[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
Achim Gottinger
achim at ag-web.biz
Sun Jul 17 16:50:35 UTC 2016
On 17.07.2016 at 09:32, Rowland penny wrote:
> On 17/07/16 07:12, Mark Foley wrote:
>> On Sat, 16 Jul 2016 19:39:21 +0100 Rowland penny <rpenny at samba.org>
>> wrote:
>>> On 16/07/16 19:09, Mark Foley wrote:
>>>> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org>
>>>> wrote:
>>>>
>> [lots of extraneous stuff deleted]
>>
>>>>>>
>>>>> OK, just an update on the new wiki page for Dovecot, I started to
>>>>> write
>>>>> it and realised there is a potential problem.
>>>>>
>>>>> The user created in AD is called 'dovecot' and the Dovecot
>>>>> packages also
>>>>> want to create a user called 'dovecot' in /etc/passwd, they cannot
>>>>> both
>>>>> exist.
>>>> Actually, yes they can. *ALL* my domain users are also in
>>>> /etc/passwd because I use sendmail
>>>> and procmail as MTA to deliver mail to the appropriate Maildir
>>>> folders (as defined in
>>>> /etc/passwd for home directories) and I use /etc/shadow as
>>>> Dovecot's passdb for non-domain mail
>>>> clients such as iPhone and Outlook (the latter simply because I
>>>> haven't figured out NTLM
>>>> authentication for Outlook yet).
>>> Then, when you run 'getent passwd userA' which user do you get back ?
>>> and have you tried creating a new local Unix user lately if that user
>>> exists in AD already ?
>>>
>>> User 'rowland' is in AD:
>>>
>>> root at devstation:/home/rowland/dovecot# getent passwd rowland
>>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>>>
>>> If the 'root' user tries to create a local Unix user called 'rowland'
>>>
>>> root at devstation:/home/rowland/dovecot# useradd rowland
>>> useradd: user 'rowland' already exists
>> Just yesterday I added a new AD user 'shay' via RSAT ADUC on Windows.
>>
>> On the AD/DC I then ran wbinfo to verify the uid/gid:
>>
>> root at mail:~ # wbinfo -i shay
>> HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false
>>
>> Then I added that user to the AD/DC /etc/passwd for reasons mentioned
>> above. Here is the
>> actual command line still in root's bash command history:
>>
>> useradd -c "Susan Hay" -d /home/HPRS/shay -g 10000 -m -s /bin/bash -u
>> 10010 shay
>>
>> I did not get the "useradd: user 'shay' already exists" message you got.
>>
>> My getent:
>>
>> root at mail:~ # getent passwd shay
>> shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash
>>
>> Running getent on this user from a domain member (where that user IS
>> NOT in any local passwd file):
>>
>> mfoley at labrat:~ $ getent passwd shay
>> shay:*:10010:10000:Susan Hay:/home/shay:/bin/sh
>>
>>> Still think it is a good idea having your users in /etc/passwd & AD ?
>>>
>>> You don't need to anyway, Dovecot can use the mail or userPrincipalName
>>> attributes.
>> The reason I think I need to (and I could be mistaken) is for my
>> sendmail MTA to deliver
>> incoming mail to /home/HPRS/username/Maildir. To my knowledge,
>> sendmail cannot otherwise
>> determine user or destination mail directories. Perhaps other MTAs
>> can get this info from
>> Samba4, but I don't think sendmail can.
>>
>>>> All domain members, Windows or Linux, authenticate users with their
>>>> AD credentials just fine.
>>>>
>>>> What I did do with AD users and did not do with the AD dovecot user
>>>> is create their /etc/passwd
>>>> entry with the same UID:GID as the AD account. So, for the dovecot
>>>> user I could have:
>>> You do need the local Unix users in AD then, just give them a
>>> 'uidNumber' attribute.
>> Not sure, but are you agreeing that it's OK to have AD users as both
>> AD users and local users?
>>
>> --Mark
>>
>
> No, bit of a typo there :-)
>
> What I am trying to tell you is that you shouldn't have users in AD
> and /etc/passwd, in fact there is no need to.
> The whole point of AD is centralisation of user and group management,
> you can take your AD user and make it a Unix user by adding RFC2307
> attributes to the user's object in AD.
>
> See here for the RFC: https://www.ietf.org/rfc/rfc2307.txt
>
> In your setup you could have a user 'USERA' in AD and on your mail
> computer you could also have a 'USERA' in /etc/passwd, how do you keep
> the password for the two users in sync ? what happens if the AD user
> changes their password ?
>
> My systems are set up correctly and I cannot create a local Unix user
> if the user exists in AD, but this doesn't matter, because I do not
> need to. If I want an AD user to also be a Unix user, I just add the
> required RFC2307 attributes to the user's object in AD.
>
> If I run this command on a Unix domain member:
>
> rowland at devstation:~$ cat /etc/passwd | grep rowland
> rowland at devstation:~$
>
> I get nothing returned, so the user 'rowland' doesn't exist in
> /etc/passwd, but if I then run this command:
>
> rowland at devstation:~$ getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> Funny, I seem to have a Unix user called 'rowland', but he doesn't
> exist in /etc/passwd and if I wanted to use this user with Dovecot, I
> could.
>
> Rowland
>
On my production server I use a user called ldap for all the SPNs. It
has worked fine with Dovecot for Kerberos authentication for two years.
So just use something like dovecot-krb and not dovecot, as I recommended
to Mark in one of my earlier mails in this thread. It is less confusing
that way.
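As an added illustration of the collision Rowland describes (the same account name living in /etc/passwd and in AD, with no guarantee the uids or passwords agree), not code from anyone in this thread: a small POSIX sh check that compares a local passwd file against wbinfo -i style lines and reports every name present in both, noting whether the uids match. The sample files, the function name and all uids other than the ones quoted for 'shay' are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag account names that exist both in a local passwd file
# and in AD (wbinfo -i / getent style lines), and whether the uids agree.
# Everything below is CONSTRUCTED sample input, not a real system's files;
# the uids for 'shay' are the ones quoted in the thread, the rest are made up.
LOCAL_PASSWD="$(mktemp)"
AD_PASSWD="$(mktemp)"
trap 'rm -f "$LOCAL_PASSWD" "$AD_PASSWD"' EXIT

cat > "$LOCAL_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
dovecot:x:97:97:Dovecot IMAP server:/usr/lib/dovecot:/bin/false
shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash
EOF

# Lines as 'wbinfo -i' prints them on the DC (DOMAIN\name prefix present).
cat > "$AD_PASSWD" <<'EOF'
HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false
HPRS\dovecot:*:10020:10000:Dovecot service:/home/HPRS/dovecot:/bin/false
HPRS\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
EOF

# overlap_report LOCAL_FILE AD_FILE
# Prints "name local_uid ad_uid SAME|DIFFERENT" for every name found in
# both sources; names known to only one source are not printed.
overlap_report() {
    awk -F: '
        NR == FNR { local_uid[$1] = $3; next }      # pass 1: local file
        {
            name = $1
            sub(/^[^\\]*\\/, "", name)             # drop DOMAIN\ prefix
            if (name in local_uid)
                printf "%s %s %s %s\n", name, local_uid[name], $3,
                       (local_uid[name] == $3 ? "SAME" : "DIFFERENT")
        }' "$1" "$2"
}

overlap_report "$LOCAL_PASSWD" "$AD_PASSWD"
```

On a real domain member you would feed it /etc/passwd and the output of `wbinfo -i` for each AD user; any DIFFERENT line is an account whose files will be owned by one uid when mail is delivered locally and another when the user is resolved through winbind.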