Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On Aug 31, 2011, at 4:39 PM, Jason Gunthorpe wrote:

> On Wed, Aug 31, 2011 at 09:28:50AM -0600, Trever L. Adams wrote:
>
>> I have only followed part of this. If the original poster's problem is that the LDAP database cannot be accessed with an SPN ticket, this is because SPNs are not allowed to log in in AD. You need to use a user account (including MACHINE$ accounts). It took me forever to figure this out.
>>
>> To use this, you need a cron job that creates/renews tickets from time to time for the user/machine account. Then you use Dovecot's environment setup configuration to set the KRB5_CC (or whatever it is called, my head is elsewhere) env variable to that Kerberos ticket cache that was created in the cron job. This cache needs to be readable by dovecot and should be owned by its user.
>
> This all works a 1000% better if you use Samba to join the domain and create your keytab with the right SPNs. See my prior posts to this list for a formula. Using the MS Kerberos compatibility tools is painful, complicated and tends to make a mess.
>
> Samba will create a machine UPN and populate the system keytab appropriately. From a cron job you can use 'kinit -k' to maintain an active ticket for the machine UPN which dovecot can use for LDAP operations.

I would agree that that is easier, unless/until you are load balancing connections on a single hostname to multiple physical machines. In that scenario you can't add SPNs for the shared hostname to the machine accounts (since SPNs must be unique) and you're still looking at futzing with ktpass.

> Jason
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
> Why such hostility?

I beg your pardon, sir. Nothing personal, but to a question like "My car does not move" you provide the answer "Try to wipe the screen and kick the wheels." What do you think: if one digs into the source code, has he not already attempted simpler ways? Yes, I have read the manuals and wikis before posting here. And I know what Wireshark is and how to use it.

> And I did answer your second question about how the principal should look.

The matter of my question was how the string in the form service@host agrees with keytab entries in the form service/host@REALM. Now I do know the answer. It is controlled by the argument GSS_C_NT_HOSTBASED_SERVICE of the function gss_import_name.

> Maybe I'm wrong, not running 2.0 yet.

You are wrong. There were some minor changes. See here, for example: http://www.dovecot.org/list/dovecot-cvs/2010-June/017143.html

> Make sure your client is requesting the correct principal in the first place.

Yes, I am sure. I examined the logs of my Mozilla Thunderbird client. They look like this:

*** Thunderbird logs ***
3712[5a9e240]: nsAuthSSPI::Init
3712[5a9e240]: InitSSPI
3712[5a9e240]: Using SPN of [imap/efim.test.local]
3712[5a9e240]: AcquireCredentialsHandle() succeeded.
3712[5a9e240]: entering nsAuthSSPI::GetNextToken()
3712[5a9e240]: InitializeSecurityContext: continue.
***

> "Wrong principal in request" usually means the principal in the system keytab for your system doesn't agree with the hostname or DNS name of the system.

It does agree. My host is named efim.test.local. Here is the contents of my krb5.keytab:

*** krb5.keytab ***
slot KVNO Principal
---- ---- ----------------------------------
   1    4 imap/efim.test.lo...@romashka.lan
   2    5 pop/efim.test.lo...@romashka.lan
   3    6 smtp/efim.test.lo...@romashka.lan
***

I have already found out that the denial is generated somewhere inside the krb5 libraries, not in Dovecot's modules. But I see no way to trace or debug Kerberos calls. The source code of the Kerberos libs is too complex for me to analyze.

If you are interested, you may join the parallel discussion of the topic on the iXBT forum here: http://forum.ixbt.com/topic.cgi?id=76:10089

With best regards,
Stanislav Klinkov.
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On Aug 31, 2011, at 8:27 AM, Stanislav Klinkov wrote:

>> Why such hostility?
>
> I beg your pardon, sir. Nothing personal, but to a question like "My car does not move" you provide the answer "Try to wipe the screen and kick the wheels." What do you think: if one digs into the source code, has he not already attempted simpler ways? Yes, I have read the manuals and wikis before posting here. And I know what Wireshark is and how to use it.
>
>> And I did answer your second question about how the principal should look.
>
> The matter of my question was how the string in the form service@host agrees with keytab entries in the form service/host@REALM. Now I do know the answer. It is controlled by the argument GSS_C_NT_HOSTBASED_SERVICE of the function gss_import_name.
>
>> Maybe I'm wrong, not running 2.0 yet.
>
> You are wrong. There were some minor changes. See here, for example: http://www.dovecot.org/list/dovecot-cvs/2010-June/017143.html
>
>> Make sure your client is requesting the correct principal in the first place.
>
> Yes, I am sure. I examined the logs of my Mozilla Thunderbird client. They look like this:
>
> *** Thunderbird logs ***
> 3712[5a9e240]: nsAuthSSPI::Init
> 3712[5a9e240]: InitSSPI
> 3712[5a9e240]: Using SPN of [imap/efim.test.local]
> 3712[5a9e240]: AcquireCredentialsHandle() succeeded.
> 3712[5a9e240]: entering nsAuthSSPI::GetNextToken()
> 3712[5a9e240]: InitializeSecurityContext: continue.
> ***

I take these Thunderbird log entries to mean your workstation was able to get a Kerberos ticket for imap/efim.test.local.

>> "Wrong principal in request" usually means the principal in the system keytab for your system doesn't agree with the hostname or DNS name of the system.
>
> It does agree. My host is named efim.test.local. Here is the contents of my krb5.keytab:
>
> *** krb5.keytab ***
> slot KVNO Principal
> ---- ---- ----------------------------------
>    1    4 imap/efim.test.lo...@romashka.lan
>    2    5 pop/efim.test.lo...@romashka.lan
>    3    6 smtp/efim.test.lo...@romashka.lan
> ***

The fact that you have different KVNOs for multiple services on the same host seems curious.

How did you generate those keys and put them into krb5.keytab? Are you using Active Directory for Kerberos?

If I ran ktpass multiple times to generate a new key for imap and then smtp, I would get the "wrong principal in request" error. When I ran ktpass once for IMAP and added the SPN for smtp using LDAP/setspn and used ktutil on the dovecot host to add an entry to my keytab with the same key and kvno as ktpass generated the first time, then dovecot and smtp started working. I suppose that's weaker for security, but chances are your mail SPNs (imap/pop/smtp) are tied to a single user or machine account anyway...

> I have already found out that the denial is generated somewhere inside the krb5 libraries, not in Dovecot's modules. But I see no way to trace or debug Kerberos calls. The source code of the Kerberos libs is too complex for me to analyze.
>
> If you are interested, you may join the parallel discussion of the topic on the iXBT forum here: http://forum.ixbt.com/topic.cgi?id=76:10089
>
> With best regards,
> Stanislav Klinkov.
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
> How did you generate those keys and put them into krb5.keytab?

I logged onto my domain controller via RDP and issued the following commands:

*** keytabs generation ***
ktpass -princ imap/efim.test.lo...@romashka.lan -mapuser dovecot -pass megasuperpassword -ptype KRB5_NT_SRV_HST -out imap.keytab
ktpass -princ pop/efim.test.lo...@romashka.lan -mapuser dovecot -pass megasuperpassword -ptype KRB5_NT_SRV_HST -out pop.keytab
ktpass -princ smtp/efim.test.lo...@romashka.lan -mapuser dovecot -pass megasuperpassword -ptype KRB5_NT_SRV_HST -out smtp.keytab
***

Then I moved imap.keytab, pop.keytab and smtp.keytab onto my dovecot server machine and merged them into a single file with ktutil:

*** ktutil commands ***
rkt imap.keytab
rkt pop.keytab
rkt smtp.keytab
wkt krb5.keytab
quit
***

> Are you using Active Directory for Kerberos?

Yes, I am.

> and added the SPN for smtp using LDAP/setspn and used ktutil on the dovecot host to add an entry to my keytab with the same key and kvno

Sorry, I'm not sure I realize what you mean. What is LDAP/setspn?
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On Aug 31, 2011, at 9:35 AM, Stanislav Klinkov wrote:

>> How did you generate those keys and put them into krb5.keytab?
>
> I logged onto my domain controller via RDP and issued the following commands:
>
> *** keytabs generation ***
> ktpass -princ imap/efim.test.lo...@romashka.lan -mapuser dovecot -pass megasuperpassword -ptype KRB5_NT_SRV_HST -out imap.keytab
> ktpass -princ pop/efim.test.lo...@romashka.lan -mapuser dovecot -pass megasuperpassword -ptype KRB5_NT_SRV_HST -out pop.keytab
> ktpass -princ smtp/efim.test.lo...@romashka.lan -mapuser dovecot -pass megasuperpassword -ptype KRB5_NT_SRV_HST -out smtp.keytab
> ***
>
> Then I moved imap.keytab, pop.keytab and smtp.keytab onto my dovecot server machine and merged them into a single file with ktutil:
>
> *** ktutil commands ***
> rkt imap.keytab
> rkt pop.keytab
> rkt smtp.keytab
> wkt krb5.keytab
> quit
> ***

I did exactly what you did when I was trying to get IMAP and SMTP Kerberized with AD (although I used KRB5_NT_PRINCIPAL in ktpass) and got the same error you were getting. It seemed like running ktpass multiple times invalidated the previous keytabs.

What I did to fix it was run ktpass once for imap/fqdn@REALM and copy the hex key, kvno and encryption type to a text file somewhere. (You could also get these from "klist -Kek imap.keytab".) Then I used ktutil to rkt the imap keytab and did "addent -key -p smtp/fqdn@REALM -k <kvno> -e <enctype>" (probably arcfour-hmac) and then pasted the hex key I got from ktpass. Since you're not using +rndPass in ktpass, you may be able to use -password instead of -key in the addent command in ktutil, but I haven't used that method before. Then wkt the ticket somewhere, run "klist -Kek keytab" and make sure that all entries have the same KVNO, hex key and enc type but different principals.

Then use your preferred method (setspn.exe or some graphical interface to AD's LDAP) to add entries to your dovecot user's servicePrincipalName attribute for each new principal you added to your keytab. The first ktpass should've put something there for you; just follow that example.

To make sure everything should work, hop on a box where you have a valid user Kerberos ticket and do "kvno imap/efim.test.local" and "kvno smtp/efim.test.local". That should try to get tickets for each of those services. If that doesn't work, then something is probably wrong with the servicePrincipalName attribute.

One thing I should mention: servicePrincipalNames must be unique in AD, but I don't believe there are any controls to prevent you from making duplicates since it's just an LDAP attribute. The effect of this (as you can probably guess) is that IMAP, POP and SMTP effectively end up as aliases to the dovecot user in AD, using a single key.

>> Are you using Active Directory for Kerberos?
>
> Yes, I am.
>
>> and added the SPN for smtp using LDAP/setspn and used ktutil on the dovecot host to add an entry to my keytab with the same key and kvno
>
> Sorry, I'm not sure I realize what you mean. What is LDAP/setspn?

I should've been more clear about LDAP/setspn. You can use the setspn.exe command on one of your AD controllers, or the Active Directory Users & Computers or AD GP MMC interfaces (depending on whether you have Win Server 2k3 or 2k8) to edit the servicePrincipalName attribute for your dovecot user in AD's LDAP store.
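Added example, not code from this thread or from Dovecot: it turns David's advice above (every SPN on one AD account must carry the same key, KVNO and enctype, and the keytab KVNO must match what "kvno" gets from the KDC) into a check, and it shows the service@host to service/host@REALM mapping Stanislav asked about earlier in the thread. The output formats assumed are those of MIT Kerberos "klist -Kek" and "kvno"; the listings inside the script are constructed to mirror the symptom reported here (three separate ktpass runs giving KVNO 4, 5 and 6 while the account only holds the last key), using the thread's host efim.test.local and realm ROMASHKA.LAN as an assumption.

```python
# Added example: not from this thread or from Dovecot. Checks a keytab listing
# against what the KDC reports and shows the GSS host-based name mapping.
# Assumes MIT Kerberos "klist -Kek" and "kvno" output formats; the sample
# listings are constructed (host efim.test.local, realm ROMASHKA.LAN assumed).
import re
from collections import defaultdict


def hostbased_to_principal(name, realm):
    """Map a GSS_C_NT_HOSTBASED_SERVICE name 'service@host' to the keytab form
    'service/host@REALM': host lower-cased, trailing dot stripped, realm upper-cased.
    (No DNS canonicalisation here; the real GSS library may also do that.)"""
    service, sep, host = name.partition("@")
    if not sep or not service or not host:
        raise ValueError("not a host-based service name: %r" % name)
    return "%s/%s@%s" % (service, host.rstrip(".").lower(), realm.upper())


# "klist -Kek" entry: "   6 imap/host@REALM (arcfour-hmac)  (0x<hex key>)"
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s+\(0x([0-9a-fA-F]+)\)\s*$")
# "kvno" output line: "imap/host@REALM: kvno = 6"
KVNO_LINE = re.compile(r"^(\S+): kvno = (\d+)\s*$")


def parse_klist_kek(text):
    """Return one dict per keytab entry: kvno, principal, enctype, key (hex)."""
    entries = []
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            entries.append({"kvno": int(m.group(1)), "principal": m.group(2),
                            "enctype": m.group(3), "key": m.group(4).lower()})
    return entries


def parse_kvno(text):
    """Return {principal: kvno} as the KDC currently issues tickets for them."""
    kvnos = {}
    for line in text.splitlines():
        m = KVNO_LINE.match(line)
        if m:
            kvnos[m.group(1)] = int(m.group(2))
    return kvnos


def audit_keytab(keytab_text, kvno_text):
    """Return a list of problem strings; an empty list means the keytab can
    decrypt every service ticket the KDC issues for the listed principals."""
    problems = []
    entries = parse_klist_kek(keytab_text)
    kvnos_in_keytab = defaultdict(set)
    for e in entries:
        kvnos_in_keytab[e["principal"]].add(e["kvno"])
    # 1. The KDC encrypts a service ticket with the account's *current* key;
    #    a keytab entry carrying an older kvno can never decrypt it.
    for princ, kv in parse_kvno(kvno_text).items():
        if princ not in kvnos_in_keytab:
            problems.append("%s: KDC reports kvno %d, keytab has no entry" % (princ, kv))
        elif kv not in kvnos_in_keytab[princ]:
            problems.append("%s: KDC kvno %d not in keytab kvnos %s"
                            % (princ, kv, sorted(kvnos_in_keytab[princ])))
    # 2. SPNs mapped to one AD account share one key per enctype. Differing
    #    keys mean each ktpass run reset the account password and only the
    #    last run is live (David's "same key, kvno and enctype" rule).
    per_enctype = defaultdict(set)
    for e in entries:
        per_enctype[e["enctype"]].add((e["kvno"], e["key"]))
    for enctype, variants in sorted(per_enctype.items()):
        if len(variants) > 1:
            problems.append("%s: %d different kvno/key pairs across principals; "
                            "regenerate all SPNs from one key" % (enctype, len(variants)))
    return problems


# Constructed sample: three separate ktpass runs, as in the thread (kvno 4, 5, 6).
BROKEN_KEYTAB = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 imap/efim.test.local@ROMASHKA.LAN (arcfour-hmac)  (0x11111111111111111111111111111111)
   5 pop/efim.test.local@ROMASHKA.LAN (arcfour-hmac)  (0x22222222222222222222222222222222)
   6 smtp/efim.test.local@ROMASHKA.LAN (arcfour-hmac)  (0x33333333333333333333333333333333)
"""
# Constructed sample: the account only holds the key from the last run, so the KDC says 6.
KDC_KVNO = """imap/efim.test.local@ROMASHKA.LAN: kvno = 6
pop/efim.test.local@ROMASHKA.LAN: kvno = 6
smtp/efim.test.local@ROMASHKA.LAN: kvno = 6
"""
# Constructed sample: one ktpass run, the other SPNs added with ktutil "addent -key".
FIXED_KEYTAB = """KVNO Principal
---- --------------------------------------------------------------------------
   6 imap/efim.test.local@ROMASHKA.LAN (arcfour-hmac)  (0x33333333333333333333333333333333)
   6 pop/efim.test.local@ROMASHKA.LAN (arcfour-hmac)  (0x33333333333333333333333333333333)
   6 smtp/efim.test.local@ROMASHKA.LAN (arcfour-hmac)  (0x33333333333333333333333333333333)
"""

if __name__ == "__main__":
    print(hostbased_to_principal("imap@efim.test.local", "romashka.lan"))
    for label, text in (("broken keytab", BROKEN_KEYTAB), ("fixed keytab", FIXED_KEYTAB)):
        problems = audit_keytab(text, KDC_KVNO)
        print("%s: %s" % (label, "OK" if not problems else ""))
        for p in problems:
            print("  " + p)
```

On a real host, replace the constructed strings with the output of "klist -Kek /etc/krb5.keytab" run on the Dovecot server and of "kvno imap/host pop/host smtp/host" run from a box that holds a user TGT; the two checks separate a stale keytab (KVNO behind the KDC) from a keytab whose SPNs were generated from different passwords. Heimdal's ktutil prints a different layout and would need its own regular expression.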
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
Thank you for sharing a very interesting experience, David.

> It seemed like running ktpass multiple times invalidated the previous keytabs.

OK. Let us assume so. But then how can you explain the fact that the setting auth_gssapi_hostname = $ALL in the dovecot config solves all the mentioned troubles at once?

As well, I have just run the following experiment. I re-generated one more keytab for the service imap/test.efim.local only, so it became the last-generated key. Then I copied it onto my dovecot server as the only krb.keytab file, and nothing changed.

Also, I issued the following command on my AD domain controller:

C:\Windows\system32>setspn -L dovecot

And the result was:

***
Registered ServicePrincipalNames for CN=dovecot,OU=Agents,DC=romashka,DC=lan:
    imap/efim.test.local
    smtp/efim.test.local
    pop/efim.test.local
***

Please note that I have not applied any magic to the servicePrincipalName of the AD user dovecot by setspn or other AD snap-ins.

> To make sure everything should work, hop on a box where you have a valid user Kerberos ticket and do "kvno imap/efim.test.local" and "kvno smtp/efim.test.local".

Sorry, I might not have mentioned it above: I run Mozilla Thunderbird on my Windows XP workstation.
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On 08/31/2011 07:35 AM, Stanislav Klinkov wrote:

>> and added the SPN for smtp using LDAP/setspn and used ktutil on the dovecot host to add an entry to my keytab with the same key and kvno
>
> Sorry, I'm not sure I realize what you mean. What is LDAP/setspn?

I have only followed part of this. If the original poster's problem is that the LDAP database cannot be accessed with an SPN ticket, this is because SPNs are not allowed to log in in AD. You need to use a user account (including MACHINE$ accounts). It took me forever to figure this out.

To use this, you need a cron job that creates/renews tickets from time to time for the user/machine account. Then you use Dovecot's environment setup configuration to set the KRB5_CC (or whatever it is called, my head is elsewhere) env variable to that Kerberos ticket cache that was created in the cron job. This cache needs to be readable by dovecot and should be owned by its user.

Trever
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On Aug 31, 2011, at 10:55 AM, Stanislav Klinkov wrote:

> Thank you for sharing a very interesting experience, David.
>
>> It seemed like running ktpass multiple times invalidated the previous keytabs.
>
> OK. Let us assume so. But then how can you explain the fact that the setting auth_gssapi_hostname = $ALL in the dovecot config solves all the mentioned troubles at once?

That is a very good question that I sadly don't have the answer to, and I fear I misunderstood the initial problem. It's my understanding that auth_gssapi_hostname controls which entries in the keytab file dovecot will allow itself to use. If you enable debug auth logging in dovecot, do you see anything about which entry in your keytab file it's attempting to use? Also, do you see anything in your AD logs when you get the invalid principal error from the IP of your dovecot host?

> As well, I have just run the following experiment. I re-generated one more keytab for the service imap/test.efim.local only, so it became the last-generated key. Then I copied it onto my dovecot server as the only krb.keytab file, and nothing changed.
>
> Also, I issued the following command on my AD domain controller:
>
> C:\Windows\system32>setspn -L dovecot
>
> And the result was:
>
> ***
> Registered ServicePrincipalNames for CN=dovecot,OU=Agents,DC=romashka,DC=lan:
>     imap/efim.test.local
>     smtp/efim.test.local
>     pop/efim.test.local
> ***
>
> Please note that I have not applied any magic to the servicePrincipalName of the AD user dovecot by setspn or other AD snap-ins.
>
>> To make sure everything should work, hop on a box where you have a valid user Kerberos ticket and do "kvno imap/efim.test.local" and "kvno smtp/efim.test.local".
>
> Sorry, I might not have mentioned it above: I run Mozilla Thunderbird on my Windows XP workstation.
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On 31.08.2011 18:55, Stanislav Klinkov wrote:

> Thank you for sharing a very interesting experience, David.
>
>> It seemed like running ktpass multiple times invalidated the previous keytabs.
>
> OK. Let us assume so. But then how can you explain the fact that the setting auth_gssapi_hostname = $ALL in the dovecot config solves all the mentioned troubles at once?
>
> As well, I have just run the following experiment. I re-generated one more keytab for the service imap/test.efim.local only, so it became the last-generated key. Then I copied it onto my dovecot server as the only krb.keytab file, and nothing changed.
>
> Also, I issued the following command on my AD domain controller:
>
> C:\Windows\system32>setspn -L dovecot
>
> And the result was:
>
> ***
> Registered ServicePrincipalNames for CN=dovecot,OU=Agents,DC=romashka,DC=lan:
>     imap/efim.test.local
>     smtp/efim.test.local
>     pop/efim.test.local
> ***
>
> Please note that I have not applied any magic to the servicePrincipalName of the AD user dovecot by setspn or other AD snap-ins.

Early versions of ktpass only allowed 1 servicePrincipalName, thus every time you generated a new one it overwrote the old one. ktpass from Win2008 seems to fix this.

>> To make sure everything should work, hop on a box where you have a valid user Kerberos ticket and do "kvno imap/efim.test.local" and "kvno smtp/efim.test.local".
>
> Sorry, I might not have mentioned it above: I run Mozilla Thunderbird on my Windows XP workstation.

Can you do "kinit -k imap/efim.test.lo...@romashka.lan" and then "klist"? Does it work for you?

I do recommend tcpdump'ing the Kerberos traffic between your client and server; this usually helps me much better than any logging, and the flow is easy to read in Wireshark.
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On 08/31/2011 10:30 AM, Nikolay Shopik wrote:

> Can you do "kinit -k imap/efim.test.lo...@romashka.lan" and then "klist"? Does it work for you?
>
> I do recommend tcpdump'ing the Kerberos traffic between your client and server; this usually helps me much better than any logging, and the flow is easy to read in Wireshark.

Under Active Directory, you cannot kinit as an SPN, only as a UPN (including MACHINE$ accounts). At least this is my experience.

Trever
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On Wed, Aug 31, 2011 at 09:28:50AM -0600, Trever L. Adams wrote:

> I have only followed part of this. If the original poster's problem is that the LDAP database cannot be accessed with an SPN ticket, this is because SPNs are not allowed to log in in AD. You need to use a user account (including MACHINE$ accounts). It took me forever to figure this out.
>
> To use this, you need a cron job that creates/renews tickets from time to time for the user/machine account. Then you use Dovecot's environment setup configuration to set the KRB5_CC (or whatever it is called, my head is elsewhere) env variable to that Kerberos ticket cache that was created in the cron job. This cache needs to be readable by dovecot and should be owned by its user.

This all works a 1000% better if you use Samba to join the domain and create your keytab with the right SPNs. See my prior posts to this list for a formula. Using the MS Kerberos compatibility tools is painful, complicated and tends to make a mess.

Samba will create a machine UPN and populate the system keytab appropriately. From a cron job you can use 'kinit -k' to maintain an active ticket for the machine UPN which dovecot can use for LDAP operations.

Jason
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On Wed, 31 Aug 2011 14:39:56 -0600 Jason Gunthorpe articulated:

> On Wed, Aug 31, 2011 at 09:28:50AM -0600, Trever L. Adams wrote:
>
>> I have only followed part of this. If the original poster's problem is that the LDAP database cannot be accessed with an SPN ticket, this is because SPNs are not allowed to log in in AD. You need to use a user account (including MACHINE$ accounts). It took me forever to figure this out.
>>
>> To use this, you need a cron job that creates/renews tickets from time to time for the user/machine account. Then you use Dovecot's environment setup configuration to set the KRB5_CC (or whatever it is called, my head is elsewhere) env variable to that Kerberos ticket cache that was created in the cron job. This cache needs to be readable by dovecot and should be owned by its user.
>
> This all works a 1000% better if you use Samba to join the domain and create your keytab with the right SPNs. See my prior posts to this list for a formula. Using the MS Kerberos compatibility tools is painful, complicated and tends to make a mess.
>
> Samba will create a machine UPN and populate the system keytab appropriately. From a cron job you can use 'kinit -k' to maintain an active ticket for the machine UPN which dovecot can use for LDAP operations.

I just got this link from a friend who uses Kerberos on several systems: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=8350

I have no idea if it will work or help you or not.

--
Jerry
dovecot.u...@seibercom.net
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On 30.08.2011 9:24, Stanislav Klinkov wrote:

>> Your principal in keytab should look like this - imap/mail.example@example.com
>> Make sure your realm name is all CAPS, otherwise it won't work.
>
> Thank you, Captain Obvious.

Why such hostility? A lot of people miss that, nothing special here. And I did answer your second question about how the principal should look.

Because mech-gssapi.c wasn't changed in years, I doubt anything changed in GSSAPI in the 2.0 version compared to the 1.2 series. Maybe I'm wrong, not running 2.0 yet.

Make sure your client is requesting the correct principal in the first place. "Wrong principal in request" usually means the principal in the system keytab for your system doesn't agree with the hostname or DNS name of the system.
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On 08/30/2011 12:50 PM, Nikolay Shopik wrote:

> On 30.08.2011 9:24, Stanislav Klinkov wrote:
>
>>> Your principal in keytab should look like this - imap/mail.example@example.com
>>> Make sure your realm name is all CAPS, otherwise it won't work.
>>
>> Thank you, Captain Obvious.
>
> Why such hostility? A lot of people miss that, nothing special here. And I did answer your second question about how the principal should look.

Agreed. I am unlikely to help with this problem now due to lack of common courtesy.
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On 29.08.2011 17:39, Stanislav Klinkov wrote:

> So, according to the source code, Dovecot tries to find in krb5.keytab a principal named imap@hostname. However, the wiki says to create the principal named imap/hostname@REALM. Please clarify where the error is: in the source code, in the wiki, or have I misunderstood something?

Your principal in keytab should look like this - imap/mail.example@example.com
Make sure your realm name is all CAPS, otherwise it won't work.
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
> Your principal in keytab should look like this - imap/mail.example@example.com
> Make sure your realm name is all CAPS, otherwise it won't work.

Thank you, Captain Obvious.