Rowland penny
2016-Jul-17 07:32 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On 17/07/16 07:12, Mark Foley wrote:
> On Sat, 16 Jul 2016 19:39:21 +0100 Rowland penny <rpenny at samba.org> wrote:
>> On 16/07/16 19:09, Mark Foley wrote:
>>> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> wrote:
>>>
> [lots of extraneous stuff deleted]
>
>>>> OK, just an update on the new wiki page for Dovecot, I started to write
>>>> it and realised there is a potential problem.
>>>>
>>>> The user created in AD is called 'dovecot' and the Dovecot packages also
>>>> want to create a user called 'dovecot' in /etc/passwd, they cannot both
>>>> exist.
>>> Actually, yes they can. *ALL* my domain users are also in /etc/passwd because I use sendmail
>>> and procmail as MTA to deliver mail to the appropriate Maildir folders (as defined in
>>> /etc/passwd for home directories) and I use /etc/shadow as Dovecot's passdb for non-domain mail
>>> clients such as iPhone and Outlook (the latter simply because I haven't figured out NTLM
>>> authentication for Outlook yet).
>> Then, when you run 'getent passwd userA' which user do you get back ?
>> and have you tried creating a new local Unix user lately if that user
>> exists in AD already ?
>>
>> User 'rowland' is in AD:
>>
>> root at devstation:/home/rowland/dovecot# getent passwd rowland
>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>>
>> If the 'root' user tries to create a local Unix user called 'rowland'
>>
>> root at devstation:/home/rowland/dovecot# useradd rowland
>> useradd: user 'rowland' already exists
> Just yesterday I added a new AD user 'shay' via RSAT ADUC on Windows.
>
> On the AD/DC I then ran wbinfo to verify the uid/gid:
>
> root at mail:~ # wbinfo -i shay
> HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false
>
> Then I added that user to the AD/DC /etc/passwd for reasons mentioned above. Here is the
> actual command line still in root's bash command history:
>
> useradd -c "Susan Hay" -d /home/HPRS/shay -g 10000 -m -s /bin/bash -u 10010 shay
>
> I did not get the "useradd: user 'shay' already exists" message you got.
>
> My getent:
>
> root at mail:~ # getent passwd shay
> shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash
>
> Running getent on this user from a domain member (where that user IS NOT in any local passwd file):
>
> mfoley at labrat:~ $ getent passwd shay
> shay:*:10010:10000:Susan Hay:/home/shay:/bin/sh
>
>> Still think it is a good idea having your users in /etc/passwd & AD ?
>>
>> You don't need to anyway, Dovecot can use the mail or userPrincipalName
>> attributes.
> The reason I think I need to (and I could be mistaken) is for my sendmail MTA to deliver
> incoming mail to /home/HPRS/username/Maildir. To my knowledge, sendmail cannot otherwise
> determine user or destination mail directories. Perhaps other MTAs can get this info from
> Samba4, but I don't think sendmail can.
>
>>> All domain members, Windows or Linux, authenticate users with their AD credentials just fine.
>>>
>>> What I did do with AD users and did not do with the AD dovecot user is create their /etc/passwd
>>> entry with the same UID:GID as the AD account. So, for the dovecot user I could have:
>> You do need the local Unix users in AD then, just give them a
>> 'uidNumber' attribute.
> Not sure, but are you agreeing that it's OK to have AD users as both AD users and local users?
>
> --Mark
>

No, bit of a typo there :-)

What I am trying to tell you is that you shouldn't have users in AD and /etc/passwd, in fact there is no need to.
The whole point of AD is centralisation of user and group management, you can take your AD user and make it a Unix user by adding RFC2307 attributes to the user's object in AD.

See here for the RFC: https://www.ietf.org/rfc/rfc2307.txt

In your setup you could have a user 'USERA' in AD and on your mail computer you could also have a 'USERA' in /etc/passwd, how do you keep the password for the two users in sync? What happens if the AD user changes their password?

My systems are set up correctly and I cannot create a local Unix user if the user exists in AD, but this doesn't matter, because I do not need to. If I want an AD user to also be a Unix user, I just add the required RFC2307 attributes to the user's object in AD.

If I run this command on a Unix domain member:

rowland at devstation:~$ cat /etc/passwd | grep rowland
rowland at devstation:~$

I get nothing returned, so the user 'rowland' doesn't exist in /etc/passwd, but if I then run this command:

rowland at devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Funny, I seem to have a Unix user called 'rowland', but he doesn't exist in /etc/passwd and if I wanted to use this user with Dovecot, I could.

Rowland
Data Control Systems - Mike Elkevizth
2016-Jul-17 13:35 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
Hi Mark,

I think the reason you did not get the 'user already exists' message when doing a useradd is because your nsswitch file doesn't include winbind on the server you ran it on. My system will give me the same warning as Rowland's gives him with nsswitch set up like this:

passwd: compat winbind
group: compat winbind

My guess is that you had to add the users into /etc/passwd because of your nsswitch file not using winbind. Otherwise your MTA should work fine. Mine does.

I do also have these lines in my smb.conf, but I'm not sure they are necessary for the MTA to work.

winbind enum groups = yes
winbind enum users = yes

Mike E.

On Sun, Jul 17, 2016, 3:34 AM Rowland penny <rpenny at samba.org> wrote:
> [...]
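Mike's nsswitch point is the practical test in this thread: once winbind is listed in nsswitch.conf, the same login name can resolve from two sources, and useradd's collision check (or, on Mark's DC, its absence) is the only thing between you and two accounts sharing a name or a uid. The POSIX shell check below is an added example, not code from the thread, from Samba or from Dovecot. It compares a passwd(5)-format listing of local accounts with a passwd-format listing of the AD accounts winbind exposes, and reports every login present in both plus every uid shared by two differently named users (the case where file ownership resolves to whichever source nsswitch consults first, which is what Rowland's "which user do you get back?" is about). The sample data is constructed from values quoted above (shay with uid 10010, the dovecot package user) plus an assumed mfoley/mark pair; on a real host you would feed it `getent -s files passwd` and `getent -s winbind passwd` instead of the two sample files.

```shell
#!/bin/sh
# Added example, not from the thread: find accounts that exist both as local
# Unix users (/etc/passwd) and as AD users exposed through winbind/NSS, the
# double definition Rowland warns about. Sample data is constructed; on a real
# host feed the function 'getent -s files passwd' and 'getent -s winbind passwd'.

# passwd_collisions LOCAL_FILE AD_FILE
# Both files are in passwd(5) format. Prints one line per clash:
#   name <user> local_uid=<n> ad_uid=<n>   same login name in both sources
#   uid <n> local=<user> ad=<user>         same uid under two different names
passwd_collisions() {
    awk -F: '
        # First file: index local accounts by name and by uid.
        FNR == NR { local_uid[$1] = $3; local_name[$3] = $1; next }
        # Second file: report AD accounts that collide with a local one.
        ($1 in local_uid) {
            printf "name %s local_uid=%s ad_uid=%s\n", $1, local_uid[$1], $3
        }
        ($3 in local_name) && local_name[$3] != $1 {
            printf "uid %s local=%s ad=%s\n", $3, local_name[$3], $1
        }
    ' "$1" "$2"
}

# demo_collisions: run the check over constructed sample data and print the result.
demo_collisions() {
    tmp_local=$(mktemp) && tmp_ad=$(mktemp) || return 1
    # Constructed: a DC's /etc/passwd after AD users were also added with useradd.
    cat > "$tmp_local" <<'EOF'
root:x:0:0:root:/root:/bin/bash
dovecot:x:97:97:Dovecot IMAP server:/var/run/dovecot:/sbin/nologin
mfoley:x:10001:10000:Mark Foley:/home/HPRS/mfoley:/bin/bash
shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
EOF
    # Constructed: the same host's AD users as winbind presents them to NSS.
    cat > "$tmp_ad" <<'EOF'
shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false
dovecot:*:10011:10000:Dovecot service account:/home/HPRS/dovecot:/bin/false
mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
EOF
    passwd_collisions "$tmp_local" "$tmp_ad"
    rc=$?
    rm -f "$tmp_local" "$tmp_ad"
    return $rc
}

demo_collisions
```

On the constructed data this reports shay (same name, same uid in both sources, the harmless-looking case Mark has), dovecot (same name, different uid: the package's system user versus the AD service account Rowland's wiki draft runs into) and uid 10001 held by mfoley locally but by mark in AD. The two-file awk idiom (`FNR == NR` is only true while the first file is being read) keeps the whole check in one pass; an empty report is the state Rowland describes, where a login exists in exactly one source.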
Achim Gottinger
2016-Jul-17 16:50 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On 17.07.2016 at 09:32, Rowland penny wrote:
> [...]

On my production server I use a user called ldap for all the SPNs. It has worked fine with dovecot for Kerberos authentication for two years. So just use something like dovecot-krb and not dovecot, as I recommended to Mark in one of my earlier mails in this thread. It is less confusing that way.
Mark Foley
2016-Jul-20 17:05 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On Sun, 17 Jul 2016 08:32:28 +0100 Rowland penny <rpenny at samba.org> wrote:
> [...]
>
> No, bit of a typo there :-)
>
> What I am trying to tell you is that you shouldn't have users in AD and
> /etc/passwd, in fact there is no need to.
> The whole point of AD is centralisation of user and group management,
> you can take your AD user and make it a Unix user by adding RFC2307
> attributes to the user's object in AD.
>
> See here for the RFC: https://www.ietf.org/rfc/rfc2307.txt

I will absolutely check this out! If I can do what I need without actually adding the user to /etc/passwd, that would be great. I'll post back results.

> In your setup you could have a user 'USERA' in AD and on your mail
> computer you could also have a 'USERA' in /etc/passwd,

Well, that's basically what I have! :) It's just the mail computer *is* the AD/DC.

> how do you keep the password for the two users in sync ? what happens if the AD
> user changes their password ?

They don't need to keep the passwords in sync since the AD password is the only one used for authentication. Users never log onto the AD/DC directly, certainly not at the command line. Users logging into domain members, Linux or Windows, command line or not, use their AD credentials. Their /etc/passwd password on the DC is never involved.

The DC's /etc/passwd entries are used solely for Sendmail/procmail to deliver mail to the user's target email folders.

It's kind of analogous to `samba-tool user create dovecot --random-password`. The idea is simply to create an entry.

Having said that, if the user would need to sync or change their /etc/passwd password I have provided an application for them to do that which uses chpasswd on the AD/DC. This also updates the Apache passwords (if any). This mechanism has not been needed in the 2 years since I created it.

> My systems are set up correctly and I cannot create a local Unix user if
> the user exists in AD, ...

Well, perhaps a later version of Samba adds this check (I have 4.2.12). I really did nothing special to my samba set up. I followed the wiki for the smb.conf exactly. Samba itself came with my distro, no building needed on my part.

> but this doesn't matter, because I do not need to. If I want an AD user to also be a Unix
> user, I just add the required RFC2307 attributes to the user's object in AD.
>
> If I run this command on a Unix domain member:
>
> rowland at devstation:~$ cat /etc/passwd | grep rowland
> rowland at devstation:~$
>
> I get nothing returned, so the user 'rowland' doesn't exist in
> /etc/passwd, but if I then run this command:
>
> rowland at devstation:~$ getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> Funny, I seem to have a Unix user called 'rowland', but he doesn't exist
> in /etc/passwd and if I wanted to use this user with Dovecot, I could.
>
> Rowland

Right, dovecot does not need the /etc/passwd now that I've implemented GSSAPI authentication (it did use it before with the PLAIN auth method). As I said, that entry is there solely for Sendmail/procmail to locate the user's target email folders. If sendmail could AD authenticate I wouldn't need /etc/passwd at all.

I'll definitely check out that RFC2307 to see if that takes care of the sendmail issue and I'll post back my findings.

And before anyone asks ... no, we're not likely to get rid of sendmail any time soon!

--Mark
Mark Foley
2016-Jul-20 17:26 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
Mike, excellent suggestion! I will definitely experiment with that nsswitch change. Rowland also mentioned adding RFC2307 to the AD settings for the user(s). If, as you say, my MTA will find the home directory with the nss winbind setting, that would be fantastic! I would definitely remove the AD users from /etc/passwd.

I don't know if nsswitch.conf settings are now mentioned in the wiki, but they certainly weren't there (that I found) in August, 2014 when I configured my Samba4 AD/DC. If this works, this would be another important thing to put in the wiki.

I did configure a domain member with winbind in the nsswitch.conf, but those settings were explicitly given to me by Rowland last summer, 2015 in our maillist correspondence on single sign on (see past thread, subject contains "Single-Sign-On"). Based on our discussion and my successfully setting up a Linux domain member workstation, that wiki (https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member) does now have the nsswitch.conf info for winbind.

Thanks for the idea. I'll post back results.

--Mark

-----Original Message-----
> From: Data Control Systems - Mike Elkevizth <mike at datacontrolsystems.com>
> Date: Sun, 17 Jul 2016 13:35:27 +0000
> To: Rowland penny <rpenny at samba.org>, samba at lists.samba.org
> Subject: Re: [Samba] How to GSSAPI/Kerberos authenticate with Dovecot
> [formerly Where is krb5.keytab or equivalent?]
>
> Hi Mark,
>
> I think the reason you did not get the 'user already exists' message when
> doing a useradd is because your nsswitch file doesn't include winbind on
> the server you ran it on. My system will give me the same warning as
> Rowland's gives him with nsswitch set up like this:
>
> passwd: compat winbind
> group: compat winbind
>
> My guess is that you had to add the users into /etc/passwd because of your
> nsswitch file not using winbind. Otherwise your MTA should work fine.
> Mine does.
>
> I do also have these lines in my smb.conf, but I'm not sure they are
> necessary for the MTA to work.
>
> winbind enum groups = yes
> winbind enum users = yes
>
> Mike E.
>
> On Sun, Jul 17, 2016, 3:34 AM Rowland penny <rpenny at samba.org> wrote:
> > [...]
Rowland penny
2016-Jul-20 17:35 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On 20/07/16 18:05, Mark Foley wrote:
> On Sun, 17 Jul 2016 08:32:28 +0100 Rowland penny <rpenny at samba.org> wrote:
> I will absolutely check this out! If I can do what I need without actually adding the user to
> /etc/passwd, that would be great. I'll post back results.
>
>> In your setup you could have a user 'USERA' in AD and on your mail
>> computer you could also have a 'USERA' in /etc/passwd,
> Well, that's basically what I have! :) It's just the mail computer *is* the AD/DC.
>
>> how do you keep the password for the two users in sync ? what happens if the AD
>> user changes their password ?
> They don't need to keep the passwords in sync since the AD password is the only one used for
> authentication. Users never log onto the AD/DC directly, certainly not at the command line.
> Users logging into domain members, Linux or Windows, command line or not, use their AD
> credentials. Their /etc/passwd password on the DC is never involved.
>
> The DC's /etc/passwd entries are used solely for Sendmail/procmail to deliver mail to the
> user's target email folders.

OK, here is an idea, you only use /etc/passwd for sendmail/procmail, so don't use sendmail or procmail! What, I hear you say, what do I use instead? Did you know Dovecot can deliver mail to a mailbox?

> It's kind of analogous to `samba-tool user create dovecot --random-password`. The idea is
> simply to create an entry.
>
> Having said that, if the user would need to sync or change their /etc/passwd password I have
> provided an application for them to do that which uses chpasswd on the AD/DC. This also
> updates the Apache passwords (if any). This mechanism has not been needed in the 2 years since
> I created it.

Somebody will sooner or later want to change a password and then, unless you have somewhere to store plain or ssha etc. passwords (which is another point of entry to your systems), you are going to have problems.

>> My systems are set up correctly and I cannot create a local Unix user if
>> the user exists in AD, ...
> Well, perhaps a later version of Samba adds this check (I have 4.2.12). I really did nothing
> special to my samba set up. I followed the wiki for the smb.conf exactly. Samba itself came
> with my distro, no building needed on my part.
>
>> [...]
> Right, dovecot does not need the /etc/passwd now that I've implemented GSSAPI authentication
> (it did use it before with the PLAIN auth method). As I said, that entry is there solely for
> Sendmail/procmail to locate the user's target email folders. If sendmail could AD authenticate
> I wouldn't need /etc/passwd at all.

As you don't really need sendmail, then do you really need /etc/passwd?

> I'll definitely check out that RFC2307 to see if that takes care of the sendmail issue
> and I'll post back my findings.
>
> And before anyone asks ... no, we're not likely to get rid of sendmail any time soon!

Oh you should, you really should, why run another program, when one of the programs you are using can do the same thing.

Rowland