[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Rowland penny rpenny at samba.org
Thu Jul 14 15:20:22 UTC 2016


On 14/07/16 15:53, Mark Foley wrote:
> Yes, they did add it to the dovecot wiki: http://wiki2.dovecot.org/Authentication/Kerberos
>
> Certainly, check with Marc. I wouldn't advocate doing things against policy (but changing the
> policy a bit?) Even though this is about dovecot specifically, in general, one should be able
> to authenticate locally, as you mention in your email of July 4, 21:30:
>
> "Samba only recommends using the DC for authentication, ... I never said that [kerberos
> authentication is restricted to domain members], you can have kerberos authentication on a DC,"
>
> The instructions on letting dovecot authenticate on the DC are a paradigm example. Users could
> easily extrapolate that to other tools that need to authenticate. Perhaps the instructions
> could be generalized by leaving off the dovecot config stuff, and changing the domain user and
> keytab name to something not specifically saying "dovecot".
>
> Thanks for all your help!
>
> --Mark
>

I don't think the problem is with mentioning 'Dovecot', it is with using 
the DC for anything other than authentication.

Reading the Dovecot wiki page, creating the user & SPN on the DC is 
okay, but once you start exporting the keytab to be used on the DC, you 
are doing something that Samba doesn't recommend. But I have thought of 
a way around this: phrase the page in the same way as the Apache page on 
the wiki.

By the way, did you know that 'samba-tool user create' has a switch to 
create a random password for you: '--random-password'

Rowland