Mark Foley
2016-Jul-20 17:26 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
Mike, excellent suggestion! I will definitely experiment with that nsswitch change. Rowland also mentioned adding RFC2307 to the AD settings for the user(s).

If, as you say, my MTA will find the home directory with the nss winbind setting, that would be fantastic! I would definitely remove the AD users from /etc/passwd.

I don't know if nsswitch.conf settings are now mentioned in the wiki, but they certainly weren't there (that I found) in August, 2014 when I configured my Samba4 AD/DC. If this works, this would be another important thing to put in the wiki.

I did configure a domain member with winbind in the nsswitch.conf, but those settings were explicitly given to me by Rowland last summer, 2015 in our maillist correspondence on single sign on (see past thread, subject contains "Single-Sign-On"). Based on our discussion and my successfully setting up a Linux domain member workstation, that wiki (https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member) does now have the nsswitch.conf info for winbind.

Thanks for the idea. I'll post back results.

--Mark

-----Original Message-----
> From: Data Control Systems - Mike Elkevizth <mike at datacontrolsystems.com>
> Date: Sun, 17 Jul 2016 13:35:27 +0000
> To: Rowland penny <rpenny at samba.org>, samba at lists.samba.org
> Subject: Re: [Samba] How to GSSAPI/Kerberos authenticate with Dovecot
> [formerly Where is krb5.keytab or equivalent?]
>
> Hi Mark,
>
> I think the reason you did not get the 'user already exists' message when
> doing a useradd is because your nsswitch file doesn't include winbind on
> the server you ran it on. My system will give me the same warning as
> Rowland's gives him with nsswitch setup like this:
>
> passwd: compat winbind
> group: compat winbind
>
> My guess is that you had to add the users into /etc/passwd because of your
> nsswitch file not using winbind. Otherwise your MTA should work fine.
> Mine does.
>
> I do also have these lines in my smb.conf, but I'm not sure they are
> necessary for the MTA to work.
>
> winbind enum groups = yes
> winbind enum users = yes
>
> Mike E.
>
> On Sun, Jul 17, 2016, 3:34 AM Rowland penny <rpenny at samba.org> wrote:
>
> > On 17/07/16 07:12, Mark Foley wrote:
> > > On Sat, 16 Jul 2016 19:39:21 +0100 Rowland penny <rpenny at samba.org> wrote:
> > >> On 16/07/16 19:09, Mark Foley wrote:
> > >>> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> wrote:
> > >>>
> > > [lots of extraneous stuff deleted]
> > >
> > >>>>>
> > >>>> OK, just an update on the new wiki page for Dovecot, I started to write
> > >>>> it and realised there is a potential problem.
> > >>>>
> > >>>> The user created in AD is called 'dovecot' and the Dovecot packages also
> > >>>> want to create a user called 'dovecot' in /etc/passwd, they cannot both
> > >>>> exist.
> > >>> Actually, yes they can. *ALL* my domain users are also in /etc/passwd because I use sendmail
> > >>> and procmail as MTA to deliver mail to the appropriate Maildir folders (as defined in
> > >>> /etc/passwd for home directories) and I use /etc/shadow as Dovecot's passdb for non-domain mail
> > >>> clients such as iPhone and Outlook (the latter simply because I haven't figured out NTLM
> > >>> authentication for Outlook yet).
> > >> Then, when you run 'getent passwd userA' which user do you get back ?
> > >> and have you tried creating a new local Unix user lately if that user
> > >> exists in AD already ?
> > >>
> > >> User 'rowland' is in AD:
> > >>
> > >> root at devstation:/home/rowland/dovecot# getent passwd rowland
> > >> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> > >>
> > >> If the 'root' user tries to create a local Unix user called 'rowland'
> > >>
> > >> root at devstation:/home/rowland/dovecot# useradd rowland
> > >> useradd: user 'rowland' already exists
> > > Just yesterday I added a new AD user 'shay' via RSAT ADUC on Windows.
> > >
> > > On the AD/DC I then ran wbinfo to verify the uid/gid:
> > >
> > > root at mail:~ # wbinfo -i shay
> > > HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false
> > >
> > > Then I added that user to the AD/DC /etc/passwd for reasons mentioned above. Here is the
> > > actual command line still in root's bash command history:
> > >
> > > useradd -c "Susan Hay" -d /home/HPRS/shay -g 10000 -m -s /bin/bash -u 10010 shay
> > >
> > > I did not get the "useradd: user 'shay' already exists" message you got.
> > >
> > > My getent:
> > >
> > > root at mail:~ # getent passwd shay
> > > shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash
> > >
> > > Running getent on this user from a domain member (where that user IS NOT in any local passwd file):
> > >
> > > mfoley at labrat:~ $ getent passwd shay
> > > shay:*:10010:10000:Susan Hay:/home/shay:/bin/sh
> > >
> > >> Still think it is a good idea having your users in /etc/passwd & AD ?
> > >>
> > >> You don't need to anyway, Dovecot can use the mail or userPrincipalName
> > >> attributes.
> > > The reason I think I need to (and I could be mistaken) is for my sendmail MTA to deliver
> > > incoming mail to /home/HPRS/username/Maildir. To my knowledge, sendmail cannot otherwise
> > > determine user or destination mail directories. Perhaps other MTAs can get this info from
> > > Samba4, but I don't think sendmail can.
> > >
> > >>> All domain members, Windows or Linux, authenticate users with their AD credentials just fine.
> > >>>
> > >>> What I did do with AD users and did not do with the AD dovecot user is create their /etc/passwd
> > >>> entry with the same UID:GID as the AD account. So, for the dovecot user I could have:
> > >> You do need the local Unix users in AD then, just give them a
> > >> 'uidNumber' attribute.
> > > Not sure, but are you agreeing that it's OK to have AD users as both AD users and local users?
> > >
> > > --Mark
> > >
> >
> > No, bit of a typo there :-)
> >
> > What I am trying to tell you is that you shouldn't have users in AD and
> > /etc/passwd, in fact there is no need to.
> > The whole point of AD is centralisation of user and group management,
> > you can take your AD user and make it a Unix user by adding RFC2307
> > attributes to the users object in AD.
> >
> > See here for the RFC: https://www.ietf.org/rfc/rfc2307.txt
> >
> > In your setup you could have a user 'USERA' in AD and on your mail
> > computer you could also have a 'USERA' in /etc/passwd, how do you keep
> > the password for the two users in sync ? what happens if the AD user
> > changes their password ?
> >
> > My systems are setup correctly and I cannot create a local Unix user if
> > the user exists in AD, but this doesn't matter, because I do not need
> > to. If I want an AD user to also be a Unix user, I just add the required
> > RFC2307 attributes to the users object in AD.
> >
> > If I run this command on a Unix domain member:
> >
> > rowland at devstation:~$ cat /etc/passwd | grep rowland
> > rowland at devstation:~$
> >
> > I get nothing returned, so the user 'rowland' doesn't exist in
> > /etc/passwd, but if I then run this command:
> >
> > rowland at devstation:~$ getent passwd rowland
> > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> >
> > Funny, I seem to have a Unix user called 'rowland', but he doesn't exist
> > in /etc/passwd and if I wanted to use this user with Dovecot, I could.
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
Mark Foley
2016-Jul-21 05:08 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
OK! I deleted the /etc/passwd entry for user mark and I modified my /etc/nsswitch.conf to:

passwd: compat winbind
group: compat winbind

I couldn't get sendmail working with this at first -- I didn't know what to [re]start to get the new nsswitch config to take, so I rebooted. Probably I just had to restart sendmail, but oh well.

And, it started working ... sort of. Email to that user was delivered OK; meaning sendmail/procmail were able to find the right IMAP folder to deliver mail.

However, email from that sender is not working and I'm sure one of you geniuses can set me straight. Here's my getent before deleting the /etc/passwd entry and before nsswitch changes:

$ getent passwd mark
mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash

... and after the changes:

$ getent passwd mark
HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false

See the difference? And here are a few mail log messages:

Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to @ohprs.org using -r
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org... User address required
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: from="HPRS\\\\mark",

Notice that it is now getting the userID as "HPRS\mark", i.e. domain\user, and the from address ends up being HPRS\mark at ohprs.org, which sendmail is not handling well.

Any ideas how to fix that?

I'll check with the sendmail people also.

Almost there! When I get this sorted out, I can remove my AD users from /etc/passwd which should make Rowland happy!

--Mark

-----Original Message-----
> From: Mark Foley <mfoley at ohprs.org>
> Date: Wed, 20 Jul 2016 13:26:08 -0400
> Organization: Ohio Highway Patrol Retirement System
> To: samba at lists.samba.org
> Subject: Re: [Samba] How to GSSAPI/Kerberos authenticate with Dovecot
> [formerly Where is krb5.keytab or equivalent?]
>
> Mike, excellent suggestion! I will definitely experiment with that nsswitch change.
Rowland penny
2016-Jul-21 07:56 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On 21/07/16 06:08, Mark Foley wrote:
> OK! I deleted the /etc/passwd entry for user mark and I modified my /etc/nsswitch.conf to:
>
> passwd: compat winbind
> group: compat winbind
>
> I couldn't get sendmail working with this at first -- I didn't know what to [re]start to get
> the new nsswitch config to take, so I rebooted. Probably I just had to restart sendmail, but oh
> well.
>
> And, it started working ... sort of. Email to that user was delivered OK; meaning
> sendmail/procmail were able to find the right IMAP folder to deliver mail.
>
> However, email from that sender is not working and I'm sure one of you geniuses can set me
> straight. Here's my getent before deleting the /etc/passwd entry and before nsswitch changes:
>
> $ getent passwd mark
> mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
>
> ... and after the changes:
>
> $ getent passwd mark
> HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false

OK, you are running into one of the problems of using a DC as a fileserver here, the only RFC2307 attributes used from AD are 'uidNumber' & 'gidNumber'.

You can get around the users home placement and shell with a couple of lines in smb.conf:

template homedir = /home/%U
template shell = /bin/bash

Restart Samba

There is another line, which works on a domain member:

winbind use default domain = yes

This (on a domain member) removes the NetBIOS domain name, but it doesn't seem to work on an AD DC.

Rowland

> See the difference? And here are a few mail log messages:
>
> Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to @ohprs.org using -r
> Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org... User address required
> Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: from="HPRS\\\\mark",
>
> Notice that it is now getting the userID as "HPRS\mark", i.e. domain\user, and the from address
> ends up being HPRS\mark at ohprs.org, which sendmail is not handling well.
>
> Any ideas how to fix that?
>
> I'll check with the sendmail people also.
>
> Almost there! When I get this sorted out, I can remove my AD users from /etc/passwd which
> should make Roland happy!
>
> --Mark
>
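The checks the thread does by hand (getent against /etc/passwd, wbinfo -i returning DOMAIN\user, the smb.conf template homedir substitutions) can be scripted so the shadow-account problem Rowland describes is caught before it bites. The script below is an added example written for this page; it is not code from the thread, from Samba or from Dovecot. It works on constructed passwd-format data that mirrors the thread (a local /etc/passwd and a winbind view of the HPRS domain; the dovecot UIDs and the 'HPRS\dovecot' account are made up) so it runs offline. On a real host you would feed it `getent passwd` output taken with winbind removed from and then added to nsswitch.conf.

```shell
#!/bin/sh
# Added example (not from the thread): audit a host for users that exist both
# in /etc/passwd and in AD via winbind, flag uid/gid mismatches between the two,
# and show what the smb.conf template substitutions %D and %U produce.

# Constructed sample data. LOCAL_PASSWD stands in for /etc/passwd (or
# 'getent passwd' with "passwd: compat" only); WINBIND_PASSWD stands in for
# what winbind returns ('wbinfo -i' / getent with "passwd: compat winbind").
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
dovecot:x:97:97:Dovecot:/var/run/dovecot:/bin/false'

WINBIND_PASSWD='HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false
HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false
HPRS\dovecot:*:10020:10000:Dovecot service:/home/HPRS/dovecot:/bin/false'

# Remove a leading "DOMAIN\" from a name. This is the transformation that
# "winbind use default domain = yes" applies on a domain member.
strip_domain() {
    printf '%s\n' "$1" | sed 's/^.*\\//'
}

# Print the passwd(5) line for user $1 from the data in $2, matching the name
# with or without a domain prefix. Prints nothing when the user is absent.
lookup() {
    lk_user=$1
    printf '%s\n' "$2" | while IFS=: read -r name pw uid gid gecos home shell; do
        if [ "$(strip_domain "$name")" = "$lk_user" ]; then
            printf '%s:%s:%s:%s:%s:%s:%s\n' "$name" "$pw" "$uid" "$gid" "$gecos" "$home" "$shell"
            break
        fi
    done
}

# Extract field $2 (1-based) of a passwd line $1.
field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Classify one user name: local-only, ad-only, present in both with the same
# uid:gid, or present in both with different ids (files owned by one identity
# are then invisible or inaccessible to the other).
classify() {
    cl_user=$1
    local_line=$(lookup "$cl_user" "$LOCAL_PASSWD")
    ad_line=$(lookup "$cl_user" "$WINBIND_PASSWD")
    if [ -z "$local_line" ] && [ -z "$ad_line" ]; then
        echo "unknown"
    elif [ -z "$ad_line" ]; then
        echo "local-only"
    elif [ -z "$local_line" ]; then
        echo "ad-only"
    elif [ "$(field "$local_line" 3)" = "$(field "$ad_line" 3)" ] &&
         [ "$(field "$local_line" 4)" = "$(field "$ad_line" 4)" ]; then
        echo "both:ids-match"
    else
        echo "both:ids-differ local=$(field "$local_line" 3):$(field "$local_line" 4) ad=$(field "$ad_line" 3):$(field "$ad_line" 4)"
    fi
}

# Expand the smb.conf substitutions used in 'template homedir': %D is the
# NetBIOS domain of the user, %U the bare user name (per smb.conf(5)).
template_homedir() {
    tmpl=$1
    full=$2
    th_user=$(strip_domain "$full")
    case $full in
        *\\*) th_domain=$(printf '%s\n' "$full" | sed 's/\\.*$//') ;;
        *)    th_domain="" ;;
    esac
    printf '%s\n' "$tmpl" | sed -e "s|%D|$th_domain|g" -e "s|%U|$th_user|g"
}

# Walk every name seen in either source and print its classification.
audit() {
    { printf '%s\n' "$LOCAL_PASSWD"; printf '%s\n' "$WINBIND_PASSWD"; } |
    cut -d: -f1 | while read -r n; do strip_domain "$n"; done | sort -u |
    while read -r u; do
        printf '%-8s %s\n' "$u" "$(classify "$u")"
    done
}

audit
```

Run as-is it reports mark as present in both sources with matching ids (the "safe" duplicate that still leaves two passwords to keep in sync), dovecot as present in both with differing ids, shay as AD-only and root as local-only. Anything in the "both" classes is a candidate for deletion from /etc/passwd once the AD object carries uidNumber and gidNumber; the template_homedir function shows what "/home/%U" versus "/home/%D/%U" will resolve to before you change smb.conf.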