IMAP server with Samba4 authentication

Colin Simpson Colin.Simpson at
Sun Apr 7 11:11:53 MDT 2013

Personally I'd Kerberise this. That way users will get Single Sign On and not get challenged for a password for their mail programs, plus storing passwords in mail programs tends to be frowned upon (our internal auditors leap on that one).

I haven't tried this myself but looks relatively straight forward.

It appears to be documented here:

Look like you just need an AD object and an associated keytab pretty much like my Apache example:

So I'd guess if IMAP is just required, the following should be required on the Samba 4 server:

samba-tool user create --random-password imap-servername
samba-tool spn add imap/servername.domainname at YOUR_REALM_NAME.TLD imap-servername
samba-tool domain exportkeytab /root/dovecot.keytab --principal=imap/servername.domainname at YOUR_REALM_NAME.TLD

Copy this  /root/dovecot.keytab to a suitable location on your IMAP server and point Dovecot at this with auth_krb5_keytab configuration option (well that's what their Wiki says). You need to ensure this file is readable by the user dovecot runs as (just root as I remember). You'll also needs working forward and reverse DNS entries for the Dovecot box, in the Wiki too.

By reading this page, it looks like you can add in, drop back to password authentication (though I'd guess that means the box will need a suitable Winbind setup with pam configured).

I always think encouraging Kerberos is the way forward, as it really is the future (now the present!) of Samba authentication.

Just my 2 pence....


From: samba-technical-bounces at [samba-technical-bounces at] on behalf of Zbigniew Góra [zbyszek.gora at]
Sent: 07 April 2013 16:02
To: samba-technical at
Subject: IMAP server with Samba4 authentication

Hello everybody,

Is it possible to setup mail server, something like postfix+fetchmail+IMAP
(dovecot or courier for Outlook clients) with Samba4 users authentication?

Thanks for any suggestions.
Zbyszek Góra
Tel.: +48693308757


This email and any files transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If you are not the original recipient or the person responsible for delivering the email to the intended recipient, be advised that you have received this email in error, and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. If you received this email in error, please immediately notify the sender and delete the original.

More information about the samba-technical mailing list