Authenticating Dovecot against Active Directory

From SambaWiki

Kerberos Authentication

If you need Dovecot to authenticate from AD with Kerberos, the following is a tested way of doing this. It does however rely on the Kerberos client tools being installed on the machine running Dovecot. On Debian,this would be the krb5-user, krb5-config and libpam-krb5 packages. You also need to check that the version of Dovecot you use was compiled with GSSAPI.


Note: the following names are used in this document:

SAMDOM.EXAMPLE.COM : the uppercase realm name
host.samdom.example.com : the FQDN of the computer running dovecot

You will need to change these to match your setup.


Check /etc/krb5.conf

You need to ensure that /etc/krb5.conf exists, if you are using your distros packages, it will normally be created for you. If you have compiled Samba yourself, you will have to create it yourself or symlink it from the Samba private directory (normally /usr/local/samba/private). Which ever method is used, /etc/krb5.conf only needs to contain these lines:

[libdefaults]
   default_realm = SAMDOM.EXAMPLE.COM
   dns_lookup_realm = false
   dns_lookup_kdc = true


Create the Dovecot user and keytab

You will need a user in AD for Dovecot to connect to Active Directory. Create the user, with a random password, using 'samba-tool'

samba-tool user create --random-password dovecotuser
User 'dovecotuser' created successfully


To stop the new users password expiring, run this

samba-tool user setexpiry --noexpiry dovecotuser
Expiry for user 'dovecotuser' disabled.


You now need to add the required SPN to your new user 'dovecotuser' and then export the required keytab

samba-tool spn add imap/host.samdom.example.com dovecotuser
samba-tool domain exportkeytab --principal imap/host.samdom.example.com /root/dovecot.keytab


Check the contents of the keytab with ktutil

ktutil
ktutil:  rkt /root/dovecot.keytab 
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 imap/host.samdom.example.com@SAMDOM.EXAMPLE.COM
   2    1 imap/host.samdom.example.com@SAMDOM.EXAMPLE.COM
   3    1 imap/host.samdom.example.com@SAMDOM.EXAMPLE.COM
ktutil:  q


Transfer the /root/dovecot.keytab to the machine running Dovecot, Dovecot expects to find its keys in the hosts keytab, but you can use another path using the auth_krb5_keytab configuration entry in dovecot.conf. Place the keytab into /etc/dovecot and then change its group and permissions.

chgrp dovecot /etc/dovecot/dovecot.keytab
chmod g+r /etc/dovecot/dovecot.keytab


Example dovecot.conf configuration

auth_gssapi_hostname = "$ALL"
auth_mechanisms = gssapi
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/vmail/%u
}

Note: Mail wil be stored in /var/vmail/$username with uid and gid set to 'vmail'