Hello

So you have to install Samba?

Michel

From: <[email protected]> on behalf of "[email protected]" <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Sunday 23 October 2022 at 19:22
To: "[email protected]" <[email protected]>
Subject: Re: [SOGo] kerberos sogo

The session key is a 32 bytes random string, all details are in: 
https://github.com/gssapi/mod_auth_gssapi
You can also specify it inline but then it must be base64 encoded, e.g.

makepasswd --chars=32 | base64

And in the apache conf:

GssapiSessionKey key:<the base64 encoded key>

In this case there is no file, hence no file permissions to think about.

If your machine is a Samba domain member you can also use the default 
/etc/krb5.keytab just do:

chgrp www-data /etc/krb5.keytab

To make it accessible for apache. 
Do note that www-data is the group on Debian, other distros may use a different 
group name.

If your machine is not a domain-member, it is a bit more work. 

You create a machine account in samba and create the principal: 

samba-tool computer create <hostname>
# Set encryption types on the account
net ads enctypes set <hostname> 28
# set a password on the computer account:
PW=$(makepasswd --chars=32 | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)
# printf is used instead of echo: bash's builtin echo does not expand "\n" without -e
printf 'dn: <host DN>\nchangetype: modify\nreplace: unicodePwd\nunicodePwd::%s\n' "${PW}" | ldbmodify -H /var/lib/samba/private/sam.ldb

PRINCIPAL="http/<host fqdn>"
samba-tool spn add ${PRINCIPAL} <hostname> -H /var/lib/samba/private/sam.ldb
samba-tool domain exportkeytab -d 8 --principal=${PRINCIPAL} <keytab_filename>

Now copy the keytab filename to the target host and provide access to apache 
with:

chgrp www-data /etc/krb5.keytab

Done.
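As an added check (example code, not from the thread), the two secrets this setup depends on can be verified before restarting Apache: an inline GssapiSessionKey must decode to exactly 32 bytes, and a keytab or session-key file must be readable by the web server group only. It assumes GNU coreutils (stat -c, base64 -d) and takes the group name as a parameter, since www-data is Debian-specific.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for the secrets the
# mod_auth_gssapi setup above relies on. Assumes GNU coreutils (stat -c,
# base64 -d); the web server group (www-data on Debian) is a parameter.

# Generate an inline GssapiSessionKey value: 32 random bytes, base64 encoded.
# The thread uses makepasswd; /dev/urandom is used here to stay self-contained.
gen_session_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Return 0 if the base64 value decodes to exactly 32 bytes, as the module expects.
check_session_key() {
    nbytes=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "${nbytes:-0}" -eq 32 ]
}

# Return 0 if a secret file (keytab or gssapi_session.key) is readable by the
# web server group but not by "other": group must match and the octal mode
# must end in 0 (e.g. 640 or 440).
check_secret_perms() {
    file="$1"; group="$2"
    [ -f "$file" ] || return 1
    [ "$(stat -c '%G' "$file")" = "$group" ] || return 1
    case "$(stat -c '%a' "$file")" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Print the Apache directive for an inline key (no file, so nothing to chgrp).
session_key_directive() {
    printf 'GssapiSessionKey key:%s\n' "$1"
}
```

Typical use: `check_secret_perms /etc/krb5.keytab www-data || echo "keytab permissions wrong"`, and `session_key_directive "$(gen_session_key)"` to produce the inline-key line.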

On 22-10-2022 15:20, mich ([email protected]) wrote:

Hello Kees

Thanks for the approach.

Do you have a more detailed tutorial, especially for the creation of the keys 
gssapi_session.key and apache.keytab, as I do not use LDAP to identify me during 
user connections, I use mysql.

With the solution you asked for, Kerberos is used for authentication, not Mysql 
nor LDAP. 

Samba4 provides MS-AD functionality, which is a.o. Kerberos + LDAP. In the 
example below LDAP is used for authorization on top of the authentication 
provided by Kerberos (to get access a user must be member of a certain group, 
the "users_with_sogo_access" group). 

Sogo still requires a database to store the user profile.

- Kees

Michel

From: <[email protected]> on behalf of "[email protected]" <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Friday 21 October 2022 at 11:43
To: "[email protected]" <[email protected]>
Subject: Re: [SOGo] kerberos sogo

You can let your webserver do the authentication, there it can do krb5/gssapi 
authentication.

In sogo.conf set:

SOGoTrustProxyAuthentication = YES;

In Apache conf put something like:

<Location /SOGo>
    AuthName "Login"
    AuthType GSSAPI
    GssapiSSLonly On
    GssapiLocalName On
    GssapiUseSessions On
    GssapiSessionKey file:/var/lib/apache2/secrets/gssapi_session.key
    GssapiCredStore keytab:/etc/keytab/apache.keytab
    GssapiDelegCcacheDir /run/apache2/krb5
    GssapiBasicAuth on
    GssapiAllowedMech krb5
    GssapiBasicAuthMech krb5
    Session On
    SessionCookieName gssapi_session path=/private;httponly;secure;
    Require valid-user
    SetEnv proxy-nokeepalive 1
    RewriteEngine On
    RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
</Location>

If you also want authorization with ldap group-membership then that can simply 
be added to the Apache config. Replace "Require valid-user" with:

AuthLDAPURL "ldap://dc1.example.com dc2.example.com/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
AuthLDAPRemoteUserAttribute sAMAccountName
<RequireAll>
    Require valid-user
    Require ldap-attribute userAccountControl="512"
    Require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=<MY-AUTHORIZATION-GROUP>,OU=<AUTHORIZATION-GROUPS>,DC=example,DC=com
</RequireAll>

This example is for Samba4 (or AD).

There is one side-effect of webserver authentication: the user's password is 
not available in Sogo. This means that you must have password-less login from 
Sogo to imap and smtp/submission. 

For example run Sogo on the same machine as Dovecot and add this to the dovecot 
config:

passdb {
  args = nopassword=y allow_nets=127.0.0.1/32
  driver = static
}

- Kees

On 21-10-2022 11:04, Christian Mack ([email protected]) wrote:

Hello 

SOGo itself does not know about Kerberos. 
But you can use its SAML interface in order to use it. 
For that to work you have to setup an "Identity Provider" which delivers 
Kerberos Tickets and a "Service Provider" for SOGo which handles authentication 
for it. 
Also your mail servers (IMAP + SMTP) have to either use kerberos for 
authentication, or you have to allow not authenticated access from the SOGo 
server. 

SAML settings are documented in the Installation Documentation of SOGo, but how 
to set up Identity and Service Providers is not. 
You will need additional expertise for that. 

For how to enable and use Kerberos authentication with your mail server, you have 
to check its documentation.


Kind regards, 
Christian Mack 

On 20.10.22 at 13:10, mich ([email protected]) wrote:

Hello 

Is this "kerberos sogo" solution still current?

Also, if it works online and not locally, is there any documentation on the 
subject?

Michel 
