I am trying to use the checkpassword authentication (https://wiki.dovecot.org/AuthDatabase/CheckPassword). I do have a working checkpassword program. The protocol expects to receive on fd 3 the following:
username<nul>password<nul>optionalstuff</null>
I find that this works properly and the program can authenticate if the client is using PLAIN LOGIN. Both username and password are sent on fd3. But, if the client has specified kerberos/gssapi authentication then only the username is passed to checkpassword. The following is a debug dump from checkpassword showing the input read on fd 3 (12 bytes):
len 12: 636861726d61696e65000000 charmaine... User: [charmaine], PW: []
Without a password, checkpassword returns failure.
I am running dovecot in a Samba4 Active Directory. I have some email clients that use kerberos/GSSAPI (Thunderbird) and some that can only use PLAIN LOGIN (Outlook). All users, however, are active directory domain users and all could potentially authenticate with AD credentials.
I was hoping to use checkpassword for this. Otherwise, every user who cannot authenticate via kerberos/GSSAPI has to also be in the mail server's /etc/passwd file with the same ID/PW as their AD credentials, which becomes a bit of a pain when the user changes his domain password.
Why does dovecot not pass the user's password to checkpassword? When I tried this a few years ago I thought it did.
If checkpassword fails, why does it not then try the kerberos/GSSAPI mechanism?
Is there a solution to this?
THX --Mark
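To make the fd 3 format concrete, here is an added example (not the poster's program and not Dovecot's own code) that parses the `username<nul>password<nul>...` payload, reproduces the post's debug line from the same 12 bytes, and refuses an empty password instead of handing it to a backend; the `verify` callback standing in for the real AD/Kerberos check is an assumption.

```python
import os
import sys

# Exit codes of a checkpassword program (DJB convention, honoured by Dovecot).
EXIT_OK = 0           # credentials accepted
EXIT_AUTH_FAIL = 1    # credentials rejected
EXIT_TEMP_FAIL = 111  # malformed input / internal error


def parse_checkpassword_input(buf: bytes):
    """Split the fd-3 payload  username NUL password NUL [extra NUL ...]  into fields.

    Returns (username, password, extra_fields). Raises ValueError when the two
    mandatory NUL-terminated fields are not both present.
    """
    parts = buf.split(b"\x00")
    # A well-formed payload ends with NUL, so the final split element is empty.
    if len(parts) < 3 or parts[-1] != b"":
        raise ValueError("fd 3 payload must be 'user NUL pass NUL ...'")
    username = parts[0].decode("utf-8")
    password = parts[1].decode("utf-8")
    extra = [p for p in parts[2:-1] if p]  # optional fields, empty ones dropped
    return username, password, extra


def debug_dump(buf: bytes) -> str:
    """Render the payload the way the post's debug line does (length + hex)."""
    return f"len {len(buf)}: {buf.hex()}"


def decide(buf: bytes, verify) -> int:
    """Return the exit code for a payload; `verify(user, pw)` is the assumed backend check.

    An empty password (what the post sees under GSSAPI) is rejected before the
    backend is consulted: some directory backends treat an empty-password bind
    as anonymous and would otherwise report success.
    """
    try:
        username, password, _extra = parse_checkpassword_input(buf)
    except (ValueError, UnicodeDecodeError):
        return EXIT_TEMP_FAIL
    if not username or not password:
        return EXIT_AUTH_FAIL
    return EXIT_OK if verify(username, password) else EXIT_AUTH_FAIL


# Constructed sample: the 12-byte dump from the post (username only, no password).
SAMPLE = bytes.fromhex("636861726d61696e65000000")

if __name__ == "__main__":
    try:
        data = os.read(3, 4096)  # real invocation: Dovecot writes the payload to fd 3
    except OSError:
        data = SAMPLE            # stand-alone run: fall back to the sample
    print(debug_dump(data), file=sys.stderr)
    sys.exit(decide(data, lambda u, p: False))  # assumed backend: accept nothing
```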