Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

Mark Foley mfoley at ohprs.org
Mon Jul 4 07:30:52 UTC 2016


Actually, I see that you used host.domain.name further down. That's a good substitute for mail.hprs.local.

Also, not to be a literary critic, but it might not hurt to show an example keytab beneath your
"Make sure your keytab has entry for ...". Just in case people don't exactly know how to "make sure":

$ klist -Kek /etc/dovecot/dovecot.keytab
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/host.domain.name at MYREALM (des-cbc-crc)  (0x232616c2a4fd08f7)
   1 imap/host.domain.name at MYREALM (des-cbc-md5)  (0x232616c2a4fd08f7)
   1 imap/host.domain.name at MYREALM (arcfour-hmac)  (0x9dae89a221dc374a39f560833

--Mark
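
As an added illustration of the "make sure" step (this is not code from the thread or from the Dovecot project), the script below parses a `klist -Kek` listing, confirms the expected `imap/` service principal is present, and flags DES and RC4 (arcfour) keys, which are deprecated enctypes a defender would want to notice in a service keytab. The listing embedded in the script is constructed sample output in the same layout as the one quoted above (the mailing-list archive renders `@` as " at "; real klist output uses `@`); the `aes256-cts-hmac-sha1-96` line and the principal/realm names are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: sanity-check a Kerberos keytab listing for a Dovecot IMAP service.
# Constructed sample of `klist -Kek /etc/dovecot/dovecot.keytab` output (not real key material).
SAMPLE_LISTING='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/host.domain.name@MYREALM (des-cbc-crc)  (0x232616c2a4fd08f7)
   1 imap/host.domain.name@MYREALM (des-cbc-md5)  (0x232616c2a4fd08f7)
   1 imap/host.domain.name@MYREALM (arcfour-hmac)  (0x9dae89a221dc374a39f560833)
   1 imap/host.domain.name@MYREALM (aes256-cts-hmac-sha1-96)  (0x0123456789abcdef)'

# count_principal_keys LISTING PRINCIPAL
# Prints how many key entries exist for PRINCIPAL. In klist -Kek output the
# principal is the second whitespace-separated field of each entry line.
count_principal_keys() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { n++ } END { print n + 0 }'
}

# weak_enctypes LISTING
# Prints (one per line, sorted) every DES or RC4/arcfour enctype found in the
# listing. Both families are deprecated for Kerberos (RFC 8429) and should not
# be the only keys a service relies on.
weak_enctypes() {
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+ / {
            et = $3
            gsub(/[()]/, "", et)
            if (et ~ /^des-/ || et ~ /^arcfour/) print et
        }' | sort -u
}

# check_keytab LISTING PRINCIPAL
# Returns 0 when PRINCIPAL has at least one key, 1 otherwise. Also warns about
# weak enctypes so the operator can re-export the keytab with AES only.
check_keytab() {
    listing=$1
    principal=$2
    n=$(count_principal_keys "$listing" "$principal")
    if [ "$n" -eq 0 ]; then
        echo "MISSING: no key for $principal in keytab" >&2
        return 1
    fi
    echo "OK: $n key(s) for $principal"
    weak=$(weak_enctypes "$listing")
    [ -n "$weak" ] && echo "WARN: deprecated enctypes present: $(printf '%s' "$weak" | tr '\n' ' ')"
    return 0
}

# Stand-alone run against the constructed sample. Against a real keytab you
# would pass "$(klist -Kek /etc/dovecot/dovecot.keytab)" and
# "imap/$(hostname -f)@MYREALM" instead (MYREALM is a placeholder).
check_keytab "$SAMPLE_LISTING" imap/host.domain.name@MYREALM
```

The principal match is exact on the whole `service/host@REALM` string, so a keytab exported for `imap/mail.example@REALM` will be reported as missing when Dovecot is reached as a different hostname; that mismatch is the usual cause of GSSAPI failing even though `klist` "looks right".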

-----Original Message-----
From: Mark Foley <mfoley at ohprs.org>
Date: Mon, 04 Jul 2016 03:23:30 -0400
Organization: Ohio Highway Patrol Retirement System
To: dovecot at dovecot.org
Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi <aki.tuomi at dovecot.fi> wrote:

> > http://wiki2.dovecot.org/Authentication/Kerberos
>
> It has been now updated.

Excellent! That was quick!

Although, you used my actual local domain in your example: mail.hprs.local.  Not that I care,
no one can get to that, but it might be clearer to those of us who uncomprehendingly
monkey-type things from wikis when we don't fully understand.  Perhaps something more generic
would be clearer: myhost.myrealm, or myhost.mydom.local, or myLocalFQDN -- something like that.
Not sure what is best; just don't want to imply that they HAVE TO use mail.hprs.local.

> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
> I have to set up some kind of test environment to find out why it bugs.

I'm going to give my brain a rest for a bit before I resume tilting at the NTLM windmill! I'll
check back with the list to see if you've come up with anything.

> Aki

Again, thanks for all your help.

--Mark

-----Original Message-----
> Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
> To: dovecot at dovecot.org
> From: Aki Tuomi <aki.tuomi at dovecot.fi>
> Organization: Dovecot Oy
> Date: Mon, 4 Jul 2016 08:54:27 +0300

>
> On 04.07.2016 07:44, Mark Foley wrote:
> > After over a year and a half struggling to get Dovecot to do either NTLM or GSSAPI
> > authentication with Samba4 AD/DC, I believe I've finally got it! Thanks to all those in this
> > list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom Talpey, and especially Aki Tuomi;
> > and infinite thanks to Achim Gottinger on the SambaList for his patience in working this
> > through with me.  Although my purpose was for Dovecot to authenticate mail clients, the
> > configuration settings needed were on the Samba side.  I hope a variation of these instructions
> > can eventually make it into:
> >
> > http://wiki2.dovecot.org/Authentication/Kerberos
> >
> >
>
> It has been now updated.
>
> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
> I have to set up some kind of test environment to find out why it bugs.
>
> Aki
>