[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Andrew Bartlett abartlet at samba.org
Thu Jul 14 20:52:44 UTC 2016


On Thu, 2016-07-14 at 16:20 +0100, Rowland Penny wrote:

> I don't think the problem is with mentioning 'Dovecot', it is with
> using the DC for anything other than authentication.
>
> Reading the Dovecot wiki page, creating the user & SPN on the DC is
> okay, but once you start exporting the keytab to be used on the DC,
> you are doing something that Samba doesn't recommend, but I have
> thought of a way around this, phrase the page in the same way as the
> Apache page on the wiki.

Rowland:

Running samba-tool domain exportkeytab for a specific user is quite a
reasonable thing to do, and is entirely sensible to recommend as part
of adding a new user with an SPN.  The keytab can then be deployed as
required.

Running the exportkeytab file is not the same as loading up the DC with
other services.  Not that this is a total disaster (particularly for
small sites trying to replace SBS), but we do try and make folks think
before creating mega-servers. 

I'm very happy for such information to be in our wiki, as I do refer to
it and refer others to the apache page, which shows the same pattern as
required for mod_auth_kerb. 

https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory

Indeed, we need to make this page easier to find.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba





