[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Rowland penny rpenny at samba.org
Fri Jul 15 07:17:11 UTC 2016


On 15/07/16 00:34, Andrew Bartlett wrote:
> On Thu, 2016-07-14 at 22:05 +0100, Rowland penny wrote:
>> On 14/07/16 21:52, Andrew Bartlett wrote:
>>>
>>> Rowland:
>>>
>>> Running samba-tool domain exportkeytab for a specific user is quite a
>>> reasonable thing to do, and is entirely sensible to recommend as part
>>> of adding a new user with an SPN.  The keytab can then be deployed as
>>> required.
>>>
>>> Running the exportkeytab file is not the same as loading up the DC with
>>> other services.  Not that this is a total disaster (particularly for
>>> small sites trying to replace SBS), but we do try and make folks think
>>> before creating mega-servers.
>>>
>>> I'm very happy for such information to be in our wiki, as I do refer to
>>> it and refer others to the apache page, which shows the same pattern as
>>> required for mod_auth_kerb.
>>>
>>> https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory
>>>
>>> Indeed, we need to make this page easier to find.
>>>
>>> Andrew Bartlett
>>>
>> Andrew, I know all this, but in this instance, the OP is going to run
>> Dovecot on the DC. Now, if you are happy to say that Samba is now
>> recommending using the Samba AD DC as a fileserver etc, I am quite happy
>> to trawl the wiki, removing any references to not using the DC as a
>> fileserver etc, otherwise, I will go back to my plan of creating a wiki
>> page for Dovecot similar to the Apache one.
> I didn't see anything in the instructions that were specific to running
> on a DC, and in any case, we can afford to be a little less dogmatic
> about this.  Please don't go trawling the wiki one way or the other.
>
> To be clear: I'm happy with the statement currently on the wiki:
>
> Whilst the Domain Controller seems capable of running as a full file
> server, it is suggested that organisations run a distinct file server
> to allow upgrades of each without disrupting the other. It is also
> suggested that medium-sized sites should run more than one DC. It also
> makes sense to have the DC's distinct from any file servers that may
> use the Domain Controllers. Additionally using distinct file servers
> avoids the idiosyncrasies in the winbindd configuration on the Active
> Directory Domain Controller. The Samba team does not recommend using a
> Samba-based Domain Controller as a file server, and recommend that
> users run a separate Domain Member with file shares.
>
> Thanks,
>
> Andrew Bartlett
>

OK, now we have sorted that out, I will put creating a wiki page for
Dovecot on my TODO list. It will be based around the Apache page, i.e. it
will say what user & SPN to create and then say how to transfer the
resultant keytab to another machine, leaving it up to the sysadmin to
read between the lines.

This is what I planned to do.

Rowland
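The procedure outlined above (create the service user and SPN on the DC, export a keytab for that one principal, move it to the Dovecot host), written out as an added shell example that is not from the thread or the Samba wiki; the hostname, realm, account name and paths are assumed placeholders, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: create a Dovecot service account with an
# SPN on the Samba AD DC, export a keytab holding ONLY that principal, and move
# it to the mail server. All hostnames, the realm and paths are assumed values.
set -eu

MAIL_HOST="${MAIL_HOST:-mail.example.com}"       # assumed Dovecot host (not the DC)
REALM="${REALM:-EXAMPLE.COM}"                     # assumed Kerberos realm
SVC_USER="${SVC_USER:-dovecot-svc}"               # assumed service account name
KEYTAB="${KEYTAB:-/etc/dovecot/dovecot.keytab}"   # assumed path on MAIL_HOST
TMP_KEYTAB="/tmp/$SVC_USER.keytab"
DRY_RUN="${DRY_RUN:-0}"                           # 1 = print commands, do not run

# The principal Dovecot's GSSAPI mechanism will look up: imap/<host>@<REALM>
dovecot_spn() { printf 'imap/%s@%s\n' "$MAIL_HOST" "$REALM"; }

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 1 (on the DC): a dedicated account that never logs in interactively,
# so a random password with no expiry is appropriate.
create_service_account() {
    run samba-tool user create "$SVC_USER" --random-password
    run samba-tool user setexpiry "$SVC_USER" --noexpiry
    run samba-tool spn add "imap/$MAIL_HOST" "$SVC_USER"
}

# Step 2 (on the DC): export this principal only, not the whole domain.
export_keytab() {
    run samba-tool domain exportkeytab "$TMP_KEYTAB" --principal="imap/$MAIL_HOST"
}

# Step 3: copy to the mail server, lock it down, verify, and remove the copy
# left on the DC. Dovecot's auth process runs as root by default; adjust the
# ownership if you changed "service auth { user = ... }".
deploy_keytab() {
    run scp "$TMP_KEYTAB" "root@$MAIL_HOST:$KEYTAB"
    run ssh "root@$MAIL_HOST" "chown root:root '$KEYTAB' && chmod 0600 '$KEYTAB' && klist -k '$KEYTAB'"
    run shred -u "$TMP_KEYTAB"
}

# Matching Dovecot settings on MAIL_HOST (dovecot.conf / conf.d/10-auth.conf):
#   auth_mechanisms = plain gssapi
#   auth_krb5_keytab = /etc/dovecot/dovecot.keytab
#   auth_gssapi_hostname = mail.example.com

if [ "${1:-}" = "--apply" ]; then
    create_service_account && export_keytab && deploy_keytab
fi
```

Run with `DRY_RUN=1 ./dovecot-keytab.sh --apply` first to review the exact commands before applying them on the DC.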
