Quoting Mark Foley mfoley@ohprs.org:
Rick,
Samba4 AD/DC and Dovecot work perfectly for everything including access from SmartPhones. I've got roaming domain logins, redirected folders, calendars and contacts work just fine with Outlook and WebDav for sharing calendars; don't need them in Dovecot.
Do you have that documented somewhere? I would love to see how that's done.
For the most part, Outlook users can't tell they are not still on Exchange ... except they have to maintain their Outlook password distinct from their Windows password. Which is their one HUGE issue.
My absolutely LAST issue with totally duplicating SBS/Exchange functionality on Samba4/Dovecot is getting Dovecot to authenticate with Outlook clients using Windows Authentication which, as I understand things, can supposedly be done with NTLM. I just can't get it to work. I think a heck of a lot of Windows [SB]Server shops would convert to Samba4/Dovecot if someone figured out how to do this.
My Dovecot log messages make it look close to working:
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Dovecot gets the user as "mark@hprs" instead of "mark" and therefore can't find it in the userdb.
I can find no Dovecot wiki on this. If Dovecot just can't authenticate this way can someone (Timo?) tell me so and I'll cease my 8 month quest.
These are two:
http://wiki2.dovecot.org/Authentication/Kerberos
http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
As I understand it, NTLM is a layer above Kerberos. I don't see either referenced, similarly to either wiki page, in the pasted config...
Otherwise, what should I have for a userdb? What should I have for a passdb? Can I parse the "@hprs" bit off the userId received by Dovecot? These seem to be my hang-ups. At this point, I'm open to guesses.
Just for the heck of it, here's one of the doveconfs I tested with, reproduced here because it's buried in the messages below:

# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =
And wbinfo (requested by you in an earlier message) showing some of the Domain users (I'm testing with mark):
$ wbinfo -u
Administrator
Guest
krbtgt
dns-mail
mark
sogo
(more)
You wrote:
It also won't look up /etc/shadow - Samba is doing the AD->Unix UID mapping. Your AD users shouldn't be in there when all is said and done.
If not there, where?
Samba handles the idmap. The pasted config looks like a local shadow lookup.
Though I don't think that resolves the user@domain uid 'issue'.. Maybe Samba/NTLM/Kerberos will just recognize the domain and take care of it ?
In any case, side note - I wrote a webapp a while ago in PHP, and I have 3 domains in a Trust and the user's browser sends their auth info to an Apache server using Kerberos auth. It looks like what you're seeing, based on my code - 'user@domain' is normal:

$authusername = $_SERVER["PHP_AUTH_USER"];
if ( stristr($authusername,"@")) {
    $auth_ar = explode("@",$authusername) ;
    //<blah blah blah>
So receiving user@domain is at least to be expected.
I don't know what Dovecot would do with that domain info...
I would probably work on doing AD auth on another package first - maybe ssh or PureFTPd - then come back to Dovecot - but also review the two auth options I linked above if you didn't get my mail the first time.
I CCd you directly, because I swear I provided the NTLM wiki page before, and maybe my mail got dropped.
Rick
Humor me. Give me ONE suggestion to try!
--Mark
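Added example, not a configuration either poster ran: a Dovecot 2.2 auth fragment for the "@hprs" question in the thread. The setting that does the stripping is `auth_username_format`, a real Dovecot option whose `%n` variable keeps only the part of "user@domain" before the "@" (`%Ln` also lowercases it), so the passdb/userdb lookup keys on "mark" rather than "mark@hprs". The `ntlm_auth` path and the `pam` passdb (via pam_winbind) are assumptions about the Slackware box in the thread and should be checked against the two wiki pages Rick linked rather than taken from this snippet.

```conf
# Added example, not Mark's or Rick's config. Auth settings only; the
# original dovecot.conf's mail_location, protocols, ssl_* etc. stay as they are.

auth_mechanisms = plain login ntlm

# Hand the NTLM exchange to Samba's winbind helper instead of Dovecot's
# built-in NTLM, which would need the NT hash from a passdb. The helper path
# is an assumption for this box: confirm it with `which ntlm_auth`.
auth_use_winbind = yes
auth_winbind_helper_path = /usr/bin/ntlm_auth

# Outlook sends "mark@hprs". %n keeps the part before "@", %L lowercases it,
# so every passdb/userdb lookup is keyed on "mark" rather than "mark@hprs".
# Without this line the shadow/passwd lookup is done for "mark@hprs", which
# is exactly the "unknown user" in the posted auth-worker log.
auth_username_format = %Ln

# Once winbind does the AD->Unix idmap the AD users are not in /etc/shadow,
# so "driver = shadow" cannot verify them. For the plain/login fallback go
# through PAM with pam_winbind in the "dovecot" PAM service (assumption;
# see the HowTo/ActiveDirectoryNtlm wiki page linked above).
passdb {
  driver = pam
}

# `wbinfo -u` already lists "mark", so with nss_winbind in nsswitch.conf the
# passwd userdb can resolve uid/gid/home for the stripped username.
userdb {
  driver = passwd
}

auth_verbose = yes
auth_debug = yes
```

Usage note: after reloading, the auth-worker lines should name the bare user (`(mark,192.168.0.58)`); if they still show `mark@hprs`, `auth_username_format` is not being applied and the rest of the config is not yet the problem.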