IMAP server with Samba4 authentication

David Mansfield samba at
Mon Apr 8 07:33:51 MDT 2013

On 04/07/2013 01:11 PM, Colin Simpson wrote:
> Personally I'd Kerberise this. That way users will get Single Sign On and not get challenged for a password for their mail programs, plus storing passwords in mail programs tends to be frowned upon (our internal auditors leap on that one).
> I haven't tried this myself but looks relatively straight forward.
> It appears to be documented here:
> Look like you just need an AD object and an associated keytab pretty much like my Apache example:
> So I'd guess if IMAP is just required, the following should be required on the Samba 4 server:
> samba-tool user create --random-password imap-servername
> samba-tool spn add imap/servername.domainname at YOUR_REALM_NAME.TLD imap-servername
> samba-tool domain exportkeytab /root/dovecot.keytab --principal=imap/servername.domainname at YOUR_REALM_NAME.TLD
> Copy this  /root/dovecot.keytab to a suitable location on your IMAP server and point Dovecot at this with auth_krb5_keytab configuration option (well that's what their Wiki says). You need to ensure this file is readable by the user dovecot runs as (just root as I remember). You'll also needs working forward and reverse DNS entries for the Dovecot box, in the Wiki too.

This is how I did in (except with cyrus-imapd and postfix) and it works 
great.  Although instead of creating a user called imap-servername, I 
created a "machine account" for the host (which could be the exact same 
thing, except for if you want to later winbind the thing it won't have 
two accounts).

All thunderbird clients are fully SSO on windows and linux, because the 
linux workstations use winbind to authenticate with samba4, and in 
/etc/security/pam_winbind.conf some minor tweaks were done.

One thing I haven't figured out is how to create a machine account 
directly with samba-tool, so I used the windows "Active Directory Users 
and Computers Management Console".  If someone can tell me how to create 
a "machine" account directly that would remove one more windows dependency.

More information about the samba-technical mailing list