On Fri, 1 Jul 2016 10:37:51 +0200 Achim Gottinger <
ac...@ag-web.biz> wrote:
> It's getting a bit off-topic for the samba list :-)
Maybe, but I am concurrently talking to people on the Dovecot list who seem to be able to do
Kerberos authentication, but none are using Samba4. They are also suggesting different
principals for the keytab file and other divergences from your suggestions.
I've dealt with a whole universe of OSes, networks and systems over my long and checkered
career, but this Kerberos stuff is the most esoteric bag of Voodoo I've run across. I am
totally lost with what all these settings do or mean. Anyway ...
My results from that:
--------BEGIN---------
$ telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI] Dovecot ready.
$ openssl s_client -connect localhost:993
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, CN = mail.ohprs.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = mail.ohprs.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, CN = mail.ohprs.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=mail.ohprs.org
  i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
Server certificate
-----BEGIN CERTIFICATE-----
[deleted - lots more stuff]
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI] Dovecot ready.
a capability
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI
a OK Pre-login capabilities listed, post-login capabilities have more.
a authenticate GSSAPI
+
--------END---------
The telnet test seemed to work. I got the "OK Dovecot ready" message. The openssl test does
have the "CONNECTED(00000003)" at the beginning and "OK ... Dovecot Ready" at the end, but
disconcerting stuff in the middle ("unable to get local issuer certificate", "certificate not
trusted", etc.)
The 'a' commands returned the GSSAPI capability and the positive for the "authenticate GSSAPI".
All that I think is good.
Now, "The Test", as that page puts it ... unfortunately, as with much documentation, there is
a lot of assumed knowledge on the part of the author who is all too familiar with his topic (to
be fair, the testing section of this page does say "this section required cleanup"). So ... the
test instructions (if you're tired of reading at this point, skip to my IMAP/HOSTNAME comments):
"Setup mutt in /etc/Muttrc to use kerberos using gssapi and imap configuration
this is done with set imap_authenticators="gssapi"
Did that, although my mutt doesn't seem to use it. I have to do '-F /etc/Muttrc' to use that
config.
"run kinit (type in password for kerb)
run command mutt
If you get error No Authentication Method"
Who/what is 'kerb'? This is not mentioned at all in the document up to this point. I assume it
is supposed to be a user account. I ran all these tests as root, but root does not have an IMAP
account. My "test" worked for root (but it is not IMAP), when I ran
I did get "No authenticators available", same as yesterday. (ma...@HPRS.LOCAL is in the klist).
The instructions go on:
"run command klist (list all kerberos keys) should show imap/HOSTNAME
/etc/hosts has to be set properly so that kerberos can find server."
This is now the 3rd variation on the klist settings I've gotten from various sources. I
currently have:
smtp/mail.hp...@HPRS.LOCAL
imap/mail.hp...@HPRS.LOCAL
The Dovecot listers are suggesting (I think, needs more clarification)
IMAP/ma...@HPRS.LOCAL
i.e. IMAP must be capitalized and hostname only, no FQDN. This webpage we are looking at
appears to be suggesting
imap/MAIL
with "imap" in lowercase, hostname only in uppercase, no FQDN, no realm. That doesn't really
look right to me and is perhaps part of the "required cleanup" bit -- on the other hand, I know
nothing about any of this. The comment on "/etc/hosts has to be set properly" is a
space-waster without defining what "properly" means.
Like I said, Voodoo.
I will continue to experiment with these various suggestions, but I'm growing more skeptical
that Samba4/kerberos/Dovecot can work together. Rowland Penny set me up with single sign-on
authentication from a Ubuntu client which apparently uses kerberos, but that is
Samba-to-Samba, not Dovecot-Samba.
Another part of this could be confusion as to what FQDN I should be using. The local LAN is
hprs.local, which is how I have keytab configured, but the cert it checks against is
ohprs.org.
Which should I be using?
> If I run the telnet authenticated test and klist afterwards contains the
> imap keys.
Could you post your klist so I can see what format you have?
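The message above juggles three spellings of the keytab principal and two candidate hostnames. The script below is an added example, not part of the original mail or of the Dovecot or Samba projects: it parses a `klist -k -t` listing and checks each IMAP-looking principal against the form a GSSAPI client actually asks the KDC for, `imap/<fqdn>@<REALM>` (lowercase service, the fully qualified hostname the client connects to, uppercase realm), and it checks an IMAP greeting for `AUTH=GSSAPI`, which Dovecot advertises when `gssapi` is in `auth_mechanisms`. The keytab listing is constructed to mirror the variants quoted in the thread; the IMAP banner is the one from the telnet test. The hostnames `mail.hprs.local` and `mail.ohprs.org` and the realm `HPRS.LOCAL` are taken from the mail. The `openssl s_client` verify errors in the mail come from `s_client` being run without a trust store (`-CAfile`), so they say nothing about the GSSAPI setup and are not checked here.

```shell
#!/bin/sh
# Added example (not from the original mail): sanity-check the principals in a
# Dovecot keytab and an IMAP greeting. Feed check_keytab the output of
#   klist -k -t /etc/dovecot/dovecot.keytab
# The listing below is CONSTRUCTED to reproduce the variants discussed in the
# thread (hostnames/realm from the mail; timestamps made up).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Timestamp           Principal
---- ------------------- -------------------------------------------------
   2 07/01/2016 10:00:00 imap/mail.hprs.local@HPRS.LOCAL
   2 07/01/2016 10:00:00 smtp/mail.hprs.local@HPRS.LOCAL
   2 07/01/2016 10:00:00 IMAP/mail@HPRS.LOCAL
   2 07/01/2016 10:00:00 imap/MAIL'

# Greeting copied from the telnet test in the mail.
SAMPLE_BANNER='* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI] Dovecot ready.'

# check_keytab LISTING SERVICE HOST REALM
# Prints one verdict per principal that was apparently meant for SERVICE
# (principals for other services, e.g. smtp/, are ignored) and returns 0 only
# if the exact principal SERVICE/HOST@REALM is present. HOST must be the name
# clients connect to: the GSSAPI client builds "SERVICE/<that host>@REALM" and
# the KDC/keytab must have a key for exactly that string.
check_keytab() {
    listing=$1 want_svc=$2 want_host=$3 want_realm=$4
    found=1
    # Data rows of klist -k[-t] start with a numeric KVNO; principal is last field.
    for p in $(printf '%s\n' "$listing" | awk '$1 ~ /^[0-9]+$/ { print $NF }'); do
        svc=${p%%/*}
        rest=${p#*/}
        [ "$rest" = "$p" ] && rest=""            # no '/' in the principal
        phost=${rest%@*}
        prealm=${rest##*@}
        [ "$prealm" = "$rest" ] && prealm=""     # no '@' means no realm given
        lsvc=$(printf '%s' "$svc" | tr 'A-Z' 'a-z')
        [ "$lsvc" = "$want_svc" ] || continue    # another service's key, skip
        if [ "$p" = "$want_svc/$want_host@$want_realm" ]; then
            echo "OK   $p"; found=0
        elif [ "$svc" != "$want_svc" ]; then
            echo "BAD  $p: service part is case-sensitive, want '$want_svc'"
        elif [ -z "$prealm" ]; then
            echo "BAD  $p: no realm; want $want_svc/$want_host@$want_realm"
        elif [ "$prealm" != "$want_realm" ]; then
            echo "BAD  $p: realm '$prealm', want '$want_realm'"
        else
            echo "WARN $p: host '$phost' is not '$want_host' (the name clients use)"
        fi
    done
    return $found
}

# banner_offers_gssapi LINE
# True if an IMAP greeting or CAPABILITY response advertises AUTH=GSSAPI.
banner_offers_gssapi() {
    case $1 in
        *AUTH=GSSAPI*) return 0 ;;
        *) return 1 ;;
    esac
}

if [ "${1-}" = "--demo" ]; then
    echo "== keytab vs. LAN name =="
    check_keytab "$SAMPLE_KEYTAB" imap mail.hprs.local HPRS.LOCAL && echo "usable for mail.hprs.local"
    echo "== keytab vs. public name =="
    check_keytab "$SAMPLE_KEYTAB" imap mail.ohprs.org HPRS.LOCAL || echo "no key for mail.ohprs.org"
    banner_offers_gssapi "$SAMPLE_BANNER" && echo "banner advertises AUTH=GSSAPI"
fi
```

Run with `--demo` to see the verdicts; in real use replace `SAMPLE_KEYTAB` with the live `klist -k -t` output. The check is deliberately run against both names from the mail: if clients reach the server as `mail.ohprs.org`, they will request `imap/mail.ohprs.org@HPRS.LOCAL`, so that principal has to be in the keytab even though the realm is `HPRS.LOCAL`; a keytab can hold both hostnames, and Dovecot's documented `auth_gssapi_hostname = $ALL` setting makes it accept any principal present in the keytab.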