Looking for GSSAPI config [was: Looking for NTLM config example]

Mark Foley mfoley at ohprs.org
Fri Jul 1 17:37:48 UTC 2016


Aki - comments interspersed below ...

--Mark

-----Original Message-----
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: dovecot at dovecot.org
> From: Aki Tuomi <aki.tuomi at dovecot.fi>
> Organization: Dovecot Oy
> Date: Fri, 1 Jul 2016 10:10:43 +0300
>
> The distinction is that kerberos principals are in form
>
> <service>/<hostname>@<REALM>
>
> the hostname bit *must* match to the host you are connecting to, exactly
> and verbatim. It can differ in case, I guess.
>
> The service is what service you are connecting to. These have special
> meanings and can be case sensitive (like http won't always work, it has
> to be HTTP).

The current IMAP "Principle" in my keytab is:

imap/mail.hprs.local at HPRS.LOCAL

Explicitly, are you saying it needs to look like:

IMAP/mail at HPRS.LOCAL

Meaning, capitalized "IMAP" and just hostname, no FQDN?

> host/ is always needed in at least system keytab. Not sure if it's
> needed now in the service tab. But I suspect that you need to have IMAP
> and not imap. Also make sure and double-check that the hostname is correct.

Confused.  What do you mean by "host/"? Can you give an example using my host and domain names?
I don't know where "host/" goes.  I assume this is not a synonym for "<service>/"?

This is the first I've heard of a system keytab versus a service tab. What are they? Do I need
both?

> Once you've done the keytab you'll want to grab a cup of coffee and
> local newspaper or something and read it thru before trying, because it
> might take some time for it to work.

Really? I can reboot this evening.

> Also, your client *and* host needs to be able to access KDC (all of
> them) on 88/tcp.

There should be no problem with the intra-LAN firewall. Everything is permitted, but I'll
double-check on the WIN7 workstation I'm testing from.

Is there a way to know for sure my dovecot is enabled for gssapi?

> Aki
>
> On 01.07.2016 09:42, Mark Foley wrote:
> > My keytab now has:
> >
> > ktutil:  read_kt /etc/dovecot/dovecot.keytab
> > ktutil:  list
> > slot KVNO Principal
> > ---- ---- ---------------------------------------------------------------------
> >    1    1          smtp/mail.hprs.local at HPRS.LOCAL
> >    2    1          imap/mail.hprs.local at HPRS.LOCAL
> >
> > I added these in ktutil with:
> >
> > addent -password -p smtp/mail.hprs.local at HPRS.LOCAL -k 1 -e arcfour-hmac
> >
> > Aki wrote:
> >
> >> I think the problem still is that your keytab file has no entry
> >> imap/hostname at DOMAIN and IMAP/hostname at DOMAIN
> >> you also have no host/hostname at DOMAIN
> > Not sure how to interpret your template. Are you suggesting I should ...
> >
> > addent -password -p IMAP/mail at HPRS.LOCAL -k 1 -e arcfour-hmac
> > addent -password -p imap/mail at HPRS.LOCAL -k 1 -e arcfour-hmac
> >
> > (one IMAP uppercase and one lowercase?)
> >
> > I don't get your distinction between host and hostname in your 3rd example: host/hostname at DOMAIN
> >
> > Meanwhile ...
> >
> > Tried a bunch of things.  No go so far.  In fact, I'm questioning if gssapi is enabled in my
> > dovecot.  I did rebuild and reinstall using `./configure --with-gssapi=yes`, but if I only
> > enable gssapi authentication, I get "No authenticators available" (mail client).  How can I
> > verify gssapi is really available? dovecot --build-options shows:
> >
> > Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
> > Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
> > SQL drivers:
> > Passdb: checkpassword passwd passwd-file shadow
> > Userdb: checkpassword nss passwd prefetch passwd-file
> >
> > should I see authentication methods there?
> >
> > --Mark
> >
> > -----Original Message-----
> > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> > To: dovecot at dovecot.org
> > From: Aki Tuomi <aki.tuomi at dovecot.fi>
> > Organization: Dovecot Oy
> > Date: Thu, 30 Jun 2016 09:58:14 +0300
> >
> > I think the problem still is that your keytab file has no entry
> > imap/hostname at DOMAIN and IMAP/hostname at DOMAIN
> >
> > you also have no host/hostname at DOMAIN
> >
> > Aki
> >
> > On 29.06.2016 18:40, Mark Foley wrote:
> >> Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that.
> >> The Thunderbird message is:
> >>
> >> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark at ohprs.org. Please check
> >> that you are logged in to the Kerberos/GSSAPI realm."
> >>
> >> I made further comments in that message that I won't clutter the list by repeating here. Check
> >> out that message and see what you think could be wrong.
> >>
> >> Thanks for your help! I'm sure this is solvable!
> >>
> >> --Mark
> >>
> >> -----Original Message-----
> >>> Date: Wed, 29 Jun 2016 08:03:14 -0400
> >>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> >>> From: brendan kearney <bpk678 at gmail.com>
> >>> To: Mark Foley <mfoley at ohprs.org>
> >>> Cc: dovecot at dovecot.org
> >>>
> >>> The last log line shows "user=<>".  This indicates no credentials were
> >>> presented.  If the rip field matches the client ip you tested from, I would
> >>> bet the appropriate kerberos ticket (imap/host.domain.tld at REALM) was not
> >>> pulled for the authentication.
> >>> On Jun 28, 2016 11:33 PM, "Mark Foley" <mfoley at ohprs.org> wrote:
> >> [deleted]
>

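As an added example (not code from this thread or from Dovecot), a small POSIX shell check for the two questions raised above: whether the keytab holds exactly the principal a client will request (service name case and full hostname both matter), and whether the IMAP server advertises GSSAPI at all. The klist and CAPABILITY samples are constructed; the hostname, realm and keytab path are the ones from this thread.

```shell
# Added example, not from the thread. The klist output and CAPABILITY line
# below are constructed so the script runs offline; with a real server feed
# it the output of: klist -k /etc/dovecot/dovecot.keytab   (without -e)

SAMPLE_KLIST='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 smtp/mail.hprs.local@HPRS.LOCAL
   1 imap/mail.hprs.local@HPRS.LOCAL'

# Constructed CAPABILITY response, as a client sees it after connecting.
SAMPLE_CAPA='* CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI'

# keytab_has_principal <klist-output> <service> <fqdn> <realm>
# Exact, case-sensitive comparison of service/fqdn@REALM, which is how
# Kerberos matches: imap != IMAP, and mail != mail.hprs.local.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2/$3@$4" '
        /^ *[0-9]+ +[^ ]+@[^ ]+$/ { if ($2 == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_keytab <klist-output> <fqdn> <realm> <service>...
# fqdn must be the name clients connect to, since the client requests a
# ticket for <service>/<that name>@REALM. Returns the number of missing entries.
check_keytab() {
    out=$1; fqdn=$2; realm=$3; shift 3
    missing=0
    for svc in "$@"; do
        if keytab_has_principal "$out" "$svc" "$fqdn" "$realm"; then
            echo "ok      $svc/$fqdn@$realm"
        else
            echo "MISSING $svc/$fqdn@$realm"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# imap_auth_mechs <capability-line>
# Prints the SASL mechanisms offered (AUTH=... tokens). A client reporting
# "No authenticators available" is not seeing AUTH=GSSAPI in this list.
imap_auth_mechs() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^AUTH=//p' | tr '\n' ' ' | sed 's/ $//'
}

echo "server offers: $(imap_auth_mechs "$SAMPLE_CAPA")"
check_keytab "$SAMPLE_KLIST" mail.hprs.local HPRS.LOCAL imap smtp host || echo "$? principal(s) missing"
```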