Looking for GSSAPI config [was: Looking for NTLM config example]

Mark Foley mfoley at ohprs.org
Mon Jun 27 04:31:14 UTC 2016


Thanks for the reply.  When you say it [NTLM] "should" work, I understand you to be implying
you've not actually tried NTLM yourself, right? I've never gotten a response from someone
saying they have or are actually using it. Your subsequent messages about NTLM v[1|2] may be
the problem, but email clients I've tried (Outlook, Thunderbird) don't really give a choice.

That's OK, I'd be glad to try something different that would work!!! I am trying your advice
for gssapi.  I've followed the instructions at
http://wiki2.dovecot.org/Authentication/Kerberos.  In my 10-auth.conf I changed the
auth_mechanism line to:

auth_mechanisms = plain login gssapi

Which is only different from before with the addition of "gssapi".  That's all I've done.  I'm
using the same userdb as before which is /etc/passwd.  My doveconf -n is:

----------SNIP------------
> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
	  driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
	  driver = passwd
}
verbose_ssl = yes
------------PINS-------------

I attempted to connect from Thunderbird on Ubuntu 15.10 to Dovecot on a Slackware 14.1 AD/DC. I
selected "Kerberos/GSSAPI" as the authentication method on Tbird. When trying the connection I
got the following in my Dovecot log:

Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 27 00:04:54 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.99, lip=98.102.63.107, session=<Zk1rnzo2IADAqABj>

So, any idea why this is not working? I'll say up-front that I do not have the auth_krb5_keytab
configured in 10-auth.conf. I could find no such file on the host running Dovecot. Is that file
needed? If so, I've got a message in to the Samba4 folks asking where it is located.

I'm also using Dovecot 2.2.15. Too old?

Do you think auth_krb5_keytab is my problem or something deeper?

THX --Mark

-----Original Message-----
> Date: Sun, 26 Jun 2016 14:00:49 +0300 (EEST)
> From: aki.tuomi at dovecot.fi
> To: dovecot at dovecot.org
> Subject: Re: Looking for NTLM config example
>
> It should work. Although if you are using linux server you might want to use gssapi instead. 
>
> > On June 25, 2016 at 7:43 PM Mark Foley <mfoley at ohprs.org> wrote:
> > 
> > 
> > I've asked this several times over the past year with essentially zero responses. I'll keep it simple:
> > 
> > Does NTLM authentication work in Dovecot?
> > 
> > I'll post this one last time. If I still have no responses I'll have to conclude that no one
> > has actually tried this authentication method and it therefore does not work.
> > 
> > Thanks, --Mark
> > 
> > -----Original Message-----
> > From: Mark Foley <mfoley at ohprs.org>
> > Date: Fri, 22 Apr 2016 02:07:24 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: dovecot at dovecot.org
> > Subject: Looking for NTLM config example
> > 
> > > Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take
> > > another run at setting up NTLM authentication from Thunderbird to my Samba4 AD/DC. 
> > >
> > > With the help of the samba maillist folks I was able to set up NTLM authentication for domain
> > > user login.  I should be able to do the same for email!
> > >
> > > But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got
> > > lost immediately. Are "authentication submethods" synonymous with "password schemes"? The 7th
> > > line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the
> > > referenced link I found no reference to "NTLM password scheme".
> > >
> > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
> > > http://wiki2.dovecot.org/Authentication/PasswordSchemes tell you what the 4 NTLM
> > > authentication submethods are, tell you what password schemes are, tell you what the NTLM
> > > client/server handshake is, but don't actually tell you how to configure dovecot config
> > > files.  I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce,
> > > MITM can't force downgrade" ...  whatever that means. 
> > >
> > > Anyway, probably it's my lack of understanding terminology.  I don't even know what a "nonce"
> > > is.  But, I learn well from examples! Can someone please give me a sample 10-auth.conf for NTLM
> > > and any other supporting settings or configs I need?
> > >
> > > My current/working dovecot settings, which have been running perfectly for well over a year
> > > now, are:
> > >
> > > $ dovecot -n
> > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > auth_debug_passwords = yes
> > > auth_mechanisms = plain login
> > > auth_verbose = yes
> > > auth_verbose_passwords = plain
> > > disable_plaintext_auth = no
> > > info_log_path = /var/log/dovecot_info
> > > mail_location = maildir:~/Maildir
> > > passdb {
> > >   driver = shadow
> > > }
> > > protocols = imap
> > > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > > userdb {
> > >   driver = passwd
> > > }
> > > verbose_ssl = yes
> > >
> > >
> > > Here's what I've tried so far as 10-auth.conf:
> > >
> > > disable_plaintext_auth = no
> > > auth_use_winbind = yes
> > > info_log_path = /var/log/dovecot_info
> > > auth_verbose = yes
> > > auth_debug_passwords = yes
> > > auth_verbose_passwords= plain
> > > auth_winbind_helper_path = /usr/bin/ntlm_auth
> > >
> > > auth_mechanisms = ntlm plain login
> > >
> > > userdb {
> > >   driver = passwd
> > >   args = username_format=%n allow_all_users=yes
> > >
> > > }
> > >
> > >
> > > Which gives me a dovecot -n of:
> > >
> > > $ dovecot -n
> > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > auth_debug_passwords = yes
> > > auth_mechanisms = ntlm plain login
> > > auth_use_winbind = yes
> > > auth_verbose = yes
> > > auth_verbose_passwords = plain
> > > disable_plaintext_auth = no
> > > info_log_path = /var/log/dovecot_info
> > > mail_location = maildir:~/Maildir
> > > protocols = imap
> > > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > > userdb {
> > >   args = username_format=%n allow_all_users=yes
> > >   driver = passwd
> > > }
> > > verbose_ssl = yes
> > >
> > >
> > > I configured Thunderbird for NTLM authentication, then tried sending a message, I got the
> > > following in /var/log/dovecot_info:
> > >
> > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > > Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > > Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6>
> > >
> > >
> > > On Thunderbird I got the error, "Sending of the message failed.  The Outgoing server (SMTP)
> > > my.server.name does not support the selected authentication method.  Please change the
> > > 'Authentication method' in 'Account Settings | Outgoing Server (SMTP)'."
> > >
> > > Clearly, something is configured wrong, but I've no clue what.
> > >
> > > Can I get some advice?
> > >
> > > THX --Mark
>
> ---
> Aki Tuomi
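
An added check, not from the thread or the Dovecot project: a POSIX shell script that reads a `doveconf -n` dump like the one posted above and reports the things a gssapi setup depends on (gssapi listed in `auth_mechanisms`, a readable keytab at `auth_krb5_keytab` or the library default, and whether plain/login is still allowed without TLS). The sample config is constructed from the post; the default keytab path `/etc/krb5.keytab` is an assumption about the local Kerberos installation.

```shell
#!/bin/sh
# Constructed sample modelled on the doveconf -n output in the post above.
SAMPLE_CONF='auth_mechanisms = plain login gssapi
disable_plaintext_auth = no
passdb {
  driver = shadow
}
userdb {
  driver = passwd
}'

# conf_value NAME CONF -> prints the top-level value of NAME, empty if unset.
# NAME is a plain setting name ([a-z_] only), so it is safe inside the sed pattern.
conf_value() {
    printf '%s\n' "$2" | sed -n "s/^$1 = //p"
}

# has_mech MECH CONF -> exit 0 if MECH is one of the words in auth_mechanisms
has_mech() {
    case " $(conf_value auth_mechanisms "$2") " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# keytab_path CONF -> the keytab the auth process will open: auth_krb5_keytab if
# set, otherwise the Kerberos library default (assumed here to be /etc/krb5.keytab)
keytab_path() {
    kt=$(conf_value auth_krb5_keytab "$1")
    printf '%s\n' "${kt:-/etc/krb5.keytab}"
}

# check_gssapi CONF -> prints one line per finding; exit status = number of findings
check_gssapi() {
    problems=0
    if ! has_mech gssapi "$1"; then
        echo "gssapi is not listed in auth_mechanisms"; problems=$((problems + 1))
    fi
    kt=$(keytab_path "$1")
    if [ ! -r "$kt" ]; then
        echo "keytab $kt is missing or not readable by this user"; problems=$((problems + 1))
    fi
    if has_mech plain "$1" && [ "$(conf_value disable_plaintext_auth "$1")" = "no" ]; then
        echo "plain/login accepted on non-TLS connections (disable_plaintext_auth = no)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

check_gssapi "$SAMPLE_CONF" || echo "findings: $?"
```

Run it as the user the Dovecot auth process runs as, since the keytab readability test is only meaningful from that account.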

