Rowland penny
2016-Jul-16 18:39 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On 16/07/16 19:09, Mark Foley wrote:
> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> wrote:
>
>> On 15/07/16 08:17, Rowland penny wrote:
>>> On 15/07/16 00:34, Andrew Bartlett wrote:
>>>> On Thu, 2016-07-14 at 22:05 +0100, Rowland penny wrote:
>>>>> On 14/07/16 21:52, Andrew Bartlett wrote:
>>>>>> Rowland:
>>>>>>
>>>>>> Running samba-tool domain exportkeytab for a specific user is quite a
>>>>>> reasonable thing to do, and is entirely sensible to recommend as part
>>>>>> of adding a new user with an SPN. The keytab can then be deployed as
>>>>>> required.
>>>>>>
>>>>>> Running the exportkeytab file is not the same as loading up the DC with
>>>>>> other services. Not that this is a total disaster (particularly for
>>>>>> small sites trying to replace SBS), but we do try and make folks think
>>>>>> before creating mega-servers.
>>>>>>
>>>>>> I'm very happy for such information to be in our wiki, as I do refer to
>>>>>> it and refer others to the apache page, which shows the same pattern as
>>>>>> required for mod_auth_kerb.
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory
>>>>>>
>>>>>> Indeed, we need to make this page easier to find.
>>>>>>
>>>>>> Andrew Bartlett
>>>>>>
>>>>> Andrew, I know all this, but in this instance, the OP is going to run
>>>>> Dovecot on the DC. Now, if you are happy to say that Samba is now
>>>>> recommending using the Samba AD DC as a fileserver etc, I am quite happy
>>>>> to trawl the wiki, removing any references to not using the DC as a
>>>>> fileserver etc, otherwise, I will go back to my plan of creating a wiki
>>>>> page for Dovecot similar to the Apache one.
>>>> I didn't see anything in the instructions that were specific to running
>>>> on a DC, and in any case, we can afford to be a little less dogmatic
>>>> about this. Please don't go trawling the wiki one way or the other.
>>>>
>>>> To be clear: I'm happy with the statement currently on the wiki:
>>>>
>>>> Whilst the Domain Controller seems capable of running as a full file
>>>> server, it is suggested that organisations run a distinct file server
>>>> to allow upgrades of each without disrupting the other. It is also
>>>> suggested that medium-sized sites should run more than one DC. It also
>>>> makes sense to have the DC's distinct from any file servers that may
>>>> use the Domain Controllers. Additionally using distinct file servers
>>>> avoids the idiosyncrasies in the winbindd configuration on the Active
>>>> Directory Domain Controller. The Samba team does not recommend using a
>>>> Samba-based Domain Controller as a file server, and recommend that
>>>> users run a separate Domain Member with file shares.
>>>>
>>>> Thanks,
>>>>
>>>> Andrew Bartlett
>>>>
>>> OK, now we have sorted that out, I will put creating a wiki page for
>>> Dovecot on my TODO list, it will be based around the Apache page i.e.
>>> it will say what user & SPN to create and then say how to transfer the
>>> resultant keytab to another machine, leaving it up to the sysadmin to
>>> read between the lines.
>>>
>>> This is what I planned to do.
>>>
>>> Rowland
>>>
>>>
>> OK, just an update on the new wiki page for Dovecot, I started to write
>> it and realised there is a potential problem.
>>
>> The user created in AD is called 'dovecot' and the Dovecot packages also
>> want to create a user called 'dovecot' in /etc/passwd, they cannot both
>> exist.
> Actually, yes they can. *ALL* my domain users are also in /etc/passwd
> because I use sendmail and procmail as MTA to deliver mail to the
> appropriate Maildir folders (as defined in /etc/passwd for home
> directories) and I use /etc/shadow as Dovecot's passdb for non-domain mail
> clients such as iPhone and Outlook (the latter simply because I haven't
> figured out NTLM authentication for Outlook yet).

Then, when you run 'getent passwd userA' which user do you get back ?
and have you tried creating a new local Unix user lately if that user
exists in AD already ?

User 'rowland' is in AD:

root@devstation:/home/rowland/dovecot# getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

If the 'root' user tries to create a local Unix user called 'rowland'

root@devstation:/home/rowland/dovecot# useradd rowland
useradd: user 'rowland' already exists

Still think it is a good idea having your users in /etc/passwd & AD ?

You don't need to anyway, Dovecot can use the mail or userPrincipalName
attributes.

Rowland

>
> All domain members, Windows or Linux, authenticate users with their AD
> credentials just fine.
>
> What I did do with AD users and did not do with the AD dovecot user is
> create their /etc/passwd entry with the same UID:GID as the AD account.
> So, for the dovecot user I could have:

You do need the local Unix users in AD then, just give them a
'uidNumber' attribute.

Rowland
Achim Gottinger
2016-Jul-16 19:32 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On 16.07.2016 at 20:39, Rowland penny wrote:
> On 16/07/16 19:09, Mark Foley wrote:
>> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org>
>> wrote:
>>
>>> On 15/07/16 08:17, Rowland penny wrote:
>>>> On 15/07/16 00:34, Andrew Bartlett wrote:
>>>>> On Thu, 2016-07-14 at 22:05 +0100, Rowland penny wrote:
>>>>>> On 14/07/16 21:52, Andrew Bartlett wrote:
>>>>>>> Rowland:
>>>>>>>
>>>>>>> Running samba-tool domain exportkeytab for a specific user is quite a
>>>>>>> reasonable thing to do, and is entirely sensible to recommend as part
>>>>>>> of adding a new user with an SPN. The keytab can then be deployed as
>>>>>>> required.
>>>>>>>
>>>>>>> Running the exportkeytab file is not the same as loading up the DC with
>>>>>>> other services. Not that this is a total disaster (particularly for
>>>>>>> small sites trying to replace SBS), but we do try and make folks think
>>>>>>> before creating mega-servers.
>>>>>>>
>>>>>>> I'm very happy for such information to be in our wiki, as I do refer to
>>>>>>> it and refer others to the apache page, which shows the same pattern as
>>>>>>> required for mod_auth_kerb.
>>>>>>>
>>>>>>> https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory
>>>>>>>
>>>>>>> Indeed, we need to make this page easier to find.
>>>>>>>
>>>>>>> Andrew Bartlett
>>>>>>>
>>>>>> Andrew, I know all this, but in this instance, the OP is going to run
>>>>>> Dovecot on the DC. Now, if you are happy to say that Samba is now
>>>>>> recommending using the Samba AD DC as a fileserver etc, I am quite happy
>>>>>> to trawl the wiki, removing any references to not using the DC as a
>>>>>> fileserver etc, otherwise, I will go back to my plan of creating a wiki
>>>>>> page for Dovecot similar to the Apache one.
>>>>> I didn't see anything in the instructions that were specific to running
>>>>> on a DC, and in any case, we can afford to be a little less dogmatic
>>>>> about this. Please don't go trawling the wiki one way or the other.
>>>>>
>>>>> To be clear: I'm happy with the statement currently on the wiki:
>>>>>
>>>>> Whilst the Domain Controller seems capable of running as a full file
>>>>> server, it is suggested that organisations run a distinct file server
>>>>> to allow upgrades of each without disrupting the other. It is also
>>>>> suggested that medium-sized sites should run more than one DC. It also
>>>>> makes sense to have the DC's distinct from any file servers that may
>>>>> use the Domain Controllers. Additionally using distinct file servers
>>>>> avoids the idiosyncrasies in the winbindd configuration on the Active
>>>>> Directory Domain Controller. The Samba team does not recommend using a
>>>>> Samba-based Domain Controller as a file server, and recommend that
>>>>> users run a separate Domain Member with file shares.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Andrew Bartlett
>>>>>
>>>> OK, now we have sorted that out, I will put creating a wiki page for
>>>> Dovecot on my TODO list, it will be based around the Apache page i.e.
>>>> it will say what user & SPN to create and then say how to transfer the
>>>> resultant keytab to another machine, leaving it up to the sysadmin to
>>>> read between the lines.
>>>>
>>>> This is what I planned to do.
>>>>
>>>> Rowland
>>>>
>>>>
>>> OK, just an update on the new wiki page for Dovecot, I started to write
>>> it and realised there is a potential problem.
>>>
>>> The user created in AD is called 'dovecot' and the Dovecot packages also
>>> want to create a user called 'dovecot' in /etc/passwd, they cannot both
>>> exist.
>> Actually, yes they can. *ALL* my domain users are also in /etc/passwd
>> because I use sendmail and procmail as MTA to deliver mail to the
>> appropriate Maildir folders (as defined in /etc/passwd for home
>> directories) and I use /etc/shadow as Dovecot's passdb for non-domain mail
>> clients such as iPhone and Outlook (the latter simply because I haven't
>> figured out NTLM authentication for Outlook yet).
>
> Then, when you run 'getent passwd userA' which user do you get back ?
> and have you tried creating a new local Unix user lately if that user
> exists in AD already ?
>
> User 'rowland' is in AD:
>
> root@devstation:/home/rowland/dovecot# getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> If the 'root' user tries to create a local Unix user called 'rowland'
>
> root@devstation:/home/rowland/dovecot# useradd rowland
> useradd: user 'rowland' already exists
>
> Still think it is a good idea having your users in /etc/passwd & AD ?
>
> You don't need to anyway, Dovecot can use the mail or
> userPrincipalName attributes.
>
> Rowland
>
>>
>> All domain members, Windows or Linux, authenticate users with their
>> AD credentials just fine.
>>
>> What I did do with AD users and did not do with the AD dovecot user
>> is create their /etc/passwd entry with the same UID:GID as the AD
>> account. So, for the dovecot user I could have:
>
> You do need the local Unix users in AD then, just give them a
> 'uidNumber' attribute.
>
>
> Rowland
>

As long as the nss order is files or compat and afterwards winbind.
Using dovecot for the samba user does not hurt.
The samba dovecot uid is at no place required for kerberos authentication.
Mark Foley
2016-Jul-17 06:12 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On Sat, 16 Jul 2016 19:39:21 +0100 Rowland penny <rpenny at samba.org> wrote:
>
> On 16/07/16 19:09, Mark Foley wrote:
> > On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> wrote:
> >

[lots of extraneous stuff deleted]

> >>>
> >>>
> >> OK, just an update on the new wiki page for Dovecot, I started to write
> >> it and realised there is a potential problem.
> >>
> >> The user created in AD is called 'dovecot' and the Dovecot packages also
> >> want to create a user called 'dovecot' in /etc/passwd, they cannot both
> >> exist.
> >
> > Actually, yes they can. *ALL* my domain users are also in /etc/passwd
> > because I use sendmail and procmail as MTA to deliver mail to the
> > appropriate Maildir folders (as defined in /etc/passwd for home
> > directories) and I use /etc/shadow as Dovecot's passdb for non-domain mail
> > clients such as iPhone and Outlook (the latter simply because I haven't
> > figured out NTLM authentication for Outlook yet).
>
> Then, when you run 'getent passwd userA' which user do you get back ?
> and have you tried creating a new local Unix user lately if that user
> exists in AD already ?
>
> User 'rowland' is in AD:
>
> root@devstation:/home/rowland/dovecot# getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> If the 'root' user tries to create a local Unix user called 'rowland'
>
> root@devstation:/home/rowland/dovecot# useradd rowland
> useradd: user 'rowland' already exists

Just yesterday I added a new AD user 'shay' via RSAT ADUC on Windows.

On the AD/DC I then ran wbinfo to verify the uid/gid:

root@mail:~ # wbinfo -i shay
HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false

Then I added that user to the AD/DC /etc/passwd for reasons mentioned above.
Here is the actual command line still in root's bash command history:

useradd -c "Susan Hay" -d /home/HPRS/shay -g 10000 -m -s /bin/bash -u 10010 shay

I did not get the "useradd: user 'shay' already exists" message you got.

My getent:

root@mail:~ # getent passwd shay
shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash

Running getent on this user from a domain member (where that user IS NOT in
any local passwd file):

mfoley@labrat:~ $ getent passwd shay
shay:*:10010:10000:Susan Hay:/home/shay:/bin/sh

> Still think it is a good idea having your users in /etc/passwd & AD ?
>
> You don't need to anyway, Dovecot can use the mail or userPrincipalName
> attributes.

The reason I think I need to (and I could be mistaken) is for my sendmail MTA
to deliver incoming mail to /home/HPRS/username/Maildir. To my knowledge,
sendmail cannot otherwise determine user or destination mail directories.
Perhaps other MTAs can get this info from Samba4, but I don't think sendmail
can.

> >
> > All domain members, Windows or Linux, authenticate users with their AD
> > credentials just fine.
> >
> > What I did do with AD users and did not do with the AD dovecot user is
> > create their /etc/passwd entry with the same UID:GID as the AD account.
> > So, for the dovecot user I could have:
>
> You do need the local Unix users in AD then, just give them a
> 'uidNumber' attribute.

Not sure, but are you agreeing that it's OK to have AD users as both AD users
and local users?

--Mark
Mark Foley
2016-Jul-17 06:26 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On Sat, 16 Jul 2016 21:32:33 +0200 Achim Gottinger <achim at ag-web.biz> wrote:
> On 16.07.2016 at 20:39, Rowland penny wrote:
> > On 16/07/16 19:09, Mark Foley wrote:
> >> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org>
> >> wrote:
> >>
> >>> On 15/07/16 08:17, Rowland penny wrote:
> >>>> On 15/07/16 00:34, Andrew Bartlett wrote:
> >>>>> On Thu, 2016-07-14 at 22:05 +0100, Rowland penny wrote:
> >>>>>> On 14/07/16 21:52, Andrew Bartlett wrote:
> >>>>>>> Rowland:
> >>>>>>>
> >>>>>>> Running samba-tool domain exportkeytab for a specific user is quite a
> >>>>>>> reasonable thing to do, and is entirely sensible to recommend as part
> >>>>>>> of adding a new user with an SPN. The keytab can then be deployed as
> >>>>>>> required.
> >>>>>>>
> >>>>>>> Running the exportkeytab file is not the same as loading up the DC with
> >>>>>>> other services. Not that this is a total disaster (particularly for
> >>>>>>> small sites trying to replace SBS), but we do try and make folks think
> >>>>>>> before creating mega-servers.
> >>>>>>>
> >>>>>>> I'm very happy for such information to be in our wiki, as I do refer to
> >>>>>>> it and refer others to the apache page, which shows the same pattern as
> >>>>>>> required for mod_auth_kerb.
> >>>>>>>
> >>>>>>> https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory
> >>>>>>>
> >>>>>>> Indeed, we need to make this page easier to find.
> >>>>>>>
> >>>>>>> Andrew Bartlett
> >>>>>>>
> >>>>>> Andrew, I know all this, but in this instance, the OP is going to run
> >>>>>> Dovecot on the DC. Now, if you are happy to say that Samba is now
> >>>>>> recommending using the Samba AD DC as a fileserver etc, I am quite happy
> >>>>>> to trawl the wiki, removing any references to not using the DC as a
> >>>>>> fileserver etc, otherwise, I will go back to my plan of creating a wiki
> >>>>>> page for Dovecot similar to the Apache one.
> >>>>> I didn't see anything in the instructions that were specific to running
> >>>>> on a DC, and in any case, we can afford to be a little less dogmatic
> >>>>> about this. Please don't go trawling the wiki one way or the other.
> >>>>>
> >>>>> To be clear: I'm happy with the statement currently on the wiki:
> >>>>>
> >>>>> Whilst the Domain Controller seems capable of running as a full file
> >>>>> server, it is suggested that organisations run a distinct file server
> >>>>> to allow upgrades of each without disrupting the other. It is also
> >>>>> suggested that medium-sized sites should run more than one DC. It also
> >>>>> makes sense to have the DC's distinct from any file servers that may
> >>>>> use the Domain Controllers. Additionally using distinct file servers
> >>>>> avoids the idiosyncrasies in the winbindd configuration on the Active
> >>>>> Directory Domain Controller. The Samba team does not recommend using a
> >>>>> Samba-based Domain Controller as a file server, and recommend that
> >>>>> users run a separate Domain Member with file shares.
> >>>>>
> >>>>> Thanks,
> >>>>>
> >>>>> Andrew Bartlett
> >>>>>
> >>>> OK, now we have sorted that out, I will put creating a wiki page for
> >>>> Dovecot on my TODO list, it will be based around the Apache page i.e.
> >>>> it will say what user & SPN to create and then say how to transfer the
> >>>> resultant keytab to another machine, leaving it up to the sysadmin to
> >>>> read between the lines.
> >>>>
> >>>> This is what I planned to do.
> >>>>
> >>>> Rowland
> >>>>
> >>>>
> >>> OK, just an update on the new wiki page for Dovecot, I started to write
> >>> it and realised there is a potential problem.
> >>>
> >>> The user created in AD is called 'dovecot' and the Dovecot packages also
> >>> want to create a user called 'dovecot' in /etc/passwd, they cannot both
> >>> exist.
> >> Actually, yes they can. *ALL* my domain users are also in /etc/passwd
> >> because I use sendmail and procmail as MTA to deliver mail to the
> >> appropriate Maildir folders (as defined in /etc/passwd for home
> >> directories) and I use /etc/shadow as Dovecot's passdb for non-domain mail
> >> clients such as iPhone and Outlook (the latter simply because I haven't
> >> figured out NTLM authentication for Outlook yet).
> >
> > Then, when you run 'getent passwd userA' which user do you get back ?
> > and have you tried creating a new local Unix user lately if that user
> > exists in AD already ?
> >
> > User 'rowland' is in AD:
> >
> > root@devstation:/home/rowland/dovecot# getent passwd rowland
> > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> >
> > If the 'root' user tries to create a local Unix user called 'rowland'
> >
> > root@devstation:/home/rowland/dovecot# useradd rowland
> > useradd: user 'rowland' already exists
> >
> > Still think it is a good idea having your users in /etc/passwd & AD ?
> >
> > You don't need to anyway, Dovecot can use the mail or
> > userPrincipalName attributes.
> >
> > Rowland
> >
> >>
> >> All domain members, Windows or Linux, authenticate users with their
> >> AD credentials just fine.
> >>
> >> What I did do with AD users and did not do with the AD dovecot user
> >> is create their /etc/passwd entry with the same UID:GID as the AD
> >> account. So, for the dovecot user I could have:
> >
> > You do need the local Unix users in AD then, just give them a
> > 'uidNumber' attribute.
> >
> >
> > Rowland
> >
> As long as the nss order is files or compat and afterwards winbind.
> Using dovecot for the samba user does not hurt.
> The samba dovecot uid is at no place required for kerberos authentication.
>

I've made no change at all to my /etc/nsswitch.conf since the last time I
scratch installed Linux on the AD/DC Dovecot host in January, 2015. The
as-shipped must be fine. Mine is:

passwd: compat
group: compat
hosts: files dns
networks: files
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files

No winbind on the AD/DC, but winbind is in the domain members' nsswitch.conf:

passwd: compat winbind
group: compat winbind

--Mark
Rowland penny
2016-Jul-17 07:32 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On 17/07/16 07:12, Mark Foley wrote:
> On Sat, 16 Jul 2016 19:39:21 +0100 Rowland penny <rpenny at samba.org> wrote:
>> On 16/07/16 19:09, Mark Foley wrote:
>>> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> wrote:
>>>
> [lots of extraneous stuff deleted]
>
>>>>>
>>>> OK, just an update on the new wiki page for Dovecot, I started to write
>>>> it and realised there is a potential problem.
>>>>
>>>> The user created in AD is called 'dovecot' and the Dovecot packages also
>>>> want to create a user called 'dovecot' in /etc/passwd, they cannot both
>>>> exist.
>>> Actually, yes they can. *ALL* my domain users are also in /etc/passwd
>>> because I use sendmail and procmail as MTA to deliver mail to the
>>> appropriate Maildir folders (as defined in /etc/passwd for home
>>> directories) and I use /etc/shadow as Dovecot's passdb for non-domain mail
>>> clients such as iPhone and Outlook (the latter simply because I haven't
>>> figured out NTLM authentication for Outlook yet).
>> Then, when you run 'getent passwd userA' which user do you get back ?
>> and have you tried creating a new local Unix user lately if that user
>> exists in AD already ?
>>
>> User 'rowland' is in AD:
>>
>> root@devstation:/home/rowland/dovecot# getent passwd rowland
>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>>
>> If the 'root' user tries to create a local Unix user called 'rowland'
>>
>> root@devstation:/home/rowland/dovecot# useradd rowland
>> useradd: user 'rowland' already exists
> Just yesterday I added a new AD user 'shay' via RSAT ADUC on Windows.
>
> On the AD/DC I then ran wbinfo to verify the uid/gid:
>
> root@mail:~ # wbinfo -i shay
> HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false
>
> Then I added that user to the AD/DC /etc/passwd for reasons mentioned above.
> Here is the actual command line still in root's bash command history:
>
> useradd -c "Susan Hay" -d /home/HPRS/shay -g 10000 -m -s /bin/bash -u 10010 shay
>
> I did not get the "useradd: user 'shay' already exists" message you got.
>
> My getent:
>
> root@mail:~ # getent passwd shay
> shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash
>
> Running getent on this user from a domain member (where that user IS NOT in
> any local passwd file):
>
> mfoley@labrat:~ $ getent passwd shay
> shay:*:10010:10000:Susan Hay:/home/shay:/bin/sh
>
>> Still think it is a good idea having your users in /etc/passwd & AD ?
>>
>> You don't need to anyway, Dovecot can use the mail or userPrincipalName
>> attributes.
> The reason I think I need to (and I could be mistaken) is for my sendmail MTA
> to deliver incoming mail to /home/HPRS/username/Maildir. To my knowledge,
> sendmail cannot otherwise determine user or destination mail directories.
> Perhaps other MTAs can get this info from Samba4, but I don't think sendmail
> can.
>
>>> All domain members, Windows or Linux, authenticate users with their AD
>>> credentials just fine.
>>>
>>> What I did do with AD users and did not do with the AD dovecot user is
>>> create their /etc/passwd entry with the same UID:GID as the AD account.
>>> So, for the dovecot user I could have:
>> You do need the local Unix users in AD then, just give them a
>> 'uidNumber' attribute.
> Not sure, but are you agreeing that it's OK to have AD users as both AD users
> and local users?
>
> --Mark
>

No, bit of a typo there :-)

What I am trying to tell you is that you shouldn't have users in AD and
/etc/passwd, in fact there is no need to. The whole point of AD is
centralisation of user and group management, you can take your AD user and
make it a Unix user by adding RFC2307 attributes to the user's object in AD.

See here for the RFC: https://www.ietf.org/rfc/rfc2307.txt

In your setup you could have a user 'USERA' in AD and on your mail computer
you could also have a 'USERA' in /etc/passwd, how do you keep the password
for the two users in sync ? what happens if the AD user changes their
password ?

My systems are set up correctly and I cannot create a local Unix user if the
user exists in AD, but this doesn't matter, because I do not need to. If I
want an AD user to also be a Unix user, I just add the required RFC2307
attributes to the user's object in AD.

If I run this command on a Unix domain member:

rowland@devstation:~$ cat /etc/passwd | grep rowland
rowland@devstation:~$

I get nothing returned, so the user 'rowland' doesn't exist in /etc/passwd,
but if I then run this command:

rowland@devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Funny, I seem to have a Unix user called 'rowland', but he doesn't exist in
/etc/passwd and if I wanted to use this user with Dovecot, I could.

Rowland
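
The following is an added example, not written by anyone in the thread: it compares local passwd entries with the entries AD returns and reports, for every account defined in both places, which fields differ, which NSS source answers first, and whether a separate /etc/shadow record is involved. The `shay` lines and the two `passwd:` settings are the ones quoted in the thread, the `backup` account is constructed, and all function and field names are this example's own.

```python
"""Audit accounts that exist both in /etc/passwd and in AD (added example)."""
from typing import List, NamedTuple

LOCAL_SOURCES = ("files", "compat")  # NSS sources backed by /etc/passwd


class Entry(NamedTuple):
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_entry(line: str) -> Entry:
    """Parse one passwd(5)-format line as printed by getent or 'wbinfo -i'."""
    name, pw, uid, gid, gecos, home, shell = line.strip().split(":", 6)
    name = name.rsplit("\\", 1)[-1]  # wbinfo prints the name as DOMAIN\user
    return Entry(name, pw, int(uid), int(gid), gecos, home, shell)


def passwd_sources(nsswitch_text: str) -> List[str]:
    """Ordered sources on the 'passwd:' line, skipping [STATUS=action] items."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            tokens = line[len("passwd:"):].split()
            return [t for t in tokens if not t.startswith("[")]
    return []


def audit(local_lines, ad_lines, nsswitch_text):
    """Return one finding per account defined both locally and in AD."""
    sources = passwd_sources(nsswitch_text)
    known = [s for s in sources if s in LOCAL_SOURCES or s == "winbind"]
    local = {e.name.lower(): e for e in map(parse_entry, local_lines)}
    findings = []
    for ad in map(parse_entry, ad_lines):
        loc = local.get(ad.name.lower())
        if loc is None:
            continue  # AD-only account, nothing is duplicated
        findings.append({
            "name": ad.name,
            # attributes where the local copy has drifted from AD
            "differs": [f for f in ("uid", "gid", "home", "shell")
                        if getattr(loc, f) != getattr(ad, f)],
            # first source in NSS order that can answer for this name
            "answered_by": known[0] if known else None,
            # False: getent on this host never consults AD at all
            "ad_visible_to_nss": "winbind" in sources,
            # 'x' points at /etc/shadow, which AD password changes never touch
            "separate_shadow_entry": loc.passwd == "x",
        })
    return findings


# Sample data: the 'shay' lines and 'passwd:' settings are the ones quoted in
# the thread; 'backup' is a constructed local-only account.
DC_PASSWD = [
    "shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash",
    "backup:x:34:34:backup:/var/backups:/bin/false",
]
AD_ENTRIES = [r"HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false"]
DC_NSSWITCH = "passwd: compat\ngroup: compat\n"
MEMBER_NSSWITCH = "passwd: compat winbind\ngroup: compat winbind\n"

if __name__ == "__main__":
    for label, conf in (("DC", DC_NSSWITCH), ("member", MEMBER_NSSWITCH)):
        for finding in audit(DC_PASSWD, AD_ENTRIES, conf):
            print(label, finding)
```

On a live host the three inputs would come from /etc/passwd, `wbinfo -i <user>` for each AD account, and /etc/nsswitch.conf.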