Rowland penny
2016-Jul-17 07:32 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On 17/07/16 07:12, Mark Foley wrote:> On Sat, 16 Jul 2016 19:39:21 +0100 Rowland penny <rpenny at samba.org> wrote: >> On 16/07/16 19:09, Mark Foley wrote: >>> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> wrote: >>> > [lots of extraneous stuff deleted] > >>>>> >>>> OK, just an update on the new wiki page for Dovecot, I started to write >>>> it and realised there is a potential problem. >>>> >>>> The user created in AD is called 'dovecot' and the Dovecot packages also >>>> want to create a user called 'dovecot' in /etc/passwd, they cannot both >>>> exist. >>> Actually, yes they can. *ALL* my domain users are also in /etc/passwd because I use sendmail >>> and procmail as MTA to deliver mail to the appropriate Maildir folders (as defined in >>> /etc/passwd for home directories) and I use /etc/shadow as Dovecot's passdb for non-domain mail >>> clients such as iPhone and Outlook (the latter simply because I haven't figured out NTML >>> authentication for Outlook yet). >> Then, when you run 'getent passwd userA' which user do you get back ? >> and have you tried creating a new local Unix user lately if that user >> exists in AD already ? >> >> User 'rowland' is in AD: >> >> root at devstation:/home/rowland/dovecot# getent passwd rowland >> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash >> >> If the 'root' user tries to create a local Unix user called 'rowland' >> >> root at devstation:/home/rowland/dovecot# useradd rowland >> useradd: user 'rowland' already exists > Just yesterday I added a new AD user 'shay' via RSAT ADUC on Windows. > > On the AD/DC I then ran wbinfo to verify the uid/gid: > > root at mail:~ # wbinfo -i shay > HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false > > Then I added that user to the AD/DC /etc/passwd for reasons mentioned above. Here is the > actual command line still in root's bash command history: > > useradd -c "Susan Hay" -d /home/HPRS/shay -g 10000 -m -s /bin/bash -u 10010 shay > > I did not get the "useradd: user 'shay' already exists" message you got. > > My getent: > > root at mail:~ # getent passwd shay > shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash > > Running getent on this user from a domain member (where that user IS NOT in any local passwd file): > > mfoley at labrat:~ $ getent passwd shay > shay:*:10010:10000:Susan Hay:/home/shay:/bin/sh > >> Still think it is a good idea having your users in /etc/passwd & AD ? >> >> You don't need to anyway, Dovecot can use the mail or userPrincipalName >> attributes. > The reason I think I need to (and I could be mistaken) is for my sendmail MTA to deliver > incoming mail to /home/HPRS/username/Maildir. To my knowledge, sendmail cannot otherwise > determine user or destination mail directories. Perhaps other MTAs can get this info from > Samba4, but I don't think sendmail can. > >>> All domain members, Windows or Linux, authenticate users with their AD credentials just fine. >>> >>> What I did do with AD users and did not do with the AD dovecot user is create their /etc/passwd >>> entry with the same UID:GID as the AD account. So, for the dovecot user I could have: >> You do need the local Unix users in AD then, just give them a >> 'uidNumber' attribute. > Not sure, but are you agreeing that it's OK to have AD users as both AD users and local users? > > --Mark >No, bit of a typo there :-) What I am trying to tell you is that you shouldn't have users in AD and /etc/passwd, in fact there is no need to. The whole point of AD is centralisation of user and group management, you can take your AD user and make it a Unix user by adding RFC2307 attributes to the users object in AD. See here for the RFC: https://www.ietf.org/rfc/rfc2307.txt In your setup you could have a user 'USERA' in AD and on your mail computer you could also have a 'USERA' in /etc/passwd, how do you keep the password for the two users in sync ? what happens