[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Rowland penny rpenny at samba.org
Wed Jul 20 17:35:33 UTC 2016


On 20/07/16 18:05, Mark Foley wrote:
> On Sun, 17 Jul 2016 08:32:28 +0100 Rowland penny <rpenny at samba.org> wrote:
> I will absolutely check this out! If I can do what I need without actually adding the user to
> /etc/passwd, that would be great. I'll post back results.
>
>> In your setup you could have a user 'USERA' in AD and on your mail
>> computer you could also have a 'USERA' in /etc/passwd,
> Well, that's basically what I have! :) It's just the mail computer *is* the AD/DC.
>
>> how do you keep the password for the two users in sync? What happens if the AD
>> user changes their password?
> They don't need to keep the passwords in sync since the AD password is the only one used for
> authentication. Users never log onto the AD/DC directly, certainly not at the command line.
> Users logging into domain members, Linux or Windows, command line or not, use their AD
> credentials. Their /etc/passwd password on the DC is never involved.
>
> The DC's /etc/password entries are used solely for Sendmail/procmail to deliver mail to the
> user's target email folders.

OK, here is an idea: you only use /etc/passwd for sendmail/procmail, so 
don't use sendmail or procmail!

What, I hear you say, what do I use instead? Did you know Dovecot can 
deliver mail to a mailbox?

>
> It's kind of analogous to `samba-tool user create dovecot --random-password`. The idea is
> simply to create an entry.
>   
> Having said that, if the user would need to sync or change their /etc/passwd password I have
> provided an application for them to do that which uses chpasswd on the AD/DC.  This also
> updates the Apache passwords (if any). This mechanism has not been needed in the 2 years since
> I created it.

Somebody will sooner or later want to change a password and then unless 
you have somewhere to store plain or ssha etc passwords (which is 
another point of entry to your systems), you are going to have problems.

>> My systems are setup correctly and I cannot create a local Unix user if
>> the user exists in AD, ...
> Well, perhaps a later version of Samba adds this check (I have 4.2.12). I really did nothing
> special to my samba set up. I followed the wiki for the smb.conf exactly. Samba itself came
> with my distro, no building needed on my part.
>
>> but this doesn't matter, because I do not need to.  If I want an AD user to also be a Unix
>> user, I just add the required RFC2307 attributes to the users object in AD.
>>
>> If I run this command on a Unix domain member:
>>
>> rowland at devstation:~$ cat /etc/passwd | grep rowland
>> rowland at devstation:~$
>>
>> I get nothing returned, so the user 'rowland' doesn't exist in
>> /etc/passwd, but if I then run this command:
>>
>> rowland at devstation:~$ getent passwd rowland
>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>>
>> Funny, I seem to have a Unix user called 'rowland', but he doesn't exist
>> in /etc/passwd and if I wanted to use this user with Dovecot, I could.
>>
>> Rowland
> Right, dovecot does not need the /etc/passwd now that I've implemented gssapi authentication
> (it did use it before with the PLAIN auth method). As I said, that entry is there solely for
> Sendmail/procmail to locate the user's target email folders. If sendmail could AD authenticate
> I wouldn't need /etc/passwd at all.

As you don't really need sendmail, do you really need /etc/passwd?

>
> I'll definitely check out that RFC2307 to see if that would take care of the sendmail issue
> and I'll post back my findings.
>
> And before anyone asks ... no, we're not likely to get rid of sendmail any time soon!

Oh, you should, you really should. Why run another program when one of 
the programs you are using can do the same thing?

Rowland
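The setup Rowland is pointing at (GSSAPI login against the DC's keytab, users resolved through NSS/getent rather than /etc/passwd, and Dovecot itself delivering mail over LMTP instead of sendmail/procmail) as an added dovecot.conf fragment. This is an illustration written for this thread, not configuration from either poster; the hostname, keytab path and Postfix socket owner are assumptions, and it assumes the mail host is joined to the domain and the RFC2307 attributes are populated so that `getent passwd` returns uid, gid and home for AD users.

```dovecot
# --- Authentication: Kerberos/GSSAPI only, no PLAIN fallback ---
# Only the gssapi mechanism is offered, so a client can never send a
# cleartext AD password to the IMAP server.
auth_mechanisms = gssapi
# Service principal name the IMAP client will ask the KDC for
# (assumed hostname; must match the imap/ principal in the keytab).
auth_gssapi_hostname = mail.example.com
# Keytab holding the imap/mail.example.com principal; readable by the
# dovecot auth process only (assumed path). The system /etc/krb5.keytab
# belongs to root and should not be opened up to Dovecot.
auth_krb5_keytab = /etc/dovecot/dovecot.keytab

# Assumption: with gssapi as the only mechanism no passdb is configured;
# the client's ticket is verified against the keytab, so no password
# copy (plain, ssha or otherwise) exists on this host at all.

# --- User lookup: NSS, not /etc/passwd ---
# The passwd userdb calls getpwnam(), i.e. the same path as
# `getent passwd rowland`, so winbind supplies uid/gid/home from the
# RFC2307 attributes in AD and no local /etc/passwd entry is needed.
userdb {
  driver = passwd
}
# Mail lives under the home directory that AD returns for the user.
mail_location = maildir:~/Maildir

# --- Delivery: Dovecot LMTP replaces sendmail's procmail local mailer ---
protocols = imap lmtp
service lmtp {
  # Unix socket the MTA hands local mail to (socket owner assumed;
  # set it to whatever account your MTA delivers as).
  unix_listener lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
# Sieve can take over procmail-style filtering; optional, needs the
# Pigeonhole plugin installed.
protocol lmtp {
  mail_plugins = $mail_plugins sieve
}
```

After loading this, `doveadm user someaduser` should show the uid, gid and home that `getent passwd someaduser` reports; if it does not, the RFC2307 attributes or winbind NSS setup need fixing before delivery will work.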
