Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

Aki Tuomi aki.tuomi at dovecot.fi
Mon Jul 4 18:40:43 UTC 2016



On 04.07.2016 17:40, Brendan Kearney wrote:
> On 07/04/2016 03:30 AM, Mark Foley wrote:
>> Actually, I see that you used host.domain.name further down. That's a 
>> good substitute for mail.hprs.local.
>>
>> Also, not to be a literary critic, but it might not hurt to show an 
>> example keytab beneath your
>> "Make sure your keytab has entry for ...". Just in case people don't 
>> exactly know how to "make sure":
>>
>> $ klist -Kek /etc/dovecot/dovecot.keytab
>> Keytab name: FILE:/etc/dovecot/dovecot.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>     1 imap/host.domain.name@MYREALM (des-cbc-crc) (0x232616c2a4fd08f7)
>>     1 imap/host.domain.name@MYREALM (des-cbc-md5) (0x232616c2a4fd08f7)
>>     1 imap/host.domain.name@MYREALM (arcfour-hmac) (0x9dae89a221dc374a39f560833
>>
>> --Mark
>>
>> -----Original Message-----
>> From: Mark Foley <mfoley at ohprs.org>
>> Date: Mon, 04 Jul 2016 03:23:30 -0400
>> Organization: Ohio Highway Patrol Retirement System
>> To: dovecot at dovecot.org
>> Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for 
>> GSSAPI config]
>>
>> On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi <aki.tuomi at dovecot.fi> 
>> wrote:
>>
>>>> http://wiki2.dovecot.org/Authentication/Kerberos
>>> It has been now updated.
>> Excellent! That was quick!
>>
>> Although, you used my actual local domain in your example: 
>> mail.hprs.local.  Not that I care,
>> no one can get to that, but it might be clearer to those of us who 
>> uncomprehendingly
>> monkey-type things from wikis when we don't fully understand. 
>> Perhaps something more generic
>> would be clearer: myhost.myrealm, or myhost.mydom.local, or 
>> myLocalFQDN -- something like that.
>> Not sure what is best; just don't want to imply that they HAVE TO use 
>> mail.hprs.local.
>>
>>> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
>>> I have to set up some kind of test environment to find out why it bugs.
>> I'm going to give my brain a rest for a bit before I resume tilting 
>> at the NTLM windmill! I'll
>> check back with the list to see if you've come up with anything.
>>
>>> Aki
>> Again, thanks for all your help.
>>
>> --Mark
>>
>> -----Original Message-----
>>> Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for 
>>> GSSAPI config]
>>> To: dovecot at dovecot.org
>>> From: Aki Tuomi <aki.tuomi at dovecot.fi>
>>> Organization: Dovecot Oy
>>> Date: Mon, 4 Jul 2016 08:54:27 +0300
>>> On 04.07.2016 07:44, Mark Foley wrote:
>>>> After over a year and a half struggling to get Dovecot to do 
>>>> either NTLM or GSSAPI
>>>> authentication with Samba4 AD/DC, I believe I've finally got it! 
>>>> Thanks to all those in this
>>>> list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom 
>>>> Talpey, especially Aki Tuomi;
>>>> and infinite thanks to Achim Gottinger on the SambaList for his 
>>>> patience in working this
>>>> through with me.  Although my purpose was for Dovecot to 
>>>> authenticate mail clients, the
>>>> configuration settings needed were on the Samba side.  I hope a 
>>>> variation of these instructions
>>>> can eventually make it into:
>>>>
>>>> http://wiki2.dovecot.org/Authentication/Kerberos
>>>>
>>>>
>>> It has been now updated.
>>>
>>> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
>>> I have to set up some kind of test environment to find out why it bugs.
>>>
>>> Aki
>>>
> i have a document that i had written, recording each of the changes 
> needed to each of the files to be modified, in order to have dovecot 
> authenticate against kerberos and authorize against ldap.  in 
> addition, the use of nfs for maildir mailboxes and load balanced 
> nuances are covered.  the doc is in odt format (libre office writer), 
> and i have attempted to post it to this mailing list, but it was 
> quarantined.
>
> if there is any interest in the doc, reach out to me.  i welcome input 
> and feedback on it.
>
> brendan

I would very much like to have a copy, please.

Aki