if the AD user changes their password ? My systems are setup correctly and I cannot create a local Unix user if the user exists in AD, but this doesn't matter, because I do not need to. If I want an AD user to also be a Unix user, I just add the required RFC2307 attributes to the users object in AD. If I run this command on a Unix domain member: rowland at devstation:~$ cat /etc/passwd | grep rowland rowland at devstation:~$ I get nothing returned, so the user 'rowland' doesn't exist in /etc/passwd, but if I then run this command: rowland at devstation:~$ getent passwd rowland rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash Funny, I seem to have a Unix user called 'rowland', but he doesn't exist in /etc/passwd and if I wanted to use this user with Dovecot, I could. Rowland
Data Control Systems - Mike Elkevizth
2016-Jul-17 13:35 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
Hi Mark, I think the reason you did not get the 'user already exists' message when doing a useradd is because your nsswitch file doesn't include winbind on the server you ran it on. My system will give me the same warning as Rowland's gives him with nsswitch setup like this: passwd: compat winbind group: compat winbind My guess is that you had to add the users into /etc/passwd because of your nsswitch file not using winbind. Otherwise your MTA should work fine. Mine does. I do also have these lines in my smb.conf, but I'm not sure they are necessary for the MTA to work. winbind enum groups = yes winbind enum users = yes Mike E. On Sun, Jul 17, 2016, 3:34 AM Rowland penny <rpenny at samba.org> wrote:> On 17/07/16 07:12, Mark Foley wrote: > > On Sat, 16 Jul 2016 19:39:21 +0100 Rowland penny <rpenny at samba.org> > wrote: > >> On 16/07/16 19:09, Mark Foley wrote: > >>> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> > wrote: > >>> > > [lots of extraneous stuff deleted] > > > >>>>> > >>>> OK, just an update on the new wiki page for Dovecot, I started to > write > >>>> it and realised there is a potential problem. > >>>> > >>>> The user created in AD is called 'dovecot' and the Dovecot packages > also > >>>> want to create a user called 'dovecot' in /etc/passwd, they cannot > both > >>>> exist. > >>> Actually, yes they can. *ALL* my domain users are also in /etc/passwd > because I use sendmail > >>> and procmail as MTA to deliver mail to the appropriate Maildir folders > (as defined in > >>> /etc/passwd for home directories) and I use /etc/shadow as Dovecot's > passdb for non-domain mail > >>> clients such as iPhone and Outlook (the latter simply because I > haven't figured out NTML > >>> authentication for Outlook yet). > >> Then, when you run 'getent passwd userA' which user do you get back ? > >> and have you tried creating a new local Unix user lately if that user > >> exists in AD already ? > >> > >> User 'rowland' is in AD: > >> > >> root at devstation:/home/rowland/dovecot# getent passwd rowland > >> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash > >> > >> If the 'root' user tries to create a local Unix user called 'rowland' > >> > >> root at devstation:/home/rowland/dovecot# useradd rowland > >> useradd: user 'rowland' already exists > > Just yesterday I added a new AD user 'shay' via RSAT ADUC on Windows. > > > > On the AD/DC I then ran wbinfo to verify the uid/gid: > > > > root at mail:~ # wbinfo -i shay > > HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false > > > > Then I added that user to the AD/DC /etc/passwd for reasons mentioned > above. Here is the > > actual command line still in root's bash command history: > > > > useradd -c "Susan Hay" -d /home/HPRS/shay -g 10000 -m -s /bin/bash -u > 10010 shay > > > > I did not get the "useradd: user 'shay' already exists" message you got. > > > > My getent: > > > > root at mail:~ # getent passwd shay > > shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash > > > > Running getent on this user from a domain member (where that user IS NOT > in any local