[Samba] Where is krb5.keytab or equivalent?

Mark Foley mfoley at ohprs.org
Thu Jun 30 20:34:39 UTC 2016


Daniel, yes! Exactly! What config settings do I need for samba to accomplish this?

What Dovecot settings do I need? Would you mind sharing your config files?

BTW - you are the first person in over a year who has actually said they have this setup running!

Thanks --Mark

-----Original Message-----
> From: "Mueller" <mueller at tropenklinik.de>
> To: "'Mark Foley'" <mfoley at ohprs.org>, <samba at lists.samba.org>
> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
> Date: Thu, 30 Jun 2016 11:18:52 +0200
> Organization: Tropenklinik Paul-Lechler-Krankenhaus
>
> I myself have dovecot running and auth is against a samba4 dc running on the same host.
> Perhaps it can help you to let samba do the authentication.
>
> Greetings
> Daniel
>
>
> EDV Daniel Müller
>
> Leitung EDV
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen 
> Tel.: 07071/206-463, Fax: 07071/206-499
>  Email: mueller at tropenklinik.de
>  www.tropenklinik.de
>  www.bauen-sie-mit.tropenklinik.de
>
>
>
>
> -----Original Message-----
> From: Mark Foley [mailto:mfoley at ohprs.org]
> Sent: Thursday, 30 June 2016 10:45
> To: samba at lists.samba.org
> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
>
> To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab file as required by Dovecot. I've also downloaded and installed Kerberos for access to the k* commands (ktutil, kinit, klist, ...).
>
> In my current setup, the Thunderbird client (WIN7 workstation) is not connecting.  The WIN7 workstation is a domain member and works fine otherwise with Samba4 for AD user authentication, etc.  Thunderbird gives the following error:
>
> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark at ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."
>
> One disconcerting bit about that message is the named IMAP server "mark at ohprs.org" is not a server at all, but rather the email address of the Thunderbird account.
>
> When attempting to connect, the Dovecot log simply has "Disconnected (no auth attempts in 18 secs): user=<>". No message at all appears in the samba log although I have auth:10 level set.
> Dovecot's 'configuration' for GSSAPI consists of nothing more than specifying:
>
> auth_mechanisms = plain login gssapi
>
> That's it (the other mechanisms work just fine, BTW). Not much I can mess with there.
>
> I think the problem is with Samba and handling the authentication.  I do not think my Samba4 is configured correctly. Over a year ago Rowland Penny helped me configure a Ubuntu workstation for single-sign-on using Kerberos. He had me put the following lines into that workstation's smb.conf file, none of which appear in the provisioned smb.conf on the Samba4 AD/DC server:
>
> security = ADS
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
>
> I've tried sticking all of these in the AD/DC smb.conf and, when restarting Samba, I get a log message, "Samba detected misconfigured 'server role' and exited."
>
> He also had me put the following in /etc/nsswitch.conf:
>
> passwd:         compat winbind
> group:          compat winbind
>
> Do I possibly need some of these (or others?) settings in these conf files on the AD/DC server for Dovecot to authenticate? Obviously, blindly throwing them all into smb.conf doesn't work.
>
> Need Help! Thanks --Mark
>
> -----Original Message-----
> > Subject: Re: [Samba] Where is krb5.keytab or equivalent?
> > To: Mark Foley <mfoley at ohprs.org>
> > From: Rowland penny <rpenny at samba.org>
> > Date: Mon, 27 Jun 2016 20:50:28 +0100
> >
> > On 27/06/16 20:13, Mark Foley wrote:
> > > Rowland penny <rpenny at samba.org> wrote:
> > >
> > >> The easiest way to find out what is in your keytab is with ktutil:
> > > Probably, but as I replied to Mathias' message, I have none of the k* commands installed on my system, including ktutil. I'm researching as to how I can get these now.
> > >
> > > Thanks, Mark
> >
> > apt-get install krb5-user
> >
> > Or the equivalent on Red Hat (except I think the required package is
> > krb5-workstation)
> >
> > Rowland
> >
>
>
>
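The thread turns on two questions: what is actually in /etc/krb5.keytab, and whether it holds the service principal the client's GSSAPI exchange will ask the IMAP server to prove (imap/<server FQDN>@<REALM>). The script below is an added example, not code from the thread or from the Samba or Dovecot projects: it parses `klist -k` style output and reports whether that principal is present, using a constructed sample keytab listing with placeholder host mail.example.com and realm EXAMPLE.COM (neither appears in the thread) when no real keytab is readable.

```sh
#!/bin/sh
# check_imap_keytab.sh: verify that the keytab Dovecot reads contains the
# IMAP service principal a GSSAPI client will target.
# Added example; host mail.example.com and realm EXAMPLE.COM are placeholders.

# Constructed sample of `klist -k /etc/krb5.keytab` output (not from the thread).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 MAIL$@EXAMPLE.COM
   2 host/mail.example.com@EXAMPLE.COM
   2 imap/mail.example.com@EXAMPLE.COM'

# keytab_principals: print each distinct principal named in klist -k output ($1).
# Entry lines start with a numeric KVNO; the principal is always the last field,
# so this also copes with the extra timestamp columns of `klist -kt`.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# keytab_has_principal: succeed if klist output ($1) names principal $2 exactly
# (fixed-string, whole-line match so imap/mail.example.com does not match
# imap/mail.example.com.internal).
keytab_has_principal() {
    keytab_principals "$1" | grep -qxF "$2"
}

# check_imap_keytab: report whether imap/<fqdn>@<realm> is present in klist
# output $1, for fqdn $2 and realm $3. On failure, list what is present so the
# missing or misnamed entry is obvious.
check_imap_keytab() {
    klist_out="$1"; fqdn="$2"; realm="$3"
    want="imap/$fqdn@$realm"
    if keytab_has_principal "$klist_out" "$want"; then
        echo "OK: $want is in the keytab"
        return 0
    fi
    echo "MISSING: $want is not in the keytab; principals present:"
    keytab_principals "$klist_out" | sed 's/^/  /'
    return 1
}

# Use the real keytab when klist is installed and the file is readable
# (klist comes from krb5-user / krb5-workstation, as named in the thread);
# otherwise demonstrate on the constructed sample.
if command -v klist >/dev/null 2>&1 && [ -r /etc/krb5.keytab ]; then
    check_imap_keytab "$(klist -k /etc/krb5.keytab)" "$(hostname -f)" "EXAMPLE.COM" || true
else
    check_imap_keytab "$SAMPLE_KLIST" mail.example.com EXAMPLE.COM || true
fi
```

If the principal is missing on a Samba AD DC, the normal remedy is to register it on the account that runs the service and export it into the file Dovecot reads (`samba-tool spn add` followed by `samba-tool domain exportkeytab --principal=...`); if the principal is present but the client is still rejected, compare its KVNO with the account's current KVNO, since a stale exported key fails in exactly the silent way the thread describes, and confirm Dovecot's `auth_krb5_keytab` points at the same file. The FQDN must match what the client resolves for the IMAP server, which is why a mismatch between the configured server name and DNS shows up as a GSSAPI failure rather than a password error.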


