[Samba] Trouble with Kerberos authentication

Mark Foley mfoley at ohprs.org
Tue Jul 11 09:41:45 UTC 2017


I'm not sure whether this is a Dovecot issue or a Samba issue, but as it deals with
authentication I think it's worth trying the samba experts first.

Here's the scenario ...

I have an AD/DC running Samba 4.4.14.  I have 3 AD users: mark, sue, dennis.  Mark and Dennis
use both Windows 7 and Linux (also running PAM-enabled Samba 4.4.14) domain member
workstations.  Sue is Windows 7 only.  All are able to log onto the domain using their domain
credentials and all are able to connect to the Dovecot mail server (also running on the AD/DC)
from their workstations using Thunderbird and Kerberos/GSSAPI authentication. 

Dovecot authentication is set to auth_mechanisms = plain login gssapi. The first two mechanisms
use /etc/passwd for authentication. The gssapi presumably uses gssapi and kerberos to
authenticate via AD. I believe Dovecot tries these mechanisms in order, left-to-right.

As it turns out, user Dennis also had an entry in /etc/passwd - yes, I know it shouldn't be
there, but it was, although it did have the correct AD user and group IDs.  No problem, I
thought, I'll just remove that entry.

However, when I did that, Dennis was no longer able to authenticate from Thunderbird.  He
could still log into his Linux workstation.  Tbird would give the error

  "The Kerberos/GSSAPI ticket was not accepted by the IMAP server ...  please check that you are
  logged into the Kerberos/GSSAPI realm."

When I put Dennis back in /etc/passwd, with the correct domain password, he is able to
authenticate from Thunderbird again.

I know next to nothing about how kerberos works, but my theory is that Dennis' kerberos
credentials somehow got associated with his /etc/passwd credentials, not his AD credentials and
when the /etc/passwd entry is removed kerberos authentication fails. This is true on both his
Linux and Windows workstations.

I need to fix this so Dennis' AD credentials alone are used for authentication. How can I do
this?

btw, `getent passwd dennis` works just fine from Dennis' Linux workstation.

Thanks --Mark


