samba - Jul 2016 - How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]

On 16/07/16 19:09, Mark Foley wrote:
> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at
samba.org> wrote:
>
>> On 15/07/16 08:17, Rowland penny wrote:
>>> On 15/07/16 00:34, Andrew Bartlett wrote:
>>>> On Thu, 2016-07-14 at 22:05 +0100, Rowland penny wrote:
>>>>> On 14/07/16 21:52, Andrew Bartlett wrote:
>>>>>>    Rowland:
>>>>>>
>>>>>> Running samba-tool domain exportkeytab for a specific
user is quite
>>>>>> a
>>>>>> reasonable thing to do, and is entirely sensible to
recommand as
>>>>>> part
>>>>>> of adding a new user with an SPN.  They keytab can then
be deployed
>>>>>> as
>>>>>> required.
>>>>>>
>>>>>> Running the exportkeytab file is not the same as
loading up the DC
>>>>>> with
>>>>>> other services.  Not that this is a total disaster
(particularly
>>>>>> for
>>>>>> small sites trying to replace SBS), but we do try and
make folks
>>>>>> think
>>>>>> before creating mega-servers.
>>>>>>
>>>>>> I'm very happy for such information to be in our
wiki, as I do
>>>>>> refer to
>>>>>> it and refer others to the apache page, which shows the
same
>>>>>> pattern as
>>>>>> required for mod_auth_kerb.
>>>>>>
>>>>>>
https://wiki.samba.org/index.php/Authenticating_Apache_against_Acti
>>>>>> ve_D
>>>>>> irectory
>>>>>>
>>>>>> Indeed, we need to make this page easier to find.
>>>>>>
>>>>>> Andrew Bartlett
>>>>>>
>>>>> Andrew, I know all this, but in this instance. the OP is
going to
>>>>> run
>>>>> Dovecot on the DC. Now, if you are happy to say that Samba
is now
>>>>> recommending using the Samba AD DC as a fileserver etc, I
am quite
>>>>> happy
>>>>> to trawl the wiki, removing any references to not using the
DC as a
>>>>> fileserver etc, otherwise, I will go back to my plan of
creating a
>>>>> wiki
>>>>> page for Dovecot similar to the Apache one.
>>>> I didn't see anything in the instructions that were
specific to running
>>>> on a DC, and in any case, we can afford to be a little less
dogmatic
>>>> about this.  Please don't go trawling the wiki one way or
the other.
>>>>
>>>> To be clear: I'm happy with the statement currently on the
wiki:
>>>>
>>>> Whilst the Domain Controller seems capable of running as a full
file
>>>> server, it is suggested that organisations run a distinct file
server
>>>> to allow upgrades of each without disrupting the other. It is
also
>>>> suggested that medium-sized sites should run more than one DC.
It also
>>>> makes sense to have the DC's distinct from any file servers
that may
>>>> use the Domain Controllers. Additionally using distinct file
servers
>>>> avoids the idiosyncrasies in the winbindd configuration on the
Active
>>>> Directory Domain Controller. The Samba team does not recommend
using a
>>>> Samba-based Domain Controller as a file server, and recommend
that
>>>> users run a separate Domain Member with file shares.
>>>>
>>>> Thanks,
>>>>
>>>> Andrew Bartlett
>>>>
>>> OK, now we have sorted that out, I will put creating a wiki page
for
>>> Dovecot on my TODO list, it will be based around the Apache page
i.e.
>>> it will say what user & SPN to create and then say howto
transfer the
>>> resultant keytab to another machine, leaving it up to the sysadmin
to
>>> read between the lines.
>>>
>>> This is what I planned to do.
>>>
>>> Rowland
>>>
>>>
>> OK, just an update on the new wiki page for Dovecot, I started to write
>> it and realised there is a potential problem.
>>
>> The user created in AD is called 'dovecot' and the Dovecot
packages also
>> want to create a user called 'dovecot' in /etc/passwd, they
cannot both
>> exist.
> Actually, yes they can. *ALL* my domain users are also in /etc/passwd
because I use sendmail
> and procmail as MTA to deliver mail to the appropriate Maildir folders (as
defined in
> /etc/passwd for home directories) and I use /etc/shadow as Dovecot's
passdb for non-domain mail
> clients such as iPhone and Outlook (the latter simply because I haven't
figured out NTML
> authentication for Outlook yet).
Then, when you run 'getent passwd userA' which user do you get back ? 
and have you tried creating a new local Unix user lately if that user 
exists in AD already ?

