similar to: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi <aki.tuomi at dovecot.fi> wrote: > > http://wiki2.dovecot.org/Authentication/Kerberos > > It has been now updated. Excellent! That was quick! Although, you used my actual local domain in your example: mail.hprs.local. Not that I care, no one can get to that, but it might be clearer to those of us who uncomprehendingly monkey-type

On 07/04/2016 03:30 AM, Mark Foley wrote: > Actually, I see that you used host.domain.name further down. That's a good substitute for mail.hprs.local. > > Also, not to be a literary critic, but it might not hurt to show an example keytab beneath your > "Make sure your keytab has entry for ...". Just in case people don't exactly know how to "make sure: > > $

Am 04.07.2016 um 01:34 schrieb Mark Foley: > After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with > Samba4 AD/DC, I believe I've finally got it! Infinite thanks to Achim Gottinger for his > patience in working this through with me. Although my purpose was for Dovecot to authenticate > mail clients, the configuration settings needed were on

On 04/07/16 21:21, Mark Foley wrote: >> To: samba at lists.samba.org >> From: Achim Gottinger <achim at ag-web.biz> >> Date: Mon, 4 Jul 2016 09:29:02 +0200 >> Subject: Re: [Samba] How to GSSAPI/Kerberos authenticate with Dovecot >> >> Am 04.07.2016 um 01:34 schrieb Mark Foley: >>> After a nearly 2-year struggle to get Dovecot to do either NTLM or

On 04/07/16 00:34, Mark Foley wrote: > After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with > Samba4 AD/DC, I believe I've finally got it! Infinite thanks to Achim Gottinger for his > patience in working this through with me. Although my purpose was for Dovecot to authenticate > mail clients, the configuration settings needed were on the

> To: samba at lists.samba.org > From: Achim Gottinger <achim at ag-web.biz> > Date: Mon, 4 Jul 2016 09:29:02 +0200 > Subject: Re: [Samba] How to GSSAPI/Kerberos authenticate with Dovecot > > Am 04.07.2016 um 01:34 schrieb Mark Foley: > > After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with > > Samba4 AD/DC, I believe

> To: samba at lists.samba.org > From: Rowland penny <rpenny at samba.org> > Date: Mon, 4 Jul 2016 21:43:46 +0100 > Subject: Re: [Samba] How to GSSAPI/Kerberos authenticate with Dovecot > [formerly Where is krb5.keytab or equivalent?] > > On 04/07/16 21:21, Mark Foley wrote: > >> To: samba at lists.samba.org > >> From: Achim Gottinger <achim at

On Mon, 4 Jul 2016 08:18:11 +0100 Rowland penny <rpenny at samba.org> wrote: > The problem is that Samba doesn't recommend using the DC as a fileserver > etc This is why it isn't mentioned, Well, I don't see that the DC is being used as an actual file server simply by hosting an email server. There is no share defined in smb.conf to accomodate this. Furthermore, I

After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with Samba4 AD/DC, I believe I've finally got it! Infinite thanks to Achim Gottinger for his patience in working this through with me. Although my purpose was for Dovecot to authenticate mail clients, the configuration settings needed were on the Samba side. I hope these instructions can eventually make

Hi, On 27-06-2016 08:58, Mark Foley wrote: > So, I'm apparently lacking in the kerberos stuff. Here's the problem -- Samba4 uses Heimdal > Kerberos and when I provisioned my domain apparently none of these needed kerberos files were > set up. I can, however, kerberos authenticate from domain workstations both WIN7 and Linux. You don't need any Samba4 stuff, to get it

> Date: Thu, 21 Jul 2016 08:56:54 +0100 > From: Rowland penny <rpenny at samba.org> > On 21/07/16 06:08, Mark Foley wrote: > > OK! I deleted the /etc/passwd entry for user mark and I modified my /etc/nsswitch.conf to: > > > > passwd: compat winbind > > group: compat winbind > > > > I couldn't get sendmail working with this at first -- I

Thanks Mike. I'll investigate ssd although it shouldn't be too hard to have sendmail rewrite the userID to remove the domain. I'm investigating this now and will post results. --Mark -----Original Message----- > From: Data Control Systems - Mike Elkevizth <mike at datacontrolsystems.com> > Date: Thu, 21 Jul 2016 12:30:19 -0400 > Subject: Re: [Samba] sendmail getting

> On Jun 28, 2016, at 10:32 PM, Mark Foley <mfoley at ohprs.org> wrote: > > Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I > don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is > delivered successfully to the other domain users having PLAIN authentication. That's a

On Sat, 16 Jul 2016 19:39:21 +0100 Rowland penny <rpenny at samba.org> wrote: > > On 16/07/16 19:09, Mark Foley wrote: > > On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> wrote: > > [lots of extraneous stuff deleted] > >>> > >>> > >> OK, just an update on the new wiki page for Dovecot, I started to write >

The last log line shows "user=<>". This indicates no credentials were presented. If the rip field matches the client ip you tested from, I would bet the appropriate kerberos ticket (imap/host.domain.tld at REALM) was not pulled for the authentication. On Jun 28, 2016 11:33 PM, "Mark Foley" <mfoley at ohprs.org> wrote: > Aki - partial success! I rebuilt my

OK! I deleted the /etc/passwd entry for user mark and I modified my /etc/nsswitch.conf to: passwd: compat winbind group: compat winbind I couldn't get sendmail working with this at first -- I didn't know what to [re]start to get the new nsswitch config to take, so I rebooted. Probably I just had to restart sendmail, but oh well. And, it started working ... sort of. Email to that user

Hi Mark, I think the reason you did not get the 'user already exists' message when doing a useradd is because your nsswitch file doesn't include winbind on the server you ran it on. My system will give me the same warning as Rowland's gives him with nsswitch setup like this: passwd: compat winbind group: compat winbind My guess is that you had to add the users into /etc/passwd

On 21/07/16 06:08, Mark Foley wrote: > OK! I deleted the /etc/passwd entry for user mark and I modified my /etc/nsswitch.conf to: > > passwd: compat winbind > group: compat winbind > > I couldn't get sendmail working with this at first -- I didn't know what to [re]start to get > the new nsswitch config to take, so I rebooted. Probably I just had to restart sendmail,

On Sun, 17 Jul 2016 08:32:28 +0100 Rowland penny <rpenny at samba.org> wrote: > On 17/07/16 07:12, Mark Foley wrote: > > On Sat, 16 Jul 2016 19:39:21 +0100 Rowland penny <rpenny at samba.org> wrote: > >> On 16/07/16 19:09, Mark Foley wrote: > >>> On Sat, 16 Jul 2016 08:28:14 +0100 Rowland penny <rpenny at samba.org> wrote: > >>> > >

On 14/07/16 21:52, Andrew Bartlett wrote: > On Thu, 2016-07-14 at 16:20 +0100, Rowland penny wrote: > >> I don't think the problem is with mentioning 'Dovecot', it is with >> using >> the DC for anything other than authentication. >> >> Reading the Dovecot wiki page, creating the user & SPN on the DC is >> okay, but once you start exporting