[Dovecot] Samba AD and Dovecot

Jason Gunthorpe jgunthorpe at obsidianresearch.com
Sun Feb 6 03:53:58 EET 2011


On Fri, Feb 04, 2011 at 01:47:31PM -0700, Trever L. Adams wrote:
> > There was a thread a month or so ago on how to do GSSAPI with AD and
> > dovecot kerberos. It works great, and I highly recommend it for AD
> > sites. Check the archives, it isn't really too hard.

> I am not finding this. Do you happen to remember the subject?

No, but it is pretty simple using latest everything (well, Debian
squeeze). Basically from scratch. Notice this also sets up NTLM,
which is supported by many roaming devices (i.e. phones).

1) Put this or similar in /etc/samba/smb.conf

[global]
workgroup = $NT_WORKGROUP$
realm = $REALM$
security = ads
kerberos method = secrets and keytab

2) Confirm that hostname gives an unqualified name and hostname -f
   gives a fully qualified name. Confirm you have DNS set up properly
   (e.g. dig -t SRV _kerberos._udp.$REALM$ works OK)

3) Join the machine to AD

$ net ads join -U 'user with AD privs'

$ kinit AD_USER
$ kvno host/`hostname -f`

4) Setup imap SPN:

$ net ads keytab add imap

$ net ads search cn=`hostname` | grep servicePrincipalName
$ klist -k
$ kvno imap/`hostname -f`

   The last three should report imap/`hostname -f` entries.

5) Set up dovecot.

Set these things in the config

auth_use_winbind = yes

  mechanisms = plain gssapi gss-spnego login ntlm

6) Set up exim.

$ net ads keytab add smtp

Use these in the dovecot config:

  # inside the auth default { ... } section (Dovecot 1.x syntax, as on squeeze)
  socket listen {
    client {
      path = /var/run/dovecot/auth-client
      mode = 0660
      group = Debian-exim
    }
  }

And this at the end of the exim.conf:

dovecot_plain:
    driver = dovecot
    public_name = PLAIN
    server_socket = /var/run/dovecot/auth-client
    server_set_id=PLAIN-${quote:$auth1}

dovecot_ntlm:
    driver = dovecot
    public_name = NTLM
    server_socket = /var/run/dovecot/auth-client
    server_set_id=NTLM-${quote:$auth1}

dovecot_gssapi:
    driver = dovecot
    public_name = GSSAPI
    server_socket = /var/run/dovecot/auth-client
    server_set_id=GSSAPI-${quote:$auth1}

dovecot_gssapi_spnego:
    driver = dovecot
    public_name = GSS-SPNEGO
    server_socket = /var/run/dovecot/auth-client
    server_set_id=GSS-SPNEGO-${quote:$auth1}

7) Setup openssh

in sshd_config

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes

Jason
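The checks in steps 2, 4 and 6 above (unqualified hostname vs. FQDN, and the host/, imap/ and smtp/ principals showing up in `klist -k`) are easy to script, so here is an added example, not from Jason's post or from the Samba/Dovecot projects, that runs them against captured output. The host name mail.example.test, the realm EXAMPLE.TEST and the klist listing are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the original post: offline sanity checks for step 2
# (hostname/FQDN) and steps 4/6 (service principals present in the keytab).
# mail.example.test, EXAMPLE.TEST and the listing below are constructed.

# Step 2: `hostname` must be unqualified and `hostname -f` must be that name
# plus a domain. On a real box: check_hostnames "$(hostname)" "$(hostname -f)"
check_hostnames() {
    short=$1
    fqdn=$2
    case $short in
        ''|*.*) return 1 ;;       # empty or already qualified: misconfigured
    esac
    case $fqdn in
        "$short".?*) return 0 ;;  # e.g. mail.example.test
    esac
    return 1
}

# Steps 4 and 6: read a `klist -k` listing on stdin and print the expected
# services whose SPN for the FQDN is absent; return 0 only if none is missing.
# On a real box: klist -k | missing_spns "$(hostname -f)" host imap smtp
missing_spns() {
    fqdn=$1; shift
    listing=$(cat)
    # escape dots so grep -E matches the FQDN literally
    fqdn_re=$(printf '%s' "$fqdn" | sed 's/\./\\./g')
    missing=
    for svc in "$@"; do
        # klist -k lines look like "   2 imap/mail.example.test@EXAMPLE.TEST"
        if ! printf '%s\n' "$listing" | grep -Eq "[[:space:]]$svc/$fqdn_re@"; then
            missing="$missing $svc"
        fi
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample in the format MIT `klist -k` prints (placeholder values).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/mail.example.test@EXAMPLE.TEST
   2 HOST/MAIL@EXAMPLE.TEST
   2 imap/mail.example.test@EXAMPLE.TEST'

# Run against the sample: smtp is deliberately absent, as it would be before
# step 6 (`net ads keytab add smtp`) has been done.
check_hostnames mail mail.example.test && echo "hostnames: ok"
printf '%s\n' "$SAMPLE_KLIST" | missing_spns mail.example.test host imap smtp \
    || echo "^ missing services; add each with: net ads keytab add <service>"
```

Running this prints `hostnames: ok`, then `smtp` and the hint, which is exactly the state between steps 4 and 6 of the walkthrough; once `net ads keytab add smtp` has been run, the real `klist -k` piped into `missing_spns` should print an empty line and return 0.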

