[Samba] GSSAPI/Kerberos authenticate with Dovecot

L.P.H. van Belle belle at bazuin.nl
Wed Dec 12 14:51:31 UTC 2018


What's set for the server in its delegation?

sudo samba-tool delegation show dovecot\$
Run this on the DC, or add the -S YourDC.hostname

You need something like this: 
samba-tool delegation for-any-service dovecot\$ on
Or set it up for only imap, but cifs/nfs automounts may need this too.
After you've set it, I suggest you export the imap keytab again.
Not really sure if it's needed, but if it does not work, try it.
And use the stop and start commands, not restart/reload.


Greetz, 

Louis
 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> basti via samba
> Sent: Wednesday 12 December 2018 15:31
> To: samba at lists.samba.org
> Subject: [Samba] GSSAPI/Kerberos authenticate with Dovecot
> 
> Hello,
> 
> I try to set up Dovecot with Kerberos/GSSAPI and use this howto:
> https://wiki.samba.org/index.php/Authenticating_Dovecot_against_Active_Directory#Create_the_Dovecot_user_and_keytab
> 
> I also try https://wiki.dovecot.org/Authentication/Kerberos
> 
> I can log in as a Windows user on Win7 and access shares.
> When I open Thunderbird I get the message:
> 
> "kerberos/gssapi ticket was not accepted"
> 
> For debugging I use Kerbtray.
> 
> The Tickets I get are:
> 
> MY.FQDN.COM
> |-- cifs/dc1.my.fqdn.com
> |-- cifs/files.my.fqdn.com
> |-- krbtgt/MY.FQDN.COM
> |-- krbtgt/MY.FQDN.COM
> |-- LDAP/dc1.my.fqdn.com/my.fqdn.com
> 
> There is *no* imap ticket.
> 
> root@dovecot:~# ktutil
> ktutil:  rkt /etc/dovecot/dovecot.keytab
> ktutil:  l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    2 imap/dovecot.my.fqdn.com@MY.FQDN.COM
>    2    2 imap/dovecot.my.fqdn.com@MY.FQDN.COM
>    3    2 imap/dovecot.my.fqdn.com@MY.FQDN.COM
> ktutil:  q
> root@dovecot:~#
> 
> Best Regards,
> 
> 
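
Added example, not part of either message above: a small Python check that reads the two listings posted in the question (the `ktutil` keytab listing and the client's ticket list) and reports whether the expected service principal is in the keytab and whether the client holds a service ticket for it. The sample data is constructed from the values shown in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample input modelled on the listings in the quoted message.
KTUTIL_LIST = """\
slot KVNO Principal
---- ---- ----------------------------------------
   1    2 imap/dovecot.my.fqdn.com@MY.FQDN.COM
   2    2 imap/dovecot.my.fqdn.com@MY.FQDN.COM
   3    2 imap/dovecot.my.fqdn.com@MY.FQDN.COM
"""
CLIENT_TICKETS = [
    "cifs/dc1.my.fqdn.com", "cifs/files.my.fqdn.com",
    "krbtgt/MY.FQDN.COM", "LDAP/dc1.my.fqdn.com/my.fqdn.com",
]

def parse_keytab(listing):
    """Map each principal in a ktutil listing to the set of KVNOs it has."""
    entries = {}
    for line in listing.splitlines():
        m = re.match(r"\s*\d+\s+(\d+)\s+(\S+@\S+)\s*$", line)
        if m:  # header and separator lines do not match
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries

def diagnose(keytab, tickets, service, host, realm):
    """Return findings for one service as a list of short strings."""
    spn = f"{service}/{host}"
    want = f"{spn}@{realm}"
    findings = []
    if want not in keytab:
        # Keytab principal matching is case-sensitive in MIT Kerberos,
        # so point out an entry that differs only in case.
        near = [p for p in keytab if p.lower() == want.lower()]
        hint = f", closest entry: {near[0]}" if near else ""
        findings.append(f"keytab: no entry for {want}{hint}")
    elif len(keytab[want]) > 1:
        findings.append(f"keytab: several KVNOs for {want}: {sorted(keytab[want])}")
    if spn.lower() not in {t.lower() for t in tickets}:
        findings.append(f"client: no service ticket for {spn}")
    return findings

if __name__ == "__main__":
    kt = parse_keytab(KTUTIL_LIST)
    for finding in diagnose(kt, CLIENT_TICKETS, "imap",
                            "dovecot.my.fqdn.com", "MY.FQDN.COM"):
        print(finding)
```

With the thread's data the only finding is the missing client ticket, which matches what Kerbtray showed: the keytab entry exists, but the client never obtained a ticket for the imap service.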



