[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Mark Foley mfoley at ohprs.org
Sun Jul 17 06:26:39 UTC 2016


On Sat, 16 Jul 2016 21:32:33 +0200 Achim Gottinger <achim at ag-web.biz> wrote:
> Am 16.07.2016 um 20:39 schrieb Rowland penny:
> > On 16/07/16 19:09, Mark Foley wrote:
> >> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> 
> >> wrote:
> >>
> >>> On 15/07/16 08:17, Rowland penny wrote:
> >>>> On 15/07/16 00:34, Andrew Bartlett wrote:
> >>>>> On Thu, 2016-07-14 at 22:05 +0100, Rowland penny wrote:
> >>>>>> On 14/07/16 21:52, Andrew Bartlett wrote:
> >>>>>>>    Rowland:
> >>>>>>>
> >>>>>>> Running samba-tool domain exportkeytab for a specific user is quite
> >>>>>>> a
> >>>>>>> reasonable thing to do, and is entirely sensible to recommend as
> >>>>>>> part
> >>>>>>> of adding a new user with an SPN.  The keytab can then be deployed
> >>>>>>> as
> >>>>>>> required.
> >>>>>>>
> >>>>>>> Running the exportkeytab file is not the same as loading up the DC
> >>>>>>> with
> >>>>>>> other services.  Not that this is a total disaster (particularly
> >>>>>>> for
> >>>>>>> small sites trying to replace SBS), but we do try and make folks
> >>>>>>> think
> >>>>>>> before creating mega-servers.
> >>>>>>>
> >>>>>>> I'm very happy for such information to be in our wiki, as I do
> >>>>>>> refer to
> >>>>>>> it and refer others to the apache page, which shows the same
> >>>>>>> pattern as
> >>>>>>> required for mod_auth_kerb.
> >>>>>>>
> >>>>>>> https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory
> >>>>>>>
> >>>>>>> Indeed, we need to make this page easier to find.
> >>>>>>>
> >>>>>>> Andrew Bartlett
> >>>>>>>
> >>>>>> Andrew, I know all this, but in this instance, the OP is going to
> >>>>>> run
> >>>>>> Dovecot on the DC. Now, if you are happy to say that Samba is now
> >>>>>> recommending using the Samba AD DC as a fileserver etc, I am quite
> >>>>>> happy
> >>>>>> to trawl the wiki, removing any references to not using the DC as a
> >>>>>> fileserver etc, otherwise, I will go back to my plan of creating a
> >>>>>> wiki
> >>>>>> page for Dovecot similar to the Apache one.
> >>>>> I didn't see anything in the instructions that were specific to 
> >>>>> running
> >>>>> on a DC, and in any case, we can afford to be a little less dogmatic
> >>>>> about this.  Please don't go trawling the wiki one way or the other.
> >>>>>
> >>>>> To be clear: I'm happy with the statement currently on the wiki:
> >>>>>
> >>>>> Whilst the Domain Controller seems capable of running as a full file
> >>>>> server, it is suggested that organisations run a distinct file server
> >>>>> to allow upgrades of each without disrupting the other. It is also
> >>>>> suggested that medium-sized sites should run more than one DC. It 
> >>>>> also
> >>>>> makes sense to have the DCs distinct from any file servers that may
> >>>>> use the Domain Controllers. Additionally using distinct file servers
> >>>>> avoids the idiosyncrasies in the winbindd configuration on the Active
> >>>>> Directory Domain Controller. The Samba team does not recommend 
> >>>>> using a
> >>>>> Samba-based Domain Controller as a file server, and recommend that
> >>>>> users run a separate Domain Member with file shares.
> >>>>>
> >>>>> Thanks,
> >>>>>
> >>>>> Andrew Bartlett
> >>>>>
> >>>> OK, now we have sorted that out, I will put creating a wiki page for
> >>>> Dovecot on my TODO list, it will be based around the Apache page i.e.
> >>>> it will say what user & SPN to create and then say how to transfer the
> >>>> resultant keytab to another machine, leaving it up to the sysadmin to
> >>>> read between the lines.
> >>>>
> >>>> This is what I planned to do.
> >>>>
> >>>> Rowland
> >>>>
> >>>>
> >>> OK, just an update on the new wiki page for Dovecot, I started to write
> >>> it and realised there is a potential problem.
> >>>
> >>> The user created in AD is called 'dovecot' and the Dovecot packages 
> >>> also
> >>> want to create a user called 'dovecot' in /etc/passwd, they cannot both
> >>> exist.
> >> Actually, yes they can. *ALL* my domain users are also in /etc/passwd 
> >> because I use sendmail
> >> and procmail as MTA to deliver mail to the appropriate Maildir 
> >> folders (as defined in
> >> /etc/passwd for home directories) and I use /etc/shadow as Dovecot's 
> >> passdb for non-domain mail
> >> clients such as iPhone and Outlook (the latter simply because I 
> >> haven't figured out NTLM
> >> authentication for Outlook yet).
> >
> > Then, when you run 'getent passwd userA' which user do you get back ? 
> > and have you tried creating a new local Unix user lately if that user 
> > exists in AD already ?
> >
> > User 'rowland' is in AD:
> >
> > root at devstation:/home/rowland/dovecot# getent passwd rowland
> > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> >
> > If the 'root' user tries to create a local Unix user called 'rowland'
> >
> > root at devstation:/home/rowland/dovecot# useradd rowland
> > useradd: user 'rowland' already exists
> >
> > Still think it is a good idea having your users in /etc/passwd & AD ?
> >
> > You don't need to anyway, Dovecot can use the mail or 
> > userPrincipalName attributes.
> >
> > Rowland
> >
> >>
> >> All domain members, Windows or Linux, authenticate users with their 
> >> AD credentials just fine.
> >>
> >> What I did do with AD users and did not do with the AD dovecot user 
> >> is create their /etc/passwd
> >> entry with the same UID:GID as the AD account. So, for the dovecot 
> >> user I could have:
> >
> > You do need the local Unix users in AD then, just give them a 
> > 'uidNumber' attribute.
> >
> >
> > Rowland
> >
> As long as the nss order is files or compat and afterwards winbind. 
> Using dovecot for the samba user does not hurt.
> The samba dovecot uid is at no place required for kerberos authentication.
>

I've made no change at all to my /etc/nsswitch.conf since the last time I scratch installed
Linux on the AD/DC Dovecot host in January, 2015. The as-shipped must be fine. Mine is:

passwd:         compat
group:          compat

hosts:          files dns
networks:       files

services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files
bootparams:     files

automount:      files
aliases:        files

No winbind on the AD/DC, but winbind is in the domain members' nsswitch.conf:

passwd:         compat winbind
group:          compat winbind

--Mark
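The thread turns on two things: which source `getent passwd` answers from when the same name exists both in /etc/passwd and in AD (decided by the `passwd:` line in nsswitch.conf, as Achim notes), and whether the local and AD copies carry the same UID:GID (Mark's practice). The script below is an added example, not code from this thread, from Samba or from Dovecot. It emulates the nsswitch lookup order over a constructed passwd file and a constructed list of AD accounts (the names, UIDs and attribute values are all made up), and flags any name whose local and AD identities disagree. It assumes the `ad` idmap backend, so an AD account with no `uidNumber` yields no POSIX entry; that is an assumption of this example, not something the thread states.

```python
"""Emulate nsswitch passwd resolution and flag local/AD account clashes.

Added example for the Samba list thread above; all inputs are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    source: str  # "files" (/etc/passwd) or "winbind" (AD)


def parse_nsswitch_passwd(text: str) -> List[str]:
    """Return the source order on the 'passwd:' line of an nsswitch.conf."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        if key.strip() == "passwd":
            return value.split()
    return ["files"]  # glibc default when the line is absent


def parse_passwd(text: str) -> Dict[str, Account]:
    """Parse passwd(5)-format lines; malformed lines are skipped."""
    accounts: Dict[str, Account] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        accounts[fields[0]] = Account(fields[0], int(fields[2]), int(fields[3]), "files")
    return accounts


def parse_ad(entries: List[dict]) -> Dict[str, Account]:
    """Build POSIX accounts from AD attributes (sAMAccountName/uidNumber/gidNumber).

    Assumption for this example: idmap backend 'ad', so an account without
    uidNumber has no POSIX identity and is not returned by winbind.
    """
    accounts: Dict[str, Account] = {}
    for e in entries:
        if "uidNumber" not in e or "gidNumber" not in e:
            continue
        name = e["sAMAccountName"]
        accounts[name] = Account(name, int(e["uidNumber"]), int(e["gidNumber"]), "winbind")
    return accounts


def resolve(name: str, order: List[str], files: Dict[str, Account],
            ad: Dict[str, Account]) -> Optional[Account]:
    """First source in nsswitch order that knows the name wins, as getent does."""
    for src in order:
        if src in ("files", "compat") and name in files:
            return files[name]
        if src == "winbind" and name in ad:
            return ad[name]
    return None


def find_collisions(files: Dict[str, Account], ad: Dict[str, Account]
                    ) -> List[Tuple[str, Tuple[int, int], Tuple[int, int]]]:
    """Names present in both sources whose UID:GID differ (the risky case)."""
    problems = []
    for name in sorted(set(files) & set(ad)):
        f, a = files[name], ad[name]
        if (f.uid, f.gid) != (a.uid, a.gid):
            problems.append((name, (f.uid, f.gid), (a.uid, a.gid)))
    return problems


# Constructed sample data (not taken from any real host).
NSSWITCH = "passwd:         compat winbind\ngroup:          compat winbind\n"
PASSWD_FILE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "dovecot:x:97:97:Dovecot:/var/run/dovecot:/usr/sbin/nologin\n"
    "rowland:x:10000:10000:Rowland Penny:/home/rowland:/bin/bash\n"
)
AD_ENTRIES = [
    {"sAMAccountName": "dovecot", "uidNumber": "10001", "gidNumber": "10000"},
    {"sAMAccountName": "rowland", "uidNumber": "10000", "gidNumber": "10000"},
    {"sAMAccountName": "alice", "uidNumber": "10002", "gidNumber": "10000"},
    {"sAMAccountName": "svc_nouid"},  # no uidNumber: no POSIX entry via winbind
]

ORDER = parse_nsswitch_passwd(NSSWITCH)
FILES = parse_passwd(PASSWD_FILE)
AD = parse_ad(AD_ENTRIES)


def report() -> List[str]:
    """Human-readable summary; returned so it can be checked as well as printed."""
    lines = [f"passwd order: {' '.join(ORDER)}"]
    for name in ("rowland", "dovecot", "alice", "svc_nouid"):
        acct = resolve(name, ORDER, FILES, AD)
        lines.append(f"{name}: " + (f"{acct.uid}:{acct.gid} via {acct.source}" if acct else "not found"))
    for name, local, remote in find_collisions(FILES, AD):
        lines.append(f"CLASH {name}: files {local[0]}:{local[1]} vs AD {remote[0]}:{remote[1]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

With `compat winbind`, the local `dovecot` entry (97:97) shadows the AD one (10001:10000), which is exactly the kind of mismatch that makes file ownership and `useradd` behave surprisingly; keeping both copies at the same UID:GID, or keeping the name in only one source, removes the ambiguity.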