User 'rowland' is in AD:

root at devstation:/home/rowland/dovecot# getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

If the 'root' user tries to create a local Unix user called
'rowland'

root at devstation:/home/rowland/dovecot# useradd rowland
useradd: user 'rowland' already exists

Still think it is a good idea having your users in /etc/passwd & AD ?

You don't need to anyway, Dovecot can use the mail or userPrincipalName 
attributes.

Rowland
>
> All domain members, Windows or Linux, authenticate users with their AD
credentials just fine.
>
> What I did do with AD users and did not do with the AD dovecot user is
create their /etc/passwd
> entry with the same UID:GID as the AD account. So, for the dovecot user I
could have:
You do need the local Unix users in AD then, just give them a 
'uidNumber' attribute.


Rowland

Am 16.07.2016 um 20:39 schrieb Rowland penny:
> On 16/07/16 19:09, Mark Foley wrote:
>> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at
samba.org>
>> wrote:
>>
>>> On 15/07/16 08:17, Rowland penny wrote:
>>>> On 15/07/16 00:34, Andrew Bartlett wrote:
>>>>> On Thu, 2016-07-14 at 22:05 +0100, Rowland penny wrote:
>>>>>> On 14/07/16 21:52, Andrew Bartlett wrote:
>>>>>>>    Rowland:
>>>>>>>
>>>>>>> Running samba-tool domain exportkeytab for a
specific user is quite
>>>>>>> a
>>>>>>> reasonable thing to do, and is entirely sensible to
recommand as
>>>>>>> part
>>>>>>> of adding a new user with an SPN.  They keytab can
then be deployed
>>>>>>> as
>>>>>>> required.
>>>>>>>
>>>>>>> Running the exportkeytab file is not the same as
loading up the DC
>>>>>>> with
>>>>>>> other services.  Not that this is a total disaster
(particularly
>>>>>>> for
>>>>>>> small sites trying to replace SBS), but we do try
and make folks
>>>>>>> think
>>>>>>> before creating mega-servers.
>>>>>>>
>>>>>>> I'm very happy for such information to be in
our wiki, as I do
>>>>>>> refer to
>>>>>>> it and refer others to the apache page, which shows
the same
>>>>>>> pattern as
>>>>>>> required for mod_auth_kerb.
>>>>>>>
>>>>>>>
https://wiki.samba.org/index.php/Authenticating_Apache_against_Acti
>>>>>>> ve_D
>>>>>>> irectory
>>>>>>>
>>>>>>> Indeed, we need to make this page easier to find.
>>>>>>>
>>>>>>> Andrew Bartlett
>>>>>>>
>>>>>> Andrew, I know all this, but in this instance. the OP
is going to
>>>>>> run
>>>>>> Dovecot on the DC. Now, if you are happy to say that
Samba is now
>>>>>> recommending using the Samba AD DC as a fileserver etc,
I am quite
>>>>>> happy
>>>>>> to trawl the wiki, removing any references to not using
the DC as a
>>>>>> fileserver etc, otherwise, I will go back to my plan of
creating a
>>>>>> wiki
>>>>>> page for Dovecot similar to the Apache one.
>>>>> I didn't see anything in the instructions that were
specific to
>>>>> running
>>>>> on a DC, and in any case, we can afford to be a little less
dogmatic
>>>>> about this.  Please don't go trawling the wiki one way
or the other.
>>>>>
>>>>> To be clear: I'm happy with the statement currently on
the wiki:
>>>>>
>>>>> Whilst the Domain Controller seems capable of running as a
full file
>>>>> server, it is suggested that organisations run a distinct
file server
>>>>> to allow upgrades of each without disrupting the other. It
is also
>>>>> suggested that medium-sized sites should run more than one
DC. It
>>>>> also
>>>>> makes sense to have the DC's distinct from any file
servers that may
>>>>> use the Domain Controllers. Additionally using distinct
file servers
>>>>> avoids the idiosyncrasies in the winbindd configuration on
the Active
>>>>> Directory Domain Controller. The Samba team does not
recommend
>>>>> using a
>>>>> Samba-based Domain Controller as a file server, and
recommend that
>>>>> users run a separate Domain Member with file shares.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Andrew Bartlett
>>>>>
>>>> OK, now we have sorted that out, I will put creating a wiki
page for
>>>> Dovecot on my TODO list, it will be based around the Apache
page i.e.
>>>> it will say what user & SPN to create and then say howto
transfer the
>>>> resultant keytab to another machine, leaving it up to the
sysadmin to
>>>> read between the lines.
>>>>
>>>> This is what I planned to do.
>>>>
>>>> Rowland
>>>>
>>>>
>>> OK, just an update on the new wiki page for Dovecot, I started to
write
>>> it and realised there is a potential problem.
>>>
>>> The user created in AD is called 'dovecot' and the Dovecot
packages
>>> also
>>> want to create a user called 'dovecot' in /etc/passwd, they
cannot both
>>> exist.
>> Actually, yes they can. *ALL* my domain users are also in /etc/passwd 
>> because I use sendmail
>> and procmail as MTA to deliver mail to the appropriate Maildir 
>> folders (as defined in
>> /etc/passwd for home directories) and I use /etc/shadow as
Dovecot's
>> passdb for non-domain mail
>> clients such as iPhone and Outlook (the latter simply because I 
>> haven't figured out NTML
>> authentication for Outlook yet).
>
> Then, when you run 'getent passwd userA' which user do you get back
?
> and have you tried creating a new local Unix user lately if that user 
> exists in AD already ?
>
> User 'rowland' is in AD:
>
> root at devstation:/home/rowland/dovecot# getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> If the 'root' user tries to create a local Unix user called
'rowland'
>
> root at devstation:/home/rowland/dovecot# useradd rowland
> useradd: user 'rowland' already exists
>
> Still think it is a good idea having your users in /etc/passwd & AD ?
>
> You don't need to anyway, Dovecot can use the mail or 
> userPrincipalName attributes.
>
> Rowland
>
>>
>> All domain members, Windows or Linux, authenticate users with their 
>> AD credentials just fine.
>>
>> What I did do with AD users and did not do with the AD dovecot user 
>> is create their /etc/passwd
>> entry with the same UID:GID as the AD account. So, for the dovecot 
>> user I could have:
>
> You do need the local Unix users in AD then, just give them a 
> 'uidNumber' attribute.
>
>
> Rowland
>
As long as the nss order is files or compat and afterwards winbind. 
Using dovecot fpr the samba user does not hurt.
The samba dovecot uid is at no place required for kerberos authetification.