passwd file): > > > > mfoley at labrat:~ $ getent passwd shay > > shay:*:10010:10000:Susan Hay:/home/shay:/bin/sh > > > >> Still think it is a good idea having your users in /etc/passwd & AD ? > >> > >> You don't need to anyway, Dovecot can use the mail or userPrincipalName > >> attributes. > > The reason I think I need to (and I could be mistaken) is for my > sendmail MTA to deliver > > incoming mail to /home/HPRS/username/Maildir. To my knowledge, sendmail > cannot otherwise > > determine user or destination mail directories. Perhaps other MTAs can > get this info from > > Samba4, but I don't think sendmail can. > > > >>> All domain members, Windows or Linux, authenticate users with their AD > credentials just fine. > >>> > >>> What I did do with AD users and did not do with the AD dovecot user is > create their /etc/passwd > >>> entry with the same UID:GID as the AD account. So, for the dovecot > user I could have: > >> You do need the local Unix users in AD then, just give them a > >> 'uidNumber' attribute. > > Not sure, but are you agreeing that it's OK to have AD users as both AD > users and local users? > > > > --Mark > > > > No, bit of a typo there :-) > > What I am trying to tell you is that you shouldn't have users in AD and > /etc/passwd, in fact there is no need to. > The whole point of AD is centralisation of user and group management, > you can take your AD user and make it a Unix user by adding RFC2307 > attributes to the users object in AD. > > See here for the RFC: https://www.ietf.org/rfc/rfc2307.txt > > In your setup you could have a user 'USERA' in AD and on your mail > computer you could also have a 'USERA' in /etc/passwd, how do you keep > the password for the two users in sync ? what happens if the AD user > changes their password ? > > My systems are setup correctly and I cannot create a local Unix user if > the user exists in AD, but this doesn't matter, because I do not need > to. If I want an AD user to also be a Unix user, I just add the required > RFC2307 attributes to the users object in AD. > > If I run this command on a Unix domain member: > > rowland at devstation:~$ cat /etc/passwd | grep rowland > rowland at devstation:~$ > > I get nothing returned, so the user 'rowland' doesn't exist in > /etc/passwd, but if I then run this command: > > rowland at devstation:~$ getent passwd rowland > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash > > Funny, I seem to have a Unix user called 'rowland', but he doesn't exist > in /etc/passwd and if I wanted to use this user with Dovecot, I could. > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Achim Gottinger
2016-Jul-17 16:50 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
Am 17.07.2016 um 09:32 schrieb Rowland penny:> On 17/07/16 07:12, Mark Foley wrote: >> On Sat, 16 Jul 2016 19:39:21 +0100 Rowland penny <rpenny at samba.org> >> wrote: >>> On 16/07/16 19:09, Mark Foley wrote: >>>> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> >>>> wrote: >>>> >> [lots of extraneous stuff deleted] >> >>>>>> >>>>> OK, just an update on the new wiki page for Dovecot, I started to >>>>> write >>>>> it and realised there is a potential problem. >>>>> >>>>> The user created in AD is called 'dovecot' and the Dovecot >>>>> packages also >>>>> want to create a user called 'dovecot' in /etc/passwd, they cannot >>>>> both >>>>> exist. >>>> Actually, yes they can. *ALL* my domain users are also in >>>> /etc/passwd because I use sendmail >>>> and procmail as MTA to deliver mail to the appropriate Maildir >>>> folders (as defined in >>>> /etc/passwd for home directories) and I use /etc/shadow as >>>> Dovecot's passdb for non-domain mail >>>> clients such as iPhone and Outlook (the latter simply because I >>>> haven't figured out NTML >>>> authentication for Outlook yet). >>> Then, when you run 'getent passwd userA' which user do you get back ? >>> and have you tried creating a new local Unix user lately if that user >>> exists in AD already ? >>> >>> User 'rowland' is in AD: >>> >>> root at devstation:/home/rowland/dovecot# getent passwd rowland >>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash >>> >>> If the 'root' user tries to create a local Unix user called 'rowland' >>> >>> root at devstation:/home/rowland/dovecot# useradd rowland >>> useradd: user 'rowland' already exists >> Just yesterday I added a new AD user 'shay' via RSAT ADUC on Windows. >> >> On the AD/DC I then ran wbinfo to verify the uid/gid: >> >> root at mail:~ # wbinfo -i shay >> HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false >> >> Then I added that user to the AD/DC /etc/passwd for reasons mentioned >> above. Here is the >> actual command line still in root's bash command history: >> >> useradd -c "Susan Hay" -d /home/HPRS/shay -g 10000 -m -s /bin/bash -u >> 10010 shay >> >> I did not get the "useradd: user 'shay' already exists" message you got. >> >> My getent: >> >> root at mail:~ # getent passwd shay >> shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash >> >> Running getent on this user from a domain member (where that user IS >> NOT in any local passwd file): >> >> mfoley at labrat:~ $ getent passwd shay >> shay:*:10010:10000:Susan Hay:/home/shay:/bin/sh >> >>> Still think it is a good idea having your users in /etc/passwd & AD ? >>> >>> You don't need to anyway, Dovecot can use the mail or userPrincipalName >>> attributes. >> The reason I think I need to (and I could be mistaken) is for my >> sendmail MTA to deliver >> incoming mail to /home/HPRS/username/Maildir. To my knowledge, >> sendmail cannot otherwise >> determine user or destination mail directories. Perhaps other MTAs >> can get this info from >> Samba4, but I don't think sendmail can. >> >>>> All domain members, Windows or Linux, authenticate users with their >>>> AD credentials just fine. >>>> >>>> What I did do with AD users and did not do with the AD dovecot user >>>> is create their /etc/passwd >>>> entry with the same UID:GID as the AD account. So, for the dovecot >>>> user I could have: >>> You do need the local Unix users in AD then, just give them a >>> 'uidNumber' attribute. >> Not sure, but are you agreeing that it's OK to have AD users as both >> AD users and local users? >> >> --Mark >> > > No, bit of a typo there :-) > > What I am trying to tell you is that you shouldn't have users in AD > and /etc/passwd, in fact there is no need to. > The whole point of AD is centralisation of user and group management, > you can take your AD user and make it a Unix user by adding RFC2307 > attributes to the users object in AD. > > See here for the RFC: https://www.ietf.org/rfc/rfc2307.txt > > In your setup you could have a user 'USERA' in AD and on your mail > computer you could also have a 'USERA' in /etc/passwd, how do you keep > the password for the two users in sync ? what happens if the AD user > changes their password ? > > My systems are setup correctly and I cannot create a local Unix user > if the user exists in AD, but this doesn't matter, because I do not > need to. If I want an AD user to also be a Unix user, I just add the > required RFC2307 attributes to the users object in AD. > > If I run this command on a Unix domain member: > > rowland at devstation:~$ cat /etc/passwd | grep rowland > rowland at devstation:~$ > > I get nothing returned, so the user 'rowland' doesn't exist in > /etc/passwd, but if I then run this command: > > rowland at devstation:~$ getent passwd rowland > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash > > Funny, I seem to have a Unix user called 'rowland', but he doesn't > exist in /etc/passwd and if I wanted to use this user with Dovecot, I > could. > > Rowland >On my production server i use an user calle ldap for all the spn's. It works fine with dovecot for kerberos authentification since two years. So just use something like dovecot-krb and not dovecot as i recommended mark in one of my eralier mails in this thread. It i sless confusing that way.
