Looking for GSSAPI config [was: Looking for NTLM config example]

Aki Tuomi aki.tuomi at dovecot.fi
Fri Jul 1 07:10:43 UTC 2016


The distinction is that Kerberos principals are in the form

<service>/<hostname>@<REALM>

the hostname bit *must* match the host you are connecting to, exactly
and verbatim. It can differ in case, I guess.

The service is the service you are connecting to. These have special
meanings and can be case-sensitive (e.g. http won't always work; it has
to be HTTP).

host/ is always needed in at least the system keytab. Not sure if it's
needed now in the service keytab. But I suspect that you need to have IMAP
and not imap. Also make sure and double-check that the hostname is correct.

Once you've done the keytab you'll want to grab a cup of coffee and the
local newspaper or something and read it through before trying, because it
might take some time for it to work.

Also, your client *and* host need to be able to access the KDC (all of
them) on 88/tcp.

Aki
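
An added sanity check, not part of this thread or of Dovecot itself, that applies the rules above to a keytab listing: exact service name, hostname equal to the FQDN you connect to (case-insensitive), the expected realm, a host/ entry, and no RC4/DES keys. It assumes MIT-format `klist -k -e` or `ktutil list` output, the hostname mail.hprs.local and realm HPRS.LOCAL used in the thread, and that imap/ and smtp/ are the services wanted; the embedded listing is constructed to mirror the keytab quoted below and is not real output.

```python
#!/usr/bin/env python3
"""Sanity-check a Kerberos keytab listing against the principal rules above.

Assumed inputs: the text of `klist -k -e <keytab>` or `ktutil list` (MIT format),
the FQDN clients connect to, and the realm. Names below are from the thread.
"""
import re
import sys

# Constructed sample: shaped like the keytab shown in the thread (two lowercase
# service principals, RC4 keys, no host/ principal). Not real keytab output.
SAMPLE_LISTING = """\
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 smtp/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)
   1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)
"""

# One principal per line: [slot] KVNO service/host@REALM [(enctype)].
# The optional leading slot column makes `ktutil list` output parse too.
ENTRY_RE = re.compile(
    r"^\s*(?:\d+\s+)?(\d+)\s+([^/\s]+)/([^@\s]+)@(\S+)(?:\s+\(([^)]+)\))?\s*$")

# RC4 and single/triple DES enctypes, deprecated by RFC 6649 and RFC 8429.
WEAK_ENCTYPES = {"arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp",
                 "des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-cbc-sha1"}


def parse_listing(text):
    """Return one dict per principal line; headers and separators are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, service, host, realm, enctype = m.groups()
            entries.append({"kvno": int(kvno), "service": service, "host": host,
                            "realm": realm, "enctype": enctype})
    return entries


def principal(e):
    return f"{e['service']}/{e['host']}@{e['realm']}"


def check_keytab(entries, fqdn, realm, services=("imap",)):
    """Apply the rules from the post: exact (case-sensitive) service name,
    hostname equal to the connected-to FQDN (case-insensitive), the expected
    realm, a host/ entry, and no weak enctypes. Returns a list of problem
    strings; an empty list means the keytab looks sane."""
    problems = []
    for svc in list(services) + ["host"]:
        wanted = f"{svc}/{fqdn}@{realm}"
        if any(e["service"] == svc and e["host"].lower() == fqdn.lower()
               and e["realm"] == realm for e in entries):
            continue
        # Same service in a different case (imap vs IMAP) is a distinct principal.
        variants = [principal(e) for e in entries
                    if e["service"].lower() == svc.lower() and e["service"] != svc
                    and e["host"].lower() == fqdn.lower()]
        if variants:
            problems.append(f"missing {wanted} (service name is case-sensitive; "
                            f"found only {', '.join(variants)})")
        else:
            problems.append(f"missing {wanted}")
    for e in entries:
        if e["host"].lower() != fqdn.lower():
            problems.append(f"hostname mismatch in {principal(e)}: expected {fqdn}")
        if e["realm"] != realm:
            problems.append(f"realm mismatch in {principal(e)}: expected {realm} "
                            "(realm names are case-sensitive)")
        if e["enctype"] and e["enctype"].lower() in WEAK_ENCTYPES:
            problems.append(f"weak enctype {e['enctype']} in {principal(e)}; "
                            "prefer aes256-cts-hmac-sha1-96")
    return problems


if __name__ == "__main__":
    # Usage: klist -k -e /etc/dovecot/dovecot.keytab | keytab_check.py FQDN REALM [svc ...]
    if len(sys.argv) >= 3:
        listing, fqdn, realm = sys.stdin.read(), sys.argv[1], sys.argv[2]
        services = tuple(sys.argv[3:]) or ("imap",)
    else:
        listing, fqdn, realm = SAMPLE_LISTING, "mail.hprs.local", "HPRS.LOCAL"
        services = ("imap", "smtp")
    found = check_keytab(parse_listing(listing), fqdn, realm, services)
    print("\n".join(found) if found else "keytab looks sane")
    sys.exit(1 if found else 0)
```

Run it on the real file with `klist -k -e /etc/dovecot/dovecot.keytab | python3 keytab_check.py mail.hprs.local HPRS.LOCAL imap smtp`. A clean result only shows the keytab is well-formed; the key bytes must also match what the KDC holds (same KVNO and, for password-derived entries added with ktutil addent -password, the same salt the KDC used), which `kinit -k -t /etc/dovecot/dovecot.keytab imap/mail.hprs.local@HPRS.LOCAL` verifies end to end on the server, and `kvno imap/mail.hprs.local@HPRS.LOCAL` after a `kinit` on the client confirms the KDC will issue the service ticket at all.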

On 01.07.2016 09:42, Mark Foley wrote:
> My keytab now has:
>
> ktutil:  read_kt /etc/dovecot/dovecot.keytab
> ktutil:  list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1          smtp/mail.hprs.local@HPRS.LOCAL
>    2    1          imap/mail.hprs.local@HPRS.LOCAL
>
> I added these in ktutil with:
>
> addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac
>
> Aki wrote:
>
>> I think the problem still is that your keytab file has no entry
>> imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
>> you also have no host/hostname@DOMAIN
> Not sure how to interpret your template. Are you suggesting I should ...
>
> addent -password -p IMAP/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
> addent -password -p imap/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
>
> (one IMAP uppercase and one lowercase?)
>
> I don't get your distinction between host and hostname in your 3rd example: host/hostname@DOMAIN
>
> Meanwhile ...
>
> Tried a bunch of things.  No go so far.  In fact, I'm questioning if gssapi is enabled in my
> dovecot.  I did rebuild and reinstall using `./configure --with-gssapi=yes`, but if I only
> enable gssapi authentication, I get "No authenticators available" (mail client).  How can I
> verify gssapi is really available? dovecot --build-options shows:
>
> Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
> Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
> SQL drivers:
> Passdb: checkpassword passwd passwd-file shadow
> Userdb: checkpassword nss passwd prefetch passwd-file
>
> Should I see authentication methods there?
>
> --Mark
>
> -----Original Message-----
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: dovecot at dovecot.org
> From: Aki Tuomi <aki.tuomi at dovecot.fi>
> Organization: Dovecot Oy
> Date: Thu, 30 Jun 2016 09:58:14 +0300
>
> I think the problem still is that your keytab file has no entry
> imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
>
> you also have no host/hostname@DOMAIN
>
> Aki
>
> On 29.06.2016 18:40, Mark Foley wrote:
>> Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that.
>> The Thunderbird message is:
>>
>> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark@ohprs.org. Please check
>> that you are logged in to the Kerberos/GSSAPI realm."
>>
>> I made further comments in that message that I won't clutter the list by repeating here. Check
>> out that message and see what you think could be wrong.
>>
>> Thanks for your help! I'm sure this is solvable!
>>
>> --Mark
>>
>> -----Original Message-----
>>> Date: Wed, 29 Jun 2016 08:03:14 -0400
>>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>>> From: brendan kearney <bpk678 at gmail.com>
>>> To: Mark Foley <mfoley at ohprs.org>
>>> Cc: dovecot at dovecot.org
>>>
>>> The last log line shows "user=<>".  This indicates no credentials were
>>> presented.  If the rip field matches the client ip you tested from, I would
>>> bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not
>>> pulled for the authentication.
>>> On Jun 28, 2016 11:33 PM, "Mark Foley" <mfoley at ohprs.org> wrote:
>> [deleted]