On Sat, 16 Jul 2016 19:39:21 +0100 Rowland penny <rpenny at samba.org>
wrote:
>
> On 16/07/16 19:09, Mark Foley wrote:
> > On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at
samba.org> wrote:
> >
[lots of extraneous stuff deleted]
> >>>
> >>>
> >> OK, just an update on the new wiki page for Dovecot, I started to
write
> >> it and realised there is a potential problem.
> >>
> >> The user created in AD is called 'dovecot' and the Dovecot
packages also
> >> want to create a user called 'dovecot' in /etc/passwd,
they cannot both
> >> exist.
> >
> > Actually, yes they can. *ALL* my domain users are also in /etc/passwd
because I use sendmail
> > and procmail as MTA to deliver mail to the appropriate Maildir folders
(as defined in
> > /etc/passwd for home directories) and I use /etc/shadow as
Dovecot's passdb for non-domain mail
> > clients such as iPhone and Outlook (the latter simply because I
haven't figured out NTML
> > authentication for Outlook yet).
>
> Then, when you run 'getent passwd userA' which user do you get back
?
> and have you tried creating a new local Unix user lately if that user 
> exists in AD already ?
>
> User 'rowland' is in AD:
>
> root at devstation:/home/rowland/dovecot# getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> If the 'root' user tries to create a local Unix user called
'rowland'
>
> root at devstation:/home/rowland/dovecot# useradd rowland
> useradd: user 'rowland' already exists
Just yesterday I added a new AD user 'shay' via RSAT ADUC on Windows. 

On the AD/DC I then ran wbinfo to verify the uid/gid:

root at mail:~ # wbinfo -i shay
HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false

Then I added that user to the AD/DC /etc/passwd for reasons mentioned above. 
Here is the
actual command line still in root's bash command history:

useradd -c "Susan Hay" -d /home/HPRS/shay -g 10000 -m -s /bin/bash -u
10010 shay

I did not get the "useradd: user 'shay' already exists"
message you got.

