Looking for NTLM config example

Mark Foley-2
Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take
another run at setting up NTLM authentication from Thunderbird to my Samba4 AD/DC.

With the help of the samba maillist folks I was able to set up NTLM authentication for domain
user login.  I should be able to do the same for email!

But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got
lost immediately. Are "authentication submethods" synonymous with "password schemes"? The 7th
line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the
referenced link I found no reference to "NTLM password scheme".

The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM
authentication submethods are, tells you what password schemes are, tells you what the NTLM
client/server handshake is, but doesn't actually tell you how to configure dovecot config
files.  I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce,
MITM can't force downgrade" ...  whatever that means.

Anyway, probably it's my lack of understanding terminology.  I don't even know what a "nonce"
is.  But, I learn well from examples! Can someone please give me a sample 10-auth.conf for NTLM
and any other supporting settings or configs I need?

My current/working dovecot settings, which have been running perfectly for well over a year
now, are:

$ dovecot -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
userdb {
  driver = passwd
}
verbose_ssl = yes


Here's what I've tried so far as 10-auth.conf:

disable_plaintext_auth = no
auth_use_winbind = yes
info_log_path = /var/log/dovecot_info
auth_verbose = yes
auth_debug_passwords = yes
auth_verbose_passwords = plain
auth_winbind_helper_path = /usr/bin/ntlm_auth

auth_mechanisms = ntlm plain login

userdb {
  driver = passwd
  args = username_format=%n allow_all_users=yes

}


Which gives me a dovecot -n of:

$ dovecot -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = ntlm plain login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
userdb {
  args = username_format=%n allow_all_users=yes
  driver = passwd
}
verbose_ssl = yes


I configured Thunderbird for NTLM authentication, then tried sending a message, I got the
following in /var/log/dovecot_info:

Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6>


On Thunderbird I got the error, "Sending of the message failed.  The Outgoing server (SMTP)
my.server.name does not support the selected authentication method.  Please change the
'Authentication method' in 'Account Settings | Outgoing Server (SMTP)'."

Clearly, something is configured wrong, but I've no clue what.

Can I get some advice?

THX --Mark
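Two things in the dovecot -n output above, separate from the NTLM question, that a reviewer would raise first: auth_verbose_passwords = plain together with auth_debug_passwords = yes causes attempted passwords to be written into /var/log/dovecot_info, and disable_plaintext_auth = no lets clients send PLAIN/LOGIN credentials before STARTTLS. Two further observations from the same output: it has protocols = imap and no service auth listener for an MTA, while the Thunderbird error is about the outgoing (SMTP) server, whose SASL path is not part of this configuration at all; and "Auth process broken (disconnected before auth was ready)" means the auth process exited before answering the login process, so its own failure is logged at error level (log_path, syslog by default), not in info_log_path. The script below is an added example, not from the thread or from Dovecot itself: it parses dovecot -n output into a flat map and flags those settings, using a trimmed copy of the posted output (constructed here, certificate paths omitted) beside a corrected variant. The severity labels are my own.

```python
from typing import Dict, List, Tuple

# Constructed sample: the poster's second `dovecot -n`, trimmed to the lines
# the audit looks at (certificate and log paths omitted).
POSTED_DOVECOT_N = """\
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
auth_debug_passwords = yes
auth_mechanisms = ntlm plain login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
protocols = imap
userdb {
  args = username_format=%n allow_all_users=yes
  driver = passwd
}
"""

# Same settings with the password-logging and plaintext-auth problems fixed.
# NTLM stays in the mechanism list because that is what the poster is after;
# it is a non-plaintext mechanism, so disable_plaintext_auth = yes does not
# block it, only PLAIN/LOGIN before TLS.
HARDENED_DOVECOT_N = """\
auth_mechanisms = ntlm plain login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = no
disable_plaintext_auth = yes
protocols = imap
userdb {
  args = username_format=%n allow_all_users=yes
  driver = passwd
}
"""

Finding = Tuple[str, str, str]  # (severity, setting, explanation)


def parse_dovecot_n(text: str) -> Dict[str, str]:
    """Flatten `dovecot -n` output into {'key': value, 'block/key': value}.

    Handles `key = value` lines and `name {` ... `}` blocks; nested blocks get
    slash-joined prefixes. Comment and blank lines are skipped. Only the first
    '=' splits, so `args = username_format=%n ...` keeps its inner '='.
    """
    settings: Dict[str, str] = {}
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.endswith('{'):
            stack.append(line[:-1].strip())
            continue
        if line == '}':
            stack.pop()
            continue
        key, _, value = line.partition('=')
        settings['/'.join(stack + [key.strip()])] = value.strip()
    return settings


def audit(settings: Dict[str, str]) -> List[Finding]:
    """Flag auth settings that leak credentials or weaken transport protection.

    Defaults used when a key is absent are Dovecot's documented defaults.
    """
    findings: List[Finding] = []
    verbose_pw = settings.get('auth_verbose_passwords', 'no')
    if verbose_pw != 'no':
        findings.append(('high', 'auth_verbose_passwords',
                         f'={verbose_pw}: attempted passwords are written to the auth log on failed logins'))
    if settings.get('auth_debug_passwords', 'no') == 'yes':
        findings.append(('high', 'auth_debug_passwords',
                         '=yes: auth debug output includes the password'))
    if settings.get('disable_plaintext_auth', 'yes') == 'no':
        findings.append(('medium', 'disable_plaintext_auth',
                         '=no: PLAIN/LOGIN accepted on connections without TLS'))
    if 'ntlm' in settings.get('auth_mechanisms', 'plain').split():
        findings.append(('info', 'auth_mechanisms',
                         'ntlm offered: per this thread Dovecot speaks NTLM(v1) only, not NTLMv2'))
    return findings


if __name__ == '__main__':
    for label, text in (('posted', POSTED_DOVECOT_N), ('hardened', HARDENED_DOVECOT_N)):
        print(f'== {label} ==')
        for severity, setting, why in audit(parse_dovecot_n(text)):
            print(f'[{severity}] {setting} {why}')
```

Run it against the real output with `dovecot -n | python3 audit.py` after swapping the sample for sys.stdin.read(); the parser does not need the full file, only the non-default settings dovecot -n already prints.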
Re: Looking for NTLM config example

Mark Foley-2
I've asked this several times over the past year with essentially zero responses. I'll keep it simple:

Does NTLM authentication work in Dovecot?

I'll post this one last time. If I still have no responses I'll have to conclude that no one
has actually tried this authentication method and it therefore does not work.

Thanks, --Mark

-----Original Message-----
From: Mark Foley <[hidden email]>
Date: Fri, 22 Apr 2016 02:07:24 -0400
Organization: Ohio Highway Patrol Retirement System
To: [hidden email]
Subject: Looking for NTLM config example

Re: Looking for NTLM config example

Aki Tuomi-2
It should work. Although if you are using a Linux server you might want to use GSSAPI instead.

> On June 25, 2016 at 7:43 PM Mark Foley <[hidden email]> wrote:
>
>
> I've asked this several times over the past year with essentially zero responses. I'll keep it simple:
>
> Does NTLM authentication work in Dovecot?
>
> I'll post this one last time. If I still have no responses I'll have to conclude that no one
> has actually tried this authentication method and it therefore does not work.
>
> Thanks, --Mark

---
Aki Tuomi
Re: Looking for NTLM config example

Aki Tuomi-2

Also it seems we lack support for NTLMv2. If you want to use NTLM you need to permit use of NTLM(v1), which is usually not enabled by default.

Aki

> On June 25, 2016 at 7:43 PM Mark Foley <[hidden email]> wrote:
>
>
> I've asked this several times over the past year with essentially zero responses. I'll keep it simple:
>
> Does NTLM authentication work in Dovecot?
>
> I'll post this one last time. If I still have no responses I'll have to conclude that no one
> has actually tried this authentication method and it therefore does not work.
>
> Thanks, --Mark
>
> -----Original Message-----
> From: Mark Foley <[hidden email]>
> Date: Fri, 22 Apr 2016 02:07:24 -0400
> Organization: Ohio Highway Patrol Retirement System
> To: [hidden email]
> Subject: Looking for NTLM config example
>
> > Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take
> > another run at setting up NTLM authentication from Thunderbird to my Samba4 AC/DC.
> >
> > With the help of the samba maillist folks I was able to set up NTLM authentication for domain
> > user login.  I should be able to do the same for email!
> >
> > But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got
> > lost immediately. Are "authenticaion submethods" synonymous with "password schemes"? The 7th
> > line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the
> > referenced link I found no reference to "NTLM password scheme".
> >
> > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
> > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM
> > authentication submethods are, tells you what password schemes are, tells you what the NTLM
> > client/server handshake is, but doesn't actually tell you how to configure dovecot config
> > files.  I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce,
> > MITM can't force downgrade" ...  whatever that means.
> >
> > Anyway, probably it's my lack of understanding terminology.  I don't even know what a "nonce"
> > is.  But, I learn well from examples! Can somone please give me a sample 10-auth.conf for NTML
> > and any other supporting settings or configs I need?
> >
> > My current/working dovecot settings, which have been running perfectly for well over a year
> > now, are:
> >
> > $ dovecot -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = plain login
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > passdb {
> >   driver = shadow
> > }
> > protocols = imap
> > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > userdb {
> >   driver = passwd
> > }
> > verbose_ssl = yes
> >
> >
> > Here's what I've tried so far as 10-auth.conf:
> >
> > disable_plaintext_auth = no
> > auth_use_winbind = yes
> > info_log_path = /var/log/dovecot_info
> > auth_verbose = yes
> > auth_debug_passwords = yes
> > auth_verbose_passwords= plain
> > auth_winbind_helper_path = /usr/bin/ntlm_auth
> >
> > auth_mechanisms = ntlm plain login
> >
> > userdb {
> >   driver = passwd
> >   args = username_format=%n allow_all_users=yes
> >
> > }
> >
> >
> > Which gives me a dovecot -n of:
> >
> > $ dovecot -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = ntlm plain login
> > auth_use_winbind = yes
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > protocols = imap
> > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > userdb {
> >   args = username_format=%n allow_all_users=yes
> >   driver = passwd
> > }
> > verbose_ssl = yes
> >
> >
> > I configured Thunderbird for NTLM authentication, then tried sending a message, I got the
> > following in /var/log/dovecot_info:
> >
> > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6>
> >
> >
> > On Thunderbird I got the error, "Sending of the message failed.  The Outlgoing server (SMTP)
> > my.server.name does not support the selected authentication method.  Please change the
> > 'Autnentication method' in 'Account Settings | Outgoing Server (SMTP)'."
> >
> > Clearly, something is configured wrong, but I've no clue what.
> >
> > Can I get some advice?
> >
> > THX --Mark
> From [hidden email]  Fri Apr 22 02:07:47 2016
> Return-Path: <[hidden email]>
> X-Virus-Status: Clean
> X-Virus-Scanned: clamav-milter 0.98.6 at mail
> X-Spam-Checker-Version: SpamAssassin 3.3.2-_revision__1.19__ (2011-06-06) on
> mail.hprs.local
> X-Spam-Level:
> X-Spam-Status: No, score=-106.0 required=3.0 tests=USER_IN_WHITELIST,
> USER_IN_WHITELIST_TO autolearn=unavailable version=3.3.2-_revision__1.19__
> X-Original-To: [hidden email]
> Delivered-To: [hidden email]
> X-Virus-Status: Clean
> X-Virus-Scanned: clamav-milter 0.98.6 at mail
> From: Mark Foley <[hidden email]>
> Date: Fri, 22 Apr 2016 02:07:24 -0400
> Organization: Ohio Highway Patrol Retirement System
> To: [hidden email]
> Subject: Looking for NTLM config example
>
> Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take
> another run at setting up NTLM authentication from Thunderbird to my Samba4 AC/DC.
>
> With the help of the samba maillist folks I was able to set up NTLM authentication for domain
> user login.  I should be able to do the same for email!
>
> But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got
> lost immediately. Are "authentication submethods" synonymous with "password schemes"? The 7th
> line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the
> referenced link I found no reference to "NTLM password scheme".
>
> The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
> http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM
> authentication submethods are, tells you what password schemes are, tells you what the NTLM
> client/server handshake is, but doesn't actually tell you how to configure dovecot config
> files.  I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce,
> MITM can't force downgrade" ...  whatever that means.
>
> Anyway, probably it's my lack of understanding terminology.  I don't even know what a "nonce"
> is.  But, I learn well from examples! Can someone please give me a sample 10-auth.conf for NTLM
> and any other supporting settings or configs I need?
>
> My current/working dovecot settings, which have been running perfectly for well over a year
> now, are:
>
> $ dovecot -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>   driver = shadow
> }
> protocols = imap
> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> userdb {
>   driver = passwd
> }
> verbose_ssl = yes
>
>
> Here's what I've tried so far as 10-auth.conf:
>
> disable_plaintext_auth = no
> auth_use_winbind = yes
> info_log_path = /var/log/dovecot_info
> auth_verbose = yes
> auth_debug_passwords = yes
> auth_verbose_passwords= plain
> auth_winbind_helper_path = /usr/bin/ntlm_auth
>
> auth_mechanisms = ntlm plain login
>
> userdb {
>   driver = passwd
>   args = username_format=%n allow_all_users=yes
>
> }
>
>
> Which gives me a dovecot -n of:
>
> $ dovecot -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_mechanisms = ntlm plain login
> auth_use_winbind = yes
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> protocols = imap
> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> userdb {
>   args = username_format=%n allow_all_users=yes
>   driver = passwd
> }
> verbose_ssl = yes
>
>
> I configured Thunderbird for NTLM authentication, then tried sending a message. I got the
> following in /var/log/dovecot_info:
>
> Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6>
>
>
> On Thunderbird I got the error, "Sending of the message failed.  The Outgoing server (SMTP)
> my.server.name does not support the selected authentication method.  Please change the
> 'Authentication method' in 'Account Settings | Outgoing Server (SMTP)'."
>
> Clearly, something is configured wrong, but I've no clue what.
>
> Can I get some advice?
>
> THX --Mark

---
Aki Tuomi

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

Mark Foley-2
In reply to this post by Aki Tuomi-2
Thanks for the reply.  When you say it [NTLM] "should" work, I understand you to be implying
you've not actually tried NTLM yourself, right? I've never gotten a response from someone
saying they have or are actually using it. Your subsequent messages about NTLM v[1|2] may be
the problem, but email clients I've tried (Outlook, Thunderbird) don't really give a choice.

That's OK, I'd be glad to try something different that would work!!! I am trying your advice
for gssapi.  I've followed the instructions at
http://wiki2.dovecot.org/Authentication/Kerberos.  In my 10-auth.conf I changed the
auth_mechanism line to:

auth_mechanisms = plain login gssapi

Which is only different from before with the addition of "gssapi".  That's all I've done.  I'm
using the same userdb as before which is /etc/passwd.  My doveconf -n is:

----------SNIP------------
> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
          driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
          driver = passwd
}
verbose_ssl = yes
------------PINS-------------

I attempted to connect from Thunderbird on Ubuntu 15.10 to Dovecot on a Slackware 14.1 AD/DC. I
selected "Kerberos/GSSAPI" as the authentication method on Tbird. When trying the connection I
got the following in my Dovecot log:

Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 27 00:04:54 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.99, lip=98.102.63.107, session=<Zk1rnzo2IADAqABj>

So, any idea why this is not working? I'll say up-front that I do not have the auth_krb5_keytab
configured in 10-auth.conf. I could find no such file on the host running Dovecot. Is that file
needed? If so, I've got a message in to the Samba4 folks asking where it is located.

I'm also using Dovecot 2.2.15. Too old?

Do you think auth_krb5_keytab is my problem or something deeper?

THX --Mark

-----Original Message-----

> Date: Sun, 26 Jun 2016 14:00:49 +0300 (EEST)
> From: [hidden email]
> To: [hidden email]
> Subject: Re: Looking for NTLM config example
>
> It should work. Although if you are using linux server you might want to use gssapi instead.
>
> > On June 25, 2016 at 7:43 PM Mark Foley <[hidden email]> wrote:
> >
> >
> > I've asked this several times over the past year with essentially zero responses. I'll keep it simple:
> >
> > Does NTLM authentication work in Dovecot?
> >
> > I'll post this one last time. If I still have no responses I'll have to conclude that no one
> > has actually tried this authentication method and it therefore does not work.
> >
> > Thanks, --Mark
> >
>
> ---
> Aki Tuomi

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

Aki Tuomi-2


On 27.06.2016 07:31, Mark Foley wrote:


You need to set up a keytab. I'll assume you know nothing about kerberos,
so please, if you already knew all this, sorry.

For kerberos to work PROPERLY you need to have

1. Functional AD or Kerberos environment
2. Time synced against your KDC (which is your Domain Controller on Windows)
3. /etc/krb5.conf configured
4. Both forward / reverse DNS names correct for clients and servers.
Reverse is only mandatory for servers, but having them right will work
wonders. Most kerberos problems are about DNS problems.
5. You need a keytab. This keytab needs to hold entries like
IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You can generate
these on any Windows DC server (at least).

Only bullet 5 is really about Dovecot, but since this information is usually
rather hard to gather, I'll recap these things here:

2. Time sync

Install ntpd and configure it to use *your* *ad* *server*. (Not some
generic service).

3. /etc/krb5.conf

Here is a *SAMPLE* configuration:

[libdefaults]
        default_realm = YOUR.REALM
        dns_lookup_kdc = true
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true

[realms]
        YOUR.REALM = {
                default_domain = your.domain.name
                auth_to_local_names = {
                        Administrator = root
                }
        }
[domain_realm]
      your.domain.name = YOUR.REALM
# this is not a mistake
      .your.domain.name = YOUR.REALM
[login]
        krb4_convert = true
        krb4_get_tickets = false

Note that some windows environments require additional configuration to
get this working.

4. Forward/reverse DNS.

For your *server* this is an *absolute* must. It has to match for your
clients and your server. So if your server name is mail.example.org, and
it has IP 10.0.2.3, then 10.0.2.3 MUST resolve to mail.example.org. It
will give you strange and convoluted errors otherwise.

5. Keytab

This is a bit tricky to generate, and there are various ways to do this.
You can install samba, join it to your domain and use the samba tools to
generate a keytab. It's not a bad idea, just remember to add the
required SPNs (service principal names) to the machine account. setspn
-q is helpful here, as is the setspn command in general.

You can use either the system keytab file (/etc/krb5.keytab), or you can put
the Dovecot-specific entries (mainly IMAP/something) into a dedicated keytab for
the service. Either way you need to tell Dovecot about it with the
auth_krb5_keytab setting.

You should have at least the following entries in your keytab file. You can
see them with klist -k /path/to/keytab. The KVNO can be different.

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/[hidden email]
   3 host/[hidden email]
   3 host/[hidden email]
   3 host/[hidden email]
   3 host/[hidden email]
   3 IMAP/[hidden email]
   3 host/[hidden email]
   3 host/[hidden email]
   3 host/[hidden email]
   3 host/[hidden email]
   3 host/[hidden email]
   3 IMAP/[hidden email]
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG

This will at least get you somewhere. Kerberos is notoriously hard to
debug, but it usually is about

a) DNS
b) Keytab
c) Mismatch of some name somewhere
d) Encryption type support

Also, note that kerberos can only act as an AUTHENTICATION system. It
cannot act as a USER DATABASE. For that you need to configure LDAP or
something else. With Active Directory, LDAP is probably a damn good idea.

If you want to try something else first, which I recommend for the
server in any case, see if you can get sssd working with Kerberos
and LDAP. Once you have that working, it's not very difficult to
get Dovecot running with it.

----
Aki Tuomi
Dovecot oy
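The checklist above (keytab principals, forward/reverse DNS agreement, and the two [domain_realm] lines) is the kind of thing that is easy to verify with a small script before touching Dovecot at all. The following is an added example written for this page, not code from Aki, Dovecot or Samba. It assumes the host mail.example.org with IP 10.0.2.3 in realm EXAMPLE.ORG (the names Aki uses in his own examples); the klist listing and krb5.conf fragment embedded in it are constructed samples, and live_dns_check is the only function that talks to the real resolver.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot: offline checks for the
# Kerberos prerequisites Aki lists (keytab principals, forward/reverse DNS agreement,
# [domain_realm] mappings). All host names, IPs, realms and listings are constructed.

# Constructed "klist -k" output for a host whose keytab lacks the short-name IMAP entry.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/mail.example.org@EXAMPLE.ORG
   3 host/mail@EXAMPLE.ORG
   3 IMAP/mail.example.org@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG'

# Constructed krb5.conf fragment carrying both [domain_realm] lines (the "not a mistake" pair).
SAMPLE_KRB5_CONF='[libdefaults]
        default_realm = EXAMPLE.ORG
[domain_realm]
      example.org = EXAMPLE.ORG
# this is not a mistake
      .example.org = EXAMPLE.ORG
[login]
        krb4_convert = true'

# required_principals FQDN REALM
# Prints the two service principals the IMAP service needs: IMAP/<fqdn>@REALM
# and IMAP/<short host name>@REALM. Principal names are case-sensitive.
required_principals() {
    fqdn=$1; realm=$2
    short=${fqdn%%.*}
    printf '%s\n' "IMAP/$fqdn@$realm" "IMAP/$short@$realm"
}

# missing_principals FQDN REALM   (klist -k output on stdin)
# Prints each required principal absent from the listing; prints nothing when all are present.
missing_principals() {
    fqdn=$1; realm=$2
    # keep only the principal column of lines that begin with a numeric KVNO
    present=$(awk '$1 ~ /^[0-9]+$/ { print $2 }')
    required_principals "$fqdn" "$realm" | while IFS= read -r p; do
        printf '%s\n' "$present" | grep -Fxq -- "$p" || printf '%s\n' "$p"
    done
}

# dns_consistent FQDN IP FORWARD_IP REVERSE_NAME
# Succeeds when the forward lookup of FQDN gave IP and the reverse lookup of IP gave
# FQDN back (trailing dot and letter case ignored): the agreement Aki calls mandatory.
dns_consistent() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); ip=$2; fwd=$3
    rev=$(printf '%s' "$4" | sed 's/\.$//' | tr 'A-Z' 'a-z')
    [ "$fwd" = "$ip" ] && [ "$rev" = "$fqdn" ]
}

# live_dns_check FQDN IP
# The same test against this host's resolver: getent does the forward and reverse lookups.
live_dns_check() {
    fwd=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    rev=$(getent hosts "$2" | awk 'NR == 1 { print $2 }')
    dns_consistent "$1" "$2" "$fwd" "$rev"
}

# domain_realm_mapped DOMAIN REALM   (krb5.conf on stdin)
# Succeeds when [domain_realm] maps both "DOMAIN" and ".DOMAIN" to REALM; the second
# form is what makes hosts *under* the domain map to the realm.
domain_realm_mapped() {
    domain=$1; realm=$2
    mappings=$(awk '/^\[/ { insect = ($0 == "[domain_realm]"); next }
                    insect && $1 !~ /^#/ && NF >= 3 { print $1 "=" $3 }')
    printf '%s\n' "$mappings" | grep -Fxq -- "$domain=$realm" &&
        printf '%s\n' "$mappings" | grep -Fxq -- ".$domain=$realm"
}

# Stand-alone run over the constructed samples.
missing=$(printf '%s\n' "$SAMPLE_KEYTAB_LISTING" | missing_principals mail.example.org EXAMPLE.ORG)
if [ -n "$missing" ]; then printf 'keytab is missing:\n%s\n' "$missing"; else echo 'keytab: ok'; fi
if printf '%s\n' "$SAMPLE_KRB5_CONF" | domain_realm_mapped example.org EXAMPLE.ORG; then
    echo 'krb5.conf [domain_realm]: ok'
else
    echo 'krb5.conf [domain_realm]: incomplete'
fi
if dns_consistent mail.example.org 10.0.2.3 10.0.2.3 mail.example.org.; then
    echo 'dns: forward and reverse agree'
fi
```

On a real server you would feed it the live data instead of the samples: `klist -k /etc/krb5.keytab | missing_principals "$(hostname -f)" EXAMPLE.ORG`, `domain_realm_mapped example.org EXAMPLE.ORG < /etc/krb5.conf`, and `live_dns_check "$(hostname -f)" 10.0.2.3`. Anything the script reports is worth fixing before reading Dovecot's auth log, since a missing IMAP/ principal or a reverse record that disagrees with the forward one produces exactly the "strange and convoluted" GSSAPI failures described above.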

Re: Looking for NTLM config example

Mark Foley-2
In reply to this post by Aki Tuomi-2
While continuing to test gssapi, I thought I'd check out your suggestion on NTLM v1. I did set
Thunderbird to NTLM v1 and modified the Dovecot config:

auth_debug_passwords = yes
auth_mechanisms = plain login ntlm
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
  args = username_format=%n allow_all_users=yes
  driver = passwd
}
verbose_ssl = yes

No joy. My dovecot log:

Jun 27 02:34:50 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 27 02:34:50 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 27 02:34:58 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 27 02:34:58 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 26 secs): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=<mNEutzw28QDAqAA2>
Jun 27 02:34:58 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 8 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<WugeuDw2AADAqAA6>
Jun 27 02:34:58 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 27 02:34:58 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges

This looks quite similar to the output I got with the gssapi test. It seems there is nothing I
can do to get AD authentication working with Dovecot. Do you (or anyone) have any ideas?

What does "disconnected before auth was ready" mean?

Has anyone on Planet Earth actually used either NTLM or GSSAPI successfully with Dovecot?
Please speak up! Let me know you exist!

--Mark

-----Original Message-----

> Date: Sun, 26 Jun 2016 15:08:03 +0300 (EEST)
> From: [hidden email]
> To: [hidden email], Mark Foley <[hidden email]>
> Subject: Re: Looking for NTLM config example
>
> Also it seems we lack support for NTLMv2. If you want to use NTLM you need to permit use of NTLM(v1), which is usually not enabled by default.
>
> Aki
>
> > On June 25, 2016 at 7:43 PM Mark Foley <[hidden email]> wrote:
> >
> >
> > I've asked this several times over the past year with essentially zero responses. I'll keep it simple:
> >
> > Does NTLM authentication work in Dovecot?
> >
> > I'll post this one last time. If I still have no responses I'll have to conclude that no one
> > has actually tried this authentication method and it therefore does not work.
> >
> > Thanks, --Mark
> >
> > -----Original Message-----
> > From: Mark Foley <[hidden email]>
> > Date: Fri, 22 Apr 2016 02:07:24 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: [hidden email]
> > Subject: Looking for NTLM config example
> >
> > > Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take
> > > another run at setting up NTLM authentication from Thunderbird to my Samba4 AC/DC.
> > >
> > > With the help of the samba maillist folks I was able to set up NTLM authentication for domain
> > > user login.  I should be able to do the same for email!
> > >
> > > But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got
> > > lost immediately. Are "authenticaion submethods" synonymous with "password schemes"? The 7th
> > > line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the
> > > referenced link I found no reference to "NTLM password scheme".
> > >
> > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
> > > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM
> > > authentication submethods are, tells you what password schemes are, tells you what the NTLM
> > > client/server handshake is, but doesn't actually tell you how to configure dovecot config
> > > files.  I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce,
> > > MITM can't force downgrade" ...  whatever that means.
> > >
> > > Anyway, probably it's my lack of understanding terminology.  I don't even know what a "nonce"
> > > is.  But, I learn well from examples! Can somone please give me a sample 10-auth.conf for NTML
> > > and any other supporting settings or configs I need?
> > >
> > > My current/working dovecot settings, which have been running perfectly for well over a year
> > > now, are:
> > >
> > > $ dovecot -n
> > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > auth_debug_passwords = yes
> > > auth_mechanisms = plain login
> > > auth_verbose = yes
> > > auth_verbose_passwords = plain
> > > disable_plaintext_auth = no
> > > info_log_path = /var/log/dovecot_info
> > > mail_location = maildir:~/Maildir
> > > passdb {
> > >   driver = shadow
> > > }
> > > protocols = imap
> > > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > > userdb {
> > >   driver = passwd
> > > }
> > > verbose_ssl = yes
> > >
> > >
> > > Here's what I've tried so far as 10-auth.conf:
> > >
> > > disable_plaintext_auth = no
> > > auth_use_winbind = yes
> > > info_log_path = /var/log/dovecot_info
> > > auth_verbose = yes
> > > auth_debug_passwords = yes
> > > auth_verbose_passwords= plain
> > > auth_winbind_helper_path = /usr/bin/ntlm_auth
> > >
> > > auth_mechanisms = ntlm plain login
> > >
> > > userdb {
> > >   driver = passwd
> > >   args = username_format=%n allow_all_users=yes
> > >
> > > }
> > >
> > >
> > > Which gives me a dovecot -n of:
> > >
> > > $ dovecot -n
> > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > auth_debug_passwords = yes
> > > auth_mechanisms = ntlm plain login
> > > auth_use_winbind = yes
> > > auth_verbose = yes
> > > auth_verbose_passwords = plain
> > > disable_plaintext_auth = no
> > > info_log_path = /var/log/dovecot_info
> > > mail_location = maildir:~/Maildir
> > > protocols = imap
> > > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > > userdb {
> > >   args = username_format=%n allow_all_users=yes
> > >   driver = passwd
> > > }
> > > verbose_ssl = yes
> > >
> > >
> > > I configured Thunderbird for NTLM authentication, then tried sending a message, I got the
> > > following in /var/log/dovecot_info:
> > >
> > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > > Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > > Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6>
> > >
> > >
> > > On Thunderbird I got the error, "Sending of the message failed.  The Outgoing server (SMTP)
> > > my.server.name does not support the selected authentication method.  Please change the
> > > 'Authentication method' in 'Account Settings | Outgoing Server (SMTP)'."
> > >
> > > Clearly, something is configured wrong, but I've no clue what.
> > >
> > > Can I get some advice?
> > >
> > > THX --Mark
>
> ---
> Aki Tuomi
Re: Looking for GSSAPI config [was: Looking for NTLM config example]

Mark Foley-2
In reply to this post by Aki Tuomi-2
Aki, again, thanks A LOT for your reply. Concerning your checklist:

> 1. Functional AD or Kerberos environment

Check!

> 2. Time synced against your KDC (which is your Domain Controller on Windows)

Check! (needed for AD/DC anyway)

> 3. /etc/krb5.conf configured

NO

> 4. Both forward / reverse DNS names correct for clients and servers.

> Reverse is only mandatory for servers, but having them right will work
> wonders. Most kerberos problems are about DNS problems.

Check!

> 5. You need a keytab. This keytab needs to hold entries like
> IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You can generate
> these on any Windows DC server (at least).

NO

So, I'm apparently lacking in the kerberos stuff. Here's the problem -- Samba4 uses Heimdal
Kerberos and when I provisioned my domain apparently none of these needed kerberos files were
set up. I can, however, kerberos authenticate from domain workstations both WIN7 and Linux.

I will (and have already) contacted the Samba list to see what needs to be done.

I'll post back what I find.

Maybe I can finally get to the bottom of this problem.

Thanks again -- Mark

-----Original Message----

> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: [hidden email]
> From: Aki Tuomi <[hidden email]>
> Organization: Dovecot Oy
> Date: Mon, 27 Jun 2016 09:18:54 +0300
>
> On 27.06.2016 07:31, Mark Foley wrote:
> > Thanks for the reply.  When you say it [NTLM] "should" work, I understand you to be implying
> > you've not actually tried NTLM yourself, right? I've never gotten a response from someone
> > saying they have or are actually using it. Your subsequent messages about NTLM v[1|2] may be
> > the problem, but email clients I've tried (Outlook, Thunderbird) don't really give a choice.
> >
> > That's OK, I'd be glad to try something different that would work!!! I am trying your advice
> > for gssapi.  I've followed the instructions at
> > http://wiki2.dovecot.org/Authentication/Kerberos.  In my 10-auth.conf I changed the
> > auth_mechanism line to:
> >
> > auth_mechanisms = plain login gssapi
> >
> > Which is only different from before with the addition of "gssapi".  That's all I've done.  I'm
> > using the same userdb as before which is /etc/passwd.  My doveconf -n is:
> >
> > ----------SNIP------------
> >> doveconf -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = plain login gssapi
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > passdb {
> >  driver = shadow
> > }
> > protocols = imap
> > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> > userdb {
> >  driver = passwd
> > }
> > verbose_ssl = yes
> > ------------PINS-------------
> >
> > I attempted to connect from Thunderbird on Ubuntu 15.10 to Dovecot on a Slackware 14.1 AD/DC. I
> > selected "Kerberos/GSSAPI" as the authentication method on Tbird. When trying the connection I
> > got the following in my Dovecot log:
> >
> > Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > Jun 27 00:04:54 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.99, lip=98.102.63.107, session=<Zk1rnzo2IADAqABj>
> >
> > So, any idea why this is not working? I'll say up-front that I do not have the auth_krb5_keytab
> > configured in 10-auth.conf. I could find no such file on the host running Dovecot. Is that file
> > needed? If so, I've got a message in to the Samba4 folks asking where it is located.
> >
> > I'm also using Dovecot 2.2.15. Too old?
> >
> > Do you think auth_krb5_keytab is my problem or something deeper?
> >
> > THX --Mark
> >
>
> You need to set up keytab. I'll assume you know nothing about kerberos,
> so please if you already knew all this, sorry.
>
> For kerberos to work PROPERLY you need to have
>
> 1. Functional AD or Kerberos environment
> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> 3. /etc/krb5.conf configured
> 4. Both forward / reverse DNS names correct for clients and servers.
> Reverse is only mandatory for servers, but having them right will work
> wonders. Most kerberos problems are about DNS problems.
> 5. You need a keytab. This keytab needs to hold entries like
> IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You can generate
> these on any Windows DC server (at least).
>
> Only bullet 5. is about Dovecot really, but since this is usually rather
> hard to gather information, I'll recap these things here:
>
> 2. Time sync
>
> Install ntpd and configure it to use *your* *ad* *server*. (Not some
> generic service).
>
> 3. /etc/krb5.conf
>
> Here is a *SAMPLE* configuration:
>
> [libdefaults]
>         default_realm = YOUR.REALM
>         dns_lookup_kdc = true
>         krb4_config = /etc/krb.conf
>         krb4_realms = /etc/krb.realms
>         kdc_timesync = 1
>         ccache_type = 4
>         forwardable = true
>         proxiable = true
>         fcc-mit-ticketflags = true
>
> [realms]
>         YOUR.REALM = {
>                 default_domain = your.domain.name
>                 auth_to_local_names = {
>                         Administrator = root
>                 }
>         }
> [domain_realm]
>       your.domain.name = YOUR.REALM
> # this is not a mistake
>       .your.domain.name = YOUR.REALM
> [login]
>         krb4_convert = true
>         krb4_get_tickets = false
>
> Note that some windows environments require additional configuration to
> get this working.
>
> 4. Forward/reverse DNS.
>
> For your *server* this is *absolutely* a must. It has to match for your
> clients and your server. So if your server name is mail.example.org, and
> it has IP 10.0.2.3, then 10.0.2.3 MUST resolve to mail.example.org. It
> will give you strange and convoluted errors otherwise.
>
> 5. Keytab
>
> This is a bit tricky to generate, and there are various ways to do this.
> You can install samba, join it to your domain and use the samba tools to
> generate a keytab. It's not a bad idea, just remember to add the
> required spn's (service principal names) to the machine account. setspn
> -q is helpful here, also setspn command in general.
>
> You can use either system keytab file (/etc/krb5.keytab), or you can put
> the dovecot specific (mainly IMAP/something) into dedicated keytab for
> the service. Either way you need to tell dovecot about it with
> auth_krb5_keytab setting.
>
> You should have at least following entries in your keytab file. You can
> see them with klist -k /path/to/keytab. The KVNO can be different.
>
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 host/[hidden email]
>    3 host/[hidden email]
>    3 host/[hidden email]
>    3 host/[hidden email]
>    3 host/[hidden email]
>    3 IMAP/[hidden email]
>    3 host/[hidden email]
>    3 host/[hidden email]
>    3 host/[hidden email]
>    3 host/[hidden email]
>    3 host/[hidden email]
>    3 IMAP/[hidden email]
>    3 MAIL$@EXAMPLE.ORG
>    3 MAIL$@EXAMPLE.ORG
>    3 MAIL$@EXAMPLE.ORG
>    3 MAIL$@EXAMPLE.ORG
>    3 MAIL$@EXAMPLE.ORG
>
> This will at least get you somewhere. Kerberos is notoriously hard to
> debug, but it usually is about
>
> a) DNS
> b) Keytab
> c) Mismatch of some name somewhere
> d) Encryption type support
>
> Also, note that kerberos can only act as AUTHENTICATION system. It
> cannot act as USER DATABASE. For that you need to configure LDAP or
> something else. With Active Directory LDAP is probably a damn good idea.
>
> If you want to try something else first, which I recommend for the
> server in any case, see if you can get sssd working with Kerberos
> and LDAP. If you get that working, it's not very difficult anymore to
> get Dovecot running with it.
>
> ----
> Aki Tuomi
> Dovecot oy
Re: Looking for NTLM config example

Tom Talpey-3
In reply to this post by Mark Foley-2
On 6/27/2016 2:45 AM, Mark Foley wrote:
> While continuing to test gssapi, I thought I check out your suggestion on NTLM v1. I did set
> Thunderbird to NTLM v1 ...

You are aware, I hope, that NTLM v1 is well over 20 years old and
is trivially compromised today. Basically, it's about as secure as
sending plaintext passwords. Since you're supporting SSL on your
Dovecot server, why not require it, and not bother with NTLM auth?
Re: Looking for NTLM config example

Gregory Sloop


TT> On 6/27/2016 2:45 AM, Mark Foley wrote:
>> While continuing to test gssapi, I thought I check out your suggestion on NTLM v1. I did set
>> Thunderbird to NTLM v1 ...

TT> You are aware, I hope, that NTLM v1 is well over 20 years old and
TT> is trivially compromised today. Basically, it's about as secure as
TT> sending plaintext passwords. Since you're supporting SSL on your
TT> Dovecot server, why not require it, and not bother with NTLM auth?

I can't speak for the OP, but I suspect he'd like to use SSO for dovecot, utilizing the same credentials as are in their Samba AD infrastructure. [Thus, have Dovecot submit authentications for dovecot to the AD domain and get an ack/nak on success.] So, he's not eager to use NTLMv1, but isn't getting much love in how to set up proxy auth against AD. [I suspect asking on the Samba list isn't a bad idea, but I'm surprised he hasn't gotten some good pointers here. There really ought to be a FAQ or white-paper on it, and I'm dismayed there isn't.]

-Greg
Re: Looking for NTLM config example

Aki Tuomi-2

> On June 27, 2016 at 8:50 PM Gregory Sloop <[hidden email]> wrote:
>
>
>
>
> TT> On 6/27/2016 2:45 AM, Mark Foley wrote:
> >> While continuing to test gssapi, I thought I check out your suggestion on NTLM v1. I did set
> >> Thunderbird to NTLM v1 ...
>
> TT> You are aware, I hope, that NTLM v1 is well over 20 years old and
> TT> is trivially compromised today. Basically, it's about as secure as
> TT> sending plaintext passwords. Since you're supporting SSL on your
> TT> Dovecot server, why not require it, and not bother with NTLM auth?
>
> I can't speak for the OP, but I suspect he'd like to use SSO for dovecot, utilizing the same credentials as are in their Samba AD infrastructure. [Thus, have Dovecot submit authentications for dovecot to the AD domain and get an ack/nak on success.] So, he's not eager to use NTLMv1, but isn't getting much love in how to set up proxy auth against AD. [I suspect asking on the Samba list isn't a bad idea, but I'm surprised he hasn't gotten some good pointers here. There really ought to be a FAQ or white-paper on it, and I'm dismayed there isn't.]
>
> -Greg

It's not a very used feature, as most with AD are probably using Exchange. I'll have a look at the NTLM authentication and see if we can improve its documentation.

---
Aki Tuomi
Dovecot oy
Re: Looking for GSSAPI config [was: Looking for NTLM config example]

Jan Jurkus
In reply to this post by Mark Foley-2
Hi,

On 27-06-2016 08:58, Mark Foley wrote:

> So, I'm apparently lacking in the kerberos stuff. Here's the problem -- Samba4 uses Heimdal
> Kerberos and when I provisioned my domain apparently none of these needed kerberos files were
> set up. I can, however, kerberos authenticate from domain workstations both WIN7 and Linux.

You don't need any Samba4 stuff, to get it working. Samba is great, but
can be hard to get right. I tend to steer clear of Samba when I don't
really need it.

My first experience was with an OTRS helpdesk install, and trying to get
it to do SSO. I was helped a great deal by wireshark, and this website:
http://www.grolmsnet.de/kerbtut/

On a sidenote: mod_auth_kerb is rather ancient, in computer-terms. You'd
be better off with mod_auth_gssapi.
In the case of Dovecot we are not using Apache, of course.

With Dovecot I got the SSO working with Kerberos, and this part is
working great. Other parts (shared mailboxes, that sort of stuff) aren't
working for me yet. This is my own fault, not a dovecot one, haven't
looked into it enough. Anyway, the SSO is working great.

One of the tricky bits is you need a kerberos keytab with two services.
I used ktutil:
# ktutil
   ktutil: read_kt mail-imap.keytab
   ktutil: read_kt mail-smtp.keytab
   ktutil: write_kt mail.keytab
   ktutil: quit

I'm using a Windows 2003 R2 server as domain controller; to create a
keytab file you need the Windows 2003 support tools.

ktpass.exe -princ imap/[hidden email]
-mapuser GCECAD-SERVICE\mail-imap -crypto RC4-HMAC-NT -pass koeltje234
-ptype KRB5_NT_PRINCIPAL -out mail-imap.keytab

ktpass.exe -princ smtp/[hidden email]
-mapuser GCECAD-SERVICE\mail-smtp -crypto RC4-HMAC-NT -pass koeltje234
-ptype KRB5_NT_PRINCIPAL -out mail-smtp.keytab

Most instructions on the internet do not quite work out that well.
RC4-HMAC-NT crypto is needed if you still have Windows XP machines. It
should work with a newer crypto but have not tested that.
FYI: Kerberos service names (imap, smtp) are sometimes capitalised,
mostly when using HTTP. Great, isn't it?

On the dovecot server I had to install a kerberos package:
# yum install krb5-workstation
(I am using CentOS7, but it should not be too hard to translate this to
your own distro)

My kerberos configuration:
# vi /etc/krb5.conf
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
  rdns = false
  default_realm = GCECAD-SERVICE.LOCAL
  default_keytab_file = /etc/krb5.keytab
  default_ccache_name = KEYRING:persistent:%{uid}
  allow_weak_crypto = true
  default_tkt_enctypes = arcfour-hmac-md5
  default_tgs_enctypes = arcfour-hmac-md5
  permitted_enctypes = arcfour-hmac-md5

[appdefaults]
  pam = {
   debug = false
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
   krb4_convert = false
  }

[realms]
  GCECAD-SERVICE.LOCAL = {
   kdc = this.is.the.dns.name.of.your.kdc
   admin_server = this.is.the.dns.name.of.your.kdc
  }

[domain_realm]
  .gcecad-service.local = GCECAD-SERVICE.LOCAL
  gcecad-service.local = GCECAD-SERVICE.LOCAL
  .gcecad-service.nl = GCECAD-SERVICE.LOCAL
  gcecad-service.nl = GCECAD-SERVICE.LOCAL


Dovecot config, the needed parts:
In /etc/dovecot/conf.d/10-auth.conf :
auth_krb5_keytab = /etc/dovecot/mail.keytab
auth_mechanisms = plain gssapi

In /etc/dovecot/conf.d/auth-system.conf.ext :
passdb {
   driver = pam
}
userdb {
   driver = static
   args = uid=2000 gid=2000 home=/var/vmail/%Ln allow_all_users=yes
}

In /etc/pam.d/dovecot :
#%PAM-1.0
auth       sufficient   pam_krb5.so no_user_check validate
account    sufficient   pam_permit.so

I'm not entirely happy with the static userdb, because of the
limitations with kerberos/pam, but this can of course be changed rather
easily. The hardest part is to get the SSO working.
One of the limitations is stated here:
http://wiki.dovecot.org/UserDatabase/Static

Postfix SMTP auth is using LMTP, reading from my notes.

I hope you can get a clearer picture with this rather long and chaotic
reply.

--
Jan Jurkus | ICT Beheerder | GCE cad-service B.V.
Postbus 12, 3220 AA Hellevoetsluis
Daltonweg 9, 3225 LR Hellevoetsluis
tel: 0181-336955 | fax: 0181-311899
[hidden email] | www.gcecad-service.nl
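Aki's five-point checklist and Jan's keytab notes above (one principal per service, case-sensitive `imap/` versus `IMAP/`, RC4 kept only for old clients) can be turned into a preflight check that runs before touching Dovecot at all. The script below is an added example written for this thread, not code from Dovecot, Samba or either poster: it parses a krb5.conf and the output of `klist -k`, verifies the realm, `[domain_realm]` and keytab contents, and flags weak-crypto settings; the realm, hostnames and keytab listing embedded in it are constructed sample values, and `check_reverse_dns` accepts an injected resolver so the checks run offline.

```python
import re
import socket


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value}}; a `NAME = { ... }`
    block (as used under [realms] and [appdefaults]) becomes a nested dict."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        m = re.match(r'^\[(\S+)\]$', line)
        if m:                                         # new [section]
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            continue                                  # text before any section
        if line == '}':
            if len(stack) > 1:
                stack.pop()
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)
        if m:                                         # open a nested block
            stack.append(stack[-1].setdefault(m.group(1), {}))
            continue
        m = re.match(r'^(\S+)\s*=\s*(.*)$', line)
        if m:
            stack[-1][m.group(1)] = m.group(2).strip()
    return conf


def parse_klist(text):
    """Return the principals listed by `klist -k <keytab>` as a set."""
    return {m.group(2) for line in text.splitlines()
            for m in [re.match(r'^\s*(\d+)\s+(\S+)$', line)] if m}


def check_setup(krb5_text, klist_text, fqdn, services=('imap', 'smtp')):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    conf = parse_krb5_conf(krb5_text)
    libdefaults = conf.get('libdefaults', {})
    realm = libdefaults.get('default_realm')
    if not realm:
        return ['[libdefaults] has no default_realm']
    if realm != realm.upper():
        findings.append(f'default_realm {realm!r} is not upper case')
    # Point 3: the KDC must be reachable, via an explicit kdc entry or SRV lookup.
    realm_block = conf.get('realms', {}).get(realm, {})
    if 'kdc' not in realm_block and libdefaults.get('dns_lookup_kdc', '').lower() == 'false':
        findings.append(f'no kdc configured for {realm} and dns_lookup_kdc = false')
    # The host's DNS domain must map to the realm in [domain_realm].
    domain = fqdn.split('.', 1)[1]
    domain_realm = conf.get('domain_realm', {})
    if realm not in (domain_realm.get(domain), domain_realm.get('.' + domain)):
        findings.append(f'[domain_realm] does not map {domain} to {realm}')
    # Weak-crypto settings that older how-tos recommend for Windows XP clients.
    if libdefaults.get('allow_weak_crypto', '').lower() == 'true':
        findings.append('allow_weak_crypto = true re-enables deprecated enctypes')
    enctypes = libdefaults.get('permitted_enctypes', '').split()
    if enctypes and all(('arcfour' in e or 'rc4' in e) for e in enctypes):
        findings.append('permitted_enctypes allows only RC4; add AES enctypes')
    # Point 5 and Jan's note: one principal per service, names are case-sensitive.
    principals = parse_klist(klist_text)
    by_lower = {p.lower(): p for p in principals}
    for svc in services:
        want = f'{svc}/{fqdn}@{realm}'
        if want in principals:
            continue
        if want.lower() in by_lower:
            findings.append(f'{want} only present as {by_lower[want.lower()]} (case mismatch)')
        else:
            findings.append(f'keytab lacks {want}')
    return findings


def check_reverse_dns(fqdn, ip, reverse_lookup=None):
    """Point 4: the server IP must resolve back to its FQDN. `reverse_lookup(ip)`
    can be injected for testing; the default asks the system resolver."""
    if reverse_lookup is None:
        reverse_lookup = lambda addr: socket.gethostbyaddr(addr)[0]
    try:
        name = reverse_lookup(ip)
    except OSError as exc:
        return f'no PTR record for {ip}: {exc}'
    if name.lower() != fqdn.lower():
        return f'{ip} resolves to {name}, not {fqdn}'
    return None


# Constructed sample inputs (not taken from any real host).
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = EXAMPLE.ORG
        dns_lookup_kdc = true
[realms]
        EXAMPLE.ORG = {
                default_domain = example.org
        }
[domain_realm]
        example.org = EXAMPLE.ORG
# this is not a mistake
        .example.org = EXAMPLE.ORG
"""
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/dovecot/mail.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/mail.example.org@EXAMPLE.ORG
   3 imap/mail.example.org@EXAMPLE.ORG
   3 SMTP/mail.example.org@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
"""

if __name__ == '__main__':
    for finding in check_setup(SAMPLE_KRB5_CONF, SAMPLE_KLIST, 'mail.example.org'):
        print('FINDING:', finding)
```

On a real server, feed `check_setup` the contents of `/etc/krb5.conf` and the captured output of `klist -k /path/to/keytab` (the file named in `auth_krb5_keytab`). The sample keytab deliberately carries `SMTP/` in upper case, so the run reports a case mismatch for `smtp/`; pass `services=('IMAP', 'SMTP')` instead if that is the spelling your clients request, since the check only tells you the two disagree, not which one is right for your environment.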
Re: Looking for GSSAPI config [was: Looking for NTLM config example]

Aki Tuomi-2

> On June 28, 2016 at 12:02 AM Jan Jurkus <[hidden email]> wrote:
>
>
> Hi,
>
> I'm not entirely happy with the static userdb, because of the
> limitations with kerberos/pam, but this can of course be changed rather
> easily. The hardest part is to get the SSO working.
> One of the limitations is stated here:
> http://wiki.dovecot.org/UserDatabase/Static
>
> Postfix SMTP auth is using LMTP, reading from my notes.
>
> I hope you can get a clearer picture with this rather long and chaotic
> reply.
>

As mentioned before, you can use ldap as userdb instead of static userdb. Username matching in an AD environment should be done against the userPrincipalName attribute.

This should let you get rid of pam as well.

---
Aki Tuomi
Dovecot oy

> --
> Jan Jurkus | ICT Beheerder | GCE cad-service B.V.
> Postbus 12, 3220 AA Hellevoetsluis
> Daltonweg 9, 3225 LR Hellevoetsluis
> tel: 0181-336955 | fax: 0181-311899
> [hidden email] | www.gcecad-service.nl
Re: Looking for GSSAPI config [was: Looking for NTLM config example]

Mark Foley-2
In reply to this post by Jan Jurkus
Jan, thanks for your helpful reply. You wrote:

> With Dovecot I got the SSO working with Kerberos, and this part is
> working great. Other parts (shared mailboxes, that sort of stuff) aren't
> working for me yet. ...

I'm the opposite. My mailbox setup has been working great for a year and a half, though I've
not bothered with shared mailboxes yet.

I've attempted to follow your instructions, but I'm still having problems. First, my errors:

Jun 28 01:04:49 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 01:04:49 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 01:04:49 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 28 01:04:49 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 28 01:04:49 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<Zg2Nk082LgDAqAA6>

Now, your instructions:

> One of the tricky bits is you need a kerberos keytab with two services.
> I used ktutil:
> # ktutil
>    ktutil: read_kt mail-imap.keytab
>    ktutil: read_kt mail-smtp.keytab
>    ktutil: write_kt mail.keytab
>    ktutil: quit
>
> I'm using a Windows 2003 R2 server as domain controller; to create a
> keytab file you need the Windows 2003 support tools.
>
> ktpass.exe -princ imap/[hidden email]
> -mapuser GCECAD-SERVICE\mail-imap -crypto RC4-HMAC-NT -pass koeltje234
> -ptype KRB5_NT_PRINCIPAL -out mail-imap.keytab
>
> ktpass.exe -princ smtp/[hidden email]
> -mapuser GCECAD-SERVICE\mail-smtp -crypto RC4-HMAC-NT -pass koeltje234
> -ptype KRB5_NT_PRINCIPAL -out mail-smtp.keytab

I ran ktutil, but the commands "read_kt mail-imap.keytab" and "read_kt mail-smtp.keytab"
returned: No such file or directory while reading keytab "mail-imap.keytab"

Perhaps your subsequent ktpass commands are meant to create those. I do not have a ktpass
command. I therefore do not have these files. I suppose that could be part of my problem. Can
you share the actual contents of these files? I could create them by hand. Does Dovecot and/or
kerberos know where to look for these?

> On the dovecot server I had to install a kerberos package:

Likewise, I installed kerberos for slackware. It tested OK. I was able to do a kinit and klist
per the instruction at https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

> My kerberos configuration:
> # vi /etc/krb5.conf
> [logging]
>   default = FILE:/var/log/krb5libs.log
>   kdc = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log

I added the [logging] section.  Of note, these log files do not exist after multiple attempts
with my gssapi connection.  Probably a bad sign.

> [libdefaults]
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   ticket_lifetime = 24h
>   renew_lifetime = 7d
>   forwardable = true
>   rdns = false
>   default_realm = GCECAD-SERVICE.LOCAL
>   default_keytab_file = /etc/krb5.keytab
>   default_ccache_name = KEYRING:persistent:%{uid}
>   allow_weak_crypto = true
>   default_tkt_enctypes = arcfour-hmac-md5
>   default_tgs_enctypes = arcfour-hmac-md5
>   permitted_enctypes = arcfour-hmac-md5
 
I added all these as well, changing your GCECAD-SERVICE.LOCAL to my HPRS.LOCAL

> [appdefaults]
>   pam = {
>    debug = false
>    ticket_lifetime = 24h
>    renew_lifetime = 7d
>    forwardable = true
>    krb4_convert = false
>   }

I also added this [appdefaults] section.

>
> [realms]
>   GCECAD-SERVICE.LOCAL = {
>    kdc = this.is.the.dns.name.of.your.kdc
>    admin_server = this.is.the.dns.name.of.your.kdc
>   }

I tried with and without this section. Not sure what this.is.the.dns.name.of.your.kdc is
supposed to be. I changed mine to the domain FQDN of the server:

[realms]
  HPRS.LOCAL = {
    kdc = mail.hprs.local
    admin_server = mail.hprs.local
  }

>
> [domain_realm]
>   .gcecad-service.local = GCECAD-SERVICE.LOCAL
>   gcecad-service.local = GCECAD-SERVICE.LOCAL
>   .gcecad-service.nl = GCECAD-SERVICE.LOCAL
>   gcecad-service.nl = GCECAD-SERVICE.LOCAL
>

I also tried with and without this section. Again, not sure what should go there. I tried:

[domain_realm]
  .hprs.local = HPRS.LOCAL
  hprs.local = HPRS.LOCAL
  .hprs.nl = HPRS.LOCAL
  hprs.nl = HPRS.LOCAL

I'm a bit skeptical on the above, as .nl is your public top level domain.

In fact, after adding these sections I got no error logged in dovecot_log, but did get a
message pop up on Thunderbird saying, "Could not connect to mail server [hidden email]; the
connection was refused."

> Dovecot config, the needed parts:
> In /etc/dovecot/conf.d/10-auth.conf :
> auth_krb5_keytab = /etc/dovecot/mail.keytab
> auth_mechanisms = plain gssapi

I added those.

> In /etc/dovecot/conf.d/auth-system.conf.ext :
> passdb {
>    driver = pam
> }
> userdb {
>    driver = static
>    args = uid=2000 gid=2000 home=/var/vmail/%Ln allow_all_users=yes
> }

I used my same userdb and passdb settings (although I understand that passdb is not used by gssapi?)

passdb {
  driver = shadow
}
userdb {
  driver = passwd
}

> In /etc/pam.d/dovecot :
> #%PAM-1.0
> auth       sufficient   pam_krb5.so no_user_check validate
> account    sufficient   pam_permit.so

The /etc/pam.d directory did not exist so I created it and added the dovecot file as shown.
The permissions are a+r.

So, no go so far, but I am encouraged that you have it working. Perhaps you can point out what
I might be missing or have otherwise done wrong?

THX --Mark
Re: Looking for GSSAPI config [was: Looking for NTLM config example]

Mark Foley-2
In reply to this post by Aki Tuomi-2
[hidden email] wrote:

> As mentioned before, you can use ldap as userdb instead of static userdb. Username matching in an AD environment should be done against the userPrincipalName attribute.

Do you see any problem with my continuing to use:

userdb {
    driver = passwd
}

... with gssapi? (providing I get other configs correct)

--Mark

-----Original Message-----

> Date: Tue, 28 Jun 2016 00:19:45 +0300 (EEST)
> From: [hidden email]
> To: [hidden email]
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> > On June 28, 2016 at 12:02 AM Jan Jurkus <[hidden email]> wrote:
> >
> >
> > Hi,
> >
> > I'm not entirely happy with the static userdb, because of the
> > limitations with kerberos/pam, but this can of course be changed rather
> > easily. The hardest part is to get the SSO working.
> > One of the limitations is stated here:
> > http://wiki.dovecot.org/UserDatabase/Static
> >
> > Postfix SMTP auth is using LMTP, reading from my notes.
> >
> > I hope you can get a clearer picture with this rather long and chaotic
> > reply.
> >
>
> As mentioned before, you can use ldap as userdb instead of static userdb. Username matching in AD environment should be done against userPrincipalName attribute.
>
> This should let you get rid of pam as well.
>
> ---
> Aki Tuomi
> Dovecot oy
>
> > --
> > Jan Jurkus | ICT Beheerder | GCE cad-service B.V.
> > Postbus 12, 3220 AA Hellevoetsluis
> > Daltonweg 9, 3225 LR Hellevoetsluis
> > tel: 0181-336955 | fax: 0181-311899
> > [hidden email] | www.gcecad-service.nl

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

Mark Foley-2
In reply to this post by Aki Tuomi-2
Aki,

To review your 5 points:

On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <[hidden email]> wrote:

> 1. Functional AD or Kerberos environment
> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> 3. /etc/krb5.conf configured
> 4. Both forward / reverse DNS names correct for clients and servers.
> Reverse is only mandatory for servers, but having them right will work
> wonders. Most kerberos problems are about DNS problems.
> 5. You need a keytab. This keytab needs to hold entries like
> IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You can generate
> these on any Windows DC server (at least).

I believe I am good on 1,2 and 4.  I downloaded and installed kerberos and tested it with kinit
and klist according to the instructions at
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

As to the keytab (#5) I did the following:

$ samba-tool domain exportkeytab /etc/krb5.keytab

which created the file.  I made this owned and readable by group dovecot, per instructions at
http://wiki2.dovecot.org/Authentication/Kerberos.  Running `klist -k /etc/krb5.keytab` shows me
configuration listing all the users and computers in the domain, mostly in triplicate.  A
partial list:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 [hidden email]
   1 [hidden email]
   1 [hidden email]

where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing,
but am assuming it is OK.

> setspn -q is helpful here, also setspn command in general.

I have no such command in my system. Is that a Windows thing?


As to the /etc/krb5.conf, the default one generated by samba is:

[libdefaults]
        default_realm = HPRS.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

I'd like to modify that to your suggestions, but I need more help. You have (with my questions):

> Here is a *SAMPLE* configuration:
>
> [libdefaults]
>         default_realm = YOUR.REALM
>         dns_lookup_kdc = true
>         krb4_config = /etc/krb.conf
>         krb4_realms = /etc/krb.realms

Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:

        krb5_config = /etc/krb5.conf

Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?

>         kdc_timesync = 1
>         ccache_type = 4
>         forwardable = true
>         proxiable = true
>         fcc-mit-ticketflags = true
>
> [realms]
>         YOUR.REALM = {
>                 default_domain = your.domain.name
>                 auth_to_local_names = {
>                         Administrator = root
>                 }
>         }

I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD
server: mail.hprs.local, or is it just hprs.local? (or something else!)

> [domain_realm]
>       your.domain.name = YOUR.REALM
> # this is not a mistake
>       .your.domain.name = YOUR.REALM
> [login]
>         krb4_convert = true
>         krb4_get_tickets = false

Likewise here a question on the whole krb4 versus krb5 thing.

Your closing comment:

> Also, note that kerberos can only act as AUTHENTICATION system. It
> cannot act as USER DATABASE. For that you need to configure LDAP or
> something else. With Active Directory LDAP is probably a damn good idea.

I have the following doveconf -n:

# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
  driver = passwd
}
verbose_ssl = yes

I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in
any case I still have all but this test workstation NOT using gssapi, so I still need to
accommodate them.

Thanks, --Mark

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

Aki Tuomi-2


On 28.06.2016 09:27, Mark Foley wrote:

> Aki,
>
> To review your 5 points:
>
> On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <[hidden email]> wrote:
>
>> 1. Functional AD or Kerberos environment
>> 2. Time synced against your KDC (which is your Domain Controller on Windows)
>> 3. /etc/krb5.conf configured
>> 4. Both forward / reverse DNS names correct for clients and servers.
>> Reverse is only mandatory for servers, but having them right will work
>> wonders. Most kerberos problems are about DNS problems.
>> 5. You need a keytab. This keytab needs to hold entries like
>> IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You can generate
>> these on any Windows DC server (at least).
> I believe I am good on 1,2 and 4.  I downloaded and installed kerberos and tested it with kinit
> and klist according to the instructions at
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
>
> As to the keytab (#5) I did the following:
>
> $ samba-tool domain exportkeytab /etc/krb5.keytab
>
> which created the file.  I made this owned and readable by group dovecot, per instructions at
> http://wiki2.dovecot.org/Authentication/Kerberos.  Running `klist -k /etc/krb5.keytab` shows me
> configuration listing all the users and computers in the domain, mostly in triplicate.  A
> partial list:
>
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    18 COMMON$@HPRS.LOCAL
>    18 COMMON$@HPRS.LOCAL
>    18 COMMON$@HPRS.LOCAL
>     1 MAIL$@HPRS.LOCAL
>     1 MAIL$@HPRS.LOCAL
>     1 MAIL$@HPRS.LOCAL
>     1 [hidden email]
>     1 [hidden email]
>     1 [hidden email]
>
> where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing,
> but am assuming it is OK.

Strange that you do not have any host/ entries. Maybe it works without.

>> setspn -q is helpful here, also setspn command in general.
> I have no such command in my system. Is that a Windows thing?
>

Yes, but you can do those kind of things in Samba too.

> As to the /etc/krb5.conf, the default one generated by samba is:
>
> [libdefaults]
>          default_realm = HPRS.LOCAL
>          dns_lookup_realm = false
>          dns_lookup_kdc = true
>
> I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
>
>> Here is a *SAMPLE* configuration:
>>
>> [libdefaults]
>>          default_realm = YOUR.REALM
>>          dns_lookup_kdc = true
>>          krb4_config = /etc/krb.conf
>>          krb4_realms = /etc/krb.realms
> Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:

You can remove the krb4_ stuff

> krb5_config = /etc/krb5.conf
>
> Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?
You don't necessarily require that.

>>          kdc_timesync = 1
>>          ccache_type = 4
>>          forwardable = true
>>          proxiable = true
>>          fcc-mit-ticketflags = true
>>
>> [realms]
>>          YOUR.REALM = {
>>                  default_domain = your.domain.name
>>                  auth_to_local_names = {
>>                          Administrator = root
>>                  }
>>          }
> I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD
> server: mail.hprs.local, or is it just hprs.local? (or something else!)

HPRS.LOCAL is your REALM, hprs.local is your domain name.

>
>> [domain_realm]
>>        your.domain.name = YOUR.REALM
>> # this is not a mistake
>>        .your.domain.name = YOUR.REALM
>> [login]
>>          krb4_convert = true
>>          krb4_get_tickets = false
> Likewise here a question on the whole krb4 versus krb5 thing.
>
> Your closing comment:
>
>> Also, note that kerberos can only act as AUTHENTICATION system. It
>> cannot act as USER DATABASE. For that you need to configure LDAP or
>> something else. With Active Directory LDAP is probably a damn good idea.
> I have the following doveconf -n:
>
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_krb5_keytab = /etc/krb5.keytab
> auth_mechanisms = plain login gssapi
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>    driver = shadow
> }
> protocols = imap
> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> userdb {
>    driver = passwd
> }
> verbose_ssl = yes
>
> I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in
> any case I still have all but this test workstation NOT using gssapi, so I still need to
> accommodate them.
>
> Thanks, --Mark
passwd driver is fine, yes, if you ensure that users can be found.

Aki

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

Mark Foley-2
In reply to this post by Mark Foley-2
Aki - made your suggested changes, but no joy :(

My /etc/krb5.conf:

------SNIP--------
[libdefaults]
  default_realm = HPRS.LOCAL
  dns_lookup_realm = false
  dns_lookup_kdc = true

[libdefaults]
  default_realm = HPRS.LOCAL
  dns_lookup_kdc = true
  kdc_timesync = 1
  ccache_type = 4
  forwardable = true
  proxiable = true
  fcc-mit-ticketflags = true

[realms]
  HPRS.LOCAL = {
    default_domain = hprs.local
    auth_to_local_names = {
    Administrator = root
  }
}

[domain_realm]
    hprs.local = HPRS.LOCAL
# this is not a mistake
    .hprs.local = HPRS.LOCAL
------PINS-----------

you wrote:
> You can remove the krb4_ stuff

I've removed the krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether.
Question on [realms]Administrator: should that really be root or should it be my AD Administrator?

my doveconf -n is exactly the same as posted below, but in particular:

auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi

When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using
plain/ssl, no one yet configured for gssapi).

In /var/log/maillog I got (repeatedly):

Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=<Jy/e0lY2WADAqAA2>
Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi'
Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs
Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=</GXn0lY22wCmqhuh>

This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"?

Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd
finally be able to get AD authentication going for Dovecot. Not ready to give up though!

Suggestions?

THX -- Mark

-----Original Message-----

> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: [hidden email]
> From: Aki Tuomi <[hidden email]>
> Date: Tue, 28 Jun 2016 15:13:11 +0300
>
> On 28.06.2016 09:27, Mark Foley wrote:
> > Aki,
> >
> > To review your 5 points:
> >
> > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <[hidden email]> wrote:
> >
> >> 1. Functional AD or Kerberos environment
> >> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> >> 3. /etc/krb5.conf configured
> >> 4. Both forward / reverse DNS names correct for clients and servers.
> >> Reverse is only mandatory for servers, but having them right will work
> >> wonders. Most kerberos problems are about DNS problems.
> >> 5. You need a keytab. This keytab needs to hold entries like
> >> IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You can generate
> >> these on any Windows DC server (at least).
> > I believe I am good on 1,2 and 4.  I downloaded and installed kerberos and tested it with kinit
> > and klist according to the instructions at
> > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> >
> > As to the keytab (#5) I did the following:
> >
> > $ samba-tool domain exportkeytab /etc/krb5.keytab
> >
> > which created the file.  I made this owned and readable by group dovecot, per instructions at
> > http://wiki2.dovecot.org/Authentication/Kerberos.  Running `klist -k /etc/krb5.keytab` shows me
> > configuration listing all the users and computers in the domain, mostly in triplicate.  A
> > partial list:
> >
> > Keytab name: FILE:/etc/krb5.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >    18 COMMON$@HPRS.LOCAL
> >    18 COMMON$@HPRS.LOCAL
> >    18 COMMON$@HPRS.LOCAL
> >     1 MAIL$@HPRS.LOCAL
> >     1 MAIL$@HPRS.LOCAL
> >     1 MAIL$@HPRS.LOCAL
> >     1 [hidden email]
> >     1 [hidden email]
> >     1 [hidden email]
> >
> > where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing,
> > but am assuming it is OK.
>
> Strange that you do not have any host/ entries. Maybe it works without.
>
> >> setspn -q is helpful here, also setspn command in general.
> > I have no such command in my system. Is that a Windows thing?
> >
>
> Yes, but you can do those kind of things in Samba too.
>
> > As to the /etc/krb5.conf, the default one generated by samba is:
> >
> > [libdefaults]
> >          default_realm = HPRS.LOCAL
> >          dns_lookup_realm = false
> >          dns_lookup_kdc = true
> >
> > I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
> >
> >> Here is a *SAMPLE* configuration:
> >>
> >> [libdefaults]
> >>          default_realm = YOUR.REALM
> >>          dns_lookup_kdc = true
> >>          krb4_config = /etc/krb.conf
> >>          krb4_realms = /etc/krb.realms
> > Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:
>
> You can remove the krb4_ stuff
>
> > krb5_config = /etc/krb5.conf
> >
> > Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?
> You don't necessarily require that.
>
> >>          kdc_timesync = 1
> >>          ccache_type = 4
> >>          forwardable = true
> >>          proxiable = true
> >>          fcc-mit-ticketflags = true
> >>
> >> [realms]
> >>          YOUR.REALM = {
> >>                  default_domain = your.domain.name
> >>                  auth_to_local_names = {
> >>                          Administrator = root
> >>                  }
> >>          }
> > I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD
> > server: mail.hprs.local, or is it just hprs.local? (or something else!)
>
> HPRS.LOCAL is your REALM, hprs.local is your domain name.
> >
> >> [domain_realm]
> >>        your.domain.name = YOUR.REALM
> >> # this is not a mistake
> >>        .your.domain.name = YOUR.REALM
> >> [login]
> >>          krb4_convert = true
> >>          krb4_get_tickets = false
> > Likewise here a question on the whole krb4 versus krb5 thing.
> >
> > Your closing comment:
> >
> >> Also, note that kerberos can only act as AUTHENTICATION system. It
> >> cannot act as USER DATABASE. For that you need to configure LDAP or
> >> something else. With Active Directory LDAP is probably a damn good idea.
> > I have the following doveconf -n:
> >
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_krb5_keytab = /etc/krb5.keytab
> > auth_mechanisms = plain login gssapi
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > passdb {
> >    driver = shadow
> > }
> > protocols = imap
> > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> > userdb {
> >    driver = passwd
> > }
> > verbose_ssl = yes
> >
> > I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in
> > any case I still have all but this test workstation NOT using gssapi, so I still need to
> > accommodate them.
> >
> > Thanks, --Mark
> passwd driver is fine, yes, if you ensure that users can be found.
>
> Aki
>

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

Aki Tuomi-2

> On June 28, 2016 at 5:17 PM Mark Foley <[hidden email]> wrote:
>
>
> Aki - made your suggested changes, but no joy :(
>
> My /etc/krb5.conf:
>
> ------SNIP--------
> [libdefaults]
>   default_realm = HPRS.LOCAL
>   dns_lookup_realm = false
>   dns_lookup_kdc = true
>
> [libdefaults]
>   default_realm = HPRS.LOCAL
>   dns_lookup_kdc = true
>   kdc_timesync = 1
>   ccache_type = 4
>   forwardable = true
>   proxiable = true
>   fcc-mit-ticketflags = true
>
> [realms]
>   HPRS.LOCAL = {
>     default_domain = hprs.local
>     auth_to_local_names = {
>     Administrator = root
>   }
> }
>
> [domain_realm]
>     hprs.local = HPRS.LOCAL
> # this is not a mistake
>     .hprs.local = HPRS.LOCAL
> ------PINS-----------
>
> you wrote:
> > You can remove the krb4_ stuff
>
> I've removed the krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether.
> Question on [realms]Administrator: should that really be root or should it be my AD Administrator?
>
> my doveconf -n is exactly the same as posted below, but in particular:
>
> auth_krb5_keytab = /etc/krb5.keytab
> auth_mechanisms = plain login gssapi
>
> When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using
> plain/ssl, no one yet configured for gssapi).
>
> In /var/log/maillog I got (repeatedly):
>
> Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=<Jy/e0lY2WADAqAA2>
> Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi'
> Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs
> Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=</GXn0lY22wCmqhuh>
>
> This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"?
>
> Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd
> finally be able to get AD authentication going for Dovecot. Not ready to give up though!
>
> Suggestions?
>
> THX -- Mark
>
> -----Original Message-----
> > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> > To: [hidden email]
> > From: Aki Tuomi <[hidden email]>
> > Date: Tue, 28 Jun 2016 15:13:11 +0300
> >
> > On 28.06.2016 09:27, Mark Foley wrote:
> > > Aki,
> > >
> > > To review your 5 points:
> > >
> > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <[hidden email]> wrote:
> > >
> > >> 1. Functional AD or Kerberos environment
> > >> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> > >> 3. /etc/krb5.conf configured
> > >> 4. Both forward / reverse DNS names correct for clients and servers.
> > >> Reverse is only mandatory for servers, but having them right will work
> > >> wonders. Most kerberos problems are about DNS problems.
> > >> 5. You need a keytab. This keytab needs to hold entries like
> > >> IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You can generate
> > >> these on any Windows DC server (at least).
> > > I believe I am good on 1,2 and 4.  I downloaded and installed kerberos and tested it with kinit
> > > and klist according to the instructions at
> > > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> > >
> > > As to the keytab (#5) I did the following:
> > >
> > > $ samba-tool domain exportkeytab /etc/krb5.keytab
> > >
> > > which created the file.  I made this owned and readable by group dovecot, per instructions at
> > > http://wiki2.dovecot.org/Authentication/Kerberos.  Running `klist -k /etc/krb5.keytab` shows me
> > > configuration listing all the users and computers in the domain, mostly in triplicate.  A
> > > partial list:
> > >
> > > Keytab name: FILE:/etc/krb5.keytab
> > > KVNO Principal
> > > ---- --------------------------------------------------------------------------
> > >    18 COMMON$@HPRS.LOCAL
> > >    18 COMMON$@HPRS.LOCAL
> > >    18 COMMON$@HPRS.LOCAL
> > >     1 MAIL$@HPRS.LOCAL
> > >     1 MAIL$@HPRS.LOCAL
> > >     1 MAIL$@HPRS.LOCAL
> > >     1 [hidden email]
> > >     1 [hidden email]
> > >     1 [hidden email]
> > >
> > > where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing,
> > > but am assuming it is OK.
> >
> > Strange that you do not have any host/ entries. Maybe it works without.
> >
> > >> setspn -q is helpful here, also setspn command in general.
> > > I have no such command in my system. Is that a Windows thing?
> > >
> >
> > Yes, but you can do those kind of things in Samba too.
> >
> > > As to the /etc/krb5.conf, the default one generated by samba is:
> > >
> > > [libdefaults]
> > >          default_realm = HPRS.LOCAL
> > >          dns_lookup_realm = false
> > >          dns_lookup_kdc = true
> > >
> > > I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
> > >
> > >> Here is a *SAMPLE* configuration:
> > >>
> > >> [libdefaults]
> > >>          default_realm = YOUR.REALM
> > >>          dns_lookup_kdc = true
> > >>          krb4_config = /etc/krb.conf
> > >>          krb4_realms = /etc/krb.realms
> > > Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:
> >
> > You can remove the krb4_ stuff
> >
> > > krb5_config = /etc/krb5.conf
> > >
> > > Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?
> > You don't necessarily require that.
> >
> > >>          kdc_timesync = 1
> > >>          ccache_type = 4
> > >>          forwardable = true
> > >>          proxiable = true
> > >>          fcc-mit-ticketflags = true
> > >>
> > >> [realms]
> > >>          YOUR.REALM = {
> > >>                  default_domain = your.domain.name
> > >>                  auth_to_local_names = {
> > >>                          Administrator = root
> > >>                  }
> > >>          }
> > > I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD
> > > server: mail.hprs.local, or is it just hprs.local? (or something else!)
> >
> > HPRS.LOCAL is your REALM, hprs.local is your domain name.
> > >
> > >> [domain_realm]
> > >>        your.domain.name = YOUR.REALM
> > >> # this is not a mistake
> > >>        .your.domain.name = YOUR.REALM
> > >> [login]
> > >>          krb4_convert = true
> > >>          krb4_get_tickets = false
> > > Likewise here a question on the whole krb4 versus krb5 thing.
> > >
> > > Your closing comment:
> > >
> > >> Also, note that kerberos can only act as AUTHENTICATION system. It
> > >> cannot act as USER DATABASE. For that you need to configure LDAP or
> > >> something else. With Active Directory LDAP is probably a damn good idea.
> > > I have the following doveconf -n:
> > >
> > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > auth_debug_passwords = yes
> > > auth_krb5_keytab = /etc/krb5.keytab
> > > auth_mechanisms = plain login gssapi
> > > auth_verbose = yes
> > > auth_verbose_passwords = plain
> > > disable_plaintext_auth = no
> > > info_log_path = /var/log/dovecot_info
> > > mail_location = maildir:~/Maildir
> > > passdb {
> > >    driver = shadow
> > > }
> > > protocols = imap
> > > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> > > userdb {
> > >    driver = passwd
> > > }
> > > verbose_ssl = yes
> > >
> > > I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in
> > > any case I still have all but this test workstation NOT using gssapi, so I still need to
> > > accommodate them.
> > >
> > > Thanks, --Mark
> > passwd driver is fine, yes, if you ensure that users can be found.
> >
> > Aki
> >

Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?

I'll try to check status of NTLM this week.

Aki
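Pulling Aki's checklist and the symptoms from this thread together, here is a small offline preflight script. It is an added example, not Dovecot's or Samba's own code: it lints a krb5.conf for repeated sections, leftover krb4_* keys and the realm/domain_realm mappings, checks a `klist -k` listing for the imap/ and host/ principals of the mail host, and picks the "Unknown authentication mechanism" fatal out of the log. All inputs are constructed samples mirroring the thread, and mail.hprs.local is assumed to be the IMAP host.

```python
"""Offline preflight checks for Dovecot GSSAPI against an AD/Kerberos realm.
Added example for this thread, not Dovecot's or Samba's own code: it turns
Aki's checklist into checks over /etc/krb5.conf and `klist -k` output, and
picks Dovecot's "Unknown authentication mechanism" fatal out of the log.
Inputs are constructed samples; mail.hprs.local is assumed to be the IMAP host."""
import re
from collections import Counter


def parse_krb5_conf(text):
    """({section: [(key, value), ...]}, Counter of headers); `REALM = { ... }` gives dotted keys."""
    sections, headers, current, stack = {}, Counter(), None, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if header := re.fullmatch(r'\[(\w+)\]', line):
            current, stack = header.group(1), []
            headers[current] += 1                    # a repeat is a finding
            sections.setdefault(current, [])
        elif line == '}':
            stack = stack[:-1]
        elif current and (kv := re.fullmatch(r'([\w.\-]+)\s*=\s*(.*)', line)):
            key, value = kv.group(1), kv.group(2).strip()
            if value == '{':
                stack = stack + [key]                # entering REALM = { ... }
            else:
                sections[current].append(('.'.join(stack + [key]), value))
    return sections, headers


def check_krb5_conf(text):
    """Findings for the mistakes discussed in the thread; [] means none found."""
    sections, headers = parse_krb5_conf(text)
    findings = [f'[{s}] appears {n} times; merge into one section'
                for s, n in headers.items() if n > 1]
    libdefaults = dict(sections.get('libdefaults', []))
    findings += [f'obsolete Kerberos 4 setting in [libdefaults]: {k}'
                 for k in libdefaults if k.startswith('krb4_')]
    realm = libdefaults.get('default_realm')
    if realm is None:
        return findings + ['no default_realm in [libdefaults]']
    domain = dict(sections.get('realms', [])).get(f'{realm}.default_domain')
    if domain is None:
        return findings + [f'[realms] has no {realm} block with default_domain']
    domain_realm = dict(sections.get('domain_realm', []))
    for name in (domain, '.' + domain):              # both forms, as in Aki's sample
        if domain_realm.get(name) != realm:
            findings.append(f'[domain_realm] should map {name} to {realm}')
    return findings


def parse_klist(output):
    """Principals from `klist -k` lines such as '  18 COMMON$@HPRS.LOCAL'."""
    hits = (re.match(r'\s*\d+\s+(\S+@\S+)$', line) for line in output.splitlines())
    return {m.group(1) for m in hits if m}


def missing_service_principals(principals, fqdn, realm):
    """Keytab entries the IMAP host needs: imap/<fqdn> (Aki's point 5) and host/<fqdn>,
    whose absence Aki remarked on. Case-insensitive because the thread writes IMAP/."""
    have = {p.lower() for p in principals}
    wanted = [f'imap/{fqdn}@{realm}', f'host/{fqdn}@{realm}']
    return [p for p in wanted if p.lower() not in have]


UNKNOWN_MECH = re.compile(r"dovecot: auth: Fatal: Unknown authentication mechanism '(\w+)'")


def unsupported_mechanisms(log_lines):
    """Mechanisms in auth_mechanisms that this Dovecot build lacks; as Aki concludes,
    the auth service then never starts and every login stalls, plain included."""
    return sorted({m.group(1) for m in map(UNKNOWN_MECH.search, log_lines) if m})


# Constructed samples that mirror the thread (not copied from a live system).
MARKS_KRB5_CONF = """\
[libdefaults]
  default_realm = HPRS.LOCAL
  dns_lookup_kdc = true
[libdefaults]
  default_realm = HPRS.LOCAL
[realms]
  HPRS.LOCAL = {
    default_domain = hprs.local
  }
[domain_realm]
  hprs.local = HPRS.LOCAL
# this is not a mistake
  .hprs.local = HPRS.LOCAL
"""
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
"""
MAILLOG = ["Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi'",
           "Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs"]


def preflight(krb5_conf, klist_output, log_lines, fqdn, realm):
    """All three checks at once; every list empty means GSSAPI is worth testing."""
    return {'krb5.conf': check_krb5_conf(krb5_conf),
            'keytab': missing_service_principals(parse_klist(klist_output), fqdn, realm),
            'dovecot': unsupported_mechanisms(log_lines)}
```

Run it against the samples and all three lists come back non-empty: the duplicated [libdefaults], the absent imap/ and host/ entries for the mail host, and the gssapi mechanism the auth process refuses; a clean run is what you want before testing from Thunderbird.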

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

Mark Foley-2
Aki, you wrote:

> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?
>
> I'll try to check status of NTLM this week.

I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.

I do have the Dovecot sources and will peruse the possible options after I send this.  I am on
version 2.2.15 and I see that the current downloadable version is 2.2.24.  Should I upgrade? Do
you think that would help? (a perusal of the changes since 2.2.15 shows nothing obvious
related to gssapi)

--Mark

-----Original Message-----

> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
> From: [hidden email]
> To: [hidden email]
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> > On June 28, 2016 at 5:17 PM Mark Foley <[hidden email]> wrote:
> >
> >
> > Aki - made your suggested changes, but no joy :(
> >
> > My /etc/krb5.conf:
> >
> > ------SNIP--------
> > [libdefaults]
> >   default_realm = HPRS.LOCAL
> >   dns_lookup_realm = false
> >   dns_lookup_kdc = true
> >
> > [libdefaults]
> >   default_realm = HPRS.LOCAL
> >   dns_lookup_kdc = true
> >   kdc_timesync = 1
> >   ccache_type = 4
> >   forwardable = true
> >   proxiable = true
> >   fcc-mit-ticketflags = true
> >
> > [realms]
> >   HPRS.LOCAL = {
> >     default_domain = hprs.local
> >     auth_to_local_names = {
> >     Administrator = root
> >   }
> > }
> >
> > [domain_realm]
> >     hprs.local = HPRS.LOCAL
> > # this is not a mistake
> >     .hprs.local = HPRS.LOCAL
> > ------PINS-----------
> >
> > you wrote:
> > > You can remove the krb4_ stuff
> >
> > I've removed the krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether.
> > Question on [realms]Administrator: should that really be root or should it be my AD Administrator?
> >
> > my doveconf -n is exactly the same as posted below, but in particular:
> >
> > auth_krb5_keytab = /etc/krb5.keytab
> > auth_mechanisms = plain login gssapi
> >
> > When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using
> > plain/ssl, no one yet configured for gssapi).
> >
> > In /var/log/maillog I got (repeatedly):
> >
> > Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=<Jy/e0lY2WADAqAA2>
> > Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi'
> > Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs
> > Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=</GXn0lY22wCmqhuh>
> >
> > This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"?
> >
> > Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd
> > finally be able to get AD authentication going for Dovecot. Not ready to give up though!
> >
> > Suggestions?
> >
> > THX -- Mark
> >
> > -----Original Message-----
> > > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> > > To: [hidden email]
> > > From: Aki Tuomi <[hidden email]>
> > > Date: Tue, 28 Jun 2016 15:13:11 +0300
> > >
> > > On 28.06.2016 09:27, Mark Foley wrote:
> > > > Aki,
> > > >
> > > > To review your 5 points:
> > > >
> > > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <[hidden email]> wrote:
> > > >
> > > >> 1. Functional AD or Kerberos environment
> > > >> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> > > >> 3. /etc/krb5.conf configured
> > > >> 4. Both forward / reverse DNS names correct for clients and servers.
> > > >> Reverse is only mandatory for servers, but having them right will work
> > > >> wonders. Most kerberos problems are about DNS problems.
> > > >> 5. You need a keytab. This keytab needs to hold entries like
> > > >> IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You can generate
> > > >> these on any Windows DC server (at least).
> > > > I believe I am good on 1,2 and 4.  I downloaded and installed kerberos and tested it with kinit
> > > > and klist according to the instructions at
> > > > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> > > >
> > > > As to the keytab (#5) I did the following:
> > > >
> > > > $ samba-tool domain exportkeytab /etc/krb5.keytab
> > > >
> > > > which created the file.  I made this owned and readable by group dovecot, per instructions at
> > > > http://wiki2.dovecot.org/Authentication/Kerberos.  Running `klist -k /etc/krb5.keytab` shows me
> > > > configuration listing all the users and computers in the domain, mostly in triplicate.  A
> > > > partial list:
> > > >
> > > > Keytab name: FILE:/etc/krb5.keytab
> > > > KVNO Principal
> > > > ---- --------------------------------------------------------------------------
> > > >    18 COMMON$@HPRS.LOCAL
> > > >    18 COMMON$@HPRS.LOCAL
> > > >    18 COMMON$@HPRS.LOCAL
> > > >     1 MAIL$@HPRS.LOCAL
> > > >     1 MAIL$@HPRS.LOCAL
> > > >     1 MAIL$@HPRS.LOCAL
> > > >     1 [hidden email]
> > > >     1 [hidden email]
> > > >     1 [hidden email]
> > > >
> > > > where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing,
> > > > but am assuming it is OK.
> > >
> > > Strange that you do not have any host/ entries. Maybe it works without.
> > >
> > > >> setspn -q is helpful here, also setspn command in general.
> > > > I have no such command in my system. Is that a Windows thing?
> > > >
> > >
> > > Yes, but you can do those kind of things in Samba too.
> > >
> > > > As to the /etc/krb5.conf, the default one generated by samba is:
> > > >
> > > > [libdefaults]
> > > >          default_realm = HPRS.LOCAL
> > > >          dns_lookup_realm = false
> > > >          dns_lookup_kdc = true
> > > >
> > > > I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
> > > >
> > > >> Here is a *SAMPLE* configuration:
> > > >>
> > > >> [libdefaults]
> > > >>          default_realm = YOUR.REALM
> > > >>          dns_lookup_kdc = true
> > > >>          krb4_config = /etc/krb.conf
> > > >>          krb4_realms = /etc/krb.realms
> > > > Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:
> > >
> > > You can remove the krb4_ stuff
> > >
> > > > krb5_config = /etc/krb5.conf
> > > >
> > > > Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?
> > > You don't necessarily require that.
> > >
> > > >>          kdc_timesync = 1
> > > >>          ccache_type = 4
> > > >>          forwardable = true
> > > >>          proxiable = true
> > > >>          fcc-mit-ticketflags = true
> > > >>
> > > >> [realms]
> > > >>          YOUR.REALM = {
> > > >>                  default_domain = your.domain.name
> > > >>                  auth_to_local_names = {
> > > >>                          Administrator = root
> > > >>                  }
> > > >>          }
> > > > I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD
> > > > server: mail.hprs.local, or is it just hprs.local? (or something else!)
> > >
> > > HPRS.LOCAL is your REALM, hprs.local is your domain name.
> > > >
> > > >> [domain_realm]
> > > >>        your.domain.name = YOUR.REALM
> > > >> # this is not a mistake
> > > >>        .your.domain.name = YOUR.REALM
> > > >> [login]
> > > >>          krb4_convert = true
> > > >>          krb4_get_tickets = false
> > > > Likewise here a question on the whole krb4 versus krb5 thing.
> > > >
> > > > Your closing comment:
> > > >
> > > >> Also, note that kerberos can only act as AUTHENTICATION system. It
> > > >> cannot act as USER DATABASE. For that you need to configure LDAP or
> > > >> something else. With Active Directory LDAP is probably a damn good idea.
> > > > I have the following doveconf -n:
> > > >
> > > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > > auth_debug_passwords = yes
> > > > auth_krb5_keytab = /etc/krb5.keytab
> > > > auth_mechanisms = plain login gssapi
> > > > auth_verbose = yes
> > > > auth_verbose_passwords = plain
> > > > disable_plaintext_auth = no
> > > > info_log_path = /var/log/dovecot_info
> > > > mail_location = maildir:~/Maildir
> > > > passdb {
> > > >    driver = shadow
> > > > }
> > > > protocols = imap
> > > > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> > > > userdb {
> > > >    driver = passwd
> > > > }
> > > > verbose_ssl = yes
> > > >
> > > > I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in
> > > > any case I still have all but this test workstation NOT using gssapi, so I still need to
> > > > accommodate them.
> > > >
> > > > Thanks, --Mark
> > > passwd driver is fine, yes, if you ensure that users can be found.
> > >
> > > Aki
> > >
>
> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?
>
> I'll try to check status of NTLM this week.
>
> Aki
>
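The exchange above lists the preconditions for GSSAPI (keytab with an IMAP/ service principal, forward and reverse DNS that agree, a keytab Dovecot can read and a doveconf -n that actually offers gssapi) but gives no way to check them. Here is an added pre-flight script, not code from the thread or from Dovecot or Samba, that checks exactly those points. It assumes mail.hprs.local is the IMAP server's FQDN, HPRS.LOCAL the realm and /etc/krb5.keytab the keytab path, all taken from the post; the klist and doveconf listings embedded in it are constructed samples modelled on the ones quoted above. A keytab like the partial listing in the post, which shows only machine accounts and a user, would fail the imap/ check unless the service entry appears further down.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for Dovecot GSSAPI
# against a Samba AD DC, covering Aki's points 4 and 5 and the doveconf -n
# settings shown above. mail.hprs.local, HPRS.LOCAL and /etc/krb5.keytab
# are assumptions taken from the post; the sample listings are constructed.

# Principal column of a `klist -k` listing read from stdin (headers dropped).
keytab_principals() {
    sed -n 's/^[[:space:]]*[0-9][0-9]*[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p'
}

# keytab_has_service SERVICE FQDN REALM  < klist-output
# 0 if SERVICE/FQDN@REALM is in the keytab. Both spellings of the service
# are accepted because the thread writes IMAP/ while SASL GSSAPI clients
# ask for imap/ (assumption: the AD KDC matches the SPN case-insensitively).
keytab_has_service() {
    princs=$(keytab_principals)
    for svc in "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
               "$(printf '%s' "$1" | tr 'a-z' 'A-Z')"; do
        printf '%s\n' "$princs" | grep -Fqx -- "$svc/$2@$3" && return 0
    done
    return 1
}

# conf_value KEY  < doveconf-n-output : value of the first "KEY = value" line
conf_value() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# dovecot_gssapi_ready  < doveconf-n-output
# 0 if gssapi is offered and auth_krb5_keytab is set. Without the latter
# Dovecot falls back to the system default keytab, which the unprivileged
# auth process normally cannot read.
dovecot_gssapi_ready() {
    conf=$(cat)
    mechs=$(printf '%s\n' "$conf" | conf_value auth_mechanisms)
    keytab=$(printf '%s\n' "$conf" | conf_value auth_krb5_keytab)
    case " $mechs " in *" gssapi "*) ;; *) return 1 ;; esac
    [ -n "$keytab" ]
}

# plaintext_exposed  < doveconf-n-output
# 0 if PLAIN/LOGIN are offered while disable_plaintext_auth = no, i.e.
# passwords are accepted on a connection that has not negotiated TLS.
# The non-GSSAPI workstations keep working with disable_plaintext_auth = yes;
# they just have to use STARTTLS or port 993 before logging in.
plaintext_exposed() {
    conf=$(cat)
    mechs=$(printf '%s\n' "$conf" | conf_value auth_mechanisms)
    dpa=$(printf '%s\n' "$conf" | conf_value disable_plaintext_auth)
    case " $mechs " in *" plain "*|*" login "*) ;; *) return 1 ;; esac
    [ "$dpa" = "no" ]
}

# Constructed sample data modelled on the listings in the post.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   2 IMAP/mail.hprs.local@HPRS.LOCAL
   2 host/mail.hprs.local@HPRS.LOCAL'

SAMPLE_DOVECONF='auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi
disable_plaintext_auth = no
protocols = imap'

SAMPLE_DOVECONF_HARDENED='auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi
disable_plaintext_auth = yes
protocols = imap'

# Run against the live system: ./gssapi-preflight.sh --live [fqdn] [realm]
if [ "${1:-}" = "--live" ]; then
    fqdn=${2:-$(hostname -f)}
    realm=${3:-HPRS.LOCAL}
    if klist -k /etc/krb5.keytab | keytab_has_service imap "$fqdn" "$realm"; then
        echo "keytab: imap/$fqdn@$realm present"
    else
        echo "keytab: imap/$fqdn@$realm MISSING (point 5)"
    fi
    doveconf -n | dovecot_gssapi_ready && echo "dovecot: gssapi configured" \
        || echo "dovecot: gssapi not usable (mechanism or auth_krb5_keytab missing)"
    doveconf -n | plaintext_exposed \
        && echo "WARNING: cleartext PLAIN/LOGIN accepted without TLS"
    # Point 4: forward and reverse DNS must agree for the server.
    ip=$(getent hosts "$fqdn" | awk '{print $1; exit}')
    if getent hosts "$ip" | grep -qi "$fqdn"; then
        echo "dns: $fqdn <-> $ip consistent"
    else
        echo "dns: reverse lookup of $ip does not return $fqdn (point 4)"
    fi
fi
```

Run it with --live on the mail server as the user that reads the keytab. If the imap/ entry is reported missing, Samba's counterpart to setspn is samba-tool spn (for example `samba-tool spn add imap/mail.hprs.local MAIL$`, using the MAIL$ host account from the listing), after which `samba-tool domain exportkeytab /etc/krb5.keytab --principal=imap/mail.hprs.local@HPRS.LOCAL` writes just that key instead of every account in the domain; a keytab that only needs to serve IMAP should not carry every user's key. The plaintext warning is independent of GSSAPI: the working config above runs with disable_plaintext_auth = no, which lets the legacy PLAIN/LOGIN clients send passwords over an unencrypted session.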