Mark Foley
2016-Jul-20 17:05 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On Sun, 17 Jul 2016 08:32:28 +0100 Rowland penny <rpenny at samba.org> wrote:> On 17/07/16 07:12, Mark Foley wrote: > > On Sat, 16 Jul 2016 19:39:21 +0100 Rowland penny <rpenny at samba.org> wrote: > >> On 16/07/16 19:09, Mark Foley wrote: > >>> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> wrote: > >>> > > [lots of extraneous stuff deleted] > > > >>>>> > >>>> OK, just an update on the new wiki page for Dovecot, I started to write > >>>> it and realised there is a potential problem. > >>>> > >>>> The user created in AD is called 'dovecot' and the Dovecot packages also > >>>> want to create a user called 'dovecot' in /etc/passwd, they cannot both > >>>> exist. > >>> Actually, yes they can. *ALL* my domain users are also in /etc/passwd because I use sendmail > >>> and procmail as MTA to deliver mail to the appropriate Maildir folders (as defined in > >>> /etc/passwd for home directories) and I use /etc/shadow as Dovecot's passdb for non-domain mail > >>> clients such as iPhone and Outlook (the latter simply because I haven't figured out NTML > >>> authentication for Outlook yet). > >> Then, when you run 'getent passwd userA' which user do you get back ? > >> and have you tried creating a new local Unix user lately if that user > >> exists in AD already ? > >> > >> User 'rowland' is in AD: > >> > >> root at devstation:/home/rowland/dovecot# getent passwd rowland > >> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash > >> > >> If the 'root' user tries to create a local Unix user called 'rowland' > >> > >> root at devstation:/home/rowland/dovecot# useradd rowland > >> useradd: user 'rowland' already exists > > Just yesterday I added a new AD user 'shay' via RSAT ADUC on Windows. > > > > On the AD/DC I then ran wbinfo to verify the uid/gid: > > > > root at mail:~ # wbinfo -i shay > > HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false > > > > Then I added that user to the AD/DC /etc/passwd for reasons mentioned above. Here is the > > actual command line still in root's bash command history: > > > > useradd -c "Susan Hay" -d /home/HPRS/shay -g 10000 -m -s /bin/bash -u 10010 shay > > > > I did not get the "useradd: user 'shay' already exists" message you got. > > > > My getent: > > > > root at mail:~ # getent passwd shay > > shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash > > > > Running getent on this user from a domain member (where that user IS NOT in any local passwd file): > > > > mfoley at labrat:~ $ getent passwd shay > > shay:*:10010:10000:Susan Hay:/home/shay:/bin/sh > > > >> Still think it is a good idea having your users in /etc/passwd & AD ? > >> > >> You don't need to anyway, Dovecot can use the mail or userPrincipalName > >> attributes. > > The reason I think I need to (and I could be mistaken) is for my sendmail MTA to deliver > > incoming mail to /home/HPRS/username/Maildir. To my knowledge, sendmail cannot otherwise > > determine user or destination mail directories. Perhaps other MTAs can get this info from > > Samba4, but I don't think sendmail can. > > > >>> All domain members, Windows or Linux, authenticate users with their AD credentials just fine. > >>> > >>> What I did do with AD users and did not do with the AD dovecot user is create their /etc/passwd > >>> entry with the same UID:GID as the AD account. So, for the dovecot user I could have: > >> You do need the local Unix users in AD then, just give them a > >> 'uidNumber' attribute. > > Not sure, but are you agreeing that it's OK to have AD users as both AD users and local users? > > > > --Mark > > > > No, bit of a typo there :-) > > What I am trying to tell you is that you shouldn't have users in AD and > /etc/passwd, in fact there is no need to. > The whole point of AD is centralisation of user and group management, > you can take your AD user and make it a Unix user by adding RFC2307 > attributes to the users object in AD. > > See here for the RFC: https://www.ietf.org/rfc/rfc2307.txtI will absolutely check this out! If I can do what I need without actually adding the user to /etc/passwd, that would be great. I'll post back results.> In your setup you could have a user 'USERA' in AD and on your mail > computer you could also have a 'USERA' in /etc/passwd,Well, that's basically what I have! :) It's just the mail computer *is* the AD/DC.