[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Data Control Systems - Mike Elkevizth mike at datacontrolsystems.com
Sun Jul 17 13:35:27 UTC 2016


Hi Mark,

I think the reason you did not get the 'user already exists' message when
doing a useradd is because your nsswitch file doesn't include winbind on
the server you ran it on.  My system will give me the same warning as
Rowland's gives him with nsswitch set up like this:

passwd: compat winbind
group: compat winbind

My guess is that you had to add the users into /etc/passwd because of your
nsswitch file not using winbind.  Otherwise your MTA should work fine.
Mine does.

I do also have these lines in my smb.conf, but I'm not sure they are
necessary for the MTA to work.

winbind enum groups = yes
winbind enum users = yes

Mike E.

On Sun, Jul 17, 2016, 3:34 AM Rowland penny <rpenny at samba.org> wrote:

> On 17/07/16 07:12, Mark Foley wrote:
> > On Sat, 16 Jul 2016 19:39:21 +0100 Rowland penny <rpenny at samba.org> wrote:
> >> On 16/07/16 19:09, Mark Foley wrote:
> >>> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> wrote:
> >>>
> > [lots of extraneous stuff deleted]
> >
> >>>>>
> >>>> OK, just an update on the new wiki page for Dovecot, I started to
> >>>> write it and realised there is a potential problem.
> >>>>
> >>>> The user created in AD is called 'dovecot' and the Dovecot packages
> >>>> also want to create a user called 'dovecot' in /etc/passwd, they cannot
> >>>> both exist.
> >>> Actually, yes they can. *ALL* my domain users are also in /etc/passwd
> >>> because I use sendmail and procmail as MTA to deliver mail to the
> >>> appropriate Maildir folders (as defined in /etc/passwd for home
> >>> directories) and I use /etc/shadow as Dovecot's passdb for non-domain
> >>> mail clients such as iPhone and Outlook (the latter simply because I
> >>> haven't figured out NTLM authentication for Outlook yet).
> >> Then, when you run 'getent passwd userA' which user do you get back ?
> >> and have you tried creating a new local Unix user lately if that user
> >> exists in AD already ?
> >>
> >> User 'rowland' is in AD:
> >>
> >> root at devstation:/home/rowland/dovecot# getent passwd rowland
> >> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> >>
> >> If the 'root' user tries to create a local Unix user called 'rowland'
> >>
> >> root at devstation:/home/rowland/dovecot# useradd rowland
> >> useradd: user 'rowland' already exists
> > Just yesterday I added a new AD user 'shay' via RSAT ADUC on Windows.
> >
> > On the AD/DC I then ran wbinfo to verify the uid/gid:
> >
> > root at mail:~ # wbinfo -i shay
> > HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false
> >
> > Then I added that user to the AD/DC /etc/passwd for reasons mentioned
> > above.  Here is the actual command line still in root's bash command
> > history:
> >
> > useradd -c "Susan Hay" -d /home/HPRS/shay -g 10000 -m -s /bin/bash -u 10010 shay
> >
> > I did not get the "useradd: user 'shay' already exists" message you got.
> >
> > My getent:
> >
> > root at mail:~ # getent passwd shay
> > shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash
> >
> > Running getent on this user from a domain member (where that user IS NOT
> > in any local passwd file):
> >
> > mfoley at labrat:~ $ getent passwd shay
> > shay:*:10010:10000:Susan Hay:/home/shay:/bin/sh
> >
> >> Still think it is a good idea having your users in /etc/passwd & AD ?
> >>
> >> You don't need to anyway, Dovecot can use the mail or userPrincipalName
> >> attributes.
> > The reason I think I need to (and I could be mistaken) is for my
> > sendmail MTA to deliver incoming mail to /home/HPRS/username/Maildir.
> > To my knowledge, sendmail cannot otherwise determine user or destination
> > mail directories. Perhaps other MTAs can get this info from Samba4, but
> > I don't think sendmail can.
> >
> >>> All domain members, Windows or Linux, authenticate users with their AD
> >>> credentials just fine.
> >>>
> >>> What I did do with AD users and did not do with the AD dovecot user is
> >>> create their /etc/passwd entry with the same UID:GID as the AD account.
> >>> So, for the dovecot user I could have:
> >> You do need the local Unix users in AD then, just give them a
> >> 'uidNumber' attribute.
> > Not sure, but are you agreeing that it's OK to have AD users as both AD
> > users and local users?
> >
> > --Mark
> >
>
> No, bit of a typo there :-)
>
> What I am trying to tell you is that you shouldn't have users in AD and
> /etc/passwd, in fact there is no need to.
> The whole point of AD is centralisation of user and group management,
> you can take your AD user and make it a Unix user by adding RFC2307
> attributes to the user's object in AD.
>
> See here for the RFC:  https://www.ietf.org/rfc/rfc2307.txt
>
> In your setup you could have a user 'USERA' in AD and on your mail
> computer you could also have a 'USERA' in /etc/passwd, how do you keep
> the password for the two users in sync ? what happens if the AD user
> changes their password ?
>
> My systems are set up correctly and I cannot create a local Unix user if
> the user exists in AD, but this doesn't matter, because I do not need
> to. If I want an AD user to also be a Unix user, I just add the required
> RFC2307 attributes to the user's object in AD.
>
> If I run this command on a Unix domain member:
>
> rowland at devstation:~$ cat /etc/passwd | grep rowland
> rowland at devstation:~$
>
> I get nothing returned, so the user 'rowland' doesn't exist in
> /etc/passwd, but if I then run this command:
>
> rowland at devstation:~$ getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> Funny, I seem to have a Unix user called 'rowland', but he doesn't exist
> in /etc/passwd and if I wanted to use this user with Dovecot, I could.
>
> Rowland
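As an added illustration (not from the thread or from Samba itself), a small POSIX shell check for the overlap Rowland warns about: it takes local passwd lines and the winbind view of the same names and reports every account that exists in both sources, flagging where the uid/gid differ. The sample entries are constructed; on a real member server the two inputs would come from the `files` and `winbind` NSS sources (for example `getent -s files passwd` and `getent -s winbind passwd` on glibc).

```shell
#!/bin/sh
# Constructed sample data, in the colon-separated form getent emits.
# Local /etc/passwd entries (the 'dovecot' package user plus two hand-added AD users):
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
dovecot:x:97:97:Dovecot IMAP server:/usr/lib/dovecot:/bin/false
shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash
mfoley:x:10005:10000:Mark Foley:/home/HPRS/mfoley:/bin/bash'

# The same names as winbind resolves them from AD (RFC2307 uidNumber/gidNumber):
AD_PASSWD='dovecot:*:10020:10000:dovecot:/home/dovecot:/bin/false
shay:*:10010:10000:Susan Hay:/home/shay:/bin/sh
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash'

# Print one line per name present in both sources.
# MISMATCH: the two "same" users are different identities, so file ownership on
#           the mail store depends on which NSS source answers first.
# DUPLICATE: ids agree, but the local and AD passwords are still maintained separately.
find_conflicts() {
    local_src="$1"; ad_src="$2"
    printf '%s\n' "$ad_src" | while IFS=: read -r ad_name ad_pw ad_uid ad_gid ad_rest; do
        printf '%s\n' "$local_src" | while IFS=: read -r l_name l_pw l_uid l_gid l_rest; do
            [ "$l_name" = "$ad_name" ] || continue
            if [ "$l_uid" = "$ad_uid" ] && [ "$l_gid" = "$ad_gid" ]; then
                printf 'DUPLICATE %s uid=%s gid=%s (same ids, but two separate passwords)\n' \
                    "$ad_name" "$ad_uid" "$ad_gid"
            else
                printf 'MISMATCH %s local=%s:%s ad=%s:%s\n' \
                    "$ad_name" "$l_uid" "$l_gid" "$ad_uid" "$ad_gid"
            fi
        done
    done
}

find_conflicts "$LOCAL_PASSWD" "$AD_PASSWD"
```

With the sample data this reports 'dovecot' as a MISMATCH (97:97 locally versus 10020:10000 in AD) and 'shay' as a DUPLICATE; 'rowland' and 'mfoley' exist in only one source and are not listed.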