaper or something and read it thru before trying, because it might take some time for it to work.
Also, your client *and* host need to be able to access the KDC (all of them) on 88/tcp.
Aki
On 01.07.2016 09:42, Mark Foley wrote:
Aki - comments interspersed below ...
--Mark
-----Original Message-----
The current IMAP "Principal" in my keytab is:
imap/mail.hprs.local@HPRS.LOCAL
Explicitly, are you saying it needs to look like:
IMAP/mail@HPRS.LOCAL
Meaning, capitalized "IMAP" and just hostname, no FQDN?
Confused. What do you mean by "host/"? Can you give an example using my host and domain names? I don't know where "host/" goes. I assume this is not a synonym for "<service>/"?
This is the first I've heard of a system keytab versus a service tab. What are they? Do I need both?
Really? I can reboot this evening.
Also, your client *and* host need to be able to access the KDC (all of them) on 88/tcp.
There should be no problem with the intra-LAN firewall. Everything is permitted, but I'll double-check on the WIN7 workstation I'm testing from.
Is there a way to know for sure my dovecot is enabled for gssapi?
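A keytab check in the spirit of Aki's explanation of the <service>/<hostname>@<REALM> form, added here as an example that is not code from the thread or from Dovecot. It assumes the listing comes from klist -kt (the constructed sample below mirrors Mark's ktutil output), and it reports whether the principal Dovecot will look up for a given service, host and realm is present, differs only in case, or has the wrong hostname.

```shell
#!/bin/sh
# Added example: verify that a keytab listing contains the principal a
# client will ask for. Principals are <service>/<hostname>@<REALM>; the
# hostname must match what the client connects to, and the service part
# can be case-sensitive, so near misses are reported separately.

# keytab_check SERVICE HOST REALM KLIST_OUTPUT
# Prints a verdict; returns 0 only for an exact match.
keytab_check() {
    svc="$1"; host="$2"; realm="$3"; listing="$4"
    want="$svc/$host@$realm"
    # Principal is the last column of every entry line (entries contain '@').
    principals=$(printf '%s\n' "$listing" | awk '/@/ { print $NF }')
    if printf '%s\n' "$principals" | grep -Fxq "$want"; then
        echo "OK: keytab has $want"
        return 0
    fi
    lc_want=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
    lc_svc=$(printf '%s' "$svc" | tr 'A-Z' 'a-z')
    for p in $principals; do
        lc_p=$(printf '%s' "$p" | tr 'A-Z' 'a-z')
        if [ "$lc_p" = "$lc_want" ]; then
            echo "MISMATCH (case only): have $p, want $want"
            return 1
        fi
        case "$lc_p" in
            "$lc_svc"/*@*)
                echo "MISMATCH (hostname/realm): have $p, want $want"
                return 1 ;;
        esac
    done
    echo "MISSING: no $svc/ entry in keytab, want $want"
    return 1
}

# Constructed sample in the shape of 'klist -kt /etc/dovecot/dovecot.keytab'.
SAMPLE_KLIST='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------
   1 06/29/2016 18:40:00 smtp/mail.hprs.local@HPRS.LOCAL
   1 06/29/2016 18:40:00 imap/mail.hprs.local@HPRS.LOCAL'

# On a live host (krb5 client tools required) the call would be:
# keytab_check imap "$(hostname -f)" HPRS.LOCAL "$(klist -kt /etc/dovecot/dovecot.keytab)"
```

Run the call against the real keytab with the hostname the mail client actually connects to; a "case only" or "hostname/realm" verdict points at the entry that needs re-adding with ktutil.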