[Samba] Where is krb5.keytab or equivalent?

Mark Foley mfoley at ohprs.org
Thu Jun 30 08:45:28 UTC 2016

To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set
Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab
file as required by Dovecot. I've also downloaded and installed Kerberos for access to
the k* commands (ktutil, kinit, klist, ...).

In my current setup, the Thunderbird client (WIN7 workstation) is not connecting.  The WIN7
workstation is a domain member and works fine otherwise with Samba4 for AD user authentication,
etc.  Thunderbird gives the following error:

"The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark at ohprs.org. Please check
that you are logged in to the Kerberos/GSSAPI realm."

One disconcerting bit about that message is the named IMAP server "mark at ohprs.org" is not a
server at all, but rather the email address of the Thunderbird account. 

When attempting to connect, the Dovecot log simply has "Disconnected (no auth attempts in 18
secs): user=<>". No message at all appears in the samba log although I have auth:10 level set.
Dovecot's 'configuration' for GSSAPI consists of nothing more than specifying:

auth_mechanisms = plain login gssapi

That's it (the other mechanisms work just fine, BTW). Not much I can mess with there.

I think the problem is with Samba and handling the authentication.  I do not think my Samba4 is
configured correctly. Over a year ago Rowland Penny helped me configure a Ubuntu workstation
for single-sign-on using Kerberos. He had me put the following lines into that workstation's
smb.conf file, none of which appear in the provisioned smb.conf on the Samba4 AD/DC server:

security = ADS 
dedicated keytab file = /etc/krb5.keytab 
kerberos method = secrets and keytab 
winbind nss info = rfc2307 
winbind trusted domains only = no 
winbind enum users = yes 
winbind enum groups = yes 
winbind refresh tickets = Yes

I've tried sticking all of these in the AD/DC smb.conf and, when restarting Samba, I get a log
message, "Samba detected misconfigured 'server role' and exited."

He also had me put the following in /etc/nsswitch.conf:

passwd:         compat winbind
group:          compat winbind

Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server
for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.

Need Help! Thanks --Mark

-----Original Message-----
> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
> To: Mark Foley <mfoley at ohprs.org>
> From: Rowland penny <rpenny at samba.org>
> Date: Mon, 27 Jun 2016 20:50:28 +0100
> On 27/06/16 20:13, Mark Foley wrote:
> > Rowland penny <rpenny at samba.org> wrote:
> >
> >> The easiest way to find out what is in your keytab is with ktutil:
> > Probably, but as I replied to Mathias' message, I have none of the k* commands installed on my system, including ktutil. I'm researching as to how I can get these now.
> >
> > Thanks, Mark
> apt-get install krb5-user
> Or the equivalent on red-hat (except I think the required package is 
> krb5-workstation)
> Rowland
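A concrete check for the situation described in the thread, added here as an example and not code from the poster or from the Samba or Dovecot projects: Dovecot's GSSAPI mechanism accepts a client ticket only if the server keytab holds the IMAP service principal for the host the client connected to (imap/<fqdn>@<REALM>). A keytab that only contains the machine account and host/ principals, which is what a plain domain join produces, will make every GSSAPI attempt fail before any authentication is logged. The script below parses the output of `klist -kte` (a constructed sample; the hostname mail.example.com, the realm EXAMPLE.COM and the key versions are assumptions) and reports which service principals are missing, and it also checks that a Dovecot config line actually enables gssapi.

```python
"""Diagnose a Dovecot GSSAPI setup from a keytab listing and the auth config.

Added example; the sample klist output and the host/realm names are constructed.
"""
import re

# Constructed sample of `klist -kte /etc/krb5.keytab` after a domain join:
# machine account and host/ principals are present, imap/ is not.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/27/2016 20:13:00 host/mail.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 06/27/2016 20:13:00 host/mail.example.com@EXAMPLE.COM (arcfour-hmac)
   2 06/27/2016 20:13:00 MAIL$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# One keytab entry line: kvno, date, time, principal, (enctype).
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples from `klist -kte` output.

    Header and separator lines do not match the pattern and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4)))
    return entries


def missing_principals(entries, fqdn, realm, services=("imap",)):
    """Service principals a Dovecot GSSAPI login needs that are absent.

    Dovecot uses the 'imap' service name, so the client asks the KDC for a
    ticket to imap/<fqdn>@<REALM>; that exact principal must have a key in
    the keytab. Add "pop3" to services if POP3 is also offered.
    """
    present = {principal for _, principal, _ in entries}
    wanted = [f"{svc}/{fqdn}@{realm}" for svc in services]
    return [p for p in wanted if p not in present]


def dovecot_gssapi_enabled(conf_text):
    """True if an auth_mechanisms line in the Dovecot config lists gssapi."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.startswith("auth_mechanisms"):
            _, _, value = line.partition("=")
            return "gssapi" in value.split()
    return False


if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    for principal in missing_principals(entries, "mail.example.com", "EXAMPLE.COM"):
        print(f"keytab lacks {principal}; GSSAPI logins to IMAP will be rejected")
    print("gssapi enabled in Dovecot:",
          dovecot_gssapi_enabled("auth_mechanisms = plain login gssapi\n"))
```

Run it against real output by piping `klist -kte /etc/krb5.keytab` into parse_klist and passing the host's FQDN as the Thunderbird account's server name exactly as the client resolves it, since a CNAME or short name produces a different principal. On a Samba AD DC the missing principal is normally created with `samba-tool spn add` and written to the keytab with `samba-tool domain exportkeytab`; the keytab must then be readable by the Dovecot auth process.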
