[Dovecot] Dovecot 1.0a4 + pam + winbind ?
Stephen Lee
splee at plexio.com
Fri Nov 4 06:20:01 EET 2005
Hi,
I would like dovecot/pop3 to authenticate against a Windows ADS
server. I've got authentication working for Samba and ssh using
pam_winbind.so. Here's what my /etc/pam.d/dovecot file looks
like:
#%PAM-1.0
auth sufficient pam_winbind.so
#auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
account sufficient pam_winbind.so
session required pam_stack.so service=system-auth
session sufficient pam_winbind.so
and this is what a portion of the dovecot.conf file looks like:
auth default {
  # Space separated list of wanted authentication mechanisms:
  #   plain digest-md5 cram-md5 apop anonymous
  mechanisms = plain
  passdb pam {
    args = dovecot
  }
  userdb passwd {
  }
  user = root
}
To get SSH to authenticate against ADS, the user name has to be
prefaced with the domain name like "domain\user1". This is what
I get when I attempt to login to Dovecot via Outlook/pop3 with
the same naming scheme:
Nov 3 20:09:45 server2 dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=192.168.0.3 rip=192.168.0.227 resp=AHZjXGpvYW5uZQBqb2FubmU=
Nov 3 20:09:45 server2 dovecot: auth(default): plain(domain\user1,192.168.0.227): Username contains disallowed characters
Nov 3 20:09:46 server2 dovecot: auth(default): client out: FAIL 1 user=domain\user1
Nov 3 20:09:46 server2 dovecot: pop3-login: Disconnected: user=<domain\user1>, method=PLAIN, rip=192.168.0.227, lip=192.168.0.3
Dovecot does not like the "\" character and I'm not sure
authentication gets past that step to get to the pam phase.
Any experiences and suggestions with Dovecot authentication
against Windows Active Directory?
Thanks,
Stephen
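
An added illustration, not part of the message above and not Dovecot's own code: a Python sketch of how a SASL PLAIN response like the `resp=` value in the log is structured (RFC 4616), and of a username character allowlist applied before any password database is consulted. The allowlist contents, the function names and the check-before-passdb ordering are assumptions chosen to match the "Username contains disallowed characters" log line; the sample credentials are constructed. It also writes its log line without the password, since a `resp=` value is only base64-encoded.

```python
import base64

# Assumed allowlist for this sketch (not taken from the post or from Dovecot's source).
ALLOWED_USERNAME_CHARS = set(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789.-_@"
)


def parse_sasl_plain(resp_b64):
    """Decode a SASL PLAIN response (RFC 4616): authzid NUL authcid NUL passwd."""
    raw = base64.b64decode(resp_b64, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN response")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("empty username or password")
    return authzid, authcid, passwd


def disallowed_chars(username):
    """Return the characters in username that fall outside the allowlist, in order."""
    return [c for c in username if c not in ALLOWED_USERNAME_CHARS]


def check_login(resp_b64):
    """Return (username, verdict, log_line); the password never reaches the log line."""
    _authzid, user, _passwd = parse_sasl_plain(resp_b64)
    bad = disallowed_chars(user)
    verdict = "reject-before-passdb" if bad else "pass-to-passdb"
    log = "user=%s resp=<redacted> verdict=%s bad=%r" % (user, verdict, bad)
    return user, verdict, log


def make_plain(user, password):
    """Build a constructed sample PLAIN response (empty authzid) for the demo."""
    blob = b"\x00" + user.encode() + b"\x00" + password.encode()
    return base64.b64encode(blob).decode()


if __name__ == "__main__":
    # Constructed sample logins; neither comes from the post.
    for u in ("EXAMPLE\\alice", "alice@example.test"):
        print(check_login(make_plain(u, "not-a-real-password"))[2])
```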