Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

Achim Gottinger achim at ag-web.biz
Tue Jul 5 12:50:54 UTC 2016



On 04.07.2016 at 09:30, Mark Foley wrote:
> Actually, I see that you used host.domain.name further down. That's a good substitute for mail.hprs.local.
>
> Also, not to be a literary critic, but it might not hurt to show an example keytab beneath your
> "Make sure your keytab has entry for ...". Just in case people don't exactly know how to "make sure":
>
> $ klist -Kek /etc/dovecot/dovecot.keytab
> Keytab name: FILE:/etc/dovecot/dovecot.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>     1 imap/host.domain.name at MYREALM (des-cbc-crc)  (0x232616c2a4fd08f7)
>     1 imap/host.domain.name at MYREALM (des-cbc-md5)  (0x232616c2a4fd08f7)
>     1 imap/host.domain.name at MYREALM (arcfour-hmac)  (0x9dae89a221dc374a39f560833
>
> --Mark
>
> -----Original Message-----
> From: Mark Foley <mfoley at ohprs.org>
> Date: Mon, 04 Jul 2016 03:23:30 -0400
> Organization: Ohio Highway Patrol Retirement System
> To: dovecot at dovecot.org
> Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
>
> On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>
>>> http://wiki2.dovecot.org/Authentication/Kerberos
>> It has been now updated.
> Excellent! That was quick!
>
> Although, you used my actual local domain in your example: mail.hprs.local.  Not that I care,
> no one can get to that, but it might be clearer to those of us who uncomprehendingly
> monkey-type things from wikis when we don't fully understand.  Perhaps something more generic
> would be clearer: myhost.myrealm, or myhost.mydom.local, or myLocalFQDN -- something like that.
> Not sure what is best; just don't want to imply that they HAVE TO use mail.hprs.local.
>
>> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
>> I have to set up some kind of test environment to find out why it bugs.
> I'm going to give my brain a rest for a bit before I resume tilting at the NTLM windmill! I'll
> check back with the list to see if you've come up with anything.
>
>> Aki
> Again, thanks for all your help.
>
> --Mark
>
> -----Original Message-----
>> Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
>> To: dovecot at dovecot.org
>> From: Aki Tuomi <aki.tuomi at dovecot.fi>
>> Organization: Dovecot Oy
>> Date: Mon, 4 Jul 2016 08:54:27 +0300
>> On 04.07.2016 07:44, Mark Foley wrote:
>>> After over a year and a half struggling to get Dovecot to do either NTLM or GSSAPI
>>> authentication with Samba4 AD/DC, I believe I've finally got it! Thanks to all those in this
>>> list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom Talpey, especially Aki Tuomi;
>>> and infinite thanks to Achim Gottinger on the SambaList for his patience in working this
>>> through with me.  Although my purpose was for Dovecot to authenticate mail clients, the
>>> configuration settings needed were on the Samba side.  I hope a variation of these instructions
>>> can eventually make it into:
>>>
>>> http://wiki2.dovecot.org/Authentication/Kerberos
>>>
>>>
>> It has been now updated.
>>
>> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
>> I have to set up some kind of test environment to find out why it bugs.
>>
>> Aki
>>
Thanks for updating the Kerberos docs.
Usually it is also a good idea to disable password expiry for the 
service accounts.

samba-tool user setexpiry dovecot --noexpiry

achim~
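The thread's "make sure your keytab has an entry for imap/<fqdn>" step is easy to get wrong by eye, so here is an added example, not code from the thread or from the Dovecot or Samba projects, that checks a `klist -Kek` listing mechanically: it confirms the `imap/<host>@<REALM>` principal is present and flags single-DES enctypes (des-cbc-crc, des-cbc-md5), which are deprecated and should not be the only thing a GSSAPI client can negotiate. The listing embedded below is a constructed copy of the one quoted above, with the archive's "at" written back as "@", so the script runs offline; the host name `host.domain.name`, the realm `MYREALM` and the function names are the example's own assumptions. Against a real keytab you would pipe the live `klist` output in instead of the sample.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): sanity-check a `klist -Kek`
# listing for the service principal Dovecot's GSSAPI mechanism needs.
#
# Live use (assumed paths/names):
#   klist -Kek /etc/dovecot/dovecot.keytab > /tmp/keytab.txt
#   keytab_has_principal "$(cat /tmp/keytab.txt)" host.domain.name MYREALM

# Constructed copy of the listing quoted in the thread ("at" restored to "@").
SAMPLE_LISTING='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/host.domain.name@MYREALM (des-cbc-crc)  (0x232616c2a4fd08f7)
   1 imap/host.domain.name@MYREALM (des-cbc-md5)  (0x232616c2a4fd08f7)
   1 imap/host.domain.name@MYREALM (arcfour-hmac)  (0x9dae89a221dc374a39f560833)'

# Print the enctype of every entry for imap/<host>@<REALM>, one per line.
# Each klist entry line looks like: "<kvno> <principal> (<enctype>)  (<key>)",
# so the principal is field 2 and the parenthesised enctype is field 3.
keytab_enctypes() {  # args: listing host realm
    printf '%s\n' "$1" | awk -v p="imap/$2@$3" '$2 == p { gsub(/[()]/, "", $3); print $3 }'
}

# Number of keytab entries for the principal (0 when it is missing).
keytab_entry_count() {  # args: listing host realm
    keytab_enctypes "$1" "$2" "$3" | grep -c .
}

# Exit 0 when the principal has at least one entry, 1 otherwise.
keytab_has_principal() {  # args: listing host realm
    [ "$(keytab_entry_count "$1" "$2" "$3")" -gt 0 ]
}

# Exit 0 when no single-DES entry is present for the principal, 1 if any is.
keytab_no_des() {  # args: listing host realm
    ! keytab_enctypes "$1" "$2" "$3" | grep -q '^des-cbc-'
}

# Stand-alone run against the constructed sample.
if keytab_has_principal "$SAMPLE_LISTING" host.domain.name MYREALM; then
    echo "ok: imap/host.domain.name@MYREALM present ($(keytab_entry_count "$SAMPLE_LISTING" host.domain.name MYREALM) entries)"
else
    echo "missing: imap/host.domain.name@MYREALM"
fi
if keytab_no_des "$SAMPLE_LISTING" host.domain.name MYREALM; then
    echo "ok: no single-DES enctypes"
else
    echo "warning: single-DES enctypes present; prefer AES keys for this principal"
fi
```

On the sample the principal is found with three entries, and the DES check fails because two of them are des-cbc-*. arcfour-hmac (RC4) is likewise deprecated, so the same `grep` can be widened to `'^\(des-cbc-\|arcfour\)'` once the AD side issues AES keys for the account.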

