[Samba] Where is krb5.keytab or equivalent?

Achim Gottinger achim at ag-web.biz
Thu Jun 30 09:51:34 UTC 2016

On 30.06.2016 at 10:45, Mark Foley wrote:
> To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set
> Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab
> file as required by Dovecot. I've also downloaded and installed Kerberos for access to
> the k* commands (ktutil, kinit, klist, ...).
> In my current setup, the Thunderbird client (WIN7 workstation) is not connecting.  The WIN7
> workstation is a domain member and works fine otherwise with Samba4 for AD user authentication,
> etc.  Thunderbird gives the following error:
> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark at ohprs.org. Please check
> that you are logged in to the Kerberos/GSSAPI realm."
> One disconcerting bit about that message is the named IMAP server "mark at ohprs.org" is not a
> server at all, but rather the email address of the Thunderbird account.
> When attempting to connect, the Dovecot log simply has "Disconnected (no auth attempts in 18
> secs): user=<>". No message at all appears in the samba log although I have auth:10 level set.
> Dovecot's 'configuration' for GSSAPI consists of nothing more than specifying:
> auth_mechanisms = plain login gssapi
> That's it (the other mechanisms work just fine, BTW). Not much I can mess with there.
> I think the problem is with Samba and handling the authentication.  I do not think my Samba4 is
> configured correctly. Over a year ago Rowland Penny helped me configure an Ubuntu workstation
> for single-sign-on using Kerberos. He had me put the following lines into that workstation's
> smb.conf file, none of which appear in the provisioned smb.conf on the Samba4 AD/DC server:
> security = ADS
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
> I've tried sticking all of these in the AD/DC smb.conf and, when restarting Samba, I get a log
> message, "Samba detected misconfigured 'server role' and exited."
> He also had me put the following in /etc/nsswitch.conf:
> passwd:         compat winbind
> group:          compat winbind
> Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server
> for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.
> Need Help! Thanks --Mark
Hello Mark,

This is what I used in Debian wheezy a few years back. I assume 
arcfour-hmac is unsafe these days but I did not yet investigate 
other working encryption methods here.
If you need SMTP (Postfix with auth via Dovecot), also add the SMTP 
SPNs. Use the password for user dovecot during keytab creation.

1. Create a user
samba-tool user create dovecot

2. Add the spn
samba-tool spn add smtp/server.domain.local@DOMAIN.LOCAL dovecot
samba-tool spn add imap/server.domain.local@DOMAIN.LOCAL dovecot

3. Create the keytab file
addent -password -p smtp/server.domain.local@DOMAIN.LOCAL -k 1 -e 
addent -password -p imap/server.domain.local@DOMAIN.LOCAL -k 1 -e 
wkt /etc/dovecot/dovecot.keytab

4. Add this to your dovecot config

# Kerberos
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab

Hope it helps,
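
Added example, not part of the original message: a Python check that reads an MIT-format keytab (such as the /etc/dovecot/dovecot.keytab written in step 3) and lists entries whose encryption type is deprecated, which is the arcfour-hmac concern raised above. The function names and the sample keytab (all-zero keys) are constructed for illustration.

```python
import struct

# Deprecated Kerberos enctypes: DES and RC4-HMAC-EXP (RFC 6649), 3DES and
# RC4-HMAC, which MIT tools call arcfour-hmac (RFC 8429).
WEAK = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
        16: "des3-cbc-sha1", 23: "arcfour-hmac", 24: "arcfour-hmac-exp"}

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab, format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size == 0:                          # zero length marks end of file
            break
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                           # negative length: deleted entry
            if end > len(data):
                raise ValueError("truncated keytab entry")
            (ncomp,) = struct.unpack_from(">H", data, pos)
            p, names = pos + 2, []
            for _ in range(ncomp + 1):         # realm first, then components
                (n,) = struct.unpack_from(">H", data, p)
                names.append(data[p + 2:p + 2 + n].decode())
                p += 2 + n
            _type, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", data, p)
            p += 13 + klen
            if end - p >= 4:                   # 32-bit kvno wins if non-zero
                kvno = struct.unpack_from(">I", data, p)[0] or kvno
            entries.append(("/".join(names[1:]) + "@" + names[0], kvno, etype))
        pos = end
    return entries

def weak_entries(data):
    """Return (principal, kvno, enctype name) for entries with deprecated enctypes."""
    return [(p, k, WEAK[e]) for p, k, e in parse_keytab(data) if e in WEAK]

def sample_entry(principal, kvno, etype, key):
    """Build one keytab record; used only for the constructed sample below."""
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1) + b"".join(
        struct.pack(">H", len(s)) + s.encode() for s in [realm] + name.split("/"))
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
# Constructed sample (all-zero keys): arcfour-hmac for imap, AES256 for smtp.
SAMPLE = (b"\x05\x02"
          + sample_entry("imap/server.domain.local@DOMAIN.LOCAL", 1, 23, bytes(16))
          + sample_entry("smtp/server.domain.local@DOMAIN.LOCAL", 1, 18, bytes(32)))
```

To check a real file, pass the bytes of the keytab (read in binary mode) to weak_entries; an empty list means no deprecated enctypes were found.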
