[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Rowland penny rpenny at samba.org
Sat Jul 16 07:28:14 UTC 2016


On 15/07/16 08:17, Rowland penny wrote:
> On 15/07/16 00:34, Andrew Bartlett wrote:
>> On Thu, 2016-07-14 at 22:05 +0100, Rowland penny wrote:
>>> On 14/07/16 21:52, Andrew Bartlett wrote:
>>>>   Rowland:
>>>>
>>>> Running samba-tool domain exportkeytab for a specific user is quite
>>>> a reasonable thing to do, and is entirely sensible to recommend as
>>>> part of adding a new user with an SPN.  The keytab can then be
>>>> deployed as required.
>>>>
>>>> Running the exportkeytab file is not the same as loading up the DC
>>>> with other services.  Not that this is a total disaster (particularly
>>>> for small sites trying to replace SBS), but we do try and make folks
>>>> think before creating mega-servers.
>>>>
>>>> I'm very happy for such information to be in our wiki, as I do
>>>> refer to it and refer others to the apache page, which shows the same
>>>> pattern as required for mod_auth_kerb.
>>>>
>>>> https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory
>>>>
>>>> Indeed, we need to make this page easier to find.
>>>>
>>>> Andrew Bartlett
>>>>
>>> Andrew, I know all this, but in this instance, the OP is going to
>>> run Dovecot on the DC. Now, if you are happy to say that Samba is now
>>> recommending using the Samba AD DC as a fileserver etc, I am quite
>>> happy to trawl the wiki, removing any references to not using the DC
>>> as a fileserver etc, otherwise, I will go back to my plan of creating
>>> a wiki page for Dovecot similar to the Apache one.
>> I didn't see anything in the instructions that was specific to running
>> on a DC, and in any case, we can afford to be a little less dogmatic
>> about this.  Please don't go trawling the wiki one way or the other.
>>
>> To be clear: I'm happy with the statement currently on the wiki:
>>
>> Whilst the Domain Controller seems capable of running as a full file
>> server, it is suggested that organisations run a distinct file server
>> to allow upgrades of each without disrupting the other. It is also
>> suggested that medium-sized sites should run more than one DC. It also
>> makes sense to have the DCs distinct from any file servers that may
>> use the Domain Controllers. Additionally using distinct file servers
>> avoids the idiosyncrasies in the winbindd configuration on the Active
>> Directory Domain Controller. The Samba team does not recommend using a
>> Samba-based Domain Controller as a file server, and recommend that
>> users run a separate Domain Member with file shares.
>>
>> Thanks,
>>
>> Andrew Bartlett
>>
>
> OK, now we have sorted that out, I will put creating a wiki page for 
> Dovecot on my TODO list, it will be based around the Apache page i.e. 
> it will say what user & SPN to create and then say how to transfer the 
> resultant keytab to another machine, leaving it up to the sysadmin to 
> read between the lines.
>
> This is what I planned to do.
>
> Rowland
>
>

OK, just an update on the new wiki page for Dovecot, I started to write 
it and realised there is a potential problem.

The user created in AD is called 'dovecot' and the Dovecot packages also 
want to create a user called 'dovecot' in /etc/passwd, they cannot both 
exist.

Not having posting rights on the Dovecot list (and I don't want to 
sign up to ask one question), I have asked Marc to ask Dovecot if we can 
use a different name in AD.

Rowland
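Two checks a sysadmin following the plan above would want before pointing Dovecot at the exported keytab, as an added example (not code from the Samba project, the Samba wiki or anyone in this thread): first, whether the AD account name chosen for Dovecot already exists in the mail host's /etc/passwd (the clash described above), and second, whether the keytab that 'samba-tool domain exportkeytab --principal=...' produced and that was copied over actually contains the service principal Dovecot will look for. The realm SAMDOM.EXAMPLE.COM, the host mail.samdom.example.com, the SPN imap/mail.samdom.example.com@SAMDOM.EXAMPLE.COM and the alternative account name 'dovecot-krb' are assumptions, and the sample keytab is built inside the script with dummy keys so that it runs offline.

```python
"""Pre-flight checks before handing a Samba-exported keytab to Dovecot.

Added example, not code from the Samba project, the Samba wiki or this thread.
Assumed names: realm SAMDOM.EXAMPLE.COM, host mail.samdom.example.com, SPN
imap/mail.samdom.example.com@SAMDOM.EXAMPLE.COM, and 'dovecot-krb' as a
hypothetical alternative AD account name. All keys are constructed dummy bytes.
"""
import struct
from typing import List, Tuple

# ---- check 1: would the AD account name collide with a local account? ----
def local_account_names(passwd_text: str) -> set:
    """Names in /etc/passwd-style text, read from the file itself: once winbind
    answers NSS on the mail host, getent/pwd may return the AD account under
    the same name and hide exactly the collision we are looking for."""
    names = set()
    for line in passwd_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.split(":", 1)[0])
    return names

def ad_name_collides(ad_account: str, passwd_text: str) -> bool:
    """True if ad_account already exists as a local account on this host."""
    return ad_account in local_account_names(passwd_text)

# ---- check 2: does the exported keytab carry the SPN Dovecot needs? ----
KEYTAB_MAGIC = b"\x05\x02"            # MIT/Heimdal keytab file format version 2

def _octets(buf: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, off)   # counted octet string
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data: bytes) -> List[dict]:
    """Parse a version-2 keytab; key bytes are counted but never returned.
    Entry: int32 size (negative = deleted slot), uint16 component count, realm,
    components, uint32 name type, uint32 timestamp, uint8 kvno, uint16 enctype,
    key; a trailing uint32 kvno, if present and non-zero, overrides the uint8."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab magic %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # deleted slot: skip its body
            off += -size
            continue
        body, off = data[off:off + size], off + size
        (ncomp,) = struct.unpack_from(">H", body, 0)
        realm, p = _octets(body, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _octets(body, p)
            comps.append(comp.decode())
        name_type, timestamp, kvno = struct.unpack_from(">IIB", body, p)
        (enctype,) = struct.unpack_from(">H", body, p + 9)
        key, p = _octets(body, p + 11)
        if p + 4 <= len(body):
            (kvno32,) = struct.unpack_from(">I", body, p)
            kvno = kvno32 or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key_len": len(key)})
    return entries

def keytab_enctypes(data: bytes, principal: str) -> List[int]:
    """Enctypes held for principal; an empty list means GSSAPI cannot use it."""
    return sorted(e["enctype"] for e in parse_keytab(data) if e["principal"] == principal)

def build_keytab(entries, deleted_slot: int = 0) -> bytes:
    """Write a version-2 keytab from (principal, kvno, enctype, key) tuples. Only
    used to construct sample input here; real ones come from samba-tool."""
    out = bytearray(KEYTAB_MAGIC)
    if deleted_slot:                      # what a removed entry looks like on disk
        out += struct.pack(">i", -deleted_slot) + b"\x00" * deleted_slot
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 1468656000, kvno & 0xFF)   # NT_PRINCIPAL
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                           # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

# Constructed sample input, not real data.
SPN = "imap/mail.samdom.example.com@SAMDOM.EXAMPLE.COM"
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\ndovecot:x:106:112::/usr/lib/dovecot:/bin/false\n"
SAMPLE_KEYTAB = build_keytab([(SPN, 3, 18, b"\x11" * 32),     # aes256-cts-hmac-sha1-96
                              (SPN, 3, 23, b"\x22" * 16)],    # arcfour-hmac
                             deleted_slot=8)

if __name__ == "__main__":
    for name in ("dovecot", "dovecot-krb"):
        print("%-12s collides with local account: %s" % (name, ad_name_collides(name, SAMPLE_PASSWD)))
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%(principal)s kvno=%(kvno)d enctype=%(enctype)d" % e)
```

On a real host the second check is what 'klist -k /path/to/keytab' shows, but reading the file directly makes the point that the keytab is a plain binary blob that whoever can read it can use, so after the transfer it should be owned by the user Dovecot's auth process runs as and readable by nobody else; Dovecot is then pointed at it with auth_krb5_keytab (the path is up to the sysadmin) and auth_mechanisms = plain gssapi. The builder writes the trailing 32-bit kvno field so the parser's optional-field branch is exercised by the sample.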
