Actually you are authenticating GSSAPI clients from AD and everyone else from shadow. Maybe you need to configure the pam module?

---
Aki Tuomi
Dovecot oy

-------- Original message --------
From: Mark Foley mfoley@ohprs.org
Date: 03/12/2017 06:03 (GMT+02:00)
To: dovecot@dovecot.org
Subject: Howto authenticate smartPhone via Active Directory

I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via shadow first and, failing that, it does authenticate via GSSAPI.
Smartphones connect to Dovecot via port 143 and SSL. They are not domain members so if the shadow authentication fails, no other methods are tried and no connection is made.
What can I do with my dovecot config to fix this?
doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.88 x86_64 Slackware 14.2
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =
Thanks, Mark
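
The reply's point, that password logins are checked only against the shadow passdb, can be read straight off the posted configuration. The script below is an added example, not part of the thread and not Dovecot code. It parses doveconf -n style text and reports which passdb drivers back the PLAIN/LOGIN mechanisms, along with the password-logging and plaintext settings visible in the post. The sample input is constructed from the posted settings, and the PASSWORD_MECHS and LOCAL_DRIVERS groupings are assumptions of this example.

```python
# Constructed sample: the auth-related settings from the doveconf -n output in the post.
SAMPLE = """\
auth_debug_passwords = yes
auth_mechanisms = plain login gssapi
auth_verbose_passwords = plain
disable_plaintext_auth = no
passdb {
  driver = shadow
}
"""
PASSWORD_MECHS = {"plain", "login"}                  # client sends the password itself
LOCAL_DRIVERS = {"shadow", "passwd", "passwd-file"}  # assumed: read local account files only

def parse(text):
    """Split doveconf -n style text into top-level settings and passdb blocks."""
    settings, passdbs, stack = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append((line.split()[0], {}))
        elif line == "}" and stack:
            name, body = stack.pop()
            if name == "passdb" and not stack:
                passdbs.append(body)
        elif "=" in line:
            key, _, value = line.partition("=")
            (stack[-1][1] if stack else settings)[key.strip()] = value.strip()
    return settings, passdbs

def audit(text):
    """Report which passdb drivers back password logins, plus risky auth settings."""
    settings, passdbs = parse(text)
    mechs = set(settings.get("auth_mechanisms", "plain").split())
    pw_mechs = sorted(mechs & PASSWORD_MECHS)
    drivers = [p.get("driver", "?") for p in passdbs]
    findings = []
    if pw_mechs and drivers and all(d in LOCAL_DRIVERS for d in drivers):
        findings.append("local-only passdb: accounts that exist only in the "
                        "directory cannot log in with " + "/".join(pw_mechs))
    if (settings.get("auth_debug_passwords") == "yes"
            or settings.get("auth_verbose_passwords") == "plain"):
        findings.append("passwords can be written to the auth log")
    if pw_mechs and settings.get("disable_plaintext_auth") == "no":
        findings.append("plaintext mechanisms allowed without SSL/TLS")
    return {"password_mechs": pw_mechs, "passdb_drivers": drivers,
            "findings": findings}
```

Calling audit(SAMPLE) returns three findings for the posted settings; the first is the one the reply describes.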