[Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)

Jason Gunthorpe jgunthorpe at obsidianresearch.com
Tue Sep 1 00:35:11 EEST 2009


On Mon, Aug 31, 2009 at 10:21:47PM +0100, Gavin Hamill wrote:
> On Mon, 2009-08-31 at 13:24 -0600, Jason Gunthorpe wrote:
> 
> > > Ouch, can you go a little more slowly, please? I think I've joined the
> > > domain OK:
> 
> > Sure..
> 
> Many thanks for taking the time on this - it is appreciated.

NP, if you have success consider making a HOWTO for the Dovecot wiki
:)

> > Also verify that 'hostname -f' returns what you want. Very important.
> 
> Yep, 'ccimap.ad.laterooms.com' - forward + reverse DNS are correct in AD

Good

> > ccimap:~# net ads keytab add imap
> > 
> > Then:
> > ccimap:~ klist -k
> > 
> > And verify you have imap/ entries
> > 
> > Then verify kerberos is working with:
> > 
> > ccimap:~# kvno imap/ccimap.ad.laterooms.com
> > imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM: kvno = 2
> 
> I get 
> 
> ccimap:/etc# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
>    7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
>    7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
>    7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
>    7 imap/ccimap@AD.LATEROOMS.COM
>    7 imap/ccimap@AD.LATEROOMS.COM
>    7 imap/ccimap@AD.LATEROOMS.COM

Ok.. this is not too good, you should have many other entries too,
several starting with host/ and CCIMAP$.

What version of Samba is this? Does 'net ads keytab create' fix it up?

Check that you have

use kerberos keytab = true

in smb.conf.

> ccimap:/etc# kvno imap/ccimap.ad.laterooms.com
> kvno: Server not found in Kerberos database while getting credentials
> for imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM

This is fatal. If ldapsearch indicates that SPN exists then you are
probably right that something has become damaged in AD. Otherwise you
are just having wacky samba problems.

> However, before I received your message I had been following the
> 'old-school' ktpass.exe method and I think I have poisoned the 'imap'
> name as a result:

Possibly, it would be good to start again. Go into AD, and delete the
ccimap computer account, then re-do 'net ads join'. That should clean
everything out.

The ktpass.exe method has so many problems, don't use it. Samba can
generate all the keys directly itself now, there is no need for ktpass.

> Is 'imap' a magic hardcoded name that Thunderbird will use? If so,
> should creating 'pop3' using 'net ads keytab add' also do the business?
> I'd rather try that and get a basic working auth than try to unpick my
> AD problems just yet.

The SPN service name is hardwired based on the protocol, imap, smtp
and something for pop. I'm not sure what. :)

> I ask because if I do a random name 'net ads keytab add purmle' and then
> 'kvno purmle/ccimap.ad.laterooms.com' then I get sensible output:
> 
> purmle/ccimap.ad.laterooms.com@AD.LATEROOMS.COM: kvno = 7

Hmm. You do need the '-U Administrator' or similarly privileged
account for the keytab add. Otherwise I noticed that samba silently
fails to update LDAP when it gets permission denied from ADS. The true
test that it worked is the ldapsearch command I gave, or adsi edit.

Jason
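An added example, not code from the thread or from Dovecot/Samba: a small POSIX sh check that parses a `klist -k` listing and reports which of the entries Jason expects on a correctly joined host (the host/ SPNs, the CCIMAP$ machine account and the imap/ SPN) are absent. The sample listings embedded below are constructed to mirror the thread, not real output.

```shell
#!/bin/sh
# Added example, not code from the thread: compare a 'klist -k' listing
# against the entries a correctly joined host should carry
# (host/ SPNs, the machine account CCIMAP$, and the imap/ SPN).

# Constructed sample modelled on the incomplete listing in the thread.
INCOMPLETE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap@AD.LATEROOMS.COM'

# Constructed sample of a listing with the expected entries present.
COMPLETE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   7 host/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 host/ccimap@AD.LATEROOMS.COM
   7 CCIMAP$@AD.LATEROOMS.COM
   7 imap/ccimap.ad.laterooms.com@AD.LATEROOMS.COM
   7 imap/ccimap@AD.LATEROOMS.COM'

# check_keytab_listing LISTING FQDN REALM
# Prints each expected principal that is absent from LISTING, one per line.
# Returns 0 when all are present, 1 otherwise.
check_keytab_listing() {
    listing=$1
    fqdn=$2
    realm=$3
    short=${fqdn%%.*}                                             # ccimap
    netbios=$(printf '%s' "$short" | tr '[:lower:]' '[:upper:]')  # CCIMAP
    rc=0
    for want in "host/$fqdn@$realm" "host/$short@$realm" \
                "$netbios\$@$realm" "imap/$fqdn@$realm"; do
        # Field 2 of each entry line is the principal; header lines never match.
        if ! printf '%s\n' "$listing" |
             awk -v want="$want" '$2 == want { found = 1 } END { exit !found }'; then
            echo "missing: $want"
            rc=1
        fi
    done
    return $rc
}
```

Against a live host, run it as `check_keytab_listing "$(klist -k)" "$(hostname -f)" AD.LATEROOMS.COM` (the realm is the one from the thread; substitute your own).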