> how do you keep the password for the two users in sync ? what happens if the AD > user changes their password ?They don't need to keep the passwords in sync since the AD password is the only one used for authentication. Users never log onto the AD/DC directly, certainly not at the command line. User logging into domain members, Linux or Windows, command line or not, use their AD credentials. Their /etc/passwd password on the DC in never involved. The DC's /etc/password entries are used solely for Sendmail/procmail to deliver mail to the user's target email folders. It's kind of analogous to `samba-tool user create dovecot --ramdom-password`. The idea is simply to create an entry. Having said that, if the user would need to sync or change their /etc/passwd password I have provided an application for them to do that which uses chpasswd on the AD/DC. This also updates the Apache passwords (if any). This mechanism has not been needed in the 2 years since I created it.> My systems are setup correctly and I cannot create a local Unix user if > the user exists in AD, ...Well, perhaps a later version of Samba adds this check (I have 4.2.12). I really did nothing special to my samba set up. I followed the wiki for the smb.conf exactly. Samba itself came with my distro, no building needed on my part.> but this doesn't matter, because I do not need to. If I want an AD user to also be a Unix > user, I just add the required RFC2307 attributes to the users object in AD. > > If I run this command on a Unix domain member: > > rowland at devstation:~$ cat /etc/passwd | grep rowland > rowland at devstation:~$ > > I get nothing returned, so the user 'rowland' doesn't exist in > /etc/passwd, but if I then run this command: > > rowland at devstation:~$ getent passwd rowland > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash > > Funny, I seem to have a Unix user called 'rowland', but he doesn't exist > in /etc/passwd and if I wanted to use this user with Dovecot, I could. > > RowlandRight, dovecot does not need the /etc/passwd now that I've implemented gssapi authentication (it did use it before with the PLAIN auth method). As I said, that entry is there soley for Sendmail/procmail to locate the user's target email folders. If sendmail could AD authenticate I wouldn't need /etc/passwd at all. I'll definately check out that RFC2307 to see if that would takes care of the sendmail issue and I'll post back my findings. And before anyone asks ... no, we're not likely to get rid of sendmail any time soon! --Mark
Mark Foley
2016-Jul-20 17:26 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
Mike, excellent suggestion! I will definitely experiment with that nsswitch change. Rowland also mentioned adding RFC2307 to the AD settings for the user(s). If, as you say, my MTA will find the home directory with the nss windbind setting, that would be fantastic! I would definitely removed the AD users from /etc/passwd. I don't know if nsswitch.conf settings are now mentioned in the wiki, but they certainly weren't there (that I found) in August, 2014 when I configured my Samba4 AD/DC. If this works, this would be another important thing to put in the wiki. I did configure a domain member with winbind in the nsswitch.conf, but those settings were explicitly given to me by Rowland last summer, 2015 in our maillist correspondence on single sign on (see past thread, subject contains "Single-Sign-On". Based on our discussion and my successfully setting up a Linux domain member workstation, that wiki (https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member) does now have the nsswitch.conf info for winbind. Thanks for the idea. I'll post back results. --Mark -----Original Message-----> From: Data Control Systems - Mike Elkevizth <mike at datacontrolsystems.com> > Date: Sun, 17 Jul 2016 13:35:27 +0000 > To: Rowland penny <rpenny at samba.org>, samba at lists.samba.org > Subject: Re: [Samba] How to GSSAPI/Kerberos authenticate with Dovecot > [formerly Where is krb5.keytab or equivalent?] > > Hi Mark, > > I think the reason you did not get the 'user already exists' message when > doing a useradd is because your nsswitch file doesn't include winbind on > the server you ran it on. My system will give me the same warning as > Rowland's gives him with nsswitch setup like this: > > passwd: compat winbind > group: compat winbind > > My guess is that you had to add the users into /etc/passwd because of your > nsswitch file not using winbind. Otherwise your MTA should work fine. > Mine does. > > I do also have these lines in my smb.conf, but I'm not sure they are > necessary for the MTA to work. > > winbind enum groups = yes > winbind enum users = yes > > Mike E. > > On Sun, Jul 17, 2016, 3:34 AM Rowland penny <rpenny at samba.org> wrote: > > > On 17/07/16 07:12, Mark Foley wrote: > > > On Sat, 16 Jul 2016 19:39:21 +0100 Rowland penny <rpenny at samba.org> > > wrote: > > >> On 16/07/16 19:09, Mark Foley wrote: > > >>> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> > > wrote: > > >>> > > > [lots of extraneous stuff deleted] > > > > > >>>>> > > >>>> OK, just an update on the new wiki page for Dovecot, I started to > > write > > >>>> it and realised there is a potential problem. > > >>>> > > >>>> The user created in AD is called 'dovecot' and the Dovecot packages > > also > > >>>> want to create a user called 'dovecot' in /etc/passwd, they cannot > > both > > >>>> exist. > > >>> Actually, yes they can. *ALL* my domain users are also in /etc/passwd > > because I use sendmail > > >>> and procmail as MTA to deliver mail to the appropriate Maildir folders > > (as defined in > > >>> /etc/passwd for home directories) and I use /etc/shadow as Dovecot's > > passdb for non-domain mail > > >>> clients such as iPhone and Outlook (the latter simply because I > > haven't figured out NTML > > >>> authentication for Outlook yet). > > >> Then, when you run 'getent passwd userA' which user do you get back ? > > >> and have you tried creating a new local Unix user lately if that user > > >> exists in AD already ? > > >> > > >> User 'rowland' is in AD: > > >> > > >> root at devstation:/home/rowland/dovecot# getent passwd rowland > > >> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash > > >> > > >> If the 'root' user tries to create a local Unix user called 'rowland' > > >> > > >> root at devstation:/home/rowland/dovecot# useradd rowland > > >> useradd: user 'rowland' already exists > > > Just yesterday I added a new AD user 'shay' via RSAT ADUC on Windows. > > > > > > On the AD/DC I then ran wbinfo to verify the uid/gid: > > > > > > root at mail:~ # wbinfo -i shay > > > HPRS\shay:*:10010:10000:Susan Hay:/home/HPRS/shay:/bin/false > > > > > > Then I added that user to the AD/DC /etc/passwd for reasons mentioned > > above. Here is the > > > actual command line still in root's bash command history: > > > > > > useradd -c "Susan Hay" -d /home/HPRS/shay -g 10000 -m -s /bin/bash -u > > 10010 shay > > > > > > I did not get the "useradd: user 'shay' already exists" message you got. > > > > > > My getent: > > > > > > root at mail:~ # getent passwd shay > > > shay:x:10010:10000:Susan Hay:/home/HPRS/shay:/bin/bash > > > > > > Running getent on this user from a domain member (where that user IS NOT > > in any local passwd file): > > > > > > mfoley at labrat:~ $ getent passwd shay > > > shay:*:10010:10000:Susan Hay:/home/shay:/bin/sh > > > > > >> Still think it is a good idea having your users in /etc/passwd & AD ? > > >> > > >> You don't need to anyway, Dovecot can use the mail or userPrincipalName > > >> attributes. > > > The reason I think I need to (and I could be mistaken) is for my > > sendmail MTA to deliver > > > incoming mail to /home/HPRS/username/Maildir. To my knowledge, sendmail > > cannot otherwise > > > determine user or destination mail directories. Perhaps other MTAs can > > get this info from > > > Samba4, but I don't think sendmail can. > > > > > >>> All domain members, Windows or Linux, authenticate users with their AD > > credentials just fine. > > >>> > > >>> What I did do with AD users and did not do with the AD dovecot user is > > create their /etc/passwd > > >>> entry with the same UID:GID as the AD account. So, for the dovecot > > user I could have: > > >> You do need the local Unix users in AD then, just give them a > > >> 'uidNumber' attribute. > > > Not sure, but are you agreeing that it's OK to have AD users as both AD > > users and local users? > > > > > > --Mark > > > > > > > No, bit of a typo there :-) > > > > What I am trying to tell you is that you shouldn't have users in AD and > > /etc/passwd, in fact there is no need to. > > The whole point of AD is centralisation of user and group management, > > you can take your AD user and make it a Unix user by adding RFC2307 > > attributes to the users object in AD. > > > > See here for the RFC: https://www.ietf.org/rfc/rfc2307.txt > > > > In your setup you could have a user 'USERA' in AD and on your mail > > computer you could also have a 'USERA' in /etc/passwd, how do you keep > > the password for the two users in sync ? what happens if the AD user > > changes their password ? > > > > My systems are setup correctly and I cannot create a local Unix user if > > the user exists in AD, but this doesn't matter, because I do not need > > to. If I want an AD user to also be a Unix user, I just add the required > > RFC2307 attributes to the users object in AD. > > > > If I run this command on a Unix domain member: > > > > rowland at devstation:~$ cat /etc/passwd | grep rowland > > rowland at devstation:~$ > > > > I get nothing returned, so the user 'rowland' doesn't exist in > > /etc/passwd, but if I then run this command: > > > > rowland at devstation:~$ getent passwd rowland > > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash > > > > Funny, I seem to have a Unix user called 'rowland', but he doesn't exist > > in /etc/passwd and if I wanted to use this user with Dovecot, I could. > > > > Rowland > > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Rowland penny
