[Samba] Mailserver + Samba4

L.P.H. van Belle belle at bazuin.nl
Fri Sep 18 22:21:43 UTC 2020


This looks pretty clear. 

https://wiki.dovecot.org/Authentication/Kerberos 

The symlink might not be needed. 
# You have 2 options to do this.

# Option 1 (with a "service user"), my way, as on the site.
samba-tool user create dovecot --description="Unprivileged user for TSIG-GSSAPI Dovecot Services" --random-password

# Now set the user's password to never expire
samba-tool user setexpiry dovecot --noexpiry

# Add Service Principal Names (SPNs) and create keytab

$ samba-tool spn add imap/host.domain.com dovecot
$ samba-tool domain exportkeytab --principal imap/host.domain.com /etc/dovecot/dovecot.keytab
Dovecot needs to be able to read the keytab
chgrp dovecot /etc/dovecot/dovecot.keytab
chmod g+r /etc/dovecot/dovecot.keytab
Make sure your keytab has an entry for imap/host.domain.name@REALM.


$ klist -Kek /etc/dovecot/dovecot.keytab
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/host.domain.name@REALM (des-cbc-crc)
   1 imap/host.domain.name@REALM (des-cbc-md5)
   1 imap/host.domain.name@REALM (arcfour-hmac)

# option 2 ( the computer$ name "IS" the "service user" ) 
#
# Option 2a the keytab setup. 
# 
# with separated keytab file for dovecot
KRB5_KTNAME=/etc/dovecot/dovecot.keytab
export KRB5_KTNAME

# option 2b with /etc/krb5.keytab setup, without the above export of KRB5_KTNAME
net ads keytab add_update_ads imap/$(hostname -f) -U Administrator
This adds the SPN to the hostname$ account in AD and to the local keytab file.

chgrp dovecot /etc/dovecot/dovecot.keytab
chmod g+r /etc/dovecot/dovecot.keytab

What's best I don't know, I don't use Dovecot personally, well, uh, 17 years ago.. ;-)
It depends a bit on your setup, what you're using and what you want as options.

On Postfix (Debian, since I mostly do Debian):
https://wiki.debian.org/PostfixAndSASL
Is still valid as far as I can tell.

And a handy SPN list.

Service (Debian main package)   Currently supported via        Default service principal name(s)
openssh                         GSSAPI                         host/fqdn@REALM
openldap                        SASL                           ldap/fqdn@REALM
samba (as a CIFS server)                                       cifs/fqdn@REALM, host/fqdn@REALM
postfix                         SASL                           smtp/fqdn@REALM
dovecot                         GSSAPI                         imap/fqdn@REALM, pop/fqdn@REALM
cupsys                          GSSAPI                         IPP/fqdn@REALM
postgresql                      GSSAPI                         postgres/fqdn@REALM
apache2                         mod-auth-krb5                  HTTP/fqdn@REALM, HTTP/short_fqdn@REALM
freeradius                      via freeradius-krb5 module     radius/fqdn@REALM
ipsec-tools (racoon)            GSSAPI

And if you use Debian:
apt install libpam-krb5
pam-auth-update

Is in most cases sufficient to enable Kerberos auth in PAM.

I hope you can use it. 

Greetz, 

Louis
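As an added example (not from Louis's post or the Dovecot wiki), a small sh check that parses a `klist -Kek` listing like the one above, confirms the imap/ SPN is actually present, and flags the single-DES and RC4 keys that listing shows, since those enctypes should not be relied on; the principal, keytab path and weak-enctype list are assumptions, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: verify that a Dovecot keytab
# contains the expected SPN and flag weak encryption types in a `klist -Kek`
# listing. Principal, keytab path and the weak-enctype list are assumptions.

# Enctypes treated as weak (single DES and RC4); an assumed policy, not a Samba default.
WEAK_ENCTYPES='des-cbc-crc|des-cbc-md5|arcfour-hmac'

# keytab_check_listing PRINCIPAL < listing
# Reads klist -Kek output on stdin. Returns 0 if PRINCIPAL has at least one
# non-weak key, 1 if it only has weak keys, 2 if it is missing entirely.
keytab_check_listing() {
    principal=$1
    strong=0 weak=0 total=0
    # Key lines look like: "   1 imap/host@REALM (aes256-cts-hmac-sha1-96)  (0x...)"
    while read -r kvno princ rest; do
        case $kvno in ''|*[!0-9]*) continue ;; esac   # skip header and blank lines
        [ "$princ" = "$principal" ] || continue
        total=$((total + 1))
        enctype=${rest#\(}
        enctype=${enctype%%\)*}
        if printf '%s\n' "$enctype" | grep -Eq "^($WEAK_ENCTYPES)$"; then
            weak=$((weak + 1)); echo "WEAK      kvno=$kvno $enctype"
        else
            strong=$((strong + 1)); echo "OK        kvno=$kvno $enctype"
        fi
    done
    if [ "$total" -eq 0 ]; then
        echo "MISSING   $principal"; return 2
    fi
    [ "$strong" -gt 0 ] || { echo "ONLY-WEAK $principal ($weak keys)"; return 1; }
    return 0
}

# keytab_check PRINCIPAL [KEYTAB]: run klist on a real keytab file.
keytab_check() {
    klist -Kek "${2:-/etc/dovecot/dovecot.keytab}" | keytab_check_listing "$1"
}

# Constructed listing modelled on the one in the post, plus one AES key.
SAMPLE_LISTING='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/host.domain.name@REALM (des-cbc-crc)  (0x0123456789abcdef)
   1 imap/host.domain.name@REALM (arcfour-hmac)  (0x00112233445566778899aabbccddeeff)
   1 imap/host.domain.name@REALM (aes256-cts-hmac-sha1-96)  (0x00)'

printf '%s\n' "$SAMPLE_LISTING" | keytab_check_listing imap/host.domain.name@REALM
```

Run `keytab_check imap/$(hostname -f)@REALM` against a real keytab after the exportkeytab or `net ads keytab` step; a non-zero exit means the SPN is missing or only has weak keys.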



> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Rowland penny via samba
> Sent: Friday 18 September 2020 21:01
> To: samba at lists.samba.org
> Subject: Re: [Samba] Mailserver + Samba4
> 
> On 18/09/2020 19:37, Philip Offermans via samba wrote:
> > Hi,
> > I want to install a dovecot mail server with postfix. And
> > want to be able to use kerberos for authentication. Has
> > someone experience with this. And maybe some links to info.
> > Is there also someone with experience with SoGo?
> >
> > Philip
> >
> You could try an internet search on iredmail
> 
> Rowland