As to your suggested links,
Samba4 uses Heimdal Kerberos which is part of the Samba4 installation: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Installation, so I don't know if the krb5 configs discussed in your link will apply. I'll revisit this if other things I'm trying don't work out.
If that http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm link were on paper I'd have worn out the pages by now. I did see your original message to me on that, tried what I could and posted my results to the list dated Sat, 05 Sep 2015 17:12:50 -0400. Didn't work, probably because I don't know what I'm doing, although I don't think I've spent longer on any other software package without mastering it! The userdb syntax shown on that site had errors with my dovecot 2.2.15. Instructions for an older version (dates on wikis would be nice)? Check out my Sep 5 posting if you missed it and see if I'm doing something stupidly, obviously wrong.
I'll have to also say that the wiki docs are pretty, but very difficult to comprehend. There's an awful lot of assumed knowledge and terminology in there and even though I have decades of Unix sysadmin experience, I get lost very quickly.
A lot of things seem overcomplicated. For example, I'm now trying the checkpassword auth method. Seems pretty simple at first: it gets the username and password and returns 0 if OK or 1 if not. Simple, right? But no, the Dovecot implementation wants you to also set environment variables (which don't appear to be there) and execute programs from within programs, and of course, it doesn't "just work". Why the complexity? Why not return a simple 0 or 1 and go with that? Oh well, I'm going to have to abandon this soon. Workplace indulgence is wearing thin.
--Mark
-----Original Message-----
Date: Thu, 10 Sep 2015 08:27:15 -0500
From: Rick Romero <rick@havokmon.com>
To: dovecot@dovecot.org
Cc: mfoley@ohprs.org
Subject: Re: How to "Windows Authenticate"
Quoting Mark Foley <mfoley@ohprs.org>:
Rick,
Samba4 AD/DC and Dovecot work perfectly for everything including access from SmartPhones. I've got roaming domain logins, redirected folders, calendars and contacts work just fine with Outlook and WebDav for sharing calendars; don't need them in Dovecot.
Do you have that documented somewhere? I would love to see how that's done.
For the most part, Outlook users can't tell they are not still on Exchange ... except they have to maintain their Outlook password distinct from their Windows password. Which is their one HUGE issue.
My absolutely LAST issue with totally duplicating SBS/Exchange functionality on Samba4/Dovecot is getting Dovecot to authenticate with Outlook clients using Windows Authentication which, as I understand things, can supposedly be done with NTLM. I just can't get it to work. I think a heck of a lot of Windows [SB]Server shops would convert to Samba4/Dovecot if someone figured out how to do this.
My Dovecot log messages make it look close to working:
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Dovecot gets the user as "mark@hprs" instead of "mark" and therefore can't find it in the userdb.
I can find no Dovecot wiki on this. If Dovecot just can't authenticate this way can someone (Timo?) tell me so and I'll cease my 8 month quest.
These are two:
http://wiki2.dovecot.org/Authentication/Kerberos
http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
As I understand it, NTLM is a layer above Kerberos. I don't see either referenced similarly to either wiki pages in the pasted config...
Otherwise, what should I have for a userdb? What should I have for a passdb? Can I parse the "@hprs" bit off the userId received by Dovecot? These seem to be my hang-ups. At this point, I'm open to guesses.
Just for the heck of it, here's one of the doveconf's I tested with, reproduced here because it's buried in the messages below:
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
  driver = passwd
}
verbose_ssl = yes
And wbinfo (requested by you in an earlier message) showing some of the Domain users (I'm testing with mark):
$ wbinfo -u
Administrator
Guest
krbtgt
dns-mail
mark
sogo
(more)
You wrote:
It also won't look up /etc/shadow - Samba is doing the AD->Unix UID mapping. Your AD users shouldn't be in there when all is said and done.
If not there, where?
Samba handles the idmap. The pasted config looks like a local shadow lookup.
Though I don't think that resolves the user@domain uid 'issue'.. Maybe Samba/NTLM/Kerberos will just recognize the domain and take care of it ?
In any case, side note: I wrote a webapp a while ago in PHP, and I have 3 domains in a Trust and the user's browser sends their auth info to an Apache server using Kerberos auth. It looks like what you're seeing, based on my code; 'user@domain' is normal:

$authusername = $_SERVER["PHP_AUTH_USER"];
if ( stristr($authusername,"@")) {
    $auth_ar = explode("@",$authusername) ;
    //<blah blah blah>
}
So receiving user@domain is at least to be expected.
I don't know what Dovecot would do with that domain info...
I would probably work on doing AD auth on another package first - maybe ssh or PureFTPd - then come back to Dovecot - but also review the two auth options I linked above if you didn't get my mail the first time.
I CCd you directly, because I swear I provided the NTLM wiki page before, and maybe my mail got dropped.
Rick
Humor me. Give me ONE suggestion to try!
--Mark
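Added example, not from this thread and not Dovecot's or Samba's own code: a minimal checkpassword script in POSIX sh that shows the part of the protocol the checkpassword discussion above is about, and the "@hprs" stripping asked about in the quoted message. It reads the NUL-separated username and password that Dovecot writes to file descriptor 3, strips an "@realm" suffix or "DOMAIN\" prefix off the login name (the same separation Dovecot's %n variable is meant to give in auth_username_format), checks the credentials, and on success exports USER and HOME before running the checkpassword-reply program that Dovecot passes as the script's first argument; it exits 1 on a bad login and 111 on a temporary error. Assumptions: the credential table and the names in it are constructed for the example; the home directory layout under /home is made up; the ntlm_auth call in the comment is the Samba command you would substitute for the table; and whether a given Dovecot release expects further userdb_* variables from the reply program is something to check against the checkpassword page for that release.

```sh
#!/bin/sh
# Example Dovecot checkpassword script (added illustration, not Dovecot's code).
# Dovecot runs it as:   script /path/to/checkpassword-reply
# and writes "<user>\0<password>\0..." to file descriptor 3.
# Exit status: 0 = accepted (reached by handing over to the reply program),
#              1 = bad user or password, 111 = temporary failure.

# Strip the realm from the login name Dovecot hands over:
#   "mark@hprs" -> "mark",  "HPRS\mark" -> "mark",  "mark" -> "mark".
strip_realm() {
    name=$1
    name=${name%%@*}      # drop an "@realm" suffix
    name=${name##*\\}     # drop a "DOMAIN\" prefix
    printf '%s\n' "$name"
}

# Read the request from fd 3 into REQ_USER and REQ_PASS.  tr turns the NUL
# separators into newlines so a POSIX shell can read the fields; any later
# fields (the checkpassword convention allows a timestamp) are ignored.
read_request() {
    { IFS= read -r REQ_USER || REQ_USER=
      IFS= read -r REQ_PASS || REQ_PASS=; } <<EOF
$(tr '\000' '\n' <&3 2>/dev/null)
EOF
    if [ -n "$REQ_USER" ]; then return 0; fi
    return 1              # nothing usable arrived on fd 3
}

# Check the password.  The table below is constructed for this example;
# against Samba/winbind you would instead call something like
#   ntlm_auth --username="$1" --password="$2" >/dev/null 2>&1
verify_password() {
    case "$1:$2" in
        mark:s3cret)     return 0 ;;   # constructed test credentials
        sogo:sogo-pass)  return 0 ;;   # constructed test credentials
    esac
    return 1
}

# Authenticate the request on fd 3.  On success export what the reply
# program needs (USER is the mandatory one; HOME is the mailbox owner's
# home) and return 0; return 1 for a bad login, 111 for a temporary error.
authenticate() {
    read_request || return 111
    user=$(strip_realm "$REQ_USER")
    [ -n "$user" ] || return 1
    verify_password "$user" "$REQ_PASS" || return 1
    USER=$user
    HOME=/home/$user      # assumption: local homes live under /home
    export USER HOME
    return 0
}

# Authenticate, then hand over to the reply program given as arguments.
# It is run as a child here so the function can be exercised in a test;
# the script entry point below uses exec, which is what Dovecot expects.
checkpassword() {
    authenticate || return $?
    "$@"
}

# Entry point when invoked by Dovecot (argv[1] = checkpassword-reply).
if [ "$#" -gt 0 ]; then
    authenticate || exit $?
    exec "$@"
fi
```

To try it by hand outside Dovecot, feed the request on fd 3 and use a stand-in reply command, for example: printf 'mark@hprs\000s3cret\000\000' | sh checkpassword.sh sh -c 'echo "reply sees USER=$USER"' 3<&0. The realm stripping is the piece that turns "mark@hprs" into the "mark" that a passwd/winbind userdb lookup can find.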