[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Rowland penny rpenny at samba.org
Sun Jul 17 07:32:28 UTC 2016


On 17/07/16 07:12, Mark Foley wrote:
> On Sat, 16 Jul 2016 19:39:21 +0100 Rowland penny <rpenny at samba.org> wrote:
>> On 16/07/16 19:09, Mark Foley wrote:
>>> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> wrote:
>>>
> [lots of extraneous stuff deleted]
>
>>>>>
>>>> OK, just an update on the new wiki page for Dovecot, I started to write
>>>> it and realised there is a potential problem.
>>>>
>>>> The user created in AD is called 'dovecot' and the Dovecot packages also
>>>> want to create a user called 'dovecot' in /etc/passwd, they cannot both
>>>> exist.
>>> Actually, yes they can. *ALL* my domain users are also in /etc/passwd because I use sendmail
>>> and procmail as MTA to deliver mail to the appropriate Maildir folders (as defined in
>>> /etc/passwd for home directories) and I use /etc/shadow as Dovecot's passdb for non-domain mail
>>> clients such as iPhone and Outlook (the latter simply because I haven't figured out NTLM
>>> authentication for Outlook yet).
>> Then, when you run 'getent passwd userA' which user do you get back ?
>> and have you tried creating a new local Unix user lately if that user
>> exists in AD already ?
>>
>> User 'rowland' is in AD:
>>
>> root at devstation:/home/rowland/dovecot# getent passwd rowland
>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>>
>> If the 'root' user tries to create a local Unix user called 'rowland'
>>
>> root at devstation:/home/rowland/dovecot# useradd rowland
>> useradd: user 'rowland' already exists
> Just yesterday I added a new AD user 'shay' via RSAT ADUC on Windows.
>
> On the AD/DC I then ran wbinfo to verify the uid/gid:
>
> root at mail:~ # wbinfo -i shay
> HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false
>
> Then I added that user to the AD/DC /etc/passwd for reasons mentioned above.  Here is the
> actual command line still in root's bash command history:
>
> useradd -c "Susan Hay" -d /home/HPRS/shay -g 10000 -m -s /bin/bash -u 10010 shay
>
> I did not get the "useradd: user 'shay' already exists" message you got.
>
> My getent:
>
> root at mail:~ # getent passwd shay
> shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash
>
> Running getent on this user from a domain member (where that user IS NOT in any local passwd file):
>
> mfoley at labrat:~ $ getent passwd shay
> shay:*:10010:10000:Susan Hay:/home/shay:/bin/sh
>
>> Still think it is a good idea having your users in /etc/passwd & AD ?
>>
>> You don't need to anyway, Dovecot can use the mail or userPrincipalName
>> attributes.
> The reason I think I need to (and I could be mistaken) is for my sendmail MTA to deliver
> incoming mail to /home/HPRS/username/Maildir. To my knowledge, sendmail cannot otherwise
> determine user or destination mail directories. Perhaps other MTAs can get this info from
> Samba4, but I don't think sendmail can.
>
>>> All domain members, Windows or Linux, authenticate users with their AD credentials just fine.
>>>
>>> What I did do with AD users and did not do with the AD dovecot user is create their /etc/passwd
>>> entry with the same UID:GID as the AD account. So, for the dovecot user I could have:
>> You do need the local Unix users in AD then, just give them a
>> 'uidNumber' attribute.
> Not sure, but are you agreeing that it's OK to have AD users as both AD users and local users?
>
> --Mark
>

No, bit of a typo there :-)

What I am trying to tell you is that you shouldn't have users in AD and 
/etc/passwd; in fact there is no need to.
The whole point of AD is centralisation of user and group management: 
you can take your AD user and make it a Unix user by adding RFC2307 
attributes to the user's object in AD.

See here for the RFC:  https://www.ietf.org/rfc/rfc2307.txt

In your setup you could have a user 'USERA' in AD and on your mail 
computer you could also have a 'USERA' in /etc/passwd. How do you keep 
the password for the two users in sync? What happens if the AD user 
changes their password?

My systems are set up correctly and I cannot create a local Unix user if 
the user exists in AD, but this doesn't matter, because I do not need 
to. If I want an AD user to also be a Unix user, I just add the required 
RFC2307 attributes to the user's object in AD.

If I run this command on a Unix domain member:

rowland at devstation:~$ cat /etc/passwd | grep rowland
rowland at devstation:~$

I get nothing returned, so the user 'rowland' doesn't exist in 
/etc/passwd, but if I then run this command:

rowland at devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Funny, I seem to have a Unix user called 'rowland', but he doesn't exist 
in /etc/passwd and if I wanted to use this user with Dovecot, I could.

Rowland
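A quick way to audit for the duplication discussed in this thread (an account that exists both in /etc/passwd and in AD) is to compare the two passwd-format views name by name. This is an added example, not code from the thread: the sample data is constructed from the entries quoted above, and for a live check you would substitute the real /etc/passwd and the `wbinfo -i` output for each user listed by `wbinfo -u`.

```shell
#!/bin/sh
# Constructed sample data, modelled on the passwd lines quoted in this thread.
# For a live audit replace these with the contents of /etc/passwd and the
# output of `wbinfo -i <user>` for each user listed by `wbinfo -u`.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash
dovecot:x:97:97:Dovecot IMAP server:/var/lib/dovecot:/sbin/nologin'

# wbinfo on a DC prefixes names with DOMAIN\ ; the comparison strips that.
AD_PASSWD='HPRS\shay:*:10010:10000:Susan Hay:/home/shay:/bin/sh
HPRS\dovecot:*:10020:10000:Dovecot service:/home/dovecot:/bin/false
HPRS\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash'

# find_collisions LOCAL_LINES AD_LINES
# Prints one line per account name present in BOTH sources:
#   same-ids NAME local=UID:GID:HOME ad=UID:GID:HOME  (ids agree; still two passwords to keep in sync)
#   CONFLICT NAME local=UID:GID:HOME ad=UID:GID:HOME  (uid or gid differ; file ownership will not match)
find_collisions() {
    # Tag each line with its source so a single awk pass can see both.
    {
        printf '%s\n' "$1" | sed 's/^/L:/'
        printf '%s\n' "$2" | sed 's/^/A:/'
    } | awk -F: '
        $1 == "L" { luid[$2] = $4; lgid[$2] = $5; lhome[$2] = $7; next }
        $1 == "A" { sub(/^.*\\/, "", $2) }          # drop DOMAIN\ prefix
        $1 == "A" && ($2 in luid) {
            status = (luid[$2] == $4 && lgid[$2] == $5) ? "same-ids" : "CONFLICT"
            printf "%s %s local=%s:%s:%s ad=%s:%s:%s\n", status, $2,
                   luid[$2], lgid[$2], lhome[$2], $4, $5, $7
        }'
}

# count_collisions LOCAL_LINES AD_LINES -> number of names present in both sources
count_collisions() {
    find_collisions "$1" "$2" | wc -l | tr -d ' '
}

find_collisions "$LOCAL_PASSWD" "$AD_PASSWD"
```

Any line of output is a candidate for removal from /etc/passwd in favour of RFC2307 attributes on the AD object, as Rowland suggests; a CONFLICT line additionally means files owned by the local account will not map to the AD account.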