My getent:

root at mail:~ # getent passwd shay
shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash

Running getent on this user from a domain member (where that user IS NOT in any
local passwd file):

mfoley at labrat:~ $ getent passwd shay
shay:*:10010:10000:Susan Hay:/home/shay:/bin/sh
> Still think it is a good idea having your users in /etc/passwd & AD ?
>
> You don't need to anyway, Dovecot can use the mail or userPrincipalName
> attributes.
The reason I think I need to (and I could be mistaken) is for my sendmail MTA to
deliver
incoming mail to /home/HPRS/username/Maildir. To my knowledge, sendmail cannot
otherwise
determine user or destination mail directories. Perhaps other MTAs can get this
info from
Samba4, but I don't think sendmail can.
> >
> > All domain members, Windows or Linux, authenticate users with their AD
credentials just fine.
> >
> > What I did do with AD users and did not do with the AD dovecot user is
create their /etc/passwd
> > entry with the same UID:GID as the AD account. So, for the dovecot
user I could have:
>
> You do need the local Unix users in AD then, just give them a 
> 'uidNumber' attribute.
Not sure, but are you agreeing that it's OK to have AD users as both AD
users and local users?

--Mark

On Sat, 16 Jul 2016 21:32:33 +0200 Achim Gottinger <achim at ag-web.biz>
wrote:
> Am 16.07.2016 um 20:39 schrieb Rowland penny:
> > On 16/07/16 19:09, Mark Foley wrote:
> >> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at
samba.org>
> >> wrote:
> >>
> >>> On 15/07/16 08:17, Rowland penny wrote:
> >>>> On 15/07/16 00:34, Andrew Bartlett wrote:
> >>>>> On Thu, 2016-07-14 at 22:05 +0100, Rowland penny
wrote:
> >>>>>> On 14/07/16 21:52, Andrew Bartlett wrote:
> >>>>>>>    Rowland:
> >>>>>>>
> >>>>>>> Running samba-tool domain exportkeytab for a
specific user is quite
> >>>>>>> a
> >>>>>>> reasonable thing to do, and is entirely
sensible to recommand as
> >>>>>>> part
> >>>>>>> of adding a new user with an SPN.  They keytab
can then be deployed
> >>>>>>> as
> >>>>>>> required.
> >>>>>>>
> >>>>>>> Running the exportkeytab file is not the same
as loading up the DC
> >>>>>>> with
> >>>>>>> other services.  Not that this is a total
disaster (particularly
> >>>>>>> for
> >>>>>>> small sites trying to replace SBS), but we do
try and make folks
> >>>>>>> think
> >>>>>>> before creating mega-servers.
> >>>>>>>
> >>>>>>> I'm very happy for such information to be
in our wiki, as I do
> >>>>>>> refer to
> >>>>>>> it and refer others to the apache page, which
shows the same
> >>>>>>> pattern as
> >>>>>>> required for mod_auth_kerb.
> >>>>>>>
> >>>>>>>
https://wiki.samba.org/index.php/Authenticating_Apache_against_Acti
> >>>>>>> ve_D
> >>>>>>> irectory
> >>>>>>>
> >>>>>>> Indeed, we need to make this page easier to
find.
> >>>>>>>
> >>>>>>> Andrew Bartlett
> >>>>>>>
> >>>>>> Andrew, I know all this, but in this instance. the
OP is going to
> >>>>>> run
> >>>>>> Dovecot on the DC. Now, if you are happy to say
that Samba is now
> >>>>>> recommending using the Samba AD DC as a fileserver
etc, I am quite
> >>>>>> happy
> >>>>>> to trawl the wiki, removing any references to not
using the DC as a
> >>>>>> fileserver etc, otherwise, I will go back to my
plan of creating a
> >>>>>> wiki
> >>>>>> page for Dovecot similar to the Apache one.
> >>>>> I didn't see anything in the instructions that
were specific to
> >>>>> running
> >>>>> on a DC, and in any case, we can afford to be a little
less dogmatic
> >>>>> about this.  Please don't go trawling the wiki one
way or the other.
> >>>>>
> >>>>> To be clear: I'm happy with the statement
currently on the wiki:
> >>>>>
> >>>>> Whilst the Domain Controller seems capable of running
as a full file
> >>>>> server, it is suggested that organisations run a
