[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Rowland penny rpenny at samba.org
Sat Jul 16 18:39:21 UTC 2016


On 16/07/16 19:09, Mark Foley wrote:
> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> wrote:
>
>> On 15/07/16 08:17, Rowland penny wrote:
>>> On 15/07/16 00:34, Andrew Bartlett wrote:
>>>> On Thu, 2016-07-14 at 22:05 +0100, Rowland penny wrote:
>>>>> On 14/07/16 21:52, Andrew Bartlett wrote:
>>>>>>    Rowland:
>>>>>>
>>>>>> Running samba-tool domain exportkeytab for a specific user is quite
>>>>>> a reasonable thing to do, and is entirely sensible to recommend as
>>>>>> part of adding a new user with an SPN.  The keytab can then be
>>>>>> deployed as required.
>>>>>>
>>>>>> Running the exportkeytab file is not the same as loading up the DC
>>>>>> with other services.  Not that this is a total disaster (particularly
>>>>>> for small sites trying to replace SBS), but we do try and make folks
>>>>>> think before creating mega-servers.
>>>>>>
>>>>>> I'm very happy for such information to be in our wiki, as I do
>>>>>> refer to it and refer others to the apache page, which shows the
>>>>>> same pattern as required for mod_auth_kerb.
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory
>>>>>>
>>>>>> Indeed, we need to make this page easier to find.
>>>>>>
>>>>>> Andrew Bartlett
>>>>>>
>>>>> Andrew, I know all this, but in this instance, the OP is going to
>>>>> run Dovecot on the DC. Now, if you are happy to say that Samba is now
>>>>> recommending using the Samba AD DC as a fileserver etc, I am quite
>>>>> happy to trawl the wiki, removing any references to not using the DC
>>>>> as a fileserver etc, otherwise, I will go back to my plan of creating
>>>>> a wiki page for Dovecot similar to the Apache one.
>>>> I didn't see anything in the instructions that was specific to running
>>>> on a DC, and in any case, we can afford to be a little less dogmatic
>>>> about this.  Please don't go trawling the wiki one way or the other.
>>>>
>>>> To be clear: I'm happy with the statement currently on the wiki:
>>>>
>>>> Whilst the Domain Controller seems capable of running as a full file
>>>> server, it is suggested that organisations run a distinct file server
>>>> to allow upgrades of each without disrupting the other. It is also
>>>> suggested that medium-sized sites should run more than one DC. It also
>>>> makes sense to have the DC's distinct from any file servers that may
>>>> use the Domain Controllers. Additionally using distinct file servers
>>>> avoids the idiosyncrasies in the winbindd configuration on the Active
>>>> Directory Domain Controller. The Samba team does not recommend using a
>>>> Samba-based Domain Controller as a file server, and recommend that
>>>> users run a separate Domain Member with file shares.
>>>>
>>>> Thanks,
>>>>
>>>> Andrew Bartlett
>>>>
>>> OK, now we have sorted that out, I will put creating a wiki page for
>>> Dovecot on my TODO list, it will be based around the Apache page i.e.
>>> it will say what user & SPN to create and then say how to transfer the
>>> resultant keytab to another machine, leaving it up to the sysadmin to
>>> read between the lines.
>>>
>>> This is what I planned to do.
>>>
>>> Rowland
>>>
>>>
>> OK, just an update on the new wiki page for Dovecot, I started to write
>> it and realised there is a potential problem.
>>
>> The user created in AD is called 'dovecot' and the Dovecot packages also
>> want to create a user called 'dovecot' in /etc/passwd, they cannot both
>> exist.
> Actually, yes they can. *ALL* my domain users are also in /etc/passwd because I use sendmail
> and procmail as MTA to deliver mail to the appropriate Maildir folders (as defined in
> /etc/passwd for home directories) and I use /etc/shadow as Dovecot's passdb for non-domain mail
> clients such as iPhone and Outlook (the latter simply because I haven't figured out NTLM
> authentication for Outlook yet).

Then, when you run 'getent passwd userA', which user do you get back? 
And have you tried creating a new local Unix user lately if that user 
exists in AD already?

User 'rowland' is in AD:

root at devstation:/home/rowland/dovecot# getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

If the 'root' user tries to create a local Unix user called 'rowland'

root at devstation:/home/rowland/dovecot# useradd rowland
useradd: user 'rowland' already exists

Still think it is a good idea having your users in /etc/passwd & AD ?

You don't need to anyway, Dovecot can use the mail or userPrincipalName 
attributes.

Rowland

>
> All domain members, Windows or Linux, authenticate users with their AD credentials just fine.
>
> What I did do with AD users and did not do with the AD dovecot user is create their /etc/passwd
> entry with the same UID:GID as the AD account. So, for the dovecot user I could have:

You do need the local Unix users in AD then, just give them a 
'uidNumber' attribute.


Rowland

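The getent/useradd collision Rowland demonstrates above is easy to check for before provisioning. The following shell script is an added example and not part of the thread; the two passwd-format listings are constructed sample data standing in for /etc/passwd and for the merged view that 'getent passwd' returns once winbind or sssd supplies AD users. It reports every username present in both sources and whether the numeric UID:GID agree, which is the condition Mark relies on for his overlapping entries.

```shell
# Constructed sample data (not from the thread): local /etc/passwd lines
# versus the NSS view that also contains AD users with uidNumber/gidNumber.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
mark:x:1001:1001:Mark:/home/mark:/bin/bash'

AD_PASSWD='dovecot:*:10005:10000:dovecot:/home/dovecot:/bin/false
mark:*:1001:1001:Mark Foley:/home/mark:/bin/bash
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash'

# passwd_conflicts LOCAL AD
# Prints one line per username that exists in both listings:
#   "<name> SAME_UID <uid>"                            when UID and GID agree
#   "<name> UID_MISMATCH local=<uid>:<gid> ad=<uid>:<gid>" otherwise
# A mismatch means files owned by the local account and by the AD account
# will not be the same identity once NSS starts answering for that name.
passwd_conflicts() {
    printf '%s\n' "$1" | awk -F: -v ad="$2" '
        BEGIN {
            # index the AD view by username
            n = split(ad, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, ":")
                aduid[f[1]] = f[3]; adgid[f[1]] = f[4]
            }
        }
        ($1 in aduid) {
            if ($3 == aduid[$1] && $4 == adgid[$1])
                printf "%s SAME_UID %s\n", $1, $3
            else
                printf "%s UID_MISMATCH local=%s:%s ad=%s:%s\n", $1, $3, $4, aduid[$1], adgid[$1]
        }'
}

# local_user_clashes NAME AD
# Exit status 0 if NAME already resolves in the AD view, 1 otherwise;
# the same test useradd performs before refusing to create the account.
local_user_clashes() {
    printf '%s\n' "$2" | awk -F: -v name="$1" '$1 == name { found = 1 } END { exit !found }'
}

# Stand-alone run on the constructed data.
passwd_conflicts "$LOCAL_PASSWD" "$AD_PASSWD"
if local_user_clashes rowland "$AD_PASSWD"; then
    echo "rowland: already exists in AD, useradd would fail"
fi
```

On a real host, replace the constructed strings with `"$(grep -v '^#' /etc/passwd)"` and `"$(getent passwd)"`; running `local_user_clashes NAME "$(getent passwd)"` before a package's post-install `useradd` shows in advance whether a name such as 'dovecot' is already claimed by AD.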

