This looks pretty clear.
https://wiki.dovecot.org/Authentication/Kerberos
The symlink might not be needed.
# You have 2 options to do this.
# option 1 ( with a "service user" )
# my way like on the site.
samba-tool user create dovecot --description="Unprivileged user for TSIG-GSSAPI Dovecot Services" --random-password
# Now set the user's password to never expire
samba-tool user setexpiry dovecot --noexpiry
# Add Service Principal Names (SPNs) and create keytab
$ samba-tool spn add imap/host.domain.com dovecot
$ samba-tool domain exportkeytab --principal imap/host.domain.com /etc/dovecot/dovecot.keytab
Dovecot needs to be able to read the keytab
chgrp dovecot /etc/dovecot/dovecot.keytab
chmod g+r /etc/dovecot/dovecot.keytab
Make sure your keytab has an entry for imap/host.domain.name@REALM.
$ klist -Kek /etc/dovecot/dovecot.keytab
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/host.domain.name@REALM (des-cbc-crc)
   1 imap/host.domain.name@REALM (des-cbc-md5)
   1 imap/host.domain.name@REALM (arcfour-hmac)
# option 2 ( the computer$ name "IS" the "service user" )
#
# Option 2a the keytab setup.
#
# with separated keytab file for dovecot
KRB5_KTNAME=/etc/dovecot/dovecot.keytab
export KRB5_KTNAME
# option 2b with /etc/krb5.keytab setup, without above export of KRB5_KTNAME
net ads keytab add_update_ads imap/$(hostname -f) -U Administrator
This adds the SPN to the hostname$ account in AD and to the local keytab file.
chgrp dovecot /etc/dovecot/dovecot.keytab
chmod g+r /etc/dovecot/dovecot.keytab
What's best I don't know, I don't use dovecot personally, yes, uh, 17y ago.. ;-)
It depends a bit on your setup and what you're using and want as options.
On Postfix (Debian, since I mostly do Debian):
https://wiki.debian.org/PostfixAndSASL
Is still valid as far as I can tell.
And a handy SPN list.
Services in main packages:
Service                    Currently supported via    Default service principal name(s)
openssh                    GSSAPI                     host/fqdn@REALM
openldap                   SASL                       ldap/fqdn@REALM
samba (as a cifs server)                              cifs/fqdn@REALM, host/fqdn@REALM
postfix                    SASL                       smtp/fqdn@REALM
dovecot                    GSSAPI                     imap/fqdn@REALM, pop/fqdn@REALM
cupsys                     GSSAPI                     IPP/fqdn@REALM
postgresql                 GSSAPI                     postgres/fqdn@REALM
apache2                    mod-auth-krb5              HTTP/fqdn@REALM, HTTP/short_fqdn@REALM
freeradius                 freeradius-krb5 module     radius/fqdn@REALM
ipsec-tools (racoon)       GSSAPI
And if you use Debian:
apt install libpam-krb5
pam-auth-update
Is in most cases sufficient to enable Kerberos auth in PAM.
I hope you can use it.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Friday 18 September 2020 21:01
> To: samba@lists.samba.org
> Subject: Re: [Samba] Mailserver + Samba4
>
> On 18/09/2020 19:37, Philip Offermans via samba wrote:
> > Hi,
> > I want to install a dovecot mail server with postfix. And
> > want to be able to use kerberos for authentication. Has
> > someone experience with this? And maybe some links to info.
> > Is there also someone with experience with SoGo?
> >
> > Philip
> >
> You could try an internet search on iredmail
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
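The keytab steps in Louis's reply end with "make sure your keytab has an entry for the imap principal" and "Dovecot needs to be able to read the keytab". The script below is an added example (mine, not from the mail, the Samba project or the Dovecot wiki) that turns both into checks a practitioner can script: it parses a `klist -Kek` listing for the expected principal, reports entries that only offer DES or RC4 (arcfour) enctypes, and verifies that the keytab file is group-readable but closed to "other", which is what the chgrp/chmod pair above produces. The listing is a constructed sample, the realm EXAMPLE.COM and the aes entry are assumptions, and the script needs nothing beyond POSIX sh, awk, ls and cut.

```shell
#!/bin/sh
# Added example: sanity checks for a Dovecot service keytab.
# Not part of the original mail; assumes only POSIX sh, awk, ls and cut.

# Constructed sample of `klist -Kek` output (not taken from a real keytab).
# The realm EXAMPLE.COM and the aes256 entry are assumptions for the example.
SAMPLE_KLIST='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- ----------------------------------------------------------
   1 imap/host.domain.name@EXAMPLE.COM (des-cbc-crc)
   1 imap/host.domain.name@EXAMPLE.COM (arcfour-hmac)
   1 imap/host.domain.name@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# keytab_has_principal LISTING PRINCIPAL
# Returns 0 when PRINCIPAL appears as the second column of a klist -Kek
# listing (KVNO, principal, enctype), 1 otherwise.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit !found }'
}

# keytab_weak_enctypes LISTING
# Prints, one per line, the enctypes of entries that use DES or RC4 (arcfour).
# A keytab that carries only such keys forces the service onto broken ciphers.
keytab_weak_enctypes() {
    printf '%s\n' "$1" | awk '
        index($2, "/") > 0 {             # principal lines look like svc/host@REALM
            enc = $3
            gsub(/[()]/, "", enc)        # "(des-cbc-crc)" -> "des-cbc-crc"
            if (enc ~ /^(des-|arcfour)/) print enc
        }'
}

# keytab_perms_ok FILE
# Returns 0 when FILE is readable by its group (dovecot, after chgrp) and not
# accessible at all by others, e.g. -rw-r----- or -r--r-----; 1 otherwise.
# Relies only on the 10-character mode field of `ls -ld`.
keytab_perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????r??---) return 0 ;;
        *)          return 1 ;;
    esac
}

# Demo on the constructed listing (written so it is safe under `set -e`).
if keytab_has_principal "$SAMPLE_KLIST" 'imap/host.domain.name@EXAMPLE.COM'; then
    echo "imap principal present in keytab"
else
    echo "imap principal MISSING from keytab"
fi
echo "weak enctypes: $(keytab_weak_enctypes "$SAMPLE_KLIST" | tr '\n' ' ')"
```

On a real host, replace `$SAMPLE_KLIST` with `"$(klist -Kek /etc/dovecot/dovecot.keytab)"` and pass the keytab path to `keytab_perms_ok`; the principal string must match exactly, including the realm, because that is what the GSSAPI library looks up at bind time.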