You need a KDC for Kerberos; Samba provides it, but there are other
possible solutions, such as Active Directory or Red Hat's IdM.
On Mon 24 Oct 2022 01:53, mich wrote:
> Hello
>
> So you have to install Samba?
>
> Michel
>
> *From: * on behalf of "users@sogo.nu"
> *Reply-To: *"users@sogo.nu"
> *Date: *Sunday 23 October 2022 at 19:22
> *To: *"users@sogo.nu"
> *Subject: *Re: [SOGo] kerberos sogo
>
> The session key is a 32-byte random string; all details are in:
> https://github.com/gssapi/mod_auth_gssapi
> You can also specify it inline but then it must be base64 encoded, e.g.
>
> makepasswd --chars=32 | base64
>
> And in the apache conf:
>
> GssapiSessionKey key:
>
> In this case there is no file, hence no file permissions to think about.
>
> If your machine is a Samba domain member you can also use the default
> /etc/krb5.keytab; just do:
>
> chgrp www-data /etc/krb5.keytab
>
> To make it accessible for apache.
> Do note that www-data is the group on Debian, other distros may use a
> different group name.
>
> If your machine is not a domain-member, it is a bit more work.
>
> You create a machine account in samba and create the principal:
>
> samba-tool computer create
> # Set encryption types on the account
> net ads enctypes set 28
> # Set a password on the computer account (unicodePwd takes the UTF-16LE
> # password, base64-encoded in the LDIF; printf instead of echo so the
> # newlines are interpreted under every shell):
> PW=$(makepasswd --chars=32 | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)
> printf 'dn: \nchangetype: modify\nreplace: unicodePwd\nunicodePwd:: %s\n' "${PW}" \
>   | ldbmodify -H /var/lib/samba/private/sam.ldb
>
> PRINCIPAL="http/"
> samba-tool spn add ${PRINCIPAL} -H /var/lib/samba/private/sam.ldb
> samba-tool domain exportkeytab -d 8 --principal=${PRINCIPAL}
>
> Now copy the keytab file to the target host and provide access to
> apache with:
>
> chgrp www-data /etc/krb5.keytab
>
> Done.
>
> On 22-10-2022 15:20, mich (supp...@foxnet.be) wrote:
>
> Hello Kees
>
> Thanks for the approach.
>
> Is there a more detailed tutorial, especially for the creation of the keys
> gssapi_session.key and apache.keytab, as I do not use LDAP to identify me
> during user connections; I use mysql.
>
> With the solution you asked for, Kerberos is used for authentication, not
> Mysql nor LDAP.
>
> Samba4 provides MS-AD functionality, which is a.o. Kerberos + LDAP. In the
> example below LDAP is used for authorization on top of the authentication
> provided by Kerberos (to get access a user must be member of a certain
> group, the "users_with_sogo_access" group).
>
> Sogo still requires a database to store the user profile.
>
> - Kees
>
> Michel
>
> *From: * on behalf of "users@sogo.nu"
> *Reply-To: *"users@sogo.nu"
> *Date: *Friday 21 October 2022 at 11:43
> *To: *"users@sogo.nu"
> *Subject: *Re: [SOGo] kerberos sogo
>
> You can let your webserver do the authentication, there it can do
> krb5/gssapi authentication.
>
> In sogo.conf set:
>
> SOGoTrustProxyAuthentication = YES;
>
> In Apache conf put something like:
>
> AuthName "Login"
> AuthType GSSAPI
> GssapiSSLonly On
> GssapiLocalName On
> GssapiUseSessions On
> GssapiSessionKey file:/var/lib/apache2/secrets/gssapi_session.key
> GssapiCredStore keytab:/etc/keytab/apache.keytab
> GssapiDelegCcacheDir /run/apache2/krb5
> GssapiBasicAuth on
> GssapiAllowedMech krb5
> GssapiBasicAuthMech krb5
> Session On
> SessionCookieName gssapi_session path=/private;httponly;secure;
> Require valid-user
> SetEnv proxy-nokeepalive 1
> RewriteEngine On
> RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
>
> If you also want authorization with ldap group-membership then that can
> simply be added to the Apache config. Replace "Require valid-user" with:
>
> AuthLDAPURL "ldap://dc1.example.com dc2.example.com/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
> AuthLDAPRemoteUserAttribute sAMAccountName
>
> Require valid-user
> Require ldap-attribute userAccountControl="512"
> Require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=,OU=,DC=example,DC=com
>
> This example is for Samba4 (or AD).
>
> There is one side-effect of webserver authentication: the user's password
> is not available in Sogo. This means that you must have password-less login
> from Sogo to imap and smtp/submission.
>
> For example run Sogo on the same machine as Dovecot and add this to the
> dovecot config:
>
> passdb {
> args = nopassword=y allow_nets=127.0.0.1/32
> driver = static
> }
>
> - Kees
>
> On 21-10-2022 11:04, Christian Mack (christian.m...@uni-konstanz.de)
> wrote:
>
> Hello
>
> SOGo itself does not know about Kerberos.
> But you can use its SAML interface in order to use it.
> For that to work you have to set up an "Identity Provider" which delivers
> Kerberos tickets and a "Service Provider" for SOGo which handles
> authentication for it.
> Also your mail servers (IMAP + SMTP) have to either use Kerberos for
> authentication, or you have to allow not authenticated access from the SO
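As an added example, not code from the thread or from SOGo/mod_auth_gssapi: a small POSIX shell audit of two things the thread leaves to the reader, the permissions on the keytab and session key that "chgrp www-data" hands to Apache, and the presence of the directives in the Apache block that make SOGoTrustProxyAuthentication safe to enable (real authentication with a Require, TLS only, a protected session cookie). All paths and the weakened sample config are constructed, and the current user's gid stands in for www-data so it runs anywhere.

```shell
# Added example, not from the thread or from SOGo/mod_auth_gssapi: check that the
# secrets mod_auth_gssapi reads (keytab, session key) belong to the web server's
# group with no "other" bits, and that the block exporting SOGO_REMOTE_USER really
# authenticates (AuthType GSSAPI + Require), insists on TLS and protects its cookie.
# All paths are hypothetical; make_samples constructs the files it inspects.

# Return 0 when $1 exists, has numeric group $2 and no permission bits for "other".
check_secret_file() {
    f=$1; want_gid=$2
    [ -f "$f" ] || { echo "MISSING $f"; return 1; }
    mode=$(stat -c '%a' "$f"); gid=$(stat -c '%g' "$f")
    [ $(( mode % 10 )) -eq 0 ] || { echo "WORLD-READABLE $f (mode $mode)"; return 1; }
    [ "$gid" = "$want_gid" ] || { echo "WRONG GROUP $f (gid $gid, want $want_gid)"; return 1; }
    echo "OK $f"
}

# Return 0 when Apache snippet $1 carries every directive the thread depends on.
check_apache_conf() {
    c=$1; rc=0
    for want in 'AuthType +GSSAPI' 'Require +' 'GssapiSSLonly +On' \
                'SessionCookieName .*httponly' 'SessionCookieName .*secure' \
                'RewriteRule .*SOGO_REMOTE_USER:%\{REMOTE_USER\}'; do
        grep -qiE "^[[:space:]]*$want" "$c" || { echo "MISSING directive: $want"; rc=1; }
    done
    return $rc
}

# Constructed samples: the hardened block from the thread, a weakened copy (plain
# HTTP allowed, cookie without "secure"), and a 640 vs a world-readable secret.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/good.conf" <<'EOF'
AuthType GSSAPI
GssapiSSLonly On
SessionCookieName gssapi_session path=/private;httponly;secure;
Require valid-user
RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
EOF
    sed -e 's/GssapiSSLonly On/GssapiSSLonly Off/' -e 's/;secure;/;/' \
        "$d/good.conf" > "$d/weak.conf"
    printf 'constructed\n' > "$d/krb5.keytab"
    chmod 640 "$d/krb5.keytab"; chgrp "$(id -g)" "$d/krb5.keytab"  # the thread's chgrp step
    printf 'constructed\n' > "$d/leaky.key"; chmod 644 "$d/leaky.key"
    echo "$d"
}
# Run the audit over the samples; returns 0 when good passes and weak fails.
run_audit() {
    d=$(make_samples); gid=$(id -g)   # our own gid stands in for www-data here
    check_apache_conf "$d/good.conf" && ! check_apache_conf "$d/weak.conf" &&
      check_secret_file "$d/krb5.keytab" "$gid" && ! check_secret_file "$d/leaky.key" "$gid"
}
```

On a real host, pass the gid of www-data (or whatever group your distro uses for Apache) and point the checks at /etc/krb5.keytab, the session key file and the vhost snippet.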