[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Sat Jul 16 19:32:33 UTC 2016


Am 16.07.2016 um 20:39 schrieb Rowland penny:
> On 16/07/16 19:09, Mark Foley wrote:
>> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> 
>> wrote:
>>
>>> On 15/07/16 08:17, Rowland penny wrote:
>>>> On 15/07/16 00:34, Andrew Bartlett wrote:
>>>>> On Thu, 2016-07-14 at 22:05 +0100, Rowland penny wrote:
>>>>>> On 14/07/16 21:52, Andrew Bartlett wrote:
>>>>>>>    Rowland:
>>>>>>>
>>>>>>> Running samba-tool domain exportkeytab for a specific user is quite
>>>>>>> a
>>>>>>> reasonable thing to do, and is entirely sensible to recommand as
>>>>>>> part
>>>>>>> of adding a new user with an SPN.  They keytab can then be deployed
>>>>>>> as
>>>>>>> required.
>>>>>>>
>>>>>>> Running the exportkeytab file is not the same as loading up the DC
>>>>>>> with
>>>>>>> other services.  Not that this is a total disaster (particularly
>>>>>>> for
>>>>>>> small sites trying to replace SBS), but we do try and make folks
>>>>>>> think
>>>>>>> before creating mega-servers.
>>>>>>>
>>>>>>> I'm very happy for such information to be in our wiki, as I do
>>>>>>> refer to
>>>>>>> it and refer others to the apache page, which shows the same
>>>>>>> pattern as
>>>>>>> required for mod_auth_kerb.
>>>>>>>
>>>>>>> https://wiki.samba.org/index.php/Authenticating_Apache_against_Acti
>>>>>>> ve_D
>>>>>>> irectory
>>>>>>>
>>>>>>> Indeed, we need to make this page easier to find.
>>>>>>>
>>>>>>> Andrew Bartlett
>>>>>>>
>>>>>> Andrew, I know all this, but in this instance. the OP is going to
>>>>>> run
>>>>>> Dovecot on the DC. Now, if you are happy to say that Samba is now
>>>>>> recommending using the Samba AD DC as a fileserver etc, I am quite
>>>>>> happy
>>>>>> to trawl the wiki, removing any references to not using the DC as a
>>>>>> fileserver etc, otherwise, I will go back to my plan of creating a
>>>>>> wiki
>>>>>> page for Dovecot similar to the Apache one.
>>>>> I didn't see anything in the instructions that were specific to 
>>>>> running
>>>>> on a DC, and in any case, we can afford to be a little less dogmatic
>>>>> about this.  Please don't go trawling the wiki one way or the other.
>>>>>
>>>>> To be clear: I'm happy with the statement currently on the wiki:
>>>>>
>>>>> Whilst the Domain Controller seems capable of running as a full file
>>>>> server, it is suggested that organisations run a distinct file server
>>>>> to allow upgrades of each without disrupting the other. It is also
>>>>> suggested that medium-sized sites should run more than one DC. It 
>>>>> also
>>>>> makes sense to have the DC's distinct from any file servers that may
>>>>> use the Domain Controllers. Additionally using distinct file servers
>>>>> avoids the idiosyncrasies in the winbindd configuration on the Active
>>>>> Directory Domain Controller. The Samba team does not recommend 
>>>>> using a
>>>>> Samba-based Domain Controller as a file server, and recommend that
>>>>> users run a separate Domain Member with file shares.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Andrew Bartlett
>>>>>
>>>> OK, now we have sorted that out, I will put creating a wiki page for
>>>> Dovecot on my TODO list, it will be based around the Apache page i.e.
>>>> it will say what user & SPN to create and then say howto transfer the
>>>> resultant keytab to another machine, leaving it up to the sysadmin to
>>>> read between the lines.
>>>>
>>>> This is what I planned to do.
>>>>
>>>> Rowland
>>>>
>>>>
>>> OK, just an update on the new wiki page for Dovecot, I started to write
>>> it and realised there is a potential problem.
>>>
>>> The user created in AD is called 'dovecot' and the Dovecot packages 
>>> also
>>> want to create a user called 'dovecot' in /etc/passwd, they cannot both
>>> exist.
>> Actually, yes they can. *ALL* my domain users are also in /etc/passwd 
>> because I use sendmail
>> and procmail as MTA to deliver mail to the appropriate Maildir 
>> folders (as defined in
>> /etc/passwd for home directories) and I use /etc/shadow as Dovecot's 
>> passdb for non-domain mail
>> clients such as iPhone and Outlook (the latter simply because I 
>> haven't figured out NTML
>> authentication for Outlook yet).
>
> Then, when you run 'getent passwd userA' which user do you get back ? 
> and have you tried creating a new local Unix user lately if that user 
> exists in AD already ?
>
> User 'rowland' is in AD:
>
> root at devstation:/home/rowland/dovecot# getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> If the 'root' user tries to create a local Unix user called 'rowland'
>
> root at devstation:/home/rowland/dovecot# useradd rowland
> useradd: user 'rowland' already exists
>
> Still think it is a good idea having your users in /etc/passwd & AD ?
>
> You don't need to anyway, Dovecot can use the mail or 
> userPrincipalName attributes.
>
> Rowland
>
>>
>> All domain members, Windows or Linux, authenticate users with their 
>> AD credentials just fine.
>>
>> What I did do with AD users and did not do with the AD dovecot user 
>> is create their /etc/passwd
>> entry with the same UID:GID as the AD account. So, for the dovecot 
>> user I could have:
>
> You do need the local Unix users in AD then, just give them a 
> 'uidNumber' attribute.
>
>
> Rowland
>
As long as the nss order is files or compat and afterwards winbind. 
Using dovecot fpr the samba user does not hurt.
The samba dovecot uid is at no place required for kerberos authetification.