How to "Windows Authenticate"

Rick Romero rick at havokmon.com
Mon Sep 7 01:00:11 UTC 2015


  Hmm.  I would expect to see 'mark at hprs.com'.  Whatever your full domain
name is.

It also won't look up /etc/shadow - Samba is doing the AD->Unix UID
mapping.  Your AD users shouldn't be in there when all is said and done. 
Well, at least when I did a Samba4 install as a DC it still behaved like a Samba3
member, and there were no AD users in the local unix passwd files.

What does wbinfo -u provide?  It should list all your users - especially
because it's a DC.  Whatever wbinfo -u shows, you may need to adjust
another config file to match what Dovecot is receiving.

I assume /etc/nsswitch.conf has been modified to use Samba?

Sorry I haven't done this, but it doesn't seem like anyone else has either
- so I'm just shooting in the dark here trying to get you steered in the
right direction...

Rick

Quoting Mark Foley <mfoley at ohprs.org>:

> More info ...
>
> My dovecot error log shows:
>
> Sep 05 16:45:19 auth: Debug: client in: AUTH    1       NTLM    service=imap
> Sep 05 16:45:19 auth: Debug: client passdb out: OK      1       user=mark at hprs  original_user=mark at HPRS
> Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713       10219   1       f56352c207cb8f6dea4d264b2c0f8dc1        session_pid=10220       request_auth_token
> Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark at hprs,192.168.0.58): lookup
> Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark at hprs,192.168.0.58): unknown user
> Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND        998899713
>
> whereas the successful 'plain login' config'ed mechanism (before adding NTLM
> config) have:
>
> Sep 06 20:27:38 auth-worker(18616): Debug: shadow(mark,104.6.249.210): lookup
>
> The failed ntlm look-up is looking up user mark at hprs in shadow, which it
> doesn't find. Is there a way to strip the "@hprs" bit from the user so it can
> find the correct entry in /etc/shadow? That might fix the problem.
>
> --Mark
>
> -----Original Message-----
> From: Mark Foley <mfoley at ohprs.org>
> Date: Sat, 05 Sep 2015 17:12:50 -0400
> To: dovecot at dovecot.org
> Subject: Re: How to "Windows Authenticate"
>
> Rick et al,
>
> The link you gave was a start, but is targeted for Samba3 and is assuming a
> probably Windows [SBS]Server AD/DC separate from the DC hosting dovecot, and
> includes setting up kerberos.
>
> I'm using a Samba4 AD/DC with integrated kerberos (so I don't think there is any
> setup I can do there).  Nevertheless I've followed the instructions otherwise;
> specifically adding to 10-auto.conf the following recommended lines:
>
> auth_use_winbind = yes
> auth_winbind_helper_path = /usr/bin/ntlm_auth
> mechanisms = plain ntlm login
>
> (Before, my 'mechanisms' were only plain and login). /usr/bin/ntlm_auth has
> global r/w privilege.
>
> I did not specify the static userdb since these users are configured in
> /etc/passwd and I thought that would work; example given in link (could that be
> an issue?):
>
> userdb static {
>   args= uid=501 gid=501 home=/home/vmail/%1Ln/%Ln
>   mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln
>   allow_all_users=yes
> }
>
> This didn't work. Also, existing, working Outlook connections using 'logon'
> (i.e. the userID and PW are configured in Outlook) stopped working.
>
> I changed a test Outlook client to check the 'Request login using Secure
> Password Authentication (SPA)' and also checked: More Settings > Outgoing Server
> > 'My outgoing server (SMTP) requires authentication' and 'Use same settings as
> my incoming mail server'.  Note that on the "Change Account" dialog (where the
> SPA checkbox is) the 'User Name' and 'Password' retained their values and were
> not grayed out as I would have expected if using AD authentication.
>
> After doing the above and clicking 'Test Account Settings' I was re-prompted to
> enter a password - also not expected. At bottom are the Dovecot log messages I
> received after doing the 'Test Account Settings'.
>
> Surely, connecting from an Outlook client to Dovecot on a Samba4 AD/DC should be
> a very common implementation. Has someone done this successfully?
>
> Immediately below is my doveconf -n and below that the dovecot log messages.
>
>> doveconf -n
>
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_mechanisms = plain ntlm login
> auth_use_winbind = yes
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
> driver = shadow
> }
> protocols = imap
> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> userdb {
> driver = passwd
> }
> verbose_ssl = yes
>
> dovecot log after doing 'Test Account Settings' in Outlook:
>
> Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep 05 16:45:19 auth: Debug: auth client connected (pid=10219)
> Sep 05 16:45:19 auth: Debug: client in: AUTH        1        NTLM        service=imap        session=HXssGAYf0ADAqAA6        lip=192.168.0.2        rip=192.168.0.58        lport=143        rport=52944
> Sep 05 16:45:19 auth: Debug: client passdb out: CONT        1
> Sep 05 16:45:19 auth: Debug: client passdb out: OK        1        user=mark at hprs        original_user=mark at HPRS
> Sep 05 16:45:19 auth: Debug: master in: REQUEST        998899713        10219        1        f56352c207cb8f6dea4d264b2c0f8dc1        session_pid=10220        request_auth_token
> Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark at hprs,192.168.0.58): lookup
> Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark at hprs,192.168.0.58): unknown user
> Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND        998899713
> Sep 05 16:45:19 imap-login: Info: Internal login failure (pid=10219 id=1) (internal failure, 1 successful auths): user=<mark at hprs>, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=10220, session=<HXssGAYf0ADAqAA6>
> Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep 05 16:46:22 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> Sep 05 16:46:22 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
> Sep 05 16:46:22 auth: Debug: auth client connected (pid=13487)
> Sep 05 16:46:22 auth: Debug: client in: AUTH        1        NTLM        service=imap        session=IlvqGwYf0wDAqAA6        lip=192.168.0.2        rip=192.168.0.58        lport=143        rport=52947
> Sep 05 16:46:22 auth: Debug: client passdb out: OK        1        user=mark at hprs        original_user=mark at HPRS
> Sep 05 16:46:22 auth: Debug: master in: REQUEST        3030384641        13487        1        bac5f6531f9d4c3316f93bd4c4a63ddd        session_pid=13491        request_auth_token
> Sep 05 16:46:22 auth-worker(13492): Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> Sep 05 16:46:22 auth-worker(13492): Debug: shadow(mark at hprs,192.168.0.58): lookup
> Sep 05 16:46:22 auth-worker(13492): Info: shadow(mark at hprs,192.168.0.58): unknown user
> Sep 05 16:46:22 auth: Debug: master userdb out: NOTFOUND        3030384641
> Sep 05 16:46:22 imap-login: Info: Internal login failure (pid=13487 id=1) (internal failure, 1 successful auths): user=<mark at hprs>, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=13491, session=<IlvqGwYf0wDAqAA6>
>
> Thanks --Mark
>
> -----Original Message-----
>> Date: Thu, 03 Sep 2015 06:53:19 -0500
>> From: Rick Romero <rick at havokmon.com>
>> To: dovecot at dovecot.org
>> Subject: Re: How to "Windows Authenticate"
>>
>>   Hi Mark,
>>
>> I haven't done it, but I've played with the scenario enough to have an idea.
>>
>> What you want to do is have Outlook auth via NTLM to Dovecot.
>>
>> First that means having the machine be a domain member (usually via Samba)
>> in order to properly process NTLM/Kerberos handshake - which it appears you
>> have.
>> Second that means having Dovecot know how to accept NTLM authentication
>> (SPA) to pass to the Samba backend.
>>
>> A 'Dovecot NTLM' search led me here:
>> http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
>>
>> What's not on the page that I'd expect to see, are the compile-time
>> requirements for including samba/kerberos libs within Dovecot.  If it
>> doesn't 'just work' with the config changes in the wiki, you may need to
>> recompile with the right features.
>>
>> Also - check the permissions of the ntlm_auth program. That's caused many
>> issues with Radius installs, IIRC.
>>
>> Hope that helps!
>>
>> Rick
>>
>> Quoting Mark Foley <mfoley at ohprs.org>:
>>
>> This can't be that hard. I think I've enabled LDAP in Dovecot just by including
>> dovecot-ldap.conf.ext in 10-auth.conf and using the default settings. I now have
>> the configuration shown below. Two questions:
>>
>> 1. How do I set Outlook to authenticate with LDAP? Currently the Outlook
>> accounts still have the ID and password set in "Logon Information". Checking
>> "Require logon using Secure Password Authentication (SPA)" doesn't work. All I
>> can seem to find on the Internet is how to configure address books using LDAP.
>>
>> 2. Should I remove "passdb { drive = shadow }" from the dovecot configuration?
>>
>> Anybody?
>>
>> $ doveconf -n
>> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
>> # OS: Linux 3.10.17 x86_64 Slackware 14.1
>> auth_debug_passwords = yes
>> auth_mechanisms = plain login
>> auth_verbose = yes
>> auth_verbose_passwords = plain
>> disable_plaintext_auth = no
>> info_log_path = /var/log/dovecot_info
>> mail_location = maildir:~/Maildir
>> passdb {
>> driver = shadow
>> }
>> passdb {
>> args = /etc/dovecot/dovecot-ldap.conf.ext
>> driver = ldap
>> }
>> protocols = imap
>> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
>> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
>> userdb {
>> driver = passwd
>> }
>> userdb {
>> args = /etc/dovecot/dovecot-ldap.conf.ext
>> driver = ldap
>> }
>> verbose_ssl = yes
>>
>> -----Original Message-----
>> From: Mark Foley <mfoley at ohprs.org>
>> Date: Wed, 02 Sep 2015 13:31:35 -0400
>> To: dovecot at dovecot.org
>> Subject: How to "Windows Authenticate"
>>
>> I've been using Dovecot 2.2.15 as the IMAP server for Outlook (2010/2013) on
>> Windows workstations for over 6 months with no problems.  Dovecot is hosted on
>> the office Samba4 AD/DC server.
>>
>> I have been using auth_mechanisms plain login, and passdb driver = shadow.
>>
>> What I'd like to do now is use the "Windows Authenticated" login so I don't have
>> to have separate passwords for users logging into the Windows AD workstations
>> and their Outlook clients.
>>
>> If anyone has actually done this I'd appreciate some tips. My various attempts
>> have not been successful.
>>
>> Here is my current config:
>>
>> $ doveconf -n
>> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
>> # OS: Linux 3.10.17 x86_64 Slackware 14.1
>> auth_debug_passwords = yes
>> auth_mechanisms = plain login
>> auth_verbose = yes
>> auth_verbose_passwords = plain
>> disable_plaintext_auth = no
>> info_log_path = /var/log/dovecot_info
>> mail_location = maildir:~/Maildir
>> passdb {
>>   driver = shadow
>> }
>> protocols = imap
>> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
>> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
>> userdb {
>>   driver = passwd
>> }
>> verbose_ssl = yes
>>
>> Thanks, Mark Foley
>  
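
The mismatch described in this thread (an NTLM passdb result of `OK` for a realm-qualified name, followed by `unknown user` from the shadow lookup and `NOTFOUND` from the userdb) can be picked out of an auth debug log mechanically. The Python sketch below is an added example, not part of the original messages or of Dovecot; the log lines are constructed in the format quoted above, and the function and field names are assumptions.

```python
import re

# Constructed sample in the quoted log format; tab-separated, placeholder users and ids.
SAMPLE_LOG = "\n".join([
    "Sep 05 16:45:19 auth: Debug: client in: AUTH\t1\tNTLM\tservice=imap\trip=192.0.2.58",
    "Sep 05 16:45:19 auth: Debug: client passdb out: CONT\t1",
    "Sep 05 16:45:19 auth: Debug: client passdb out: OK\t1\tuser=alice@example\toriginal_user=alice@EXAMPLE",
    "Sep 05 16:45:19 auth: Debug: master in: REQUEST\t1001\t10219\t1\t00112233\tsession_pid=10220",
    "Sep 05 16:45:19 auth-worker(5498): Debug: shadow(alice@example,192.0.2.58): lookup",
    "Sep 05 16:45:19 auth-worker(5498): Info: shadow(alice@example,192.0.2.58): unknown user",
    "Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND\t1001",
    # A PLAIN login whose bare username resolves, for contrast.
    "Sep 06 20:27:38 auth: Debug: client in: AUTH\t2\tPLAIN\tservice=imap\trip=192.0.2.60",
    "Sep 06 20:27:38 auth-worker(18616): Debug: shadow(bob,192.0.2.60): lookup",
    "Sep 06 20:27:38 auth: Debug: client passdb out: OK\t2\tuser=bob",
    "Sep 06 20:27:38 auth: Debug: master in: REQUEST\t1002\t10300\t2\t44556677\tsession_pid=10301",
    "Sep 06 20:27:38 auth: Debug: master userdb out: USER\t1002\tbob\tuid=1000",
])

# "<timestamp> <process>[(pid)]: <level>: <message>"
LINE = re.compile(r"^\w{3} \d{2} [\d:]{8} [\w-]+(?:\(\d+\))?: \w+: (?P<msg>.*)$")
UNKNOWN = re.compile(r"^(?P<driver>\w+)\((?P<user>[^,]+),[^)]*\): unknown user$")


def find_username_mismatches(log_text):
    """Return logins where the passdb said OK but the userdb said NOTFOUND."""
    mechanism = {}   # client auth id -> SASL mechanism
    authed = {}      # client auth id -> key=value fields of "passdb out: OK"
    request = {}     # master request id -> client auth id
    unknown = {}     # username -> drivers that logged "unknown user"
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        fields = msg.split("\t")
        u = UNKNOWN.match(msg)
        if fields[0] == "client in: AUTH" and len(fields) > 2:
            mechanism[fields[1]] = fields[2]
        elif fields[0] == "client passdb out: OK" and len(fields) > 1:
            authed[fields[1]] = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        elif fields[0] == "master in: REQUEST" and len(fields) > 3:
            request[fields[1]] = fields[3]
        elif u:
            unknown.setdefault(u.group("user"), set()).add(u.group("driver"))
        elif fields[0] == "master userdb out: NOTFOUND" and len(fields) > 1:
            client_id = request.get(fields[1])
            info = authed.get(client_id)
            if info is None:
                continue  # no successful passdb result to pair with
            user = info.get("user", "")
            local_part, _, realm = user.partition("@")
            findings.append({
                "user": user,
                "original_user": info.get("original_user", user),
                "mechanism": mechanism.get(client_id, "?"),
                "local_part": local_part,
                "realm": realm,
                "unknown_in": sorted(unknown.get(user, ())),
            })
    return findings


if __name__ == "__main__":
    for finding in find_username_mismatches(SAMPLE_LOG):
        print(finding)
```

Client auth ids are only unique per login process, so the pairing relies on the lines being read in log order. Dovecot's `auth_username_format` setting is one place where the realm can be dropped before lookups; the thread does not establish whether that resolves this setup.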

