[Dovecot] Samba AD and Dovecot
Jason Gunthorpe
jgunthorpe at obsidianresearch.com
Sun Feb 6 03:53:58 EET 2011
On Fri, Feb 04, 2011 at 01:47:31PM -0700, Trever L. Adams wrote:
> > There was a thread a month or so ago on how to do GSSAPI with AD and
> > dovecot kerberos. It works great, and I highly recommend it for AD
> > sites. Check the archives, it isn't really too hard.
> I am not finding this. Do you happen to remember the subject?
No, but it is pretty simple using latest everything (well, Debian
squeeze). Basically from scratch. Notice this also sets up NTLM,
which is supported by many roaming devices (i.e. phones).
1) Put this or similar in /etc/samba/smb.conf

   [global]
       workgroup = $NT_WORKGROUP$
       realm = $REALM$
       security = ads
       kerberos method = secrets and keytab
2) Confirm that hostname gives an unqualified name and hostname -f
gives a fully qualified name. Confirm you have DNS set up properly
(e.g. dig -t SRV _kerberos._udp.$REALM$ works OK).
3) Join the machine to AD

   $ net ads join -U 'user with AD privs'
   $ kinit AD_USER
   $ kvno host/`hostname -f`
4) Set up the imap SPN:

   $ net ads keytab add imap
   $ net ads search cn=`hostname` | grep servicePrincipalName
   $ klist -k
   $ kvno imap/`hostname -f`

The last three should report imap/`hostname -f` entries.
5) Set up dovecot.

Set these things in the config:

   auth_use_winbind = yes
   mechanisms = plain gssapi gss-spnego login ntlm
6) Set up exim.

   $ net ads keytab add smtp

Use these in the dovecot config:

   # Dovecot 1.x syntax (Debian squeeze); this goes inside the
   # auth default { } section. The stray closing brace in the original
   # closed this socket listen { } block.
   socket listen {
     client {
       path = /var/run/dovecot/auth-client
       mode = 0660
       group = Debian-exim
     }
   }
And this at the end of the exim.conf:

   dovecot_plain:
     driver = dovecot
     public_name = PLAIN
     server_socket = /var/run/dovecot/auth-client
     server_set_id = PLAIN-${quote:$auth1}

   dovecot_ntlm:
     driver = dovecot
     public_name = NTLM
     server_socket = /var/run/dovecot/auth-client
     server_set_id = NTLM-${quote:$auth1}

   dovecot_gssapi:
     driver = dovecot
     public_name = GSSAPI
     server_socket = /var/run/dovecot/auth-client
     server_set_id = GSSAPI-${quote:$auth1}

   dovecot_gssapi_spnego:
     driver = dovecot
     public_name = GSS-SPNEGO
     server_socket = /var/run/dovecot/auth-client
     server_set_id = GSS-SPNEGO-${quote:$auth1}
7) Set up openssh

In sshd_config:

   GSSAPIAuthentication yes
   GSSAPICleanupCredentials yes
   GSSAPIStrictAcceptorCheck yes
Jason
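The checks in steps 2 and 4 of the post above (hostname vs. hostname -f, and the host/imap/smtp principals actually landing in the keytab) are the ones that most often go wrong and leave GSSAPI silently failing. The script below is an added example, not part of Jason's post or of Samba/Dovecot; it puts those checks into functions that take command output as arguments, so they can be exercised offline against a constructed klist -k listing. The host mail.example.com, the realm EXAMPLE.COM and the sample listing are made-up placeholders; live_check runs the same checks against the real hostname and klist output on a joined machine.

```shell
#!/bin/sh
# Added example (not from the original post): checks for steps 2 and 4,
# written as functions that take command output as arguments so they can
# be run against constructed sample text offline. Host, realm and the
# keytab listing below are made-up placeholders.

# Constructed sample of what `klist -k` prints on a joined host after
# `net ads keytab add imap` and `net ads keytab add smtp`.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/mail.example.com@EXAMPLE.COM
   2 HOST/mail.example.com@EXAMPLE.COM
   2 imap/mail.example.com@EXAMPLE.COM
   2 smtp/mail.example.com@EXAMPLE.COM
   2 MAIL$@EXAMPLE.COM'

# hostname_ok SHORT FQDN: step 2 wants `hostname` unqualified and
# `hostname -f` fully qualified, with the same first label.
hostname_ok() {
  short=$1
  fq=$2
  case $short in *.*) return 1 ;; esac      # short name must not contain dots
  case $fq in *.*) ;; *) return 1 ;; esac   # FQDN must contain at least one dot
  [ "${fq%%.*}" = "$short" ]
}

# missing_spns KLIST_OUTPUT FQDN REALM SERVICE...: prints each SERVICE that
# has no SERVICE/FQDN@REALM entry in the keytab listing; returns 1 if any
# is missing, 0 if all are present.
missing_spns() {
  klist_out=$1
  fqdn=$2
  realm=$3
  shift 3
  # escape dots so they match literally in the grep pattern
  suffix=$(printf '%s' "$fqdn@$realm" | sed 's/\./\\./g')
  rc=0
  for svc in "$@"; do
    if ! printf '%s\n' "$klist_out" | grep -q "[[:space:]]${svc}/${suffix}\$"; then
      echo "$svc"
      rc=1
    fi
  done
  return $rc
}

# live_check REALM: the same checks against the running host (needs a joined
# machine and klist from krb5-user); not run automatically here.
live_check() {
  realm=$1
  fqdn=$(hostname -f)
  hostname_ok "$(hostname)" "$fqdn" || { echo "hostname / hostname -f mismatch"; return 1; }
  missing_spns "$(klist -k)" "$fqdn" "$realm" host imap smtp
}

# Offline demonstration on the constructed sample.
if missing=$(missing_spns "$SAMPLE_KLIST" mail.example.com EXAMPLE.COM host imap smtp); then
  echo "keytab OK: host, imap and smtp SPNs present"
else
  echo "keytab is missing SPNs for: $missing"
fi
```

Run it as `sh check-spns.sh` for the offline demonstration, or source it and call `live_check EXAMPLE.COM` on the joined host; a non-empty list from missing_spns means the corresponding `net ads keytab add` (or the earlier join) did not populate /etc/krb5.keytab, which is exactly the state in which Dovecot's gssapi mechanism fails while plain/ntlm keep working.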