distinct file server
> >>>>> to allow upgrades of each without disrupting the
other. It is also
> >>>>> suggested that medium-sized sites should run more than
one DC. It
> >>>>> also
> >>>>> makes sense to have the DC's distinct from any
file servers that may
> >>>>> use the Domain Controllers. Additionally using
distinct file servers
> >>>>> avoids the idiosyncrasies in the winbindd
configuration on the Active
> >>>>> Directory Domain Controller. The Samba team does not
recommend
> >>>>> using a
> >>>>> Samba-based Domain Controller as a file server, and
recommend that
> >>>>> users run a separate Domain Member with file shares.
> >>>>>
> >>>>> Thanks,
> >>>>>
> >>>>> Andrew Bartlett
> >>>>>
> >>>> OK, now we have sorted that out, I will put creating a
wiki page for
> >>>> Dovecot on my TODO list, it will be based around the
Apache page i.e.
> >>>> it will say what user & SPN to create and then say
howto transfer the
> >>>> resultant keytab to another machine, leaving it up to the
sysadmin to
> >>>> read between the lines.
> >>>>
> >>>> This is what I planned to do.
> >>>>
> >>>> Rowland
> >>>>
> >>>>
> >>> OK, just an update on the new wiki page for Dovecot, I started
to write
> >>> it and realised there is a potential problem.
> >>>
> >>> The user created in AD is called 'dovecot' and the
Dovecot packages
> >>> also
> >>> want to create a user called 'dovecot' in /etc/passwd,
they cannot both
> >>> exist.
> >> Actually, yes they can. *ALL* my domain users are also in
/etc/passwd
> >> because I use sendmail
> >> and procmail as MTA to deliver mail to the appropriate Maildir 
> >> folders (as defined in
> >> /etc/passwd for home directories) and I use /etc/shadow as
Dovecot's
> >> passdb for non-domain mail
> >> clients such as iPhone and Outlook (the latter simply because I 
> >> haven't figured out NTML
> >> authentication for Outlook yet).
> >
> > Then, when you run 'getent passwd userA' which user do you get
back ?
> > and have you tried creating a new local Unix user lately if that user 
> > exists in AD already ?
> >
> > User 'rowland' is in AD:
> >
> > root at devstation:/home/rowland/dovecot# getent passwd rowland
> > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> >
> > If the 'root' user tries to create a local Unix user called
'rowland'
> >
> > root at devstation:/home/rowland/dovecot# useradd rowland
> > useradd: user 'rowland' already exists
> >
> > Still think it is a good idea having your users in /etc/passwd &
AD ?
> >
> > You don't need to anyway, Dovecot can use the mail or 
> > userPrincipalName attributes.
> >
> > Rowland
> >
> >>
> >> All domain members, Windows or Linux, authenticate users with
their
> >> AD credentials just fine.
> >>
> >> What I did do with AD users and did not do with the AD dovecot
user
> >> is create their /etc/passwd
> >> entry with the same UID:GID as the AD account. So, for the dovecot
> >> user I could have:
> >
> > You do need the local Unix users in AD then, just give them a 
> > 'uidNumber' attribute.
> >
> >
> > Rowland
> >
> As long as the nss order is files or compat and afterwards winbind. 
> Using dovecot fpr the samba user does not hurt.
> The samba dovecot uid is at no place required for kerberos authetification.
>
I've made no change at all to my /etc/nsswitch.conf since the last time I
scratch installed
Linux on the AD/DC Dovecot host in January, 2015. The as-shipped must be fine.
Mine is:

passwd:         compat
group:          compat

hosts:          files dns
networks:       files

services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files
bootparams:     files

automount:      files
aliases:        files

No winbind on the AD/DC, but windbind is in the domain members'
nsswitch.conf:

