[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

Rowland penny rpenny at samba.org
Thu Jul 21 07:56:54 UTC 2016


On 21/07/16 06:08, Mark Foley wrote:
> OK! I deleted the /etc/passwd entry for user mark and I modified my /etc/nsswitch.conf to:
>
> passwd: compat winbind
> group: compat winbind
>
> I couldn't get sendmail working with this at first -- I didn't know what to [re]start to get
> the new nsswitch config to take, so I rebooted. Probably I just had to restart sendmail, but oh
> well.
>
> And, it started working ... sort of. Email to that user was delivered OK; meaning
> sendmail/procmail were able to find the right IMAP folder to deliver mail.
>
> However, email from that sender is not working and I'm sure one of you geniuses can set me
> straight. Here's my getent before deleting the /etc/passwd entry and before nsswitch changes:
>
> $ getent passwd mark
> mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
>
> ... and after the changes:
>
> $ getent passwd mark
> HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false

OK, you are running into one of the problems of using a DC as a 
fileserver here: the only RFC2307 attributes used from AD are 
'uidNumber' & 'gidNumber'. You can get around the users' home placement 
and shell with a couple of lines in smb.conf:

         template homedir = /home/%U
         template shell = /bin/bash

Restart Samba

There is another line, which works on a domain member:

     winbind use default domain = yes

This (on a domain member) removes the NetBIOS domain name, but it 
doesn't seem to work on an AD DC.

Rowland
>
> See the difference? And here are a few mail log messages:
>
> Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to @ohprs.org using -r
> Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org... User address required
> Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: from="HPRS\\\\mark",
>
> Notice that it is now getting the userID as "HPRS\mark", i.e. domain\user, and the from address
> ends up being HPRS\mark at ohprs.org, which sendmail is not handling well.
>
> Any ideas how to fix that?
>
> I'll check with the sendmail people also.
>
> Almost there! When I get this sorted out, I can remove my AD users from /etc/passwd which
> should make Roland happy!
>
> --Mark
>
>
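A quick check for the symptom above, added here as an example and not code from the thread: it splits one `getent passwd` line into its passwd(5) fields and reports whether the name is still domain-qualified (the DOMAIN\user form that tripped sendmail) and whether the home directory and shell match what the `template homedir` / `template shell` lines should produce. The sample lines are constructed from the two Mark posted; the expected home prefix and shell are assumptions.

```shell
#!/bin/sh
# Constructed samples, modelled on the two getent lines in the thread
# (single quotes keep the backslash literal).
BEFORE='mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash'
AFTER='HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false'

# check_winbind_entry ENTRY HOME_PREFIX SHELL
# ENTRY is one line of `getent passwd` output; HOME_PREFIX and SHELL are what
# the smb.conf 'template homedir' / 'template shell' settings should yield
# (assumed values, not taken from the thread).
# Prints one line per finding; returns the number of findings (0 = all good).
check_winbind_entry() {
    entry=$1 want_home=$2 want_shell=$3
    findings=0

    # passwd(5) fields: name:passwd:uid:gid:gecos:home:shell
    name=$(printf '%s\n' "$entry" | cut -d: -f1)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)

    # A backslash in the name means the NetBIOS domain is still prefixed,
    # i.e. 'winbind use default domain' is not in effect on this host.
    case $name in
        *\\*) printf '%s\n' "name '$name' is domain-qualified (winbind use default domain not in effect)"
              findings=$((findings + 1)) ;;
    esac

    # Home must sit under the template prefix; anything else suggests the
    # 'template homedir' line was not applied or Samba was not restarted.
    case $home in
        "$want_home"/*) ;;
        *) printf '%s\n' "home '$home' is not under $want_home (template homedir not applied?)"
           findings=$((findings + 1)) ;;
    esac

    # /bin/false here is the default when 'template shell' is missing.
    if [ "$shell" != "$want_shell" ]; then
        printf '%s\n' "shell '$shell' differs from $want_shell (template shell not applied?)"
        findings=$((findings + 1))
    fi

    return $findings
}

# Stand-alone demo: report on the 'after' line as it appeared on Mark's DC.
check_winbind_entry "$AFTER" /home /bin/bash || printf '%s finding(s)\n' "$?"
```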
