On Wednesday, 16 June 2021 at 8:41:20 CEST, Luca Olivetti wrote:
> On 16/6/21 at 0:04, Vladislav Kurz wrote:
> > Hello,
> >
> > I have several working Cyrus installations authenticated against AD, but I
> > do not use LDAP. Instead it authenticates via kerberos. To be more
> > precise: Cyrus/Exim -> Saslauthd -> PAM -> pam_krb5.so -> AD
>
> Is there some advantage using pam_krb5 instead of pam_ldap/pam_winbind
> or "saslauthd -a ldap"?

Easy configuration, just set up /etc/krb5.conf

[libdefaults]
    default_realm = YOURREALM
[realms]
    YOURREALM = {
        kdc = 192.168.x.x
    }

If you set your DNS properly to resolve YOURREALM in DNS, you are fine with
just the [libdefaults] section. Then just check if login works with kinit.
Originally I tried LDAP, and failed too. This worked flawlessly.
> > For distribution groups, aliases and such stuff I use LDAP queries in
> > Exim. But kerberos for authentication
> >
> > Unfortunately kerberos does not give you groups. Maybe you could use
> > winbind and libnss-winbind to get groups from AD to Linux and use them as
> > if they were in /etc/group...
>
> that's what I do, but then I don't have many active users and my DC is
> samba not windows (though that shouldn't matter as long as the mail
> server is joined to the domain).

I did not try pam_winbind. (I do not need groups for mail access.)
If you already have winbind working, surely try pam_winbind.

--
Best Regards
Vladislav Kurz
------------------------------------------
Cyrus: Info
Permalink:
https://cyrus.topicbox.com/groups/info/T1c604a219c5fa805-M9a36295e2c27ba6956064e12
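
An added example, not part of the original message: a small Python check that reads a krb5.conf and reports whether the default realm's KDC comes from an explicit kdc entry or depends on DNS SRV records, which is the case the reply describes for a [libdefaults]-only file. The realm EXAMPLE.TEST and the address 192.0.2.10 are constructed placeholders, and the code assumes MIT krb5 behaviour, where dns_lookup_kdc defaults to true.

```python
import re

# Constructed samples: the layout from the message, with placeholder values.
SAMPLE_EXPLICIT = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
[realms]
    EXAMPLE.TEST = {
        kdc = 192.0.2.10
    }
"""
SAMPLE_DNS_ONLY = "[libdefaults]\n    default_realm = EXAMPLE.TEST\n"

def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: [values] | nested dict}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                             # new top-level section
            stack = [conf.setdefault(m.group(1), {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()                   # end of a "REALM = { ... }" block
        elif "=" in line and stack:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return conf

def kdc_discovery(text):
    """Report how a KDC would be located for the default realm."""
    conf = parse_krb5_conf(text)
    lib = conf.get("libdefaults", {})
    realm = (lib.get("default_realm") or [None])[0]
    result = {"realm": realm, "method": "none", "kdcs": [], "srv": []}
    if realm is None:
        return result
    realm_cfg = conf.get("realms", {}).get(realm, {})
    kdcs = realm_cfg.get("kdc", []) if isinstance(realm_cfg, dict) else []
    if kdcs:                              # explicit kdc entries in [realms]
        return {**result, "method": "explicit", "kdcs": kdcs}
    # Assumption: MIT krb5 default, DNS lookup enabled unless switched off.
    dns = (lib.get("dns_lookup_kdc") or ["true"])[0].lower()
    if dns in ("false", "no", "n", "off", "nil", "0"):
        return result                     # no kdc listed and DNS lookup disabled
    srv = [f"_kerberos._{proto}.{realm}" for proto in ("udp", "tcp")]
    return {**result, "method": "dns-srv", "srv": srv}
```

When the method is dns-srv, the names in srv are the records that must resolve in DNS before kinit can find the domain controller.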