[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Mark Foley mfoley at ohprs.org
Sun Jul 17 06:12:48 UTC 2016


On Sat, 16 Jul 2016 19:39:21 +0100 Rowland penny <rpenny at samba.org> wrote:
>
> On 16/07/16 19:09, Mark Foley wrote:
> > On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> wrote:
> >

[lots of extraneous stuff deleted]

> >>>
> >>>
> >> OK, just an update on the new wiki page for Dovecot, I started to write
> >> it and realised there is a potential problem.
> >>
> >> The user created in AD is called 'dovecot' and the Dovecot packages also
> >> want to create a user called 'dovecot' in /etc/passwd, they cannot both
> >> exist.
> >
> > Actually, yes they can. *ALL* my domain users are also in /etc/passwd because I use sendmail
> > and procmail as MTA to deliver mail to the appropriate Maildir folders (as defined in
> > /etc/passwd for home directories) and I use /etc/shadow as Dovecot's passdb for non-domain mail
> > clients such as iPhone and Outlook (the latter simply because I haven't figured out NTLM
> > authentication for Outlook yet).
>
> Then, when you run 'getent passwd userA' which user do you get back ? 
> and have you tried creating a new local Unix user lately if that user 
> exists in AD already ?
>
> User 'rowland' is in AD:
>
> root at devstation:/home/rowland/dovecot# getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> If the 'root' user tries to create a local Unix user called 'rowland'
>
> root at devstation:/home/rowland/dovecot# useradd rowland
> useradd: user 'rowland' already exists

Just yesterday I added a new AD user 'shay' via RSAT ADUC on Windows. 

On the AD/DC I then ran wbinfo to verify the uid/gid:

root at mail:~ # wbinfo -i shay
HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false

Then I added that user to the AD/DC /etc/passwd for reasons mentioned above.  Here is the
actual command line still in root's bash command history:

useradd -c "Susan Hay" -d /home/HPRS/shay -g 10000 -m -s /bin/bash -u 10010 shay

I did not get the "useradd: user 'shay' already exists" message you got.

My getent:

root at mail:~ # getent passwd shay
shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash

Running getent on this user from a domain member (where that user IS NOT in any local passwd file):

mfoley at labrat:~ $ getent passwd shay
shay:*:10010:10000:Susan Hay:/home/shay:/bin/sh

> Still think it is a good idea having your users in /etc/passwd & AD ?
>
> You don't need to anyway, Dovecot can use the mail or userPrincipalName 
> attributes.

The reason I think I need to (and I could be mistaken) is for my sendmail MTA to deliver
incoming mail to /home/HPRS/username/Maildir. To my knowledge, sendmail cannot otherwise
determine user or destination mail directories. Perhaps other MTAs can get this info from 
Samba4, but I don't think sendmail can.

> >
> > All domain members, Windows or Linux, authenticate users with their AD credentials just fine.
> >
> > What I did do with AD users and did not do with the AD dovecot user is create their /etc/passwd
> > entry with the same UID:GID as the AD account. So, for the dovecot user I could have:
>
> You do need the local Unix users in AD then, just give them a 
> 'uidNumber' attribute.

Not sure, but are you agreeing that it's OK to have AD users as both AD users and local users?

--Mark
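The disagreement above is really about what happens when one username exists in two identity sources (local /etc/passwd and AD via winbind). The concrete risk is a uid or gid mismatch: whichever source answers first decides who owns files and what Dovecot or the MTA can read. The following is an added example, not code from the thread or from Samba, that compares a local passwd(5) entry with the record winbind reports (`wbinfo -i`, as used in the thread) for the same name and classifies the difference. The 'shay' sample lines are the ones quoted in the thread; the 'dovecot' pair and the `audit_user` helper are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original post): detect a username that exists
# both in the local /etc/passwd and in AD, and report whether the two records
# agree on uid/gid. Inputs are passwd(5)-format lines, so the function accepts
# real `grep`/`wbinfo -i` output or the constructed samples below.

# compare_passwd_entries LOCAL_LINE AD_LINE
# Prints one verdict: "uid-mismatch", "gid-mismatch", "attr-drift" or "match".
# The AD line may carry a DOMAIN\user name (wbinfo style); only fields 3-7 are used.
compare_passwd_entries() {
    cmp_local=$1
    cmp_ad=$2
    l_uid=$(printf '%s' "$cmp_local" | cut -d: -f3)
    a_uid=$(printf '%s' "$cmp_ad"    | cut -d: -f3)
    l_gid=$(printf '%s' "$cmp_local" | cut -d: -f4)
    a_gid=$(printf '%s' "$cmp_ad"    | cut -d: -f4)
    l_home=$(printf '%s' "$cmp_local" | cut -d: -f6)
    a_home=$(printf '%s' "$cmp_ad"    | cut -d: -f6)
    l_shell=$(printf '%s' "$cmp_local" | cut -d: -f7)
    a_shell=$(printf '%s' "$cmp_ad"    | cut -d: -f7)

    if [ "$l_uid" != "$a_uid" ]; then
        # Same name, different uid: file ownership and mailbox access resolve to
        # different principals depending on which NSS source answers first.
        echo "uid-mismatch"
    elif [ "$l_gid" != "$a_gid" ]; then
        echo "gid-mismatch"
    elif [ "$l_home" != "$a_home" ] || [ "$l_shell" != "$a_shell" ]; then
        # Same identity, but home directory or shell differ between sources.
        echo "attr-drift"
    else
        echo "match"
    fi
}

# audit_user NAME (hypothetical helper): on a live winbind host, read the local
# entry straight from /etc/passwd (not via getent, which on a DC returns the
# local entry first) and the AD entry via `wbinfo -i`, then compare them.
audit_user() {
    au_name=$1
    au_local=$(grep "^${au_name}:" /etc/passwd 2>/dev/null | head -n 1)
    au_ad=$(wbinfo -i "$au_name" 2>/dev/null | head -n 1)
    if [ -z "$au_local" ] || [ -z "$au_ad" ]; then
        echo "single-source"   # the name lives in only one place: no overlap to resolve
        return 0
    fi
    compare_passwd_entries "$au_local" "$au_ad"
}

# Constructed samples. The 'shay' lines are quoted in the thread (local useradd
# entry vs. wbinfo output); the 'dovecot' pair is made up to show a real conflict
# between a package-created local account and an AD account of the same name.
SHAY_LOCAL='shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash'
SHAY_AD='HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false'
DOVECOT_LOCAL='dovecot:x:97:97:Dovecot IMAP server:/var/empty:/sbin/nologin'
DOVECOT_AD='HPRS\dovecot:*:10020:10000:Dovecot service:/home/HPRS/dovecot:/bin/false'

compare_passwd_entries "$SHAY_LOCAL" "$SHAY_AD"         # prints attr-drift
compare_passwd_entries "$DOVECOT_LOCAL" "$DOVECOT_AD"   # prints uid-mismatch
```

"attr-drift" is the benign case Mark describes (same uid/gid deliberately copied into /etc/passwd, only the shell differs); "uid-mismatch" is the case Rowland warns about, where a package's local service account and the AD account of the same name would disagree on who owns the mail store.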


