Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

Brendan Kearney bpk678 at gmail.com
Tue Jul 5 12:52:45 UTC 2016


On 07/04/2016 02:40 PM, Aki Tuomi wrote:
>
>
> On 04.07.2016 17:40, Brendan Kearney wrote:
>> On 07/04/2016 03:30 AM, Mark Foley wrote:
>>> Actually, I see that you used host.domain.name further down. That's 
>>> a good substitute for mail.hprs.local.
>>>
>>> Also, not to be a literary critic, but it might not hurt to show an 
>>> example keytab beneath your
>>> "Make sure your keytab has entry for ...". Just in case people don't 
>>> exactly know how to "make sure:
>>>
>>> $ klist -Kek /etc/dovecot/dovecot.keytab
>>> Keytab name: FILE:/etc/dovecot/dovecot.keytab
>>> KVNO Principal
>>> ---- --------------------------------------------------------------------------
>>>     1 imap/host.domain.name at MYREALM (des-cbc-crc) (0x232616c2a4fd08f7)
>>>     1 imap/host.domain.name at MYREALM (des-cbc-md5) (0x232616c2a4fd08f7)
>>>     1 imap/host.domain.name at MYREALM (arcfour-hmac) (0x9dae89a221dc374a39f560833
>>>
>>> --Mark
>>>
>>> -----Original Message-----
>>> From: Mark Foley <mfoley at ohprs.org>
>>> Date: Mon, 04 Jul 2016 03:23:30 -0400
>>> Organization: Ohio Highway Patrol Retirement System
>>> To: dovecot at dovecot.org
>>> Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for 
>>> GSSAPI config]
>>>
>>> On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi <aki.tuomi at dovecot.fi> 
>>> wrote:
>>>
>>>>> http://wiki2.dovecot.org/Authentication/Kerberos
>>>> It has been now updated.
>>> Excellent! That was quick!
>>>
>>> Although, you used my actual local domain in your example: 
>>> mail.hprs.local.  Not that I care,
>>> no one can get to that, but it might be clearer to those of us who 
>>> uncomprehendingly
>>> monkey-type things from wikis when we don't fully understand. 
>>> Perhaps something more generic
>>> would be clearer: myhost.myrealm, or myhost.mydom.local, or 
>>> myLocalFQDN -- something like that.
>>> Not sure what is best; just don't want to imply that they HAVE TO 
>>> use mail.hprs.local.
>>>
>>>> I had a look at the NTLM mechanism, it *should* support SSP and 
>>>> NTLMv2.
>>>> I have to set up some kind of test environment to find out why it 
>>>> bugs.
>>> I'm going to give my brain a rest for a bit before I resume tilting 
>>> at the NTLM windmill! I'll
>>> check back with the list to see if you've come up with anything.
>>>
>>>> Aki
>>> Again, thanks for all your help.
>>>
>>> --Mark
>>>
>>> -----Original Message-----
>>>> Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for 
>>>> GSSAPI config]
>>>> To: dovecot at dovecot.org
>>>> From: Aki Tuomi <aki.tuomi at dovecot.fi>
>>>> Organization: Dovecot Oy
>>>> Date: Mon, 4 Jul 2016 08:54:27 +0300
>>>> On 04.07.2016 07:44, Mark Foley wrote:
>>>>> After over a year and a half struggling to get Dovecot to do 
>>>>> either NTLM or GSSAPI
>>>>> authentication with Samba4 AD/DC, I believe I've finally got it! 
>>>>> Thanks to all those in this
>>>>> list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom 
>>>>> Talpey, and especially Aki Tuomi;
>>>>> and infinite thanks to Achim Gottinger on the SambaList for his 
>>>>> patience in working this
>>>>> through with me.  Although my purpose was for Dovecot to 
>>>>> authenticate mail clients, the
>>>>> configuration settings needed were on the Samba side.  I hope a 
>>>>> variation of these instructions
>>>>> can eventually make it into:
>>>>>
>>>>> http://wiki2.dovecot.org/Authentication/Kerberos
>>>>>
>>>>>
>>>> It has been now updated.
>>>>
>>>> I had a look at the NTLM mechanism, it *should* support SSP and 
>>>> NTLMv2.
>>>> I have to set up some kind of test environment to find out why it 
>>>> bugs.
>>>>
>>>> Aki
>>>>
>> i have a document that i had written, recording each of the changes 
>> needed to each of the files to be modified, in order to have dovecot 
>> authenticate against kerberos and authorize against ldap.  in 
>> addition, the use of nfs for maildir mailboxes and load balanced 
>> nuances are covered.  the doc is in odt format (libre office writer), 
>> and i have attempted to post it to this mailing list, but it was 
>> quarantined.
>>
>> if there is any interest in the doc, reach out to me.  i welcome 
>> input and feedback on it.
>>
>> brendan
>
> I would very much like to have a copy, please.
>
> Aki
replied off list, as my doc is quarantined due to size.
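The keytab check Mark asked to see spelled out, as an added example that is not part of this thread or of the Dovecot wiki page: a POSIX shell script that reads `klist -Kek` output, verifies that the `imap/<fqdn>@REALM` service principal Dovecot's GSSAPI mechanism needs is present, and additionally flags the single-DES enctypes visible in the sample above, which are deprecated and which current clients will not negotiate. The host name `host.domain.name`, realm `MYREALM` and key hashes are constructed sample values (the list archive renders the `@` in principals as ` at `).

```shell
#!/bin/sh
# Added example, not from the thread: check that a Dovecot keytab carries the
# imap/<fqdn>@REALM principal that GSSAPI needs, and report legacy single-DES
# enctypes. Host name, realm and key hashes below are constructed sample values.

# Constructed sample in the layout printed by `klist -Kek` (MIT Kerberos).
SAMPLE_KLIST='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/host.domain.name@MYREALM (des-cbc-crc) (0x232616c2a4fd08f7)
   1 imap/host.domain.name@MYREALM (des-cbc-md5) (0x232616c2a4fd08f7)
   1 imap/host.domain.name@MYREALM (arcfour-hmac) (0x9dae89a221dc374a39f56083)'

# keytab_principal_count PRINCIPAL   (klist output on stdin)
# Prints how many keytab entries (one per enctype) match the full principal,
# realm included; a partial or wrong-realm principal counts as absent.
keytab_principal_count() {
    grep -c " $1 (" || true
}

# weak_enctypes   (klist output on stdin)
# Prints each single-DES enctype found, one per line. These are deprecated
# (RFC 6649); a keytab that only has them will fail with modern clients.
weak_enctypes() {
    grep -o '(des-cbc-[a-z0-9]*)' | tr -d '()' | sort -u
}

# check_keytab PRINCIPAL   (klist output on stdin)
# Returns 0 if the principal is present (warning on weak enctypes), 1 if absent.
check_keytab() {
    out=$(cat)
    n=$(printf '%s\n' "$out" | keytab_principal_count "$1")
    if [ "$n" -eq 0 ]; then
        echo "MISSING: no keytab entry for $1" >&2
        return 1
    fi
    echo "OK: $n entries for $1"
    weak=$(printf '%s\n' "$out" | weak_enctypes)
    [ -n "$weak" ] && echo "WARNING: legacy enctypes present: $(echo "$weak" | tr '\n' ' ')" >&2
    return 0
}

# Stand-alone use: sh check_keytab.sh imap/host.domain.name@MYREALM [/path/to/keytab]
# With no keytab argument the constructed sample is checked instead of calling klist.
if [ -n "$2" ]; then
    klist -Kek "$2" | check_keytab "$1"
elif [ -n "$1" ]; then
    printf '%s\n' "$SAMPLE_KLIST" | check_keytab "$1"
fi
```

Matching on the full principal including the realm is deliberate: a keytab for `imap/host.domain.name@OTHERREALM`, or for a different service such as `host/`, will not satisfy a GSSAPI login to IMAP even though `klist` shows an entry, so a substring match on the host name alone would give a false pass.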