[Dovecot] Successful experience with auth_winbind module
Dmitry Butskoy
buc at odusz.so-cdu.ru
Fri Nov 2 16:46:31 EET 2007
Hi,

Recently the support of Samba's ntlm_auth helper was added to
dovecot-auth (mech-winbind.c etc.). It is already in 1.1, the patch for
1.0 is here: http://dovecot.org/patches/1.0/dovecot-1.0.3-winbind.patch
It allows auth against an NT or AD domain.

I would like to inform all that we have successfully used this new feature
for 2 months with ~300 users 24x7 (an energy power company). No
failures at all!

This feature allows specifying the "SPA" (Secure Password Authentication)
option in OE, and avoiding explicit user passwords in mail accounts.

Some random notes:

- In the mixed environment (both plain and ntlm methods in use), you
  have to specify:

      mechanisms = plain ntlm login

  i.e. "ntlm" before "login". When sending mails, OE just catches the first
  one seen and tries to use it, even if you specify to use SPA in the mail
  account preferences.

- It seems that MS Outlook requires a password to be specified even when
  SPA is in effect.

- When OE has several identities, and one of the identities has SPA for
  SMTP set (outgoing mail), it wins over all other identities.

- "The Bat" mailer supports NTLM for reading, not sending, and requires
  a password too.

Regards,
Dmitry Butskoy
http://www.fedoraproject.org/wiki/DmitryButskoy

P.S. We use NTLM only, GSS-SPNEGO is still not tested.