[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Achim Gottinger achim at ag-web.biz
Sat Jul 16 12:56:53 UTC 2016



Am 16.07.2016 um 09:28 schrieb Rowland penny:
> On 15/07/16 08:17, Rowland penny wrote:
>> On 15/07/16 00:34, Andrew Bartlett wrote:
>>> On Thu, 2016-07-14 at 22:05 +0100, Rowland penny wrote:
>>>> On 14/07/16 21:52, Andrew Bartlett wrote:
>>>>>   Rowland:
>>>>>
>>>>> Running samba-tool domain exportkeytab for a specific user is quite a
>>>>> reasonable thing to do, and is entirely sensible to recommend as part
>>>>> of adding a new user with an SPN.  The keytab can then be deployed as
>>>>> required.
>>>>>
>>>>> Running the exportkeytab file is not the same as loading up the DC with
>>>>> other services.  Not that this is a total disaster (particularly for
>>>>> small sites trying to replace SBS), but we do try and make folks think
>>>>> before creating mega-servers.
>>>>>
>>>>> I'm very happy for such information to be in our wiki, as I do refer to
>>>>> it and refer others to the apache page, which shows the same pattern as
>>>>> required for mod_auth_kerb.
>>>>>
>>>>> https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory
>>>>>
>>>>> Indeed, we need to make this page easier to find.
>>>>>
>>>>> Andrew Bartlett
>>>>>
>>>> Andrew, I know all this, but in this instance, the OP is going to run
>>>> Dovecot on the DC. Now, if you are happy to say that Samba is now
>>>> recommending using the Samba AD DC as a fileserver etc, I am quite happy
>>>> to trawl the wiki, removing any references to not using the DC as a
>>>> fileserver etc, otherwise, I will go back to my plan of creating a wiki
>>>> page for Dovecot similar to the Apache one.
>>> I didn't see anything in the instructions that were specific to running
>>> on a DC, and in any case, we can afford to be a little less dogmatic
>>> about this.  Please don't go trawling the wiki one way or the other.
>>>
>>> To be clear: I'm happy with the statement currently on the wiki:
>>>
>>> Whilst the Domain Controller seems capable of running as a full file
>>> server, it is suggested that organisations run a distinct file server
>>> to allow upgrades of each without disrupting the other. It is also
>>> suggested that medium-sized sites should run more than one DC. It also
>>> makes sense to have the DCs distinct from any file servers that may
>>> use the Domain Controllers. Additionally, using distinct file servers
>>> avoids the idiosyncrasies in the winbindd configuration on the Active
>>> Directory Domain Controller. The Samba team does not recommend using a
>>> Samba-based Domain Controller as a file server, and recommends that
>>> users run a separate Domain Member with file shares.
>>>
>>> Thanks,
>>>
>>> Andrew Bartlett
>>>
>>
>> OK, now we have sorted that out, I will put creating a wiki page for
>> Dovecot on my TODO list. It will be based around the Apache page, i.e.
>> it will say what user & SPN to create and then say how to transfer the
>> resultant keytab to another machine, leaving it up to the sysadmin to
>> read between the lines.
>>
>> This is what I planned to do.
>>
>> Rowland
>>
>>
>
> OK, just an update on the new wiki page for Dovecot: I started to
> write it and realised there is a potential problem.
>
> The user created in AD is called 'dovecot' and the Dovecot packages
> also want to create a user called 'dovecot' in /etc/passwd; they
> cannot both exist.
>
> Not having posting rights on the Dovecot list (and I don't want
> to sign up to ask one question), I have asked Marc to ask Dovecot if
> we can use a different name in AD.
>
> Rowland
>
>
Hi Rowland,

That was my mistake. Of course you can use any username you want on the
Samba side; only the SPN names are essential.

achim~
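The point of the thread is that the AD account backing Dovecot can have any name (so it need not collide with the local 'dovecot' system user), because GSSAPI clients only ever ask for the service principals (imap/host, pop3/host) and those live in the keytab. The script below is an added example and is not code from the thread or from the Samba or Dovecot projects. It prints the samba-tool commands a DC admin would run (user create, spn add, domain exportkeytab), and it checks a `klist -k` listing of the exported keytab for the expected SPNs. The account name svc-dovecot, the host mail.example.com and the realm EXAMPLE.COM are placeholders, and the `klist -k` output embedded at the end is constructed for the check.

```shell
#!/bin/sh
# Added example, not from the thread. svc-dovecot, mail.example.com and
# EXAMPLE.COM are placeholder values; substitute your own.

# The principals a mail client requests when it does GSSAPI against Dovecot.
# The AD account name never appears here, which is why that account can be
# called anything that does not clash with the local "dovecot" system user.
dovecot_spns() {
    host="$1"; realm="$2"
    printf '%s\n' "imap/$host@$realm" "pop3/$host@$realm"
}

# Commands to run on the DC: create the service account, attach each SPN to
# it, and export the key for each SPN into one keytab that is then copied to
# the mail host (it holds long-term keys, so keep it root:dovecot 0640).
provision_commands() {
    account="$1"; host="$2"; realm="$3"; keytab="$4"
    echo "samba-tool user create $account --random-password"
    for spn in $(dovecot_spns "$host" "$realm"); do
        echo "samba-tool spn add ${spn%@*} $account"
        echo "samba-tool domain exportkeytab $keytab --principal=$spn"
    done
}

# Verify an exported keytab: feed it the text of `klist -k <keytab>` and the
# host/realm; it prints every expected SPN that is absent and returns 0 only
# when all are present. Catches the classic mistake of exporting the account
# principal (svc-dovecot@REALM) instead of the service principals.
missing_spns() {
    listing="$1"; host="$2"; realm="$3"
    rc=0
    for spn in $(dovecot_spns "$host" "$realm"); do
        if ! printf '%s\n' "$listing" |
             awk -v p="$spn" 'NF >= 2 && $2 == p { found = 1 }
                              END { if (found) exit 0; exit 1 }'; then
            echo "$spn"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `klist -k` output for a keytab that received only the
# imap/ key (two enctypes, same KVNO), so the pop3/ principal is missing.
SAMPLE_LISTING='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 imap/mail.example.com@EXAMPLE.COM
   2 imap/mail.example.com@EXAMPLE.COM'

# Usage: show the provisioning commands for the placeholder names.
provision_commands svc-dovecot mail.example.com EXAMPLE.COM /etc/dovecot/dovecot.keytab
```

Once the keytab is on the mail host, point Dovecot at it with `auth_krb5_keytab` and enable `gssapi` in `auth_mechanisms`; running `missing_spns "$(klist -k /etc/dovecot/dovecot.keytab)" mail.example.com EXAMPLE.COM` before restarting Dovecot confirms the file carries the service principals rather than the account principal.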
