[Samba] Where is krb5.keytab or equivalent?

Achim Gottinger achim at ag-web.biz
Thu Jun 30 09:42:15 UTC 2016

Am 30.06.2016 um 10:45 schrieb Mark Foley:
> To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set
> Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab
> file as required by Dovecot. I've also downloaded and installed Kerberos for access to
> the k* commands (ktutil, kinit, klist, ...).
> In my current setup, the Thunderbird client (WIN7 workstation) is not connecting.  The WIN7
> workstation is a domain member and works fine otherwise with Samba4 for AD user authentication,
> etc.  Thunderbird gives the following error:
> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark at ohprs.org. Please check
> that you are logged in to the Kerberos/GSSAPI realm."
> One disconcerting bit about that message is the named IMAP server "mark at ohprs.org" is not a
> server at all, but rather the email address of the Thunderbird account.
> When attempting to connect, the Dovecot log simply has "Disconnected (no auth attempts in 18
> secs): user=<>". No message at all appears in the samba log although I have auth:10 level set.
> Dovecot's 'configuration' for GSSAPI consists of nothing more than specifying:
> auth_mechanisms = plain login gssapi
> That's it (the other mechanism work just fine, BTW). Not much I can mess with there.
> I think the problem is with Samba and handling the authentication.  I do not think my Samba4 is
> configured correctly. Over a year ago Rowland Penny helped me configure a Ubuntu workstation
> for single-sign-on using Kerberos. He had me put the following lines into that workstation's
> smb.conf file, none of which appear in the provisioned smb.conf on the Samba4 AD/DC server:
> security = ADS
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
> I've tried sticking all of these in the AD/DC smb.conf and, when restarting Samba, I get a log
> message, "Samba detected misconfigured 'server role' and exited."
> He also had me put the following in /etc/nsswitch.conf:
> passwd:         compat winbind
> group:          compat winbind
> Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server
> for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.
> Need Help! Thanks --Mark
Add this line to your dovecot configuration.

auth_gssapi_hostname = "$ALL"

Create the keytab with

More information about the samba mailing list