passwd:         compat winbind
group:          compat winbind

--Mark

On 17/07/16 07:12, Mark Foley wrote:
> On Sat, 16 Jul 2016 19:39:21 +0100 Rowland penny <rpenny at
samba.org> wrote:
>> On 16/07/16 19:09, Mark Foley wrote:
>>> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at
samba.org> wrote:
>>>
> [lots of extraneous stuff deleted]
>
>>>>>
>>>> OK, just an update on the new wiki page for Dovecot, I started
to write
>>>> it and realised there is a potential problem.
>>>>
>>>> The user created in AD is called 'dovecot' and the
Dovecot packages also
>>>> want to create a user called 'dovecot' in /etc/passwd,
they cannot both
>>>> exist.
>>> Actually, yes they can. *ALL* my domain users are also in
/etc/passwd because I use sendmail
>>> and procmail as MTA to deliver mail to the appropriate Maildir
folders (as defined in
>>> /etc/passwd for home directories) and I use /etc/shadow as
Dovecot's passdb for non-domain mail
>>> clients such as iPhone and Outlook (the latter simply because I
haven't figured out NTML
>>> authentication for Outlook yet).
>> Then, when you run 'getent passwd userA' which user do you get
back ?
>> and have you tried creating a new local Unix user lately if that user
>> exists in AD already ?
>>
>> User 'rowland' is in AD:
>>
>> root at devstation:/home/rowland/dovecot# getent passwd rowland
>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>>
>> If the 'root' user tries to create a local Unix user called
'rowland'
>>
>> root at devstation:/home/rowland/dovecot# useradd rowland
>> useradd: user 'rowland' already exists
> Just yesterday I added a new AD user 'shay' via RSAT ADUC on
Windows.
>
> On the AD/DC I then ran wbinfo to verify the uid/gid:
>
> root at mail:~ # wbinfo -i shay
> HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false
>
> Then I added that user to the AD/DC /etc/passwd for reasons mentioned
above.  Here is the
> actual command line still in root's bash command history:
>
> useradd -c "Susan Hay" -d /home/HPRS/shay -g 10000 -m -s
/bin/bash -u 10010 shay
>
> I did not get the "useradd: user 'shay' already exists"
message you got.
>
> My getent:
>
> root at mail:~ # getent passwd shay
> shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash
>
> Running getent on this user from a domain member (where that user IS NOT in
any local passwd file):
>
> mfoley at labrat:~ $ getent passwd shay
> shay:*:10010:10000:Susan Hay:/home/shay:/bin/sh
>
>> Still think it is a good idea having your users in /etc/passwd & AD
?
>>
>> You don't need to anyway, Dovecot can use the mail or
userPrincipalName
>> attributes.
> The reason I think I need to (and I could be mistaken) is for my sendmail
MTA to deliver
> incoming mail to /home/HPRS/username/Maildir. To my knowledge, sendmail
cannot otherwise
> determine user or destination mail directories. Perhaps other MTAs can get
this info from
> Samba4, but I don't think sendmail can.
>
>>> All domain members, Windows or Linux, authenticate users with their
AD credentials just fine.
>>>
>>> What I did do with AD users and did not do with the AD dovecot user
is create their /etc/passwd
>>> entry with the same UID:GID as the AD account. So, for the dovecot
user I could have:
>> You do need the local Unix users in AD then, just give them a
>> 'uidNumber' attribute.
> Not sure, but are you agreeing that it's OK to have AD users as both AD
users and local users?
>
> --Mark
>
No, bit of a typo there :-)

What I am trying to tell you is that you shouldn't have users in AD and 
/etc/passwd, in fact there is no need to.
The whole point of AD is centralisation of user and group management, 
you can take your AD user and make it a Unix user by adding RFC2307 
attributes to the users object in AD.

See here for the RFC:  https://www.ietf.org/rfc/rfc2307.txt

In your setup you could have a user 'USERA' in AD and on your mail 
computer you could also have a 'USERA' in /etc/passwd, how do you keep 
the password for the two users in sync ? what happens if the AD user 
changes their password ?

My systems are setup correctly and I cannot create a local Unix user if 
the user exists in AD, but this doesn't matter, because I do not need 
to. If I want an AD user to also be a Unix user, I just add the required 
RFC2307 attributes to the users object in AD.

If I run this command on a Unix domain member:

rowland at devstation:~$ cat /etc/passwd | grep rowland
rowland at devstation:~$

I get nothing returned, so the user 'rowland' doesn't exist in 
/etc/passwd, but if I then run this command:

rowland at devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Funny, I seem to have a Unix user called 'rowland', but he doesn't
exist
in /etc/passwd and if I wanted to use this user with Dovecot, I could.

Rowland