You can specify which principal you want in your keytab with samba-tool,
check the manual.
You can check which principal is in your keytab using klist: klist -k or
klist -ke /path/to/keytab

2016-06-27 9:09 GMT+02:00 Rowland penny <rpenny at samba.org>:

> On 27/06/16 04:27, Mark Foley wrote:
>
>> I am running Samba 4.1.23 as an AD/DC. It has been running fine for more
>> than 1 1/2 years as a AD/DC for mostly Windows workstations.
>>
>> I'm trying to setup Dovecot with gssapi authentication. The config needs
>> the location of the service keys located in the keytab file. The default
>> location it looks for is:
>>
>> /etc/krb5.keytab
>>
>> There is no such file there, nor is there a so-named file on the AD/DC at
>> all. I do find:
>>
>> /etc/samba/private/secrets.keytab
>> /etc/samba/private/dns.keytab
>>
>> Is one of these what I can use for the Dovecot required config?
>>
>> THX --Mark
>>
> Hi, you don't get the /etc/krb5.keytab by default on a DC, you will need
> to create it:
>
> samba-tool domain exportkeytab /etc/krb5.keytab
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 2016-06-27 11:18 GMT+02:00 mathias dufresne wrote:

> You can check which principal is in your keytab using klist: klist -k or
> klist -ke /path/to/keytab

Mathias, thank you. I've created the /etc/krb5.keytab per Rowland's instructions. And, per
older instruction from when I first installed Samba4 2 years ago I've done:

ln -s /etc/samba/private/krb5.conf /etc/krb5.conf

The contents of which are:

[libdefaults]
        default_realm = HPRS.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

I don't know if I need that file or not, but the Dovecot people say I do. I now have those
files (krb5.keytab and krb5.conf) in /etc.

Now, the problem is I cannot do your suggested `klist` command, nor the `kinit` as described in
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

I don't seem to have these commands. Do these come with the Samba4 installation or are they
supposed to already be on the system, or to be downloaded separately?

--Mark

-----Original Message-----
> From: mathias dufresne <infractory at gmail.com>
> Date: Mon, 27 Jun 2016 11:18:39 +0200
> Cc: samba <samba at lists.samba.org>
> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
>
> You can specify which principal you want in your keytab with samba-tool,
> check the manual.
> You can check which principal is in your keytab using klist: klist -k or
> klist -ke /path/to/keytab

On 27/06/16 19:59, Mark Foley wrote:

> On 2016-06-27 11:18 GMT+02:00 mathias dufresne wrote:
>
>> You can check which principal is in your keytab using klist: klist -k or
>> klist -ke /path/to/keytab
>
> Mathias, thank you. I've created the /etc/krb5.keytab per Rowland's instructions. And, per
> older instruction from when I first installed Samba4 2 years ago I've done:
>
> ln -s /etc/samba/private/krb5.conf /etc/krb5.conf
>
> The contents of which are:
>
> [libdefaults]
>         default_realm = HPRS.LOCAL
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> I don't know if I need that file or not, but the Dovecot people say I do. I now have those
> files (krb5.keytab and krb5.conf) in /etc.
>
> Now, the problem is I cannot do your suggested `klist` command, nor the `kinit` as described in
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
>
> I don't seem to have these commands. Do these come with the Samba4 installation or are they
> supposed to already be on the system, or to be downloaded separately?

No, they don't come with Samba, you will need to install krb5-user, but all klist will do is
list the contents of a Kerberos cache after a user runs 'kinit'

Rowland