thr3ads.net - dovecot - [Dovecot] dovecot/Active Directory/KRB client (OT) [Aug 2005]

If this information is useful, please help other people find it:
Share via:

Jeff A. Earickson

2005-Aug-29 13:59 UTC

[Dovecot] dovecot/Active Directory/KRB client (OT)

Gang,

For those who asked about making a Solaris system a Kerberos
client to Active Directory, the magic document to have is:

http://www.connectathon.org/seam1.0/files/c0101.htm

See the section "How to Configure a SEAM Client Using a Windows 
2000 KDC".  SEAM was Sun's Kerberos client stuff in Solaris 8;
it is just there as part of Solaris 9 and 10.  These instructions
apply if one is using Solaris 9, 10, or a Windows 2003 KDC.
The instructions probably give insight for other UNIX versions.

The hard part is configuring the pam.conf file, and there are
significant differences between Solaris 9 and 10.  For dovecot, I
use the "other" service, in Solaris 9 pam.conf looks like:

other   auth    sufficient      /usr/lib/security/pam_unix.so.1 debug
other   auth    sufficient      /usr/lib/security/pam_krb5.so.1 try_first_pass
debug
other   account optional        /usr/lib/security/pam_unix.so.1 
other   account optional        /usr/lib/security/pam_krb5.so.1  debug
other   session required        /usr/lib/security/pam_unix.so.1
other   session optional        /usr/lib/security/pam_krb5.so.1  debug
other   password        required        /usr/lib/security/pam_unix.so.1

For Solaris 10, it looks like:

other   auth requisite          pam_authtok_get.so.1 debug
other   auth required           pam_dhkeys.so.1 debug
other   auth required           pam_unix_cred.so.1 debug
other   auth sufficient         pam_krb5.so.1 debug
other   auth required           pam_unix_auth.so.1 debug
other   account requisite       pam_roles.so.1 debug
other   account required        pam_unix_account.so.1 debug
other   account required        pam_krb5.so.1 debug
other   session required        pam_unix_session.so.1 debug
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password sufficient     pam_krb5.so.1
other   password required       pam_authtok_store.so.1

I hope this helps.

Jeff Earickson
Colby College

Lisandro Grullon

2005-Aug-29 14:03 UTC

head link

[Dovecot] dovecot/Active Directory/KRB client (OT)

Interesting, Thanks for sharing the info.

-----------------------------------------------------------------------------------------------------------------------
Lisandro Grullon
New York City College of Technology
Division of Continuing Education
Director of Network Operations
Lisandro Office:    1718-552-1178
Lisandro E-mail:   lgrullon at citytech.cuny.edu
"Unix is user-friendly. It's just very selective about who its friends
are."
>>> "Jeff A. Earickson" <jaearick at colby.edu>
08/29/05 9:59 AM >>>Gang,

For those who asked about making a Solaris system a Kerberos
client to Active Directory, the magic document to have is:

http://www.connectathon.org/seam1.0/files/c0101.htm 

See the section "How to Configure a SEAM Client Using a Windows 
2000 KDC".  SEAM was Sun's Kerberos client stuff in Solaris 8;
it is just there as part of Solaris 9 and 10.  These instructions
apply if one is using Solaris 9, 10, or a Windows 2003 KDC.
The instructions probably give insight for other UNIX versions.

The hard part is configuring the pam.conf file, and there are
significant differences between Solaris 9 and 10.  For dovecot, I
use the "other" service, in Solaris 9 pam.conf looks like:

other   auth    sufficient      /usr/lib/security/pam_unix.so.1 debug
other   auth    sufficient      /usr/lib/security/pam_krb5.so.1 try_first_pass
debug
other   account optional        /usr/lib/security/pam_unix.so.1 
other   account optional        /usr/lib/security/pam_krb5.so.1  debug
other   session required        /usr/lib/security/pam_unix.so.1
other   session optional        /usr/lib/security/pam_krb5.so.1  debug
other   password        required        /usr/lib/security/pam_unix.so.1

For Solaris 10, it looks like:

other   auth requisite          pam_authtok_get.so.1 debug
other   auth required           pam_dhkeys.so.1 debug
other   auth required           pam_unix_cred.so.1 debug
other   auth sufficient         pam_krb5.so.1 debug
other   auth required           pam_unix_auth.so.1 debug
other   account requisite       pam_roles.so.1 debug
other   account required        pam_unix_account.so.1 debug
other   account required        pam_krb5.so.1 debug
other   session required        pam_unix_session.so.1 debug
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password sufficient     pam_krb5.so.1
other   password required       pam_authtok_store.so.1

I hope this helps.

Jeff Earickson
Colby College

Apparently Analagous Threads

Search for more maybe matching threads

dovecot - Aug 2005 - dovecot/Active Directory/KRB client (OT)

[Dovecot] dovecot/Active Directory/KRB client (OT)

[Dovecot] dovecot/Active Directory/KRB client (OT)

Apparently Analagous Threads