2016-Jul-20 17:35 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On 20/07/16 18:05, Mark Foley wrote:> On Sun, 17 Jul 2016 08:32:28 +0100 Rowland penny <rpenny at samba.org> wrote: > I will absolutely check this out! If I can do what I need without actually adding the user to > /etc/passwd, that would be great. I'll post back results. > >> In your setup you could have a user 'USERA' in AD and on your mail >> computer you could also have a 'USERA' in /etc/passwd, > Well, that's basically what I have! :) It's just the mail computer *is* the AD/DC. > >> how do you keep the password for the two users in sync ? what happens if the AD >> user changes their password ? > They don't need to keep the passwords in sync since the AD password is the only one used for > authentication. Users never log onto the AD/DC directly, certainly not at the command line. > User logging into domain members, Linux or Windows, command line or not, use their AD > credentials. Their /etc/passwd password on the DC in never involved. > > The DC's /etc/password entries are used solely for Sendmail/procmail to deliver mail to the > user's target email folders.OK, here is an idea, you only use /etc/passwd for sendmail/procmail, so don't use sendmail or procmail ! What, I hear you say, what do I use instead ? Did you know Dovecot can deliver mail to a mailbox ?> > It's kind of analogous to `samba-tool user create dovecot --ramdom-password`. The idea is > simply to create an entry. > > Having said that, if the user would need to sync or change their /etc/passwd password I have > provided an application for them to do that which uses chpasswd on the AD/DC. This also > updates the Apache passwords (if any). This mechanism has not been needed in the 2 years since > I created it.Somebody will sooner or later want to change a password and then unless you have somewhere to store plain or ssha etc passwords (which is another point of entry to your systems), you are going to have problems.>> My systems are setup correctly and I cannot create a local Unix user if >> the user exists in AD, ... > Well, perhaps a later version of Samba adds this check (I have 4.2.12). I really did nothing > special to my samba set up. I followed the wiki for the smb.conf exactly. Samba itself came > with my distro, no building needed on my part. > >> but this doesn't matter, because I do not need to. If I want an AD user to also be a Unix >> user, I just add the required RFC2307 attributes to the users object in AD. >> >> If I run this command on a Unix domain member: >> >> rowland at devstation:~$ cat /etc/passwd | grep rowland >> rowland at devstation:~$ >> >> I get nothing returned, so the user 'rowland' doesn't exist in >> /etc/passwd, but if I then run this command: >> >> rowland at devstation:~$ getent passwd rowland >> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash >> >> Funny, I seem to have a Unix user called 'rowland', but he doesn't exist >> in /etc/passwd and if I wanted to use this user with Dovecot, I could. >> >> Rowland > Right, dovecot does not need the /etc/passwd now that I've implemented gssapi authentication > (it did use it before with the PLAIN auth method). As I said, that entry is there soley for > Sendmail/procmail to locate the user's target email folders. If sendmail could AD authenticate > I wouldn't need /etc/passwd at all.As you don't really need sendmail, then do you really need /etc/passwd.> > I'll definately check out that RFC2307 to see if that would takes care of the sendmail issue > and I'll post back my findings. > > And before anyone asks ... no, we're not likely to get rid of sendmail any time soon!Oh you should, you really should, why run another program, when one of the programs you are using can do the same thing. Rowland
Possibly Parallel Threads
- How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
- How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
- sendmail getting domain\user as email userId [formerly: How to GSSAPI/Kerberos authenticate with Dovecot]
- How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
- How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]