[Samba] Trouble with Kerberos authentication
- Date: Tue, 11 Jul 2017 05:41:45 -0400
- From: Mark Foley via samba <samba@xxxxxxxxxxxxxxx>
- Subject: [Samba] Trouble with Kerberos authentication
I'm not sure whether this is a Dovecot issue or a Samba issue, but as it deals with
authentication I think it's worth trying the samba experts first.
Here's the scenario ...
I have an AD/DC running Samba 4.4.14. I have 3 AD users: mark, sue, dennis. Mark and Dennis
use both Windows 7 and Linux (also running PAM-enabled Samba 4.4.14) domain member
workstations. Sue is Windows 7 only. All are able to log onto the domain using their domain
credentials and all are able to connect to the Dovecot mail server (also running on the AD/DC)
from their workstations using Thunderbird and Kerberos/GSSAPI authentication.
Dovecot authentication is set to auth_mechanisms = plain login gssapi. The first two mechanisms
use /etc/passwd for authentication. The gssapi presumably uses gssapi and kerberos to
authenticate via AD. I believe Dovecot tries these mechanisms in order, left-to-right.
As it turns out, user Dennis also had an entry in /etc/passwd - yes, I know it shouldn't be
there, but it was, although it did have the correct AD user and group IDs. No problem, I
thought, I'll just remove that entry.
However, when I did that, Dennis was no longer able to authenticate from Thunderbird. He
could still log into his Linux workstation. Tbird would give the error
"The Kerberos/GSSAPI ticket was not accepted by the IMAP server ... please check that you are
logged into the Kerberos/GSSAPI realm."
When I put Dennis back in /etc/passwd, with the correct domain password, he is able to
authenticate from Thunderbird again.
I know next to nothing about how kerberos works, but my theory is that Dennis' kerberos
credentials somehow got associated with his /etc/passwd credentials, not his AD credentials and
when the /etc/passwd entry is removed kerberos authentication fails. This is true on both his
Linux and Windows workstations.
I need to fix this so Dennis' AD credentials alone are used for authentication. How can I do
btw, `getent passwd dennis` works just fine from Dennis' Linux workstation.
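As an added example from the editor, not part of the original post or of the Samba or Dovecot projects, here is a Dovecot configuration in the shape the post describes (plain, login and gssapi mechanisms on a server that is also the AD/DC), with comments marking where each mechanism's user lookup happens. The hostname mail.example.com, the realm EXAMPLE.COM and the keytab path are assumptions; substitute your own.

```conf
# Added example (technical editor); not from the original post.
# Assumed values: hostname mail.example.com, realm EXAMPLE.COM,
# keytab /etc/dovecot/dovecot.keytab. Substitute your own.

auth_mechanisms = plain login gssapi

# The IMAP service principal, imap/mail.example.com@EXAMPLE.COM, is read
# from this keytab. On a Samba AD DC it can be written with
#   samba-tool domain exportkeytab /etc/dovecot/dovecot.keytab \
#       --principal=imap/mail.example.com
# The keytab must be readable by the Dovecot auth process and by nobody else.
auth_gssapi_hostname = mail.example.com
auth_krb5_keytab = /etc/dovecot/dovecot.keytab

# plain and login hand the password to passdb. With gssapi the Kerberos
# exchange against the DC takes the place of this password check.
passdb {
  driver = pam
}

# Every mechanism, gssapi included, finishes with a userdb lookup to obtain
# uid, gid and home. driver = passwd means getpwnam(), which consults
# /etc/passwd and then whatever NSS sources /etc/nsswitch.conf lists. For
# an AD-only user that resolution has to succeed through NSS (winbind) on
# the mail server itself, not just on the workstations.
userdb {
  driver = passwd
}
```

With the /etc/passwd entry removed, both `getent passwd dennis` and `doveadm user dennis` run on the mail server should still return the user; `doveadm user` performs exactly the userdb lookup the GSSAPI login ends with, so if it fails there the Kerberos ticket is not what is being rejected.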