[Dovecot] Samba4 Active Directory and Doveadm

Trever L. Adams trever.adams at gmail.com
Fri Oct 15 16:17:27 EEST 2010


On 10/15/2010 06:22 AM, Timo Sirainen wrote:
> On Fri, 2010-10-15 at 06:14 -0600, Trever L. Adams wrote:
>
>> Is there some global option like mail_location for homedirectory? That
>> is one I am not finding with google or with grep in the configuration.
> That's exactly what the mail_home is. I don't know why it wouldn't work
> for you.
My apologies, I misread it as mail_location. I have fixed this. Thank you.
mail_home = /home/vmail/%d/%n
mail_location = maildir:~/Maildir
>>
>> I have done this as well. The problem with removing all of this is I use
>> Dovecot's deliver (LDA). It needs a way of finding which users do and do
>> not exist. Is there a better way to do this?
> Assuming you're not using auth_bind=yes with ldap, LDA can check the
> user's existence by doing a passdb lookup instead.
Fantastic. I am not. Postfix is validating user existence. I read
somewhere I can turn off Dovecot LDA validation, but now I am unable to
find the page.
>> The only problem that is there is this: I need doveadm expunge -A. This
>> is where I am having the problem. I guess this doesn't use the user_
>> stuff. It uses the iterate_attrs right?
> Right.
>
>>> Oct 15 05:48:06 TeaSet dovecot: master: Error: service(auth-worker): child 16375 killed with signal 11 (core dumps disabled)
> Can you get a gdb backtrace? First enable core dumps with "ulimit -c
> unlimited" and once you have core file see
> http://dovecot.org/bugreport.html
I am not sure this is necessary. The problem seems to be in this
dovecot: auth: Debug: ldap(?): result: sAMAccountName(?unknown?)=

I get that for all fields in the AD. It looks like I am going to have to
do a bind of some kind. I am having a heck of a time doing this. As I
said, I am learning ldap as I am doing this. Samba4 (it seems) and
Windows AD servers themselves do SASL authentication, but I am having a
hard time getting this to work.

If you wouldn't mind helping there:

dn = CN=SMTP-SERVICE-PRINCIPAL-USER,CN=Users,DC=example,DC=org
dnpass = correct password
sasl_bind = yes
sasl_mech = gssapi
sasl_realm = EXAMPLE.ORG

So, the user is the same as is in the AD for the service principal
smtp/host. So, it already has a ticket. The rest of the ldap file is
pretty much the same as before (with the modifications we have been
talking about).

With that I get:
 auth: Error: LDAP: binding failed (dn
CN=SMTP-SERVICE-PRINCIPAL-USER,CN=Users,DC=example,DC=org): Local error,
SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied
(Cannot determine realm for numeric host address)

I am thinking I should add gss-spnego to the mech, but haven't done so.

> Also:
>
>> iterate_attrs = uid=samaccountname
> this should be:
>
> iterate_attrs = samaccountname=user
Yes, that is working MUCH better. Still the problem with empty fields
mentioned above is the killer.

Thank you,
Trever
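Added example, not part of the thread and not Dovecot's own code: a small checker for the two problems the message describes. It reads a dovecot-ldap.conf-style fragment and flags a GSSAPI SASL bind whose LDAP server is given as a bare IP address (GSSAPI has to build an ldap/<hostname>@REALM service principal, which is why the "Cannot determine realm for numeric host address" error appears), checks that iterate_attrs maps the LDAP attribute onto the user field as Timo's correction shows, and scans auth debug log lines for attributes that came back empty, as in the sAMAccountName(?unknown?)= line above. The hosts and uris config keys are assumed from Dovecot's LDAP configuration; the sample config and log lines are constructed for the example.

```python
"""Lint a Dovecot LDAP config fragment and its auth debug log (added example)."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample config, modelled on the fragment in the thread.
# The bare IP in "hosts" is the assumed cause of the GSSAPI realm error.
SAMPLE_CONF = """
hosts = 192.0.2.10
dn = CN=SMTP-SERVICE-PRINCIPAL-USER,CN=Users,DC=example,DC=org
dnpass = correct password
sasl_bind = yes
sasl_mech = gssapi
sasl_realm = EXAMPLE.ORG
iterate_attrs = samaccountname=user
"""

# Constructed sample auth debug lines, modelled on the one quoted in the thread.
SAMPLE_LOG = """
Oct 15 05:48:06 TeaSet dovecot: auth: Debug: ldap(?): result: sAMAccountName(?unknown?)=
Oct 15 05:48:06 TeaSet dovecot: auth: Debug: ldap(?): result: homeDirectory(?unknown?)=
Oct 15 05:48:07 TeaSet dovecot: auth: Debug: ldap(jdoe): result: sAMAccountName(user)=jdoe
"""

# Matches "ldap(<user>): result: <attr>(<dovecot field>)=<value>" (assumed layout).
RESULT_RE = re.compile(
    r"auth: Debug: ldap\((?P<user>[^)]*)\): result: "
    r"(?P<attr>\w+)\((?P<field>[^)]*)\)=(?P<value>.*)$"
)


def parse_conf(text):
    """Parse 'key = value' lines into a dict; blank lines and comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def _is_numeric_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _hostnames(conf):
    """Collect server names from 'hosts' (host[:port]) and 'uris' (ldap://...)."""
    names = []
    for h in conf.get("hosts", "").split():
        names.append(h.rsplit(":", 1)[0] if h.count(":") == 1 else h)
    for u in conf.get("uris", "").split():
        parsed = urlparse(u)
        if parsed.hostname:
            names.append(parsed.hostname)
    return names


def check_conf(conf):
    """Return a list of human-readable findings for the parsed config."""
    findings = []
    if conf.get("sasl_bind") == "yes" and conf.get("sasl_mech", "").lower() == "gssapi":
        for host in _hostnames(conf):
            if _is_numeric_host(host):
                findings.append(
                    f"gssapi bind to numeric host {host}: use the server's FQDN so the "
                    "ldap/<fqdn>@REALM principal can be determined"
                )
        if not conf.get("sasl_realm"):
            findings.append("sasl_mech = gssapi without sasl_realm")
    # iterate_attrs must map the LDAP attribute onto Dovecot's "user" field.
    for pair in conf.get("iterate_attrs", "").split(","):
        pair = pair.strip()
        if pair and pair.split("=", 1)[-1] != "user":
            findings.append(f"iterate_attrs: '{pair}' should be <ldapattr>=user")
    return findings


def empty_results(log_text):
    """Return (user, attribute) pairs whose LDAP result value was empty."""
    empties = []
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m and m.group("value") == "":
            empties.append((m.group("user"), m.group("attr")))
    return empties


if __name__ == "__main__":
    for finding in check_conf(parse_conf(SAMPLE_CONF)):
        print("config:", finding)
    for user, attr in empty_results(SAMPLE_LOG):
        print(f"log: empty attribute {attr} for user {user!r}")
```

Run it as-is to see the constructed samples flagged; point parse_conf and empty_results at your own dovecot-ldap.conf.ext and auth debug log to check a real setup.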
