-----Original Message----- From: dovecot-bounces+siebert+lists=et.rub.de@dovecot.org [mailto:dovecot-bounces+siebert+lists=et.rub.de@dovecot.org] On Behalf Of Jason Gunthorpe Sent: Tuesday, December 09, 2008 12:13 AM To: Thomas Siebert; Michel Vega Fuenzalida Cc: 'Dovecot Mailing List' Subject: Re: [Dovecot] Dovecot authenticating---> Active Directory Win2003
On Mon, Dec 08, 2008 at 02:43:53PM +0100, Thomas Siebert wrote:
You have to use LDAP as Authentication Backend with Port 3268.
That works but has 3 main drawbacks:
- It is a pain to setup SSL LDAP on both windows and linux. If you don't do this then it is massively insecure
Agreed, if you don't it is massively insecure. But I don't see why it should be that complicated. For the ADS, Microsoft gives advice: http://support.microsoft.com/kb/321051
...and for Linux, there are tons of tutorials.
- Passwords must be exchanged in plain text over IMAP. Also no single sign on capabilities.
Agreed there's no single sign on. But for plain text password exchange, there's no drawback when you use IMAPS or POP3S. And you should always do so.
- There is no redundancy or load balancing if you have multiple ADS servers
The *best* answer is to use a combination of samba's winbind and kerberos. This gives you encryption and mutual authentication between dovecot and the ADS server and various non-plaintext options between the client and dovecot - plus single sign on capabilities for SSPI or kerberdized clients.
For load balancing, it should be possible to use a round-robin DNS server instead. And you forget that the numbers of LDAP queries will be doubled as there's no possibility to use userdb prefetch.
Use dovecot's pam support to call out to pam_winbind/pam_krb5, and the native support to call out to winbind for ntlm and spnego. Dovecot's native gssapi kerberos rounds things out.
The basic steps are
- Get samba, winbind, dovecot, kerberos installed 1a) Setup smb.conf with the proper ADS options Note you do not need to run nmbd or smbd, just winbind.
- Use samba to join the machine to the domain with 'net ads join -U Administrator' Verify in ADS you have a computer with the proper name
- Create an imap keytab entry 'net ads keytab imap/host@REALM' Also tell windows imap is allowed for this host via the gui or adsiedit/ldapedit/etc
- Start winbind
- Setup dovecot 5a) Setup pma_winbind for dovecot
- Test on the dovecot machine: net ads testjoin wbinfo -n mywinuser klist -k kinit mywinuser@REALM kvno imap/host@REALM
check DNS that host has proper forward and reverse entries
telnet localhost imap 1 CAPABILITIY * CAPABILITY [..] AUTH=PLAIN AUTH=GSSAPI AUTH=GSS-SPNEGO AUTH=LOGIN AUTH=NTLM
I also have exim setup to use dovecot SASL and so it also does NTLM, GSSAPI and SPNEGO.
There is alot of information about this scattered on various web sites. The method I've outlined above is the lastest scheme using the newer software. Some reference material uses older techniques...
In my experience pretty much every client supports some version of NTLM, so passwords will be exchanged non-plaintext in most cases (though weak flavors of NTLM might be negotiated). Many clients like thunderbird support kerberos, and so on windows you get single sign on too. Most linux clients also support kerberos so can gen single sign on for them too with some setup.
Here are some config fragments you might find helpful
smb.conf: [global] netbios name = host workgroup = FOO realm = ADS.FOO security = ads use kerberos keytab = true encrypt passwords = true winbind use default domain = yes
Dovecot:
auth_ntlm_use_winbind = yes auth_username_format = %n auth_winbind_helper_path = /usr/bin/ntlm_auth mechanisms = plain gssapi gss-spnego login ntlm passdb pam {}