[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Achim Gottinger achim at ag-web.biz
Sun Jul 17 16:50:35 UTC 2016



On 17.07.2016 at 09:32, Rowland penny wrote:
> On 17/07/16 07:12, Mark Foley wrote:
>> On Sat, 16 Jul 2016 19:39:21 +0100 Rowland penny <rpenny at samba.org> wrote:
>>> On 16/07/16 19:09, Mark Foley wrote:
>>>> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> wrote:
>>>>
>> [lots of extraneous stuff deleted]
>>
>>>>>>
>>>>> OK, just an update on the new wiki page for Dovecot, I started to write
>>>>> it and realised there is a potential problem.
>>>>>
>>>>> The user created in AD is called 'dovecot' and the Dovecot packages also
>>>>> want to create a user called 'dovecot' in /etc/passwd, they cannot both
>>>>> exist.
>>>> Actually, yes they can. *ALL* my domain users are also in /etc/passwd because I use sendmail
>>>> and procmail as MTA to deliver mail to the appropriate Maildir folders (as defined in
>>>> /etc/passwd for home directories) and I use /etc/shadow as Dovecot's passdb for non-domain mail
>>>> clients such as iPhone and Outlook (the latter simply because I haven't figured out NTLM
>>>> authentication for Outlook yet).
>>> Then, when you run 'getent passwd userA', which user do you get back?
>>> And have you tried creating a new local Unix user lately if that user
>>> exists in AD already?
>>>
>>> User 'rowland' is in AD:
>>>
>>> root at devstation:/home/rowland/dovecot# getent passwd rowland
>>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>>>
>>> If the 'root' user tries to create a local Unix user called 'rowland'
>>>
>>> root at devstation:/home/rowland/dovecot# useradd rowland
>>> useradd: user 'rowland' already exists
>> Just yesterday I added a new AD user 'shay' via RSAT ADUC on Windows.
>>
>> On the AD/DC I then ran wbinfo to verify the uid/gid:
>>
>> root at mail:~ # wbinfo -i shay
>> HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false
>>
>> Then I added that user to the AD/DC /etc/passwd for reasons mentioned above. Here is the
>> actual command line still in root's bash command history:
>>
>> useradd -c "Susan Hay" -d /home/HPRS/shay -g 10000 -m -s /bin/bash -u 10010 shay
>>
>> I did not get the "useradd: user 'shay' already exists" message you got.
>>
>> My getent:
>>
>> root at mail:~ # getent passwd shay
>> shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash
>>
>> Running getent on this user from a domain member (where that user IS NOT in any local passwd file):
>>
>> mfoley at labrat:~ $ getent passwd shay
>> shay:*:10010:10000:Susan Hay:/home/shay:/bin/sh
>>
>>> Still think it is a good idea having your users in /etc/passwd & AD ?
>>>
>>> You don't need to anyway, Dovecot can use the mail or userPrincipalName
>>> attributes.
>> The reason I think I need to (and I could be mistaken) is for my sendmail MTA to deliver
>> incoming mail to /home/HPRS/username/Maildir. To my knowledge, sendmail cannot otherwise
>> determine user or destination mail directories. Perhaps other MTAs can get this info from
>> Samba4, but I don't think sendmail can.
>>
>>>> All domain members, Windows or Linux, authenticate users with their AD credentials just fine.
>>>>
>>>> What I did do with AD users and did not do with the AD dovecot user is create their /etc/passwd
>>>> entry with the same UID:GID as the AD account. So, for the dovecot user I could have:
>>> You do need the local Unix users in AD then, just give them a
>>> 'uidNumber' attribute.
>> Not sure, but are you agreeing that it's OK to have AD users as both AD users and local users?
>>
>> --Mark
>>
>
> No, bit of a typo there :-)
>
> What I am trying to tell you is that you shouldn't have users in AD
> and /etc/passwd, in fact there is no need to.
> The whole point of AD is centralisation of user and group management,
> you can take your AD user and make it a Unix user by adding RFC2307
> attributes to the user's object in AD.
>
> See here for the RFC:  https://www.ietf.org/rfc/rfc2307.txt
>
> In your setup you could have a user 'USERA' in AD and on your mail
> computer you could also have a 'USERA' in /etc/passwd. How do you keep
> the password for the two users in sync? What happens if the AD user
> changes their password?
>
> My systems are set up correctly and I cannot create a local Unix user
> if the user exists in AD, but this doesn't matter, because I do not
> need to. If I want an AD user to also be a Unix user, I just add the
> required RFC2307 attributes to the user's object in AD.
>
> If I run this command on a Unix domain member:
>
> rowland at devstation:~$ cat /etc/passwd | grep rowland
> rowland at devstation:~$
>
> I get nothing returned, so the user 'rowland' doesn't exist in /etc/passwd, but if I then run this command:
>
> rowland at devstation:~$ getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> Funny, I seem to have a Unix user called 'rowland', but he doesn't
> exist in /etc/passwd and if I wanted to use this user with Dovecot, I could.
>
> Rowland
>
On my production server I use a user called ldap for all the SPNs. It
has worked fine with Dovecot for Kerberos authentication for two years.
So just use something like dovecot-krb and not dovecot, as I recommended
to Mark in one of my earlier mails in this thread. It is less confusing
that way.
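The check Rowland and Mark trade above (does a name in /etc/passwd and the same name returned by 'getent passwd' resolve to one identity, or to two different UID:GID pairs?) can be scripted so it runs as a routine audit on a mail server. The script below is an added example, not code from this thread nor from Samba or Dovecot; the passwd lines, the numeric ids and the temp-file paths in the samples are constructed for illustration. On a real domain member you would pass /etc/passwd and the output of 'getent passwd' instead of the constructed files.

```sh
#!/bin/sh
# Added example, not code from the thread: report user names that exist both
# in a local /etc/passwd and in the directory that 'getent passwd' consults
# (AD users carrying RFC2307 uidNumber/gidNumber attributes), and flag those
# whose UID:GID differ. A name that resolves to two different identities is
# the ambiguity Rowland warns about; identical ids (Mark's 'shay') are the
# benign case. Both inputs are passwd(5)-format files so the check runs
# offline on constructed samples.

# compare_passwd LOCAL_FILE DIRECTORY_FILE
# Prints one line per name present in both files:
#   SAME <name> <uid:gid>
#   DIFF <name> local=<uid:gid> directory=<uid:gid>
compare_passwd() {
    awk -F: '
        # first file: remember each local name -> uid:gid
        FILENAME == ARGV[1] { local_id[$1] = $3 ":" $4; next }
        # second file: report names that also appear locally
        ($1 in local_id) {
            dir_id = $3 ":" $4
            if (local_id[$1] == dir_id)
                print "SAME", $1, dir_id
            else
                print "DIFF", $1, "local=" local_id[$1], "directory=" dir_id
        }
    ' "$1" "$2"
}

# count_collisions LOCAL_FILE DIRECTORY_FILE: number of DIFF lines (0 = clean)
count_collisions() {
    compare_passwd "$1" "$2" | grep -c '^DIFF' || true
}

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
LOCAL_SAMPLE="$WORKDIR/passwd.local"
DIR_SAMPLE="$WORKDIR/passwd.getent"

# Constructed sample: /etc/passwd on a mail server where the Dovecot package
# created its own 'dovecot' system account and 'shay' was added by hand with
# the AD user's ids (modelled on the thread, ids chosen for illustration).
cat > "$LOCAL_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
dovecot:x:97:97:Dovecot IMAP server:/usr/lib/dovecot:/bin/false
shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash
EOF

# Constructed sample: what 'getent passwd' returns for the AD users; the
# 'dovecot' AD account was given a uidNumber that differs from the package's
# local account, which is the collision the thread discusses.
cat > "$DIR_SAMPLE" <<'EOF'
shay:*:10010:10000:Susan Hay:/home/shay:/bin/sh
dovecot:*:10020:10000:Dovecot service account:/home/dovecot:/bin/false
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
EOF

compare_passwd "$LOCAL_SAMPLE" "$DIR_SAMPLE"
# SAME shay 10010:10000
# DIFF dovecot local=97:97 directory=10020:10000
```

A DIFF line means the effective identity of that name depends on the order of sources in nsswitch.conf, so file ownership in the Maildir, Dovecot's passdb lookup and the Kerberos service account can silently disagree; the fix the thread arrives at is to keep one of the two (the AD object with RFC2307 attributes, or a differently named service account such as dovecot-krb).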



