[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Mark Foley mfoley at ohprs.org
Wed Jul 20 17:05:26 UTC 2016


On Sun, 17 Jul 2016 08:32:28 +0100 Rowland penny <rpenny at samba.org> wrote:
> On 17/07/16 07:12, Mark Foley wrote:
> > On Sat, 16 Jul 2016 19:39:21 +0100 Rowland penny <rpenny at samba.org> wrote:
> >> On 16/07/16 19:09, Mark Foley wrote:
> >>> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> wrote:
> >>>
> > [lots of extraneous stuff deleted]
> >
> >>>>>
> >>>> OK, just an update on the new wiki page for Dovecot, I started to write
> >>>> it and realised there is a potential problem.
> >>>>
> >>>> The user created in AD is called 'dovecot' and the Dovecot packages also
> >>>> want to create a user called 'dovecot' in /etc/passwd, they cannot both
> >>>> exist.
> >>> Actually, yes they can. *ALL* my domain users are also in /etc/passwd because I use sendmail
> >>> and procmail as MTA to deliver mail to the appropriate Maildir folders (as defined in
> >>> /etc/passwd for home directories) and I use /etc/shadow as Dovecot's passdb for non-domain mail
> >>> clients such as iPhone and Outlook (the latter simply because I haven't figured out NTLM
> >>> authentication for Outlook yet).
> >> Then, when you run 'getent passwd userA' which user do you get back ?
> >> and have you tried creating a new local Unix user lately if that user
> >> exists in AD already ?
> >>
> >> User 'rowland' is in AD:
> >>
> >> root at devstation:/home/rowland/dovecot# getent passwd rowland
> >> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> >>
> >> If the 'root' user tries to create a local Unix user called 'rowland'
> >>
> >> root at devstation:/home/rowland/dovecot# useradd rowland
> >> useradd: user 'rowland' already exists
> > Just yesterday I added a new AD user 'shay' via RSAT ADUC on Windows.
> >
> > On the AD/DC I then ran wbinfo to verify the uid/gid:
> >
> > root at mail:~ # wbinfo -i shay
> > HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false
> >
> > Then I added that user to the AD/DC /etc/passwd for reasons mentioned above.  Here is the
> > actual command line still in root's bash command history:
> >
> > useradd -c "Susan Hay" -d /home/HPRS/shay -g 10000 -m -s /bin/bash -u 10010 shay
> >
> > I did not get the "useradd: user 'shay' already exists" message you got.
> >
> > My getent:
> >
> > root at mail:~ # getent passwd shay
> > shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash
> >
> > Running getent on this user from a domain member (where that user IS NOT in any local passwd file):
> >
> > mfoley at labrat:~ $ getent passwd shay
> > shay:*:10010:10000:Susan Hay:/home/shay:/bin/sh
> >
> >> Still think it is a good idea having your users in /etc/passwd & AD ?
> >>
> >> You don't need to anyway, Dovecot can use the mail or userPrincipalName
> >> attributes.
> > The reason I think I need to (and I could be mistaken) is for my sendmail MTA to deliver
> > incoming mail to /home/HPRS/username/Maildir. To my knowledge, sendmail cannot otherwise
> > determine user or destination mail directories. Perhaps other MTAs can get this info from
> > Samba4, but I don't think sendmail can.
> >
> >>> All domain members, Windows or Linux, authenticate users with their AD credentials just fine.
> >>>
> >>> What I did do with AD users and did not do with the AD dovecot user is create their /etc/passwd
> >>> entry with the same UID:GID as the AD account. So, for the dovecot user I could have:
> >> You do need the local Unix users in AD then, just give them a
> >> 'uidNumber' attribute.
> > Not sure, but are you agreeing that it's OK to have AD users as both AD users and local users?
> >
> > --Mark
> >
>
> No, bit of a typo there :-)
>
> What I am trying to tell you is that you shouldn't have users in AD and 
> /etc/passwd, in fact there is no need to.
> The whole point of AD is centralisation of user and group management, 
> you can take your AD user and make it a Unix user by adding RFC2307 
> attributes to the users object in AD.
>
> See here for the RFC:  https://www.ietf.org/rfc/rfc2307.txt

I will absolutely check this out! If I can do what I need without actually adding the user to
/etc/passwd, that would be great. I'll post back results.

> In your setup you could have a user 'USERA' in AD and on your mail 
> computer you could also have a 'USERA' in /etc/passwd, 

Well, that's basically what I have! :) It's just the mail computer *is* the AD/DC.

> how do you keep the password for the two users in sync ? what happens if the AD 
> user changes their password ?

They don't need to keep the passwords in sync since the AD password is the only one used for
authentication. Users never log onto the AD/DC directly, certainly not at the command line.
Users logging into domain members, Linux or Windows, command line or not, use their AD
credentials. Their /etc/passwd password on the DC is never involved.

The DC's /etc/passwd entries are used solely for Sendmail/procmail to deliver mail to the
user's target email folders.

It's kind of analogous to `samba-tool user create dovecot --random-password`. The idea is
simply to create an entry.
 
Having said that, if the user would need to sync or change their /etc/passwd password I have
provided an application for them to do that which uses chpasswd on the AD/DC.  This also
updates the Apache passwords (if any). This mechanism has not been needed in the 2 years since
I created it.

> My systems are setup correctly and I cannot create a local Unix user if 
> the user exists in AD, ...

Well, perhaps a later version of Samba adds this check (I have 4.2.12). I really did nothing
special to my Samba setup. I followed the wiki for the smb.conf exactly. Samba itself came
with my distro, no building needed on my part.

> but this doesn't matter, because I do not need to.  If I want an AD user to also be a Unix
> user, I just add the required RFC2307 attributes to the users object in AD. 
>
> If I run this command on a Unix domain member:
>
> rowland at devstation:~$ cat /etc/passwd | grep rowland
> rowland at devstation:~$
>
> I get nothing returned, so the user 'rowland' doesn't exist in 
> /etc/passwd, but if I then run this command:
>
> rowland at devstation:~$ getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> Funny, I seem to have a Unix user called 'rowland', but he doesn't exist 
> in /etc/passwd and if I wanted to use this user with Dovecot, I could.
>
> Rowland

Right, Dovecot does not need the /etc/passwd now that I've implemented GSSAPI authentication
(it did use it before with the PLAIN auth method). As I said, that entry is there solely for
Sendmail/procmail to locate the user's target email folders. If sendmail could AD authenticate
I wouldn't need /etc/passwd at all.

I'll definitely check out that RFC2307 to see if that would take care of the sendmail issue
and I'll post back my findings.

And before anyone asks ... no, we're not likely to get rid of sendmail any time soon!

--Mark
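The thread above turns on one risk: an account name that exists both in the DC's local /etc/passwd and in AD, possibly with different numeric UIDs, so which identity owns a mailbox depends on NSS lookup order. The script below is an added example (not code from either poster or from the Samba project) that reports every name present in both sources and flags UID mismatches. It runs on constructed sample data embedded in the block; the account names, UIDs and home paths are invented for illustration. The function assumes passwd-format lines for both sides, with winbind-style `DOMAIN\user` names stripped to the bare user name before comparison.

```sh
#!/bin/sh
# Constructed sample of DC-local /etc/passwd lines (hypothetical data, not taken from the thread's systems).
LOCAL_PASSWD='shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash
dovecot:x:97:97:Dovecot:/var/empty:/bin/false
alice:x:1001:1001:Alice Local:/home/alice:/bin/bash'

# Constructed sample of what winbind reports for AD users (wbinfo -i style, DOMAIN\user names).
AD_PASSWD='HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false
HPRS\dovecot:*:10020:10000:Dovecot service:/home/HPRS/dovecot:/bin/false
HPRS\bob:*:10030:10000:Bob Domain:/home/HPRS/bob:/bin/sh'

# report_overlap LOCAL AD
# Prints one line per account name that exists in both sources:
#   name:UID_MATCH:localuid:aduid     same numeric UID (the deliberate mirroring described above)
#   name:UID_CONFLICT:localuid:aduid  different UIDs: file ownership depends on NSS lookup order
report_overlap() {
    local_f=$(mktemp) || return 1
    ad_f=$(mktemp) || return 1
    printf '%s\n' "$1" > "$local_f"
    printf '%s\n' "$2" > "$ad_f"
    awk -F: '
        FILENAME == ARGV[1] { local_uid[$1] = $3; next }   # first file: local passwd entries
        {
            name = $1
            sub(/^.*\\/, "", name)                         # drop the DOMAIN\ prefix from winbind names
            if (name in local_uid) {
                status = (local_uid[name] == $3) ? "UID_MATCH" : "UID_CONFLICT"
                print name ":" status ":" local_uid[name] ":" $3
            }
        }' "$local_f" "$ad_f"
    rm -f "$local_f" "$ad_f"
}

# count_conflicts LOCAL AD
# Prints the number of UID_CONFLICT lines (0 when the two sources agree).
count_conflicts() {
    report_overlap "$1" "$2" | awk -F: '$2 == "UID_CONFLICT" { n++ } END { print n + 0 }'
}

# Stand-alone demo on the constructed data. On a real DC or domain member you would
# instead feed the live sources, e.g. (not run here):
#   report_overlap "$(cat /etc/passwd)" "$(for u in $(wbinfo -u); do wbinfo -i "$u"; done)"
report_overlap "$LOCAL_PASSWD" "$AD_PASSWD"
```

On the sample data `shay` is reported as UID_MATCH (the mirroring Mark describes, same UID on both sides) and `dovecot` as UID_CONFLICT, the case Rowland warns about: a local service account and an AD account share the name but not the UID, so Maildir ownership and `getent` results will differ depending on which source answers first in nsswitch.conf. Users present on only one side (`alice`, `bob`) are not reported.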
