Paolo Basenghi wrote:
Active Directory uses the Kerberos protocol for authentication, so you need the pam_krb5 module to authenticate. I don't know if it is possible to authenticate against A.D. without Kerberos.
In the configuration I proposed to you, A.D. is required only for authentication; the accounting information (uid, gid) is static (the vmail Linux user), and the home dir. is determined by a template (example: /home/vmail/mailboxes/ ). In other words, my config. works well if you can use virtual mailboxes *AND* each mailbox dir. name equals the A.D. username. I heard that there exists a Microsoft extension to the A.D. LDAP schema to add Unix accounting info, but I have never used it.
So I don't know if you *must* use pam+kerberos, but I suggest that you *should* try it, leaving out dovecot-ldap.conf.
Cheers
Hello,
I'm now trying with PAM + Kerberos. When I try "kinit abc", authentication to AD works, which means my krb5.conf file is correct; however, when I try from the mail client Thunderbird I get the error...
"dovecot-auth: PAM: pam_authenticate(rizwan) failed: unknown user"
I added a "dovecot" file to /etc/pam.d/ with these lines (as you suggested):

account required pam_krb5.so no_user_check
account required pam_permit.so
It looks like PAM is not using Kerberos, and that's why it's giving me the "unknown user" error. I tried changing the module name, e.g. pam_krb5.so to pam_krb5.so.4, which gives me these errors:
teacher dovecot-auth: in openpam_load_module(): no pam_krb5.so.4 found
Apr 12 19:04:24 teacher dovecot-auth: PAM: pam_start(abc) failed: system error
Apr 12 19:04:24 teacher dovecot-auth: in openpam_load_module(): no pam_krb5.so.4 found
Apr 12 19:04:24 teacher dovecot-auth: PAM: pam_start(abc) failed: system error
which means PAM does read and load the specified modules, and complains if something is missing.
Regards
Askar
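A small lint script for a PAM service file such as /etc/pam.d/dovecot, added here as an illustration and not taken from the thread or from Dovecot or OpenPAM. It lists which management groups (auth, account, session, password) the file actually defines and checks that every module it names can be found on disk, which is the condition behind the "openpam_load_module(): no ... found" lines quoted above. The module search directories and the file contents used in the usage line are assumptions for this example; adjust PAM_MODULE_DIRS to where your system installs PAM modules (OpenPAM looks in /usr/lib and /usr/local/lib, Linux-PAM usually in /lib/security or /lib/*/security).

```shell
#!/bin/sh
# pam_lint.sh: sanity-check a PAM service file (example code, not from the thread).
# Assumed module locations; override with PAM_MODULE_DIRS="/dir1 /dir2" in the environment.
PAM_MODULE_DIRS="${PAM_MODULE_DIRS:-/usr/lib /usr/local/lib /lib/security /usr/lib/security /lib64/security /lib/x86_64-linux-gnu/security}"

# pam_groups FILE: print the distinct management groups (first column) in FILE,
# one per line, skipping blank lines and comments. Lines are expected in the
# simple "group control module [args]" form used in the thread; bracketed
# control strings such as "[success=1 default=ignore]" are not parsed here.
pam_groups() {
    awk '$1 !~ /^#/ && NF >= 3 { print $1 }' "$1" | sort -u
}

# pam_has_group FILE GROUP: succeed if FILE has at least one line for GROUP.
pam_has_group() {
    pam_groups "$1" | grep -qx "$2"
}

# pam_missing_modules FILE: print every module named in FILE (third column)
# that cannot be found, either as an absolute path or in any PAM_MODULE_DIRS entry.
pam_missing_modules() {
    awk '$1 !~ /^#/ && NF >= 3 { print $3 }' "$1" | sort -u | while read -r mod; do
        found=0
        case "$mod" in
            /*)
                if [ -e "$mod" ]; then found=1; fi
                ;;
            *)
                for d in $PAM_MODULE_DIRS; do
                    if [ -e "$d/$mod" ]; then found=1; break; fi
                done
                ;;
        esac
        if [ "$found" -eq 0 ]; then echo "$mod"; fi
    done
}

# pam_lint FILE: print a report and return 1 if a module is missing or if the
# file defines no "auth" group, which is the stack pam_authenticate() runs.
pam_lint() {
    file="$1"
    status=0
    echo "management groups in $file: $(pam_groups "$file" | tr '\n' ' ')"
    if ! pam_has_group "$file" auth; then
        echo "WARNING: no 'auth' lines, so pam_authenticate() has no modules to run"
        status=1
    fi
    missing=$(pam_missing_modules "$file")
    if [ -n "$missing" ]; then
        echo "ERROR: modules not found in $PAM_MODULE_DIRS:"
        echo "$missing" | sed 's/^/  /'
        status=1
    fi
    return "$status"
}

# Usage: sh pam_lint.sh /etc/pam.d/dovecot
if [ $# -gt 0 ]; then pam_lint "$1"; fi
```

Run against the two-line file from the message above it reports only an "account" group and no "auth" group; run against a file naming pam_krb5.so.4 it lists that module as missing, matching what the dovecot-auth log shows.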