[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Mark Foley mfoley at ohprs.org
Sat Jul 16 18:09:13 UTC 2016


On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> wrote:

> On 15/07/16 08:17, Rowland penny wrote:
> > On 15/07/16 00:34, Andrew Bartlett wrote:
> >> On Thu, 2016-07-14 at 22:05 +0100, Rowland penny wrote:
> >>> On 14/07/16 21:52, Andrew Bartlett wrote:
> >>>>   Rowland:
> >>>>
> >>>> Running samba-tool domain exportkeytab for a specific user is quite
> >>>> a reasonable thing to do, and is entirely sensible to recommend as
> >>>> part of adding a new user with an SPN.  The keytab can then be
> >>>> deployed as required.
> >>>>
> >>>> Running the exportkeytab file is not the same as loading up the DC
> >>>> with other services.  Not that this is a total disaster (particularly
> >>>> for small sites trying to replace SBS), but we do try and make folks
> >>>> think before creating mega-servers.
> >>>>
> >>>> I'm very happy for such information to be in our wiki, as I do
> >>>> refer to it and refer others to the apache page, which shows the same
> >>>> pattern as required for mod_auth_kerb.
> >>>>
> >>>> https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory
> >>>>
> >>>> Indeed, we need to make this page easier to find.
> >>>>
> >>>> Andrew Bartlett
> >>>>
> >>> Andrew, I know all this, but in this instance, the OP is going to
> >>> run Dovecot on the DC. Now, if you are happy to say that Samba is now
> >>> recommending using the Samba AD DC as a fileserver etc, I am quite
> >>> happy to trawl the wiki, removing any references to not using the DC
> >>> as a fileserver etc, otherwise, I will go back to my plan of creating
> >>> a wiki page for Dovecot similar to the Apache one.
> >> I didn't see anything in the instructions that were specific to running
> >> on a DC, and in any case, we can afford to be a little less dogmatic
> >> about this.  Please don't go trawling the wiki one way or the other.
> >>
> >> To be clear: I'm happy with the statement currently on the wiki:
> >>
> >> Whilst the Domain Controller seems capable of running as a full file
> >> server, it is suggested that organisations run a distinct file server
> >> to allow upgrades of each without disrupting the other. It is also
> >> suggested that medium-sized sites should run more than one DC. It also
> >> makes sense to have the DC's distinct from any file servers that may
> >> use the Domain Controllers. Additionally using distinct file servers
> >> avoids the idiosyncrasies in the winbindd configuration on the Active
> >> Directory Domain Controller. The Samba team does not recommend using a
> >> Samba-based Domain Controller as a file server, and recommend that
> >> users run a separate Domain Member with file shares.
> >>
> >> Thanks,
> >>
> >> Andrew Bartlett
> >>
> >
> > OK, now we have sorted that out, I will put creating a wiki page for 
> > Dovecot on my TODO list, it will be based around the Apache page i.e. 
> > it will say what user & SPN to create and then say howto transfer the 
> > resultant keytab to another machine, leaving it up to the sysadmin to 
> > read between the lines.
> >
> > This is what I planned to do.
> >
> > Rowland
> >
> >
>
> OK, just an update on the new wiki page for Dovecot, I started to write 
> it and realised there is a potential problem.
>
> The user created in AD is called 'dovecot' and the Dovecot packages also 
> want to create a user called 'dovecot' in /etc/passwd, they cannot both 
> exist.

Actually, yes they can. *ALL* my domain users are also in /etc/passwd because I use sendmail
and procmail as MTA to deliver mail to the appropriate Maildir folders (as defined in
/etc/passwd for home directories) and I use /etc/shadow as Dovecot's passdb for non-domain mail
clients such as iPhone and Outlook (the latter simply because I haven't figured out NTLM
authentication for Outlook yet).

All domain members, Windows or Linux, authenticate users with their AD credentials just fine.

What I did do with AD users and did not do with the AD dovecot user is create their /etc/passwd
entry with the same UID:GID as the AD account. So, for the dovecot user I could have:

samba-tool user add dovecot --random-password --uid-number=151 --gid-number=151

I did not do that for the AD dovecot user, but it doesn't seem to have mattered.  I suppose,
given that you can use --random-password, no dovecot or AD components need to "log in" as the
dovecot user.  The dovecot user is in the AD only to facilitate creation of the SPNs.

Whether or not this is recommended, I have been running with this setup flawlessly now for
nearly 2 years.  ...  nor do I recall specifically reading anywhere that AD users CAN NOT be in
/etc/passwd -- back when I was first setting up the AD/DC that would have given me pause.

--Mark

>
> Not having posting rights on the Dovecot list (and I don't want to 
> sign up to ask one question), I have asked Marc to ask Dovecot if we can 
> use a different name in AD.
>
> Rowland
>
>
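An added example, not code from Mark's post or from the Samba project: two sanity checks a sysadmin would want after following the pattern discussed above (a service account that exists in both AD and /etc/passwd, plus a keytab produced by samba-tool domain exportkeytab and copied to the mail server). Assumed, not stated in the thread: the AD attributes are read on the DC with ldbsearch against /var/lib/samba/private/sam.ldb (the path is distro dependent), and the keytab is deployed as /etc/dovecot/dovecot.keytab owned by the local dovecot user. The sample passwd line and LDIF text are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba.
# Check 1: an account present in both AD and /etc/passwd must carry the
#          same uid:gid on both sides, or file ownership on the Maildirs
#          will differ depending on which NSS source answered.
# Check 2: the exported keytab holds the service's long-term key, so it
#          must be readable only by the account that uses it.
# Assumed (not in the thread): AD side read with
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=dovecot)' uidNumber gidNumber
# and the keytab deployed as /etc/dovecot/dovecot.keytab.

# uid:gid from one /etc/passwd line (name:x:uid:gid:gecos:home:shell).
passwd_ids() {
    printf '%s\n' "$1" | awk -F: '{ print $3 ":" $4 }'
}

# uid:gid from LDIF-style output ("uidNumber: 151" / "gidNumber: 151").
# Returns 2 when the AD account has no POSIX ids at all, which is what
# you get when it was created without --uid-number/--gid-number.
ad_ids() {
    uid=$(printf '%s\n' "$1" | awk '/^uidNumber:/ { print $2 }')
    gid=$(printf '%s\n' "$1" | awk '/^gidNumber:/ { print $2 }')
    [ -n "$uid" ] && [ -n "$gid" ] || return 2
    printf '%s:%s\n' "$uid" "$gid"
}

# 0 when local and AD ids agree, 1 on a mismatch, 2 when AD has none.
ids_match() {
    local_ids=$(passwd_ids "$1")
    ad=$(ad_ids "$2") || return 2
    [ "$local_ids" = "$ad" ]
}

# 0 when $1 is a regular file owned by $2 with no group/other access.
# Anyone who can read the keytab can impersonate the service, so 0600
# (or 0400) is the only acceptable mode.
keytab_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | awk '{ print $1 }')
    owner=$(ls -ld "$1" | awk '{ print $3 }')
    case "$mode" in
        -r[w-]-------*) ;;   # trailing '+' or '.' (ACL/SELinux) is fine
        *) return 1 ;;
    esac
    [ "$owner" = "$2" ]
}

# Live use on the mail server (the command lines are the assumption above):
#   ids_match "$(grep '^dovecot:' /etc/passwd)" \
#             "$(ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=dovecot)' uidNumber gidNumber)"
#   keytab_ok /etc/dovecot/dovecot.keytab dovecot
```

Both checks exit non-zero on a problem, so they can sit in the deployment script that copies the keytab across; ids_match returning 2 is the exact situation Mark describes for his dovecot account (no POSIX ids on the AD side), which is harmless only as long as nothing ever runs or owns files as that AD identity.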



More information about the samba mailing list