[Dovecot] Dovecot 1.0a4 + pam + winbind ?
Pasi Sjoholm ptsjohol at cc.jyu.fi
Fri Nov  4 10:45:23 EET 2005

On Thu, 3 Nov 2005, Stephen Lee wrote:
> I would like dovecot/pop3 to authenticate against a Windows ADS
> server. I've got authentication working for Samba and ssh using
> pam_winbind.so. Here's what my /etc/pam.d/dovecot file looks
> like:
>
> #%PAM-1.0
> auth       sufficient   pam_winbind.so
> #auth       required     pam_nologin.so
> auth       required     pam_stack.so service=system-auth
> account    required     pam_stack.so service=system-auth
> account    sufficient   pam_winbind.so
> session    required     pam_stack.so service=system-auth
> session    sufficient   pam_winbind.so

I have it like this. If you want to create the user's home directory
automatically, you should add the pam_mkhomedir directive.

#%PAM-1.0
auth       required    pam_stack.so service=system-auth
auth       required    pam_winbind.so
account    required    pam_stack.so service=system-auth
account    required    pam_winbind.so
session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0077
session    required    pam_stack.so service=system-auth

> and this is what a portion of the dovecot.conf file looks like:
>
> auth default {
>   # Space separated list of wanted authentication mechanisms:
>   #   plain digest-md5 cram-md5 apop anonymous
>   mechanisms = plain
>   passdb pam {
>     args = dovecot
>   }

Add the -session arg if you want pam_mkhomedir to work.

> To get SSH to authenticate against ADS, the user name has to be
> prefaced with the domain name like "domain\user1". This is what
> I get when I attempt to login to Dovecot via Outlook/pop3 with
> the same naming scheme:
> Dovecot does not like the "\" character and I'm not sure
> authentication gets past that step to get to the pam phase.

You could make it use the default domain automatically, and then you don't
need the domain part for the username.

smb.conf:
winbind separator = +
winbind use default domain = yes
workgroup = YOURDOMAIN

> Any experiences and suggestions with Dovecot authentication
> against Windows Active Directory?

Yep, I have had it running for a couple of years by now.

-- 
Pasi Sjöholm
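
Added example, not part of the original message or of Dovecot: a simplified model of how Linux-PAM's required, requisite and sufficient control flags decide the auth lines of the two /etc/pam.d/dovecot files quoted above. The result of "pam_stack.so service=system-auth" is treated as a single input, because the thread does not show that file; the optional flag and bracketed control syntax are not modeled.

```python
from itertools import product

# Auth lines copied from the two /etc/pam.d/dovecot files in the thread.
QUESTION_STACK = """\
#%PAM-1.0
auth       sufficient   pam_winbind.so
#auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
"""
REPLY_STACK = """\
#%PAM-1.0
auth       required    pam_stack.so service=system-auth
auth       required    pam_winbind.so
"""

def parse(text, group="auth"):
    """Return [(control, module)] for one management group, skipping comments."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == group:
            rules.append((fields[1], fields[2]))
    return rules

def evaluate(rules, outcome):
    """Simplified Linux-PAM flag handling (required, requisite, sufficient only).
    outcome maps module name -> True (module succeeds) or False (it fails)."""
    failed = succeeded = False
    for control, module in rules:
        ok = outcome[module]
        if control == "sufficient":
            if ok and not failed:
                return True          # short-circuit: later modules never run
            continue                 # failure of a sufficient module is ignored
        if ok:
            succeeded = True
        else:
            failed = True
            if control == "requisite":
                return False         # fail immediately
    return succeeded and not failed

def accepted(text):
    """Set of (winbind_ok, system_auth_ok) pairs for which the auth stack passes."""
    rules = parse(text)
    return {(w, s) for w, s in product([True, False], repeat=2)
            if evaluate(rules, {"pam_winbind.so": w, "pam_stack.so": s})}

if __name__ == "__main__":
    print("question:", sorted(accepted(QUESTION_STACK)))
    print("reply:   ", sorted(accepted(REPLY_STACK)))
```

Under this model the stack from the question passes when either module succeeds, while the stack from the reply passes only when both do, so what system-auth returns for a domain user decides the outcome there.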
    
    