[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Rowland penny rpenny at samba.org
Thu Jul 14 21:05:55 UTC 2016


On 14/07/16 21:52, Andrew Bartlett wrote:
> On Thu, 2016-07-14 at 16:20 +0100, Rowland penny wrote:
>
>> I don't think the problem is with mentioning 'Dovecot', it is with using
>> the DC for anything other than authentication.
>>
>> Reading the Dovecot wiki page, creating the user & SPN on the DC is
>> okay, but once you start exporting the keytab to be used on the DC, you
>> are doing something that Samba doesn't recommend, but I have thought of
>> a way around this, phrase the page in the same way as the Apache page on
>> the wiki.
> Rowland:
>
> Running samba-tool domain exportkeytab for a specific user is quite a
> reasonable thing to do, and is entirely sensible to recommend as part
> of adding a new user with an SPN.  The keytab can then be deployed as
> required.
>
> Running the exportkeytab file is not the same as loading up the DC with
> other services.  Not that this is a total disaster (particularly for
> small sites trying to replace SBS), but we do try and make folks think
> before creating mega-servers.
>
> I'm very happy for such information to be in our wiki, as I do refer to
> it and refer others to the apache page, which shows the same pattern as
> required for mod_auth_kerb.
>
> https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory
>
> Indeed, we need to make this page easier to find.
>
> Andrew Bartlett
>

Andrew, I know all this, but in this instance, the OP is going to run 
Dovecot on the DC. Now, if you are happy to say that Samba is now 
recommending using the Samba AD DC as a fileserver etc, I am quite happy 
to trawl the wiki, removing any references to not using the DC as a 
fileserver etc, otherwise, I will go back to my plan of creating a wiki 
page for Dovecot similar to the Apache one.

Rowland



