gssapi without passdb

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

gssapi without passdb

Dovecot mailing list
Good afternoon.


I'm configuring dovecot to authenticate users against a samba server
running as an active directory domain controller. I followed the
instructions as stated in the page
https://wiki.dovecot.org/Authentication/Kerberos and considering the
sentence that states [...]The Kerberos authentication mechanism doesn't
require having a passdb, but you do need a userdb[...] I produced a
configuration file that looked like this

> auth_gssapi_hostname = $ALL
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> auth_mechanisms = gssapi
> auth_username_format = %u
> mail_location =
> maildir:~/Maildir:INDEX=/var/lib/dovecot/%d/%n:CONTROL=/var/lib/dovecot/%d/%n:UTF-8
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
> relational regex imap4flags copy include variables body enotify
> environment mailbox date index ihave duplicate mime foreverypart
> extracttext
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> plugin {
>   sieve = file:~/sieve;active=~/.dovecot.sieve
> }
> protocols = imap
> ssl_ca = /etc/ssl/certs/cacertificate.crt
> ssl_cert = </etc/ssl/certs/certificate.crt
> ssl_key = # hidden, use -P to show it
> userdb {
>   args = uid=vmail gid=vmail home=/var/vmail/%d/%n allow_all_users=yes
>   driver = static
> }

When I ran these settings I would get an error that read

> Nov  8 17:00:00 mail dovecot: auth: Error:
> gssapi(user@KERBEROSPRINCIPAL,192.168.182.137,<IQMcOtuWI+3AqLaJ>): All
> password databases were skipped
> Nov  8 17:00:02 mail dovecot: imap-login: Disconnected (auth service
> reported temporary failure): user=<user@KERBEROSPRINCIPAL>,
> method=GSSAPI, rip=192.168.182.137, lip=192.168.182.4, TLS,
> session=<IQMcOtuWI+3AqLaJ>

After Trying many things I finally modified my config

> auth_gssapi_hostname = $ALL
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> auth_mechanisms = gssapi
> auth_username_format = %u
> mail_location =
> maildir:~/Maildir:INDEX=/var/lib/dovecot/%d/%n:CONTROL=/var/lib/dovecot/%d/%n:UTF-8
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
> relational regex imap4flags copy include variables body enotify
> environment mailbox date index ihave duplicate mime foreverypart
> extracttext
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> plugin {
>   sieve = file:~/sieve;active=~/.dovecot.sieve
> }
> protocols = imap
> ssl_ca = /etc/ssl/certs/cacertificate.crt
> ssl_cert = </etc/ssl/certs/certificate.crt
> ssl_key = # hidden, use -P to show it
> userdb {
>   args = uid=vmail gid=vmail home=/var/vmail/%d/%n allow_all_users=yes
>   driver = static
> }
The dovecot-ldap.conf.ext file looks like this

> hosts = dc1:3268
> tls = yes
> auth_bind = yes
> auth_bind_userdn = %u
> base =

With this configuration I can authenticate to the imap server sending
user@KERBEROSPRINCIPAL as my username and without setting a password so
I'm wondering if the wiki page needs to be updated or if there is
something wrong with my first setup.


Thanks in advance.

Best regards,

David Wells.


Reply | Threaded
Open this post in threaded view
|

Re: gssapi without passdb

Dovecot mailing list
Good afternoon.

Shouldn't at least the wiki page be updated so that it avoids someone in
the future having to struggle like I did?

El 08/11/2019 a las 17:13, David Wells via dovecot escribió:

> Good afternoon.
>
>
> I'm configuring dovecot to authenticate users against a samba server
> running as an active directory domain controller. I followed the
> instructions as stated in the page
> https://wiki.dovecot.org/Authentication/Kerberos and considering the
> sentence that states [...]The Kerberos authentication mechanism
> doesn't require having a passdb, but you do need a userdb[...] I
> produced a configuration file that looked like this
>
>> auth_gssapi_hostname = $ALL
>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
>> auth_mechanisms = gssapi
>> auth_username_format = %u
>> mail_location =
>> maildir:~/Maildir:INDEX=/var/lib/dovecot/%d/%n:CONTROL=/var/lib/dovecot/%d/%n:UTF-8
>> managesieve_notify_capability = mailto
>> managesieve_sieve_capability = fileinto reject envelope
>> encoded-character vacation subaddress comparator-i;ascii-numeric
>> relational regex imap4flags copy include variables body enotify
>> environment mailbox date index ihave duplicate mime foreverypart
>> extracttext
>> namespace inbox {
>>   inbox = yes
>>   location =
>>   mailbox Drafts {
>>     special_use = \Drafts
>>   }
>>   mailbox Junk {
>>     special_use = \Junk
>>   }
>>   mailbox Sent {
>>     special_use = \Sent
>>   }
>>   mailbox "Sent Messages" {
>>     special_use = \Sent
>>   }
>>   mailbox Trash {
>>     special_use = \Trash
>>   }
>>   prefix =
>> }
>> plugin {
>>   sieve = file:~/sieve;active=~/.dovecot.sieve
>> }
>> protocols = imap
>> ssl_ca = /etc/ssl/certs/cacertificate.crt
>> ssl_cert = </etc/ssl/certs/certificate.crt
>> ssl_key = # hidden, use -P to show it
>> userdb {
>>   args = uid=vmail gid=vmail home=/var/vmail/%d/%n allow_all_users=yes
>>   driver = static
>> }
>
> When I ran these settings I would get an error that read
>
>> Nov  8 17:00:00 mail dovecot: auth: Error:
>> gssapi(user@KERBEROSPRINCIPAL,192.168.182.137,<IQMcOtuWI+3AqLaJ>):
>> All password databases were skipped
>> Nov  8 17:00:02 mail dovecot: imap-login: Disconnected (auth service
>> reported temporary failure): user=<user@KERBEROSPRINCIPAL>,
>> method=GSSAPI, rip=192.168.182.137, lip=192.168.182.4, TLS,
>> session=<IQMcOtuWI+3AqLaJ>
>
> After Trying many things I finally modified my config
>
>> auth_gssapi_hostname = $ALL
>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
>> auth_mechanisms = gssapi
>> auth_username_format = %u
>> mail_location =
>> maildir:~/Maildir:INDEX=/var/lib/dovecot/%d/%n:CONTROL=/var/lib/dovecot/%d/%n:UTF-8
>> managesieve_notify_capability = mailto
>> managesieve_sieve_capability = fileinto reject envelope
>> encoded-character vacation subaddress comparator-i;ascii-numeric
>> relational regex imap4flags copy include variables body enotify
>> environment mailbox date index ihave duplicate mime foreverypart
>> extracttext
>> namespace inbox {
>>   inbox = yes
>>   location =
>>   mailbox Drafts {
>>     special_use = \Drafts
>>   }
>>   mailbox Junk {
>>     special_use = \Junk
>>   }
>>   mailbox Sent {
>>     special_use = \Sent
>>   }
>>   mailbox "Sent Messages" {
>>     special_use = \Sent
>>   }
>>   mailbox Trash {
>>     special_use = \Trash
>>   }
>>   prefix =
>> }
>> passdb {
>>   args = /etc/dovecot/dovecot-ldap.conf.ext
>>   driver = ldap
>> }
>> plugin {
>>   sieve = file:~/sieve;active=~/.dovecot.sieve
>> }
>> protocols = imap
>> ssl_ca = /etc/ssl/certs/cacertificate.crt
>> ssl_cert = </etc/ssl/certs/certificate.crt
>> ssl_key = # hidden, use -P to show it
>> userdb {
>>   args = uid=vmail gid=vmail home=/var/vmail/%d/%n allow_all_users=yes
>>   driver = static
>> }
> The dovecot-ldap.conf.ext file looks like this
>
>> hosts = dc1:3268
>> tls = yes
>> auth_bind = yes
>> auth_bind_userdn = %u
>> base =
>
> With this configuration I can authenticate to the imap server sending
> user@KERBEROSPRINCIPAL as my username and without setting a password
> so I'm wondering if the wiki page needs to be updated or if there is
> something wrong with my first setup.
>
>
> Thanks in advance.
>
> Best regards,
>
> David Wells.
>
>