[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Rowland penny rpenny at samba.org
Mon Jul 4 20:30:50 UTC 2016


On 04/07/16 21:15, Mark Foley wrote:
> On Mon, 4 Jul 2016 08:18:11 +0100 Rowland penny <rpenny at samba.org> wrote:
>
>> The problem is that Samba doesn't recommend using the DC as a fileserver
>> etc This is why it isn't mentioned,
> Well, I don't see that the DC is being used as an actual file server simply by hosting an email
> server.  There is no share defined in smb.conf to accommodate this.  Furthermore, I think it is
> common practice for the AD/DC to also be the mail server.  Certainly that has been my
> experience, esp. coming from the Microsoft universe with the typical small business
> configuration of SBS and Exchange on the same host; now replaced by Samba4 and Dovecot/IMAP.
> Since Dovecot is only trying to authenticate, I don't see how this could possibly be a NOT
> RECOMMENDED configuration.

Samba only recommends using the DC for authentication, now I live in the 
real world and know that people will use it for other purposes. The wiki 
used to be littered with how to do this, that and the other on the DC, 
there were other pages that had similar info for domain members and 
quite frankly, it was a mess. Marc Muehlfeld sorted out the wiki, basing 
it around Samba's recommendations, I am not going to start undoing all 
Marc's hard work.

>> on a correctly set up domain member, the keytab is created during the join.
> Probably true for a domain member, but not for the AD/DC. I disagree that you should restrict
> kerberos authentication to domain members.

I never said that, you can have kerberos authentication on a DC, I just 
said that when you join a domain member, you get a keytab.

>
>>> Someone please put at least the required samba-tool commands into the wiki for other poor
>>> schmucks like me.
>>>
>>> --Mark
>> Will do, but it will be phrased in the context of using a domain member
>> not a DC.
> You're the boss, but I don't think that covers the issue.  You helped me set up a domain member
> for single-sign-on about a year ago and that required nothing special on the AD/DC.  I think
> Samba/Kerberos works for domain members, but not for authentication on the same host running
> the DC.  I think it's fallacious to assume the mail server will be on a standalone host/domain
> member.  Maybe in the Microsoft world, but Linux certainly has the horsepower to handle AD/DC
> and Mailserver on the same box.
>
> --Mark
>
>

Samba doesn't say 'you cannot', it just recommends you not to, but it is 
your DC and you can do whatever you like with it.

Rowland
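The practical point buried in the exchange above is that a domain member gets its keytab from the join, while on a DC you have to produce one yourself, and either way Dovecot's GSSAPI mechanism only works if the keytab actually carries the service principal it will ask for. The following shell snippet is an added example, not something from the thread or from the Samba project: it parses the output of `klist -k` and reports whether the `host/` and `imap/` principals for the mail host are present. The `klist -k` text embedded in it is constructed, the hostname `mail.example.com` and realm `EXAMPLE.COM` are placeholders, and the assumption that Dovecot requests `imap/<fqdn>@<REALM>` reflects Dovecot's default GSSAPI behaviour.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check that a Kerberos
# keytab exposes the service principals a Dovecot IMAP host needs for GSSAPI.
# Assumptions: Dovecot asks for imap/<fqdn>@<REALM> (its default); the
# sample `klist -k` output below is constructed, not captured from a real host.

# Constructed sample of `klist -k /etc/krb5.keytab` output for a machine
# whose keytab was written by a join (host/ principals only, no imap/).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/mail.example.com@EXAMPLE.COM
   2 HOST/MAIL@EXAMPLE.COM
   2 MAIL$@EXAMPLE.COM'

# keytab_has_principal PRINCIPAL KLIST_OUTPUT
# Returns 0 if PRINCIPAL appears as an entry in the klist listing, 1 otherwise.
# Only lines starting with a numeric KVNO are entries; the header is skipped.
keytab_has_principal() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_dovecot_keytab FQDN REALM KLIST_OUTPUT
# Prints one line per required principal and returns 1 if any is missing.
check_dovecot_keytab() {
    fqdn=$1; realm=$2; out=$3
    status=0
    for p in "host/$fqdn@$realm" "imap/$fqdn@$realm"; do
        if keytab_has_principal "$p" "$out"; then
            echo "ok       $p"
        else
            echo "MISSING  $p"
            status=1
        fi
    done
    return $status
}

# Demo on the constructed sample: the imap/ principal is reported as MISSING.
# On a real host run:  check_dovecot_keytab "$(hostname -f)" EXAMPLE.COM "$(klist -k /etc/krb5.keytab)"
check_dovecot_keytab mail.example.com EXAMPLE.COM "$SAMPLE_KLIST" || :
```

On a joined domain member the `host/` entries appear by themselves, as Rowland says; the `imap/` entry is the one most people find missing, because nothing registers that SPN for a mail server automatically. When the check reports it MISSING on a DC, the fix is to register the SPN on the relevant account and export it into the keytab (`samba-tool spn add` and `samba-tool domain exportkeytab --principal=...` are the tools for that), then re-run the check; the script only reads the listing, so it is safe to run as a routine sanity check after any rejoin or keytab rotation.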
