samba - Jul 2016 - How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

On Thu, 2016-07-14 at 16:20 +0100, Rowland penny wrote:
> I don't think the problem is with mentioning 'Dovecot', it is
with
> using 
> the DC for anything other than authentication.
> 
> Reading the Dovecot wiki page, creating the user & SPN on the DC is 
> okay, but once you start exporting the keytab to be used on the DC,
> you 
> are doing something that Samba doesn't recommend, but I have thought
> of 
> a way around this, phrase the page in the same way as the Apache page
> on 
> the wiki.
Rowland:

Running samba-tool domain exportkeytab for a specific user is quite a
reasonable thing to do, and is entirely sensible to recommand as part
of adding a new user with an SPN.  They keytab can then be deployed as
required. 

Running the exportkeytab file is not the same as loading up the DC with
other services.  Not that this is a total disaster (particularly for
small sites trying to replace SBS), but we do try and make folks think
before creating mega-servers. 

I'm very happy for such information to be in our wiki, as I do refer to
it and refer others to the apache page, which shows the same pattern as
required for mod_auth_kerb. 

https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_D
irectory

Indeed, we need to make this page easier to find.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On 14/07/16 21:52, Andrew Bartlett wrote:
> On Thu, 2016-07-14 at 16:20 +0100, Rowland penny wrote:
>
>> I don't think the problem is with mentioning 'Dovecot', it
is with
>> using
>> the DC for anything other than authentication.
>>
>> Reading the Dovecot wiki page, creating the user & SPN on the DC is
>> okay, but once you start exporting the keytab to be used on the DC,
>> you
>> are doing something that Samba doesn't recommend, but I have
thought
>> of
>> a way around this, phrase the page in the same way as the Apache page
>> on
>> the wiki.
> Rowland:
>
> Running samba-tool domain exportkeytab for a specific user is quite a
> reasonable thing to do, and is entirely sensible to recommand as part
> of adding a new user with an SPN.  They keytab can then be deployed as
> required.
>
> Running the exportkeytab file is not the same as loading up the DC with
> other services.  Not that this is a total disaster (particularly for
> small sites trying to replace SBS), but we do try and make folks think
> before creating mega-servers.
>
> I'm very happy for such information to be in our wiki, as I do refer to
> it and refer others to the apache page, which shows the same pattern as
> required for mod_auth_kerb.
>
> https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_D
> irectory
>
> Indeed, we need to make this page easier to find.
>
> Andrew Bartlett
>
Andrew, I know all this, but in this instance. the OP is going to run 
Dovecot on the DC. Now, if you are happy to say that Samba is now 
recommending using the Samba AD DC as a fileserver etc, I am quite happy 
to trawl the wiki, removing any references to not using the DC as a 
fileserver etc, otherwise, I will go back to my plan of creating a wiki 
page for Dovecot similar to the Apache one.

Rowland

On Thu, 2016-07-14 at 22:05 +0100, Rowland penny wrote:
> On 14/07/16 21:52, Andrew Bartlett wrote:
> > 
> > Rowland:
> > 
> > Running samba-tool domain exportkeytab for a specific user is quite
> > a
> > reasonable thing to do, and is entirely sensible to recommand as
> > part
> > of adding a new user with an SPN.  They keytab can then be deployed
> > as
> > required.
> > 
> > Running the exportkeytab file is not the same as loading up the DC
> > with
> > other services.  Not that this is a total disaster (particularly
> > for
> > small sites trying to replace SBS), but we do try and make folks
> > think
> > before creating mega-servers.
> > 
> > I'm very happy for such information to be in our wiki, as I do
> > refer to
> > it and refer others to the apache page, which shows the same
> > pattern as
> > required for mod_auth_kerb.
> > 
> > https://wiki.samba.org/index.php/Authenticating_Apache_against_Acti
> > ve_D
> > irectory
> > 
> > Indeed, we need to make this page easier to find.
> > 
> > Andrew Bartlett
> > 
> 
> Andrew, I know all this, but in this instance. the OP is going to
> run 
> Dovecot on the DC. Now, if you are happy to say that Samba is now 
> recommending using the Samba AD DC as a fileserver etc, I am quite
> happy 
> to trawl the wiki, removing any references to not using the DC as a 
> fileserver etc, otherwise, I will go back to my plan of creating a
> wiki 
> page for Dovecot similar to the Apache one.
I didn't see anything in the instructions that were specific to running
on a DC, and in any case, we can afford to be a little less dogmatic
about this.  Please don't go trawling the wiki one way or the other. 

To be clear: I'm happy with the statement currently on the wiki:

Whilst the Domain Controller seems capable of running as a full file
server, it is suggested that organisations run a distinct file server
to allow upgrades of each without disrupting the other. It is also
suggested that medium-sized sites should run more than one DC. It also
makes sense to have the DC's distinct from any file servers that may
use the Domain Controllers. Additionally using distinct file servers
avoids the idiosyncrasies in the winbindd configuration on the Active
Directory Domain Controller. The Samba team does not recommend using a
Samba-based Domain Controller as a file server, and recommend that
users run a separate Domain Member with file shares. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba