How to "Windows Authenticate"
I've been using Dovecot 2.2.15 as the IMAP server for Outlook (2010/2013) on Windows workstations for over 6 months with no problems. Dovecot is hosted on the office Samba4 AD/DC server.
I have been using auth_mechanisms plain login, and passdb driver = shadow.
What I'd like to do now is use the "Windows Authenticated" login so I don't have to have separate passwords for users logging into the Windows AD workstations and their Outlook clients.
If anyone has actually done this I'd appreciate some tips. My various attempts have not been successful.
Here is my current config:
$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =
Thanks, Mark Foley
This can't be that hard. I think I've enabled LDAP in Dovecot just by including dovecot-ldap.conf.ext in 10-auth.conf and using the default settings. I now have the configuration shown below. Two questions:
How do I set Outlook to authenticate with LDAP? Currently the Outlook accounts still have the ID and password set in "Logon Information". Checking "Require logon using Secure Password Authentication (SPA)" doesn't work. All I can seem to find on the Internet is how to configure address books using LDAP.
Should I remove "passdb { driver = shadow }" from the dovecot configuration?
Anybody?
$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = imap
ssl_cert =
-----Original Message-----
From: Mark Foley mfoley@ohprs.org
Date: Wed, 02 Sep 2015 13:31:35 -0400
To: dovecot@dovecot.org
Subject: How to "Windows Authenticate"
Hi Mark,
I haven't done it, but I've played with the scenario enough to have an idea.
What you want to do is have Outlook auth via NTLM to Dovecot.
First that means having the machine be a domain member (usually via Samba) in order to properly process NTLM/Kerberos handshake - which it appears you have. Second that means having Dovecot know how to accept NTLM authentication (SPA) to pass to the Samba backend.
A 'Dovecot NTLM' search led me here: http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
What's not on the page, but I'd expect to see, are the compile-time requirements for including samba/kerberos libs within Dovecot. If it doesn't 'just work' with the config changes in the wiki, you may need to recompile with the right features.
Also - check the permissions of the ntlm_auth program. That's caused many issues with Radius installs, IIRC.
Hope that helps!
Rick
Rick et al,
The link you gave was a start, but it is targeted at Samba3, assumes a (probably Windows [SBS] Server) AD/DC separate from the DC hosting dovecot, and includes setting up kerberos.
I'm using a Samba4 AD/DC with integrated kerberos (so I don't think there is any setup I can do there). Nevertheless I've followed the instructions otherwise, specifically adding to 10-auth.conf the following recommended lines:
auth_use_winbind = yes
auth_winbind_helper_path = /usr/bin/ntlm_auth
mechanisms = plain ntlm login
(Before, my 'mechanisms' were only plain and login). /usr/bin/ntlm_auth has global r/w privilege.
I did not specify the static userdb since these users are configured in /etc/passwd and I thought that would work; the example given in the link is (could that be an issue?):
userdb static {
  args = uid=501 gid=501 home=/home/vmail/%1Ln/%Ln mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln allow_all_users=yes
}
This didn't work. Also, existing, working Outlook connections using 'logon' (i.e. the userID and PW are configured in Outlook) stopped working.
I changed a test Outlook client to check 'Request login using Secure Password Authentication (SPA)' and also checked, under More Settings > Outgoing Server, 'My outgoing server (SMTP) requires authentication' and 'Use same settings as my incoming mail server'. Note that on the "Change Account" dialog (where the SPA checkbox is) the 'User Name' and 'Password' retained their values and were not grayed out as I would have expected if using AD authentication.
After doing the above and clicking 'Test Account Settings' I was re-prompted to enter a password, also not expected. At the bottom are the Dovecot log messages I received after doing the 'Test Account Settings'.
Surely, connecting from an Outlook client to Dovecot on a Samba4 AD/DC should be a very common implementation. Has someone done this successfully?
Immediately below is my doveconf -n and below that the dovecot log messages.
doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =
dovecot log after doing 'Test Account Settings' in Outlook:
Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:45:19 auth: Debug: auth client connected (pid=10219)
Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap session=HXssGAYf0ADAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52944
Sep 05 16:45:19 auth: Debug: client passdb out: CONT 1
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713 10219 1 f56352c207cb8f6dea4d264b2c0f8dc1 session_pid=10220 request_auth_token
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
Sep 05 16:45:19 imap-login: Info: Internal login failure (pid=10219 id=1) (internal failure, 1 successful auths): user=mark@hprs, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=10220, session=<HXssGAYf0ADAqAA6>
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:46:22 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Sep 05 16:46:22 auth: Debug: auth client connected (pid=13487)
Sep 05 16:46:22 auth: Debug: client in: AUTH 1 NTLM service=imap session=IlvqGwYf0wDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52947
Sep 05 16:46:22 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:46:22 auth: Debug: master in: REQUEST 3030384641 13487 1 bac5f6531f9d4c3316f93bd4c4a63ddd session_pid=13491 request_auth_token
Sep 05 16:46:22 auth-worker(13492): Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth-worker(13492): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:46:22 auth-worker(13492): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:46:22 auth: Debug: master userdb out: NOTFOUND 3030384641
Sep 05 16:46:22 imap-login: Info: Internal login failure (pid=13487 id=1) (internal failure, 1 successful auths): user=mark@hprs, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=13491, session=<IlvqGwYf0wDAqAA6>
Thanks --Mark
-----Original Message-----
Date: Thu, 03 Sep 2015 06:53:19 -0500
From: Rick Romero rick@havokmon.com
To: dovecot@dovecot.org
Subject: Re: How to "Windows Authenticate"
More info ...
My dovecot error log shows:
Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713 10219 1 f56352c207cb8f6dea4d264b2c0f8dc1 session_pid=10220 request_auth_token
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
whereas the successful 'plain login' configured mechanism (before adding the NTLM config) had:
Sep 06 20:27:38 auth-worker(18616): Debug: shadow(mark,104.6.249.210): lookup
The failed ntlm look-up is looking up user mark@hprs in shadow, which it doesn't find. Is there a way to strip the "@hprs" bit from the user so it can find the correct entry in /etc/shadow? That might fix the problem.
--Mark
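Both log excerpts in this thread (the Sep 5 'Test Account Settings' log and the shorter Sep 6 extract above) have the same shape: the NTLM passdb step succeeds and hands on user=mark@hprs, the shadow userdb then looks up that exact string, gets "unknown user", and imap-login reports "Internal login failure ... 1 successful auths". The script below is an added example, not code from Mark, Rick, the Dovecot wiki or Dovecot itself. It parses constructed log lines of that shape, pairs each passdb success with the userdb miss for the same name, and applies a small assumed subset of Dovecot's %-variable syntax (the u/n/d variables, the L/U case modifiers and a leading width such as the 1 in %1Ln) to show what the userdb would receive under the default auth_username_format of %Lu versus %Ln, which drops the domain. The LOCAL_USERS set, the regular expressions and the function names are constructed for the example; whether changing auth_username_format is the right fix for this Samba4/winbind setup is not settled in the thread.

```python
import re

# Constructed sample: the shape of the auth debug lines quoted in the thread,
# trimmed to the ones that matter for the passdb/userdb correlation.
SAMPLE_LOG = """\
Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap session=HXssGAYf0ADAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52944
Sep 05 16:45:19 auth: Debug: client passdb out: CONT 1
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
Sep 06 20:27:38 auth-worker(18616): Debug: shadow(mark,104.6.249.210): lookup
"""

# Constructed stand-in for the account names present in /etc/passwd.
LOCAL_USERS = {"mark", "alice"}

PASSDB_OK = re.compile(
    r"client passdb out: OK \d+ user=(?P<user>\S+)(?: original_user=(?P<orig>\S+))?")
USERDB_UNKNOWN = re.compile(
    r"shadow\((?P<user>[^,]+),(?P<rip>[^)]+)\): unknown user")

# Assumed subset of Dovecot's variables: %u full login name, %n the part
# before '@', %d the part after it.
VARS = {
    "u": lambda user, domain: f"{user}@{domain}" if domain else user,
    "n": lambda user, domain: user,
    "d": lambda user, domain: domain,
}


def expand_username(fmt, login):
    """Apply a %[width][modifiers]variable template such as %Lu, %Ln or
    %1Ln to a login name of the form user or user@domain.  Only the u/n/d
    variables and the L/U case modifiers are implemented (assumption:
    enough to reproduce the names seen in the log)."""
    user, _, domain = login.partition("@")
    out, i = [], 0
    while i < len(fmt):
        if fmt[i] != "%":
            out.append(fmt[i])
            i += 1
            continue
        i += 1
        if i < len(fmt) and fmt[i] == "%":  # "%%" is a literal percent sign
            out.append("%")
            i += 1
            continue
        width = 0
        while i < len(fmt) and fmt[i].isdigit():  # e.g. the 1 in %1Ln
            width = width * 10 + int(fmt[i])
            i += 1
        mods = ""
        while i < len(fmt) and fmt[i] in "LU":
            mods += fmt[i]
            i += 1
        if i >= len(fmt) or fmt[i] not in VARS:
            raise ValueError(f"unsupported variable in {fmt!r} at offset {i}")
        value = VARS[fmt[i]](user, domain)
        i += 1
        if "L" in mods:
            value = value.lower()
        if "U" in mods:
            value = value.upper()
        if width:
            value = value[:width]
        out.append(value)
    return "".join(out)


def find_userdb_mismatches(log_text, local_users):
    """Pair each successful passdb reply with a later 'unknown user' from
    the shadow userdb for the same name, and report what that name becomes
    once the domain is dropped (%Ln) and whether it exists locally.
    Returns one dict per passdb-OK / userdb-miss pair."""
    pending = {}   # name as passed on by passdb -> original_user
    findings = []
    for line in log_text.splitlines():
        m = PASSDB_OK.search(line)
        if m:
            pending[m.group("user")] = m.group("orig") or m.group("user")
            continue
        m = USERDB_UNKNOWN.search(line)
        if m and m.group("user") in pending:
            looked_up = m.group("user")
            stripped = expand_username("%Ln", pending.pop(looked_up))
            findings.append({
                "looked_up": looked_up,
                "rip": m.group("rip"),
                "stripped": stripped,
                "local_match": stripped in local_users,
            })
    return findings


if __name__ == "__main__":
    for f in find_userdb_mismatches(SAMPLE_LOG, LOCAL_USERS):
        print(f"userdb looked up {f['looked_up']!r} from {f['rip']}; "
              f"%Ln would give {f['stripped']!r} "
              f"({'present' if f['local_match'] else 'absent'} in local users)")
```

Run against the sample it reports one pairing: the userdb looked up mark@hprs, and the domain-less form mark is a local account. The same pairing is worth alerting on in production, because a passdb success followed by a userdb NOTFOUND means the user's credentials were accepted but mailbox access still failed, which is a configuration break rather than a bad password, and counting it per remote IP separates that from ordinary failed-login noise.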
-----Original Message-----
From: Mark Foley mfoley@ohprs.org
Date: Sat, 05 Sep 2015 17:12:50 -0400
To: dovecot@dovecot.org
Subject: Re: How to "Windows Authenticate"
Rick et al,
The link you gave was a start, but is targeted for Samba3 and is assuming a probably Windows [SBS]Server AD/DC separate from the DC hosting dovecot, and includes setting up kerberos.
I'm using a Samba4 AD/DC with integrated kerberos (so I don't think there is any setup I can do there). Nevertheless I've followed the instructions otherwise; specifically adding to 10-auto.conf the following recommended lines:
auth_use_winbind = yes auth_winbind_helper_path = /usr/bin/ntlm_auth mechanisms = plain ntlm login
(Before, my 'mechanisms' were only plain and login). /usr/bin/ntlm_auth has global r/w privilege.
I did not specify the static userdb since these users are configued in /etc/passwd and I thought that would work; example given in link (could that be an issue?):
userdb static { args= uid=501 gid=501 home=/home/vmail/%1Ln/%Ln mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln allow_all_users=yes }
This didn't work. Also, existing, working Outlook connections using 'logon' (i.e. the userID and PW are configured in Outlook) stopped working.
I changed a test Outlook client to check the 'Request login using Secure Password Authentication (SPA)' and also checked: More Settings > Outgoing Server
My outgoing server (SMTP) requires authentication' and 'Use same settings as my incoming mail server'. Note that on the "Change Account" dialog (where the SPA checkbox is) the 'User Name' and 'Password' retained their values and were not grayed out as I would have expected if using AD authentication.
After doing the above and clicking 'Test Account Settings' I was re-promted to enter a password - also not expected. At bottom are the Dovecot log message I received after doing the 'Test Account Settings'.
Surely, connecting from an Outlook client to Dovecot on a Samba4 AD/DC should be a very common implementation. Has someone done this successfully?
Immediately below is my doveconf -n and below that the dovecot log messages.
doveconf -n # 2.2.15: /usr/local/etc/dovecot/dovecot.conf # OS: Linux 3.10.17 x86_64 Slackware 14.1 auth_debug_passwords = yes auth_mechanisms = plain ntlm login auth_use_winbind = yes auth_verbose = yes auth_verbose_passwords = plain disable_plaintext_auth = no info_log_path = /var/log/dovecot_info mail_location = maildir:~/Maildir passdb { driver = shadow } protocols = imap ssl_cert =
dovecot log after doing 'Test Account Settings' in Outlook:
Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:45:19 auth: Debug: auth client connected (pid=10219)
Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap session=HXssGAYf0ADAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52944
Sep 05 16:45:19 auth: Debug: client passdb out: CONT 1
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713 10219 1 f56352c207cb8f6dea4d264b2c0f8dc1 session_pid=10220 request_auth_token
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
Sep 05 16:45:19 imap-login: Info: Internal login failure (pid=10219 id=1) (internal failure, 1 successful auths): user=mark@hprs, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=10220, session=<HXssGAYf0ADAqAA6>
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:46:22 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Sep 05 16:46:22 auth: Debug: auth client connected (pid=13487)
Sep 05 16:46:22 auth: Debug: client in: AUTH 1 NTLM service=imap session=IlvqGwYf0wDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52947
Sep 05 16:46:22 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:46:22 auth: Debug: master in: REQUEST 3030384641 13487 1 bac5f6531f9d4c3316f93bd4c4a63ddd session_pid=13491 request_auth_token
Sep 05 16:46:22 auth-worker(13492): Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth-worker(13492): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:46:22 auth-worker(13492): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:46:22 auth: Debug: master userdb out: NOTFOUND 3030384641
Sep 05 16:46:22 imap-login: Info: Internal login failure (pid=13487 id=1) (internal failure, 1 successful auths): user=mark@hprs, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=13491, session=<IlvqGwYf0wDAqAA6>
Thanks --Mark
-----Original Message-----
Date: Thu, 03 Sep 2015 06:53:19 -0500 From: Rick Romero rick@havokmon.com To: dovecot@dovecot.org Subject: Re: How to "Windows Authenticate"
Hi Mark,
I haven't done it, but I've played with the scenario enough to have an idea.
What you want to do is have Outlook auth via NTLM to Dovecot.
First that means having the machine be a domain member (usually via Samba) in order to properly process NTLM/Kerberos handshake - which it appears you have. Second that means having Dovecot know how to accept NTLM authentication (SPA) to pass to the Samba backend.
A 'Dovecot NTLM' search led me here: http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
What's not on the page that I'd expect to see are the compile-time requirements for including samba/kerberos libs within Dovecot. If it doesn't 'just work' with the config changes in the wiki, you may need to recompile with the right features.
Also - check the permissions of the ntlm_auth program. That's caused many issues with Radius installs, IIRC.
Hope that helps!
Rick
Quoting Mark Foley mfoley@ohprs.org:
This can't be that hard. I think I've enabled LDAP in Dovecot just by including dovecot-ldap.conf.ext in 10-auth.conf and using the default settings. I now have the configuration shown below. Two questions:
How do I set Outlook to authenticate with LDAP? Currently the Outlook accounts still have the ID and password set in "Logon Information". Checking "Require logon using Secure Password Authentication (SPA)" doesn't work. All I can seem to find on the Internet is how to configure address books using LDAP.
Should I remove "passdb { driver = shadow }" from the dovecot configuration?
Anybody?
$ doveconf -n # 2.2.15: /usr/local/etc/dovecot/dovecot.conf # OS: Linux 3.10.17 x86_64 Slackware 14.1 auth_debug_passwords = yes auth_mechanisms = plain login auth_verbose = yes auth_verbose_passwords = plain disable_plaintext_auth = no info_log_path = /var/log/dovecot_info mail_location = maildir:~/Maildir passdb { driver = shadow } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } protocols = imap ssl_cert =
-----Original Message----- From: Mark Foley mfoley@ohprs.org Date: Wed, 02 Sep 2015 13:31:35 -0400 To: dovecot@dovecot.org Subject: How to "Windows Authenticate"
I've been using Dovecot 2.2.15 as the IMAP server for Outlook (2010/2013) on Windows workstations for over 6 months with no problems. Dovecot is hosted on the office Samba4 AC/DC server.
I have been using auth_mechanisms plain login, and passdb driver = shadow.
What I'd like to do now is use the "Windows Authenticated" login so I don't have to have separate passwords for users logging into the Windows AD workstations and their Outlook clients.
If anyone has actually done this I'd appreciate some tips. My various attempts have not been successful.
Here is my current config:
$ doveconf -n # 2.2.15: /usr/local/etc/dovecot/dovecot.conf # OS: Linux 3.10.17 x86_64 Slackware 14.1 auth_debug_passwords = yes auth_mechanisms = plain login auth_verbose = yes auth_verbose_passwords = plain disable_plaintext_auth = no info_log_path = /var/log/dovecot_info mail_location = maildir:~/Maildir passdb { driver = shadow } protocols = imap ssl_cert =
Thanks, Mark Foley
Hmm. I would expect to see 'mark@hprs.com'. Whatever your full domain name is.
It also won't look up /etc/shadow - Samba is doing the AD->Unix UID mapping. Your AD users shouldn't be in there when all is said and done. Well, when I did a Samba4 install as a DC it still behaved like a Samba3 member, and there were no AD users in the local unix passwd files.
What does wbinfo -u provide? It should list all your users - especially because it's a DC. Whatever wbinfo -u shows, you may need to adjust another config file to match what Dovecot is receiving.
I assume /etc/nsswitch.conf has been modified to use Samba?
Sorry I haven't done this, but it doesn't seem like anyone else has either - so I'm just shooting in the dark here trying to get you steered in the right direction...
Rick
Quoting Mark Foley mfoley@ohprs.org:
More info ...
My dovecot error log shows:
Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713 10219 1 f56352c207cb8f6dea4d264b2c0f8dc1 session_pid=10220 request_auth_token
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
whereas the successful 'plain login' config'ed mechanism (before adding NTLM config) have:
Sep 06 20:27:38 auth-worker(18616): Debug: shadow(mark,104.6.249.210): lookup
The failed ntlm look-up is looking up user mark@hprs in shadow, which it doesn't find. Is there a way to strip the "@hprs" bit from the user so it can find the correct entry in /etc/shadow? That might fix the problem.
--Mark
-----Original Message----- From: Mark Foley mfoley@ohprs.org Date: Sat, 05 Sep 2015 17:12:50 -0400 To: dovecot@dovecot.org Subject: Re: How to "Windows Authenticate"
Rick et al,
The link you gave was a start, but it is targeted at Samba3, assumes a (probably Windows [SBS] Server) AD/DC separate from the DC hosting dovecot, and includes setting up kerberos.
I'm using a Samba4 AD/DC with integrated kerberos (so I don't think there is any setup I can do there). Nevertheless I've followed the instructions otherwise; specifically adding to 10-auth.conf the following recommended lines:
auth_use_winbind = yes
auth_winbind_helper_path = /usr/bin/ntlm_auth
mechanisms = plain ntlm login
(Before, my 'mechanisms' were only plain and login). /usr/bin/ntlm_auth has global r/w privilege.
I did not specify the static userdb since these users are configured in /etc/passwd and I thought that would work; example given in link (could that be an issue?):
userdb static {
  args = uid=501 gid=501 home=/home/vmail/%1Ln/%Ln mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln allow_all_users=yes
}
This didn't work. Also, existing, working Outlook connections using 'logon' (i.e. the userID and PW are configured in Outlook) stopped working.
I changed a test Outlook client to check 'Require logon using Secure Password Authentication (SPA)' and also checked, under More Settings > Outgoing Server, 'My outgoing server (SMTP) requires authentication' and 'Use same settings as my incoming mail server'. Note that on the "Change Account" dialog (where the SPA checkbox is) the 'User Name' and 'Password' retained their values and were not grayed out as I would have expected if using AD authentication.
After doing the above and clicking 'Test Account Settings' I was re-prompted to enter a password - also not expected. At the bottom are the Dovecot log messages I received after doing the 'Test Account Settings'.
Surely, connecting from an Outlook client to Dovecot on a Samba4 AD/DC should be a very common implementation. Has someone done this successfully?
Immediately below is my doveconf -n and below that the dovecot log messages.
doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =
dovecot log after doing 'Test Account Settings' in Outlook:
Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:45:19 auth: Debug: auth client connected (pid=10219)
Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap session=HXssGAYf0ADAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52944
Sep 05 16:45:19 auth: Debug: client passdb out: CONT 1
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713 10219 1 f56352c207cb8f6dea4d264b2c0f8dc1 session_pid=10220 request_auth_token
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
Sep 05 16:45:19 imap-login: Info: Internal login failure (pid=10219 id=1) (internal failure, 1 successful auths): user=mark@hprs, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=10220, session=<HXssGAYf0ADAqAA6>
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:46:22 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Sep 05 16:46:22 auth: Debug: auth client connected (pid=13487)
Sep 05 16:46:22 auth: Debug: client in: AUTH 1 NTLM service=imap session=IlvqGwYf0wDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52947
Sep 05 16:46:22 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:46:22 auth: Debug: master in: REQUEST 3030384641 13487 1 bac5f6531f9d4c3316f93bd4c4a63ddd session_pid=13491 request_auth_token
Sep 05 16:46:22 auth-worker(13492): Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth-worker(13492): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:46:22 auth-worker(13492): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:46:22 auth: Debug: master userdb out: NOTFOUND 3030384641
Sep 05 16:46:22 imap-login: Info: Internal login failure (pid=13487 id=1) (internal failure, 1 successful auths): user=mark@hprs, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=13491, session=<IlvqGwYf0wDAqAA6>
Thanks --Mark
Comments interspersed with yours ...
--Mark
-----Original Message-----
Date: Sun, 06 Sep 2015 20:00:11 -0500 From: Rick Romero rick@havokmon.com To: dovecot@dovecot.org Subject: Re: How to "Windows Authenticate"
Hmm. I would expect to see 'mark@hprs.com'. Whatever your full domain name is.
Full user@domain would be mark@hprs.local
It also won't look up /etc/shadow - Samba is doing the AD->Unix UID mapping. Your AD users shouldn't be in there when all is said and done.
I was thinking this too. I don't know why NTLM would need a userdb at all. It should just use something like ntlm_auth (which is configured in auth_winbind_helper).
What if I simply removed the userdb? What would you recommend for userdb, passdb?
Well, when I did a Samba4 install as a DC it still behaved like a Samba3 member, and there were no AD users in the local unix passwd files.
What does wbinfo -u provide? It should list all your users - especially because it's a DC. Whatever wbinfo -u shows, you may need to adjust another config file to match what Dovecot is receiving.
$ wbinfo -u
Administrator Guest krbtgt dns-mail mark sogo **arr **ress **mith **nee **ris **atterson **armaine **tkeson **mmitoh
These are all the AD users (most obfuscated for a bit of security). I am testing with user mark.
I assume /etc/nsswitch.conf has been modified to use Samba?
Unless the Samba provision did something to nsswitch, I've done nothing; nor have I seen anything in the Samba or dovecot wikis suggesting changes. Remember also that the Samba4 AD/DC works perfectly with redirected folders and users logging on to any Windows workstations, and works perfectly with things wanting "Windows Authentication" like SQLserver, so the "Windows Authentication" does work at some level. My /etc/nsswitch.conf is:
passwd: compat
group: compat
hosts: files dns
networks: files
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
Sorry I haven't done this, but it doesn't seem like anyone else has either - so I'm just shooting in the dark here trying to get you steered in the right direction...
Rick
Yeah, I can't seem to find a soul on the planet who has actually done this. If I get it figured out I'll post with a suggestion to Timo to wiki-ize it.
I'm a bit puzzled that no one appears to have done this. I would think that a Samba4 AD/DC in an office environment with lots of Windows workstations running Outlook would be about the most common environment there is; especially now that Small Business Server is no longer sold and Server Essentials does not support Exchange. What are all the SBS/Exchange/Outlook small businesses doing? Limping along with SBS2008/11, or putting their email in Outlook.com? Seems like the Samba4/dovecot/Outlook combo would be an ideal migration.
I appreciate your help.
Quoting Mark Foley mfoley@ohprs.org:
More info ...
My dovecot error log shows:
Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713 10219 1 f56352c207cb8f6dea4d264b2c0f8dc1 session_pid=10220 request_auth_token
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
whereas the successful 'plain login' configured mechanism (before adding NTLM config) has:
Sep 06 20:27:38 auth-worker(18616): Debug: shadow(mark,104.6.249.210): lookup
The failed ntlm look-up is looking up user mark@hprs in shadow, which it doesn't find. Is there a way to strip the "@hprs" bit from the user so it can find the correct entry in /etc/shadow? That might fix the problem.
--Mark
-----Original Message----- From: Mark Foley mfoley@ohprs.org Date: Sat, 05 Sep 2015 17:12:50 -0400 To: dovecot@dovecot.org Subject: Re: How to "Windows Authenticate"
Rick et al,
The link you gave was a start, but is targeted for Samba3 and is assuming a probably Windows [SBS]Server AD/DC separate from the DC hosting dovecot, and includes setting up kerberos.
I'm using a Samba4 AD/DC with integrated kerberos (so I don't think there is any setup I can do there). Nevertheless I've followed the instructions otherwise; specifically adding to 10-auto.conf the following recommended lines:
auth_use_winbind = yes
auth_winbind_helper_path = /usr/bin/ntlm_auth
mechanisms = plain ntlm login
(Before, my 'mechanisms' were only plain and login). /usr/bin/ntlm_auth has global r/w privilege.
I did not specify the static userdb since these users are configured in /etc/passwd and I thought that would work; example given in link (could that be an issue?):
userdb static {
  args= uid=501 gid=501 home=/home/vmail/%1Ln/%Ln mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln allow_all_users=yes
}
This didn't work. Also, existing, working Outlook connections using 'logon' (i.e. the userID and PW are configured in Outlook) stopped working.
I changed a test Outlook client to check the 'Request login using Secure Password Authentication (SPA)' and also checked: More Settings > Outgoing Server > 'My outgoing server (SMTP) requires authentication' and 'Use same settings as my incoming mail server'. Note that on the "Change Account" dialog (where the SPA checkbox is) the 'User Name' and 'Password' retained their values and were not grayed out as I would have expected if using AD authentication.
After doing the above and clicking 'Test Account Settings' I was re-prompted to enter a password - also not expected. At bottom are the Dovecot log messages I received after doing the 'Test Account Settings'.
Surely, connecting from an Outlook client to Dovecot on a Samba4 AD/DC should be a very common implementation. Has someone done this successfully?
Immediately below is my doveconf -n and below that the dovecot log messages.
doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =
dovecot log after doing 'Test Account Settings' in Outlook:
Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:45:19 auth: Debug: auth client connected (pid=10219)
Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap session=HXssGAYf0ADAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52944
Sep 05 16:45:19 auth: Debug: client passdb out: CONT 1
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713 10219 1 f56352c207cb8f6dea4d264b2c0f8dc1 session_pid=10220 request_auth_token
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
Sep 05 16:45:19 imap-login: Info: Internal login failure (pid=10219 id=1) (internal failure, 1 successful auths): user=mark@hprs, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=10220, session=<HXssGAYf0ADAqAA6>
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:46:22 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Sep 05 16:46:22 auth: Debug: auth client connected (pid=13487)
Sep 05 16:46:22 auth: Debug: client in: AUTH 1 NTLM service=imap session=IlvqGwYf0wDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52947
Sep 05 16:46:22 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:46:22 auth: Debug: master in: REQUEST 3030384641 13487 1 bac5f6531f9d4c3316f93bd4c4a63ddd session_pid=13491 request_auth_token
Sep 05 16:46:22 auth-worker(13492): Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth-worker(13492): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:46:22 auth-worker(13492): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:46:22 auth: Debug: master userdb out: NOTFOUND 3030384641
Sep 05 16:46:22 imap-login: Info: Internal login failure (pid=13487 id=1) (internal failure, 1 successful auths): user=mark@hprs, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=13491, session=<IlvqGwYf0wDAqAA6>
Thanks --Mark
-----Original Message-----
Date: Thu, 03 Sep 2015 06:53:19 -0500 From: Rick Romero rick@havokmon.com To: dovecot@dovecot.org Subject: Re: How to "Windows Authenticate"
Hi Mark,
I haven't done it, but I've played with the scenario enough to have an idea.
What you want to do is have Outlook auth via NTLM to Dovecot.
First that means having the machine be a domain member (usually via Samba) in order to properly process NTLM/Kerberos handshake - which it appears you have. Second that means having Dovecot know how to accept NTLM authentication (SPA) to pass to the Samba backend.
A 'Dovecot NTLM' search led me here: http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
What's not on the page that I'd expect to see are the compile-time requirements for including samba/kerberos libs within Dovecot. If it doesn't 'just work' with the config changes in the wiki, you may need to recompile with the right features.
Also - check the permissions of the ntlm_auth program. That's caused many issues with Radius installs, IIRC.
Hope that helps!
Rick
Quoting Mark Foley mfoley@ohprs.org:
This can't be that hard. I think I've enabled LDAP in Dovecot just by including dovecot-ldap.conf.ext in 10-auth.conf and using the default settings. I now have the configuration shown below. Two questions:
How do I set Outlook to authenticate with LDAP? Currently the Outlook accounts still have the ID and password set in "Logon Information". Checking "Require logon using Secure Password Authentication (SPA)" doesn't work. All I can seem to find on the Internet is how to configure address books using LDAP.
Should I remove "passdb { driver = shadow }" from the dovecot configuration?
Anybody?
$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = imap
ssl_cert =
-----Original Message----- From: Mark Foley mfoley@ohprs.org Date: Wed, 02 Sep 2015 13:31:35 -0400 To: dovecot@dovecot.org Subject: How to "Windows Authenticate"
I've been using Dovecot 2.2.15 as the IMAP server for Outlook (2010/2013) on Windows workstations for over 6 months with no problems. Dovecot is hosted on the office Samba4 AD/DC server.
I have been using auth_mechanisms plain login, and passdb driver = shadow.
What I'd like to do now is use the "Windows Authenticated" login so I don't have to have separate passwords for users logging into the Windows AD workstations and their Outlook clients.
If anyone has actually done this I'd appreciate some tips. My various attempts have not been successful.
Here is my current config:
$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =
Thanks, Mark Foley
More experimentation ...
I tried removing userdb and passdb from the dovecot NTLM config. That didn't work. I then tried adding a static userdb as follows:
userdb {
  driver = static
  # allow_all_users = yes
  args = gid=100 home=/home/HPRS/%n
}
(Interestingly, when I uncommented "allow_all_users" I got an "unsupported setting" [or something like that], even though that was in there from the beginning and is shown in the example wiki http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm)
Anyway, in both tests my error messages were the same:
Sep 08 18:38:16 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 08 18:38:16 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 08 18:38:16 auth: Debug: auth client connected (pid=8758)
Sep 08 18:38:16 auth: Debug: client in: AUTH 1 NTLM service=imap session=vPWqBUQfeADAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=56184
Sep 08 18:38:16 auth: Debug: client passdb out: CONT 1
Sep 08 18:38:16 auth: Info: ntlm(?,192.168.0.58,<vPWqBUQfeADAqAA6>): user not authenticated: NT_STATUS_LOGON_FAILURE
Sep 08 18:38:18 auth: Debug: client passdb out: FAIL 1
Notice that my userid (mark or mark@ohprs) is nowhere to be found. Whereas when I specified the userdb passwd at least it had a user id in the error log. From my previous test with userdb passwd and passdb shadow:
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
The "Info: ntlm" log entry has ntlm(?,192.168.0.58,<vPWqBUQfeADAqAA6>), whereas the previous test "Info shadow" log entry has Info: shadow(mark@hprs,192.168.0.58).
Of course I have no passdb specified which is right for NTLM ... or is it?
I feel like this should be obvious to someone familiar with Dovecot. Once again, it's difficult for me to believe no one on planet Earth (who also happens to subscribe to this list) had ever done Dovecot/ntlm from Outlook before.
Help!!! If I can't get this last bit sorted out I'll be forced back to Server 2012 and Exchange.
Thanks, --Mark
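Added here as an editor's example, not code from the thread, from Dovecot or from the posters: a small Python triage script that tells apart the two NTLM failure signatures quoted above (passdb OK followed by a userdb NOTFOUND on the domain-qualified name, versus ntlm_auth rejecting the credentials with NT_STATUS_LOGON_FAILURE before any lookup). Its log excerpts are constructed to mirror the thread's, and its remediation hints (including auth_username_format = %n) are assumptions drawn from the thread's own checks, not a confirmed fix.

```python
"""Triage Dovecot 2.2 auth-debug log lines for an NTLM login attempt.

Added example for this thread (not Dovecot's code and not the posters').
It separates passdb OK + userdb NOTFOUND (the Sep 05 logs) from winbind
rejecting the credentials with NT_STATUS_LOGON_FAILURE (the Sep 08 logs).
The hints are assumptions, not confirmed fixes.
"""
import re

# Dovecot's log shape: "Mon DD HH:MM:SS process[(pid)]: Level: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>[\w-]+(?:\(\d+\))?): (?P<level>Debug|Info|Warning|Error): "
    r"(?P<msg>.*)$"
)
AUTH_IN_RE = re.compile(r"client in: AUTH \d+ (?P<mech>\S+)")
PASSDB_OK_RE = re.compile(r"client passdb out: OK \d+ user=(?P<user>\S+)")
PASSDB_FAIL_RE = re.compile(r"client passdb out: FAIL")
NT_STATUS_RE = re.compile(r"user not authenticated: (?P<status>NT_STATUS_\w+)")
DB_LOOKUP_RE = re.compile(r"^(?P<db>\w+)\((?P<user>[^,)]+),[^)]*\): ")
USERDB_NOTFOUND_RE = re.compile(r"master userdb out: NOTFOUND")


def parse_auth_log(text):
    """Split an auth log excerpt into (process, level, message) tuples.

    Lines that do not have Dovecot's shape (blank lines, wrapped remnants)
    are skipped rather than raising.
    """
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is not None:
            events.append((m.group("proc"), m.group("level"), m.group("msg")))
    return events


def diagnose_ntlm_login(text):
    """Classify one login attempt and return a dict describing it.

    stage is 'passdb' (credentials rejected by ntlm_auth/winbind),
    'userdb' (credentials accepted but the user lookup failed) or 'ok'.
    """
    result = {"mechanism": None, "passdb_user": None, "lookup_user": None,
              "lookup_db": None, "stage": "ok", "nt_status": None, "hints": []}
    for _proc, _level, msg in parse_auth_log(text):
        m = AUTH_IN_RE.search(msg)
        if m:
            result["mechanism"] = m.group("mech")
            continue
        m = PASSDB_OK_RE.search(msg)
        if m:
            result["passdb_user"] = m.group("user")
            continue
        m = NT_STATUS_RE.search(msg)
        if m:  # winbind helper answered NA <status>: failure is in passdb
            result["nt_status"] = m.group("status")
            result["stage"] = "passdb"
            continue
        if PASSDB_FAIL_RE.search(msg):
            result["stage"] = "passdb"
            continue
        m = DB_LOOKUP_RE.match(msg)  # e.g. "shadow(mark@hprs,192.168.0.58): lookup"
        if m:
            result["lookup_db"] = m.group("db")
            result["lookup_user"] = m.group("user")
            continue
        if USERDB_NOTFOUND_RE.search(msg):
            result["stage"] = "userdb"

    if result["stage"] == "userdb":
        user = result["lookup_user"] or result["passdb_user"] or ""
        if "@" in user:
            result["hints"].append(
                "passdb accepted %r but the %s lookup used the domain-qualified "
                "name, while the working PLAIN login looked up the bare name. "
                "Assumption: auth_username_format = %%n strips the domain before "
                "the lookup; alternatively point userdb at the database holding "
                "the AD-to-Unix mapping instead of /etc/passwd."
                % (user, result["lookup_db"] or "userdb"))
        else:
            result["hints"].append("userdb returned NOTFOUND for %r" % user)
    elif result["stage"] == "passdb":
        result["hints"].append(
            "winbind rejected the NTLM response (%s) before any userdb lookup; "
            "check the ntlm_auth helper (auth_winbind_helper_path and its "
            "permissions) and that 'wbinfo -u' lists the account."
            % (result["nt_status"] or "no NT_STATUS reported"))
    return result


# Constructed excerpts modelled on the thread's logs (session ids shortened).
USERDB_MISS = """\
Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap session=HX lip=192.168.0.2 rip=192.168.0.58
Sep 05 16:45:19 auth: Debug: client passdb out: CONT 1
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
"""
LOGON_FAILURE = """\
Sep 08 18:38:16 auth: Debug: client in: AUTH 1 NTLM service=imap session=vP lip=192.168.0.2 rip=192.168.0.58
Sep 08 18:38:16 auth: Debug: client passdb out: CONT 1
Sep 08 18:38:16 auth: Info: ntlm(?,192.168.0.58,<vP>): user not authenticated: NT_STATUS_LOGON_FAILURE
Sep 08 18:38:18 auth: Debug: client passdb out: FAIL 1
"""

if __name__ == "__main__":
    for name, excerpt in (("userdb miss", USERDB_MISS), ("logon failure", LOGON_FAILURE)):
        d = diagnose_ntlm_login(excerpt)
        print(name, "->", d["stage"], d["mechanism"], d["nt_status"])
        for hint in d["hints"]:
            print("   ", hint)
```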
-----Original Message----- From: Mark Foley mfoley@ohprs.org Date: Mon, 07 Sep 2015 21:28:23 -0400 Organization: Ohio Highway Patrol Retirement System To: dovecot@dovecot.org Subject: Re: How to "Windows Authenticate"
Comments interspersed with yours ...
--Mark
-----Original Message-----
Date: Sun, 06 Sep 2015 20:00:11 -0500 From: Rick Romero rick@havokmon.com To: dovecot@dovecot.org Subject: Re: How to "Windows Authenticate"
Hmm. I would expect to see 'mark@hprs.com'. Whatever your full domain name is.
Full user@domain would be mark@hprs.local
It also won't look up /etc/shadow - Samba is doing the AD->Unix UID mapping. Your AD users shouldn't be in there when all is said and done.
I was thinking this too. I don't know why NTLM would need a userdb at all. It should just use something like ntlm_auth (which is configured in auth_winbind_helper).
What if I simply removed the userdb? What would you recommend for userdb, passdb?
Well, at when I did a Samba4 install as a DC it still behaved like a Samba3 member, and there were no AD users in the local unix passwd files.
What does wbinfo -u provide? It should list all your users - especially because it's an DC. Whatever wbinfo -u shows, you may need to adjust another config file to match waht Dovecot is receiving.
$ wbinfo -u
Administrator Guest krbtgt dns-mail mark sogo **arr **ress **mith **nee **ris **atterson **armaine **tkeson **mmitoh
These are all the AD users (most obfuscated for a bit of security). I am testing with user mark.
I assume /etc/nsswitch.conf has been modified to use Samba?
Unless the Samba provision did something to nnswitch, I've done nothing; nor have I seen anything in the Samba or dovecot wikis suggesting changes. Remember also that the Samba4 AD/DC works perfectly with redirected folders and users logging on to any Windows workstations, and works perfectly with things wanting "Windows Authentication" like SQLserver, so the "Windows Authentication" does work at some level. My /etc/nsswitch.conf is:
passwd: compat group: compat
hosts: files dns networks: files
services: files protocols: files rpc: files ethers: files netmasks: files netgroup: files bootparams: files
automount: files aliases: files
Sorry I haven't done this, but it doesn't seem like anyone else has either
- so I'm just shooting in the dark here trying to get you steered in the right direction...
Rick
Yeah, I can't seem to find a soul on the planet who has actually done this. If I get it figured out I'll post with a suggestion to Timo to wiki-ize it.
I'm a bit puzzled that no one appears to have done this. I would think that a Samba4 AD/DC in a office environment with lots of Windows workstations running Outlook would be about the most common environment there is; especially now that Small Business Server is no longer sold and Server Essentials does not support Exchange. What are all the SBS/Exchange/Outlook small businesses doing? Limping along with SBS2008/11, or putting their email in Outlook.com? Seems like the Samba4/dovecot/Outlook combo would be an ideal migration.
I appreciate your help.
Quoting Mark Foley mfoley@ohprs.org:
More info ...
My dovecot error log shows:
Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713 10219 1 f56352c207cb8f6dea4d264b2c0f8dc1 session_pid=10220 request_auth_token Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
whereas the successful 'plain login' config'ed mechanism (before adding NTLM config) have:
Sep 06 20:27:38 auth-worker(18616): Debug: shadow(mark,104.6.249.210): lookup
The failed ntlm look-up is looking up user mark@hprs in shadow, which it doesn't find. Is there a way to strip the "@hprs" bit from the user so it can find the correct entry in /etc/shadow? That might fix the problem.
--Mark
-----Original Message----- From: Mark Foley mfoley@ohprs.org Date: Sat, 05 Sep 2015 17:12:50 -0400 To: dovecot@dovecot.org Subject: Re: How to "Windows Authenticate"
Rick et al,
The link you gave was a start, but is targeted for Samba3 and is assuming a probably Windows [SBS]Server AD/DC separate from the DC hosting dovecot, and includes setting up kerberos.
I'm using a Samba4 AD/DC with integrated kerberos (so I don't think there is any setup I can do there). Nevertheless I've followed the instructions otherwise; specifically adding to 10-auto.conf the following recommended lines:
auth_use_winbind = yes auth_winbind_helper_path = /usr/bin/ntlm_auth mechanisms = plain ntlm login
(Before, my 'mechanisms' were only plain and login). /usr/bin/ntlm_auth has global r/w privilege.
I did not specify the static userdb since these users are configued in /etc/passwd and I thought that would work; example given in link (could that be an issue?):
userdb static { args= uid=501 gid=501 home=/home/vmail/%1Ln/%Ln mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln allow_all_users=yes }
This didn't work. Also, existing, working Outlook connections using 'logon' (i.e. the userID and PW are configured in Outlook) stopped working.
I changed a test Outlook client to check the 'Request login using Secure Password Authentication (SPA)' and also checked: More Settings > Outgoing Server
My outgoing server (SMTP) requires authentication' and 'Use same settings as
my incoming mail server'. Note that on the "Change Account" dialog (where the SPA checkbox is) the 'User Name' and 'Password' retained their values and were not grayed out as I would have expected if using AD authentication.
After doing the above and clicking 'Test Account Settings' I was re-promted to enter a password - also not expected. At bottom are the Dovecot log message I received after doing the 'Test Account Settings'.
Surely, connecting from an Outlook client to Dovecot on a Samba4 AD/DC should be a very common implementation. Has someone done this successfully?
Immediately below is my doveconf -n and below that the dovecot log messages.
doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf # OS: Linux 3.10.17 x86_64 Slackware 14.1 auth_debug_passwords = yes auth_mechanisms = plain ntlm login auth_use_winbind = yes auth_verbose = yes auth_verbose_passwords = plain disable_plaintext_auth = no info_log_path = /var/log/dovecot_info mail_location = maildir:~/Maildir passdb { driver = shadow } protocols = imap ssl_cert =
dovecot log after doing 'Test Account Settings' in Outlook:
Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:45:19 auth: Debug: auth client connected (pid=10219)
Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap session=HXssGAYf0ADAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52944
Sep 05 16:45:19 auth: Debug: client passdb out: CONT 1
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713 10219 1 f56352c207cb8f6dea4d264b2c0f8dc1 session_pid=10220 request_auth_token
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
Sep 05 16:45:19 imap-login: Info: Internal login failure (pid=10219 id=1) (internal failure, 1 successful auths): user=mark@hprs, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=10220, session=<HXssGAYf0ADAqAA6>
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:46:22 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Sep 05 16:46:22 auth: Debug: auth client connected (pid=13487)
Sep 05 16:46:22 auth: Debug: client in: AUTH 1 NTLM service=imap session=IlvqGwYf0wDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52947
Sep 05 16:46:22 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:46:22 auth: Debug: master in: REQUEST 3030384641 13487 1 bac5f6531f9d4c3316f93bd4c4a63ddd session_pid=13491 request_auth_token
Sep 05 16:46:22 auth-worker(13492): Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth-worker(13492): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:46:22 auth-worker(13492): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:46:22 auth: Debug: master userdb out: NOTFOUND 3030384641
Sep 05 16:46:22 imap-login: Info: Internal login failure (pid=13487 id=1) (internal failure, 1 successful auths): user=mark@hprs, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=13491, session=<IlvqGwYf0wDAqAA6>
Thanks --Mark
-----Original Message-----
Date: Thu, 03 Sep 2015 06:53:19 -0500 From: Rick Romero rick@havokmon.com To: dovecot@dovecot.org Subject: Re: How to "Windows Authenticate"
Hi Mark,
I haven't done it, but I've played with the scenario enough to have an idea.
What you want to do is have Outlook auth via NTLM to Dovecot.
First that means having the machine be a domain member (usually via Samba) in order to properly process NTLM/Kerberos handshake - which it appears you have. Second that means having Dovecot know how to accept NTLM authentication (SPA) to pass to the Samba backend.
A 'Dovecot NTLM' search led me here: http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
What's not on the page that I'd expect to see are the compile-time requirements for including samba/kerberos libs within Dovecot. If it doesn't 'just work' with the config changes in the wiki, you may need to recompile with the right features.
Also - check the permissions of the ntlm_auth program. That's caused many issues with Radius installs, IIRC.
Hope that helps!
Rick
Quoting Mark Foley mfoley@ohprs.org:
This can't be that hard. I think I've enabled LDAP in Dovecot just by including dovecot-ldap.conf.ext in 10-auth.conf and using the default settings. I now have the configuration shown below. Two questions:
How do I set Outlook to authenticate with LDAP? Currently the Outlook accounts still have the ID and password set in "Logon Information". Checking "Require logon using Secure Password Authentication (SPA)" doesn't work. All I can seem to find on the Internet is how to configure address books using LDAP.
Should I remove "passdb { driver = shadow }" from the dovecot configuration?
Anybody?
$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = imap
ssl_cert =
-----Original Message----- From: Mark Foley mfoley@ohprs.org Date: Wed, 02 Sep 2015 13:31:35 -0400 To: dovecot@dovecot.org Subject: How to "Windows Authenticate"
I've been using Dovecot 2.2.15 as the IMAP server for Outlook (2010/2013) on Windows workstations for over 6 months with no problems. Dovecot is hosted on the office Samba4 AD/DC server.
I have been using auth_mechanisms plain login, and passdb driver = shadow.
What I'd like to do now is use the "Windows Authenticated" login so I don't have to have separate passwords for users logging into the Windows AD workstations and their Outlook clients.
If anyone has actually done this I'd appreciate some tips. My various attempts have not been successful.
Here is my current config:
$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =
Thanks, Mark Foley
If I had time I would be all over this - but IMHO the main problem is that Dovecot != Exchange. Even in small environments - unless I'm out of date, there's no calendar, tasks or contact lists within Dovecot.
Your next best bet is to use something like Horde that would allow you to auth via ActiveSync (on Outlook 2013 clients) and manage everything else that the users will want, with Dovecot as the mail backend. Though I believe there could be licensing issues if you're looking to do it for free. I think, by license, you still need CALs for each ActiveSync client (if you're in the US).
Auth-wise it'd be a whole different animal. I'm not sure if there's anything pre-packaged NTLM + Horde - though Apache/PHP/Linux with Samba would accept the username via GSSAPI and I suppose you could pass that to HordeAuth.
I hate Exchange - I have a nagging 45 second delay on OWA logins ever since I had to setup multiple NICs to get Outlook to stop complaining about certs, and today while trying to fix that issue, AD decided to stop replicating one of my trusted domains (and began rejecting auths for linked mailboxes from that domain) and in short I really just hate that environment with every fiber of my being and would love to see a decent free Exchange replacement on *nix.
Rick
Quoting Mark Foley mfoley@ohprs.org:
More experimentation ...
I tried removing userdb and passdb from the dovecot NTLM config. That didn't work. I then tried adding a static userdb as follows:
userdb {
  driver = static
  # allow_all_users = yes
  args = gid=100 home=/home/HPRS/%n
}
(Interestingly, when I uncommented "allow_all_users" I got an "unsupported setting" [or something like that], even though that was in there from the beginning and is shown in the example wiki http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm)
Anyway, in both tests my error messages were the same:
Sep 08 18:38:16 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 08 18:38:16 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 08 18:38:16 auth: Debug: auth client connected (pid=8758)
Sep 08 18:38:16 auth: Debug: client in: AUTH 1 NTLM service=imap session=vPWqBUQfeADAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=56184
Sep 08 18:38:16 auth: Debug: client passdb out: CONT 1
Sep 08 18:38:16 auth: Info: ntlm(?,192.168.0.58,<vPWqBUQfeADAqAA6>): user not authenticated: NT_STATUS_LOGON_FAILURE
Sep 08 18:38:18 auth: Debug: client passdb out: FAIL 1
Notice that my userid (mark or mark@ohprs) is nowhere to be found. Whereas when I specified the userdb passwd at least it had a user id in the error log. From my previous test with userdb passwd and passdb shadow:
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
The "Info: ntlm" log entry has ntlm(?,192.168.0.58,<vPWqBUQfeADAqAA6>), whereas the previous test's "Info: shadow" log entry has shadow(mark@hprs,192.168.0.58).
Of course I have no passdb specified, which is right for NTLM ... or is it?
I feel like this should be obvious to someone familiar with Dovecot. Once again, it's difficult for me to believe no one on planet Earth (who also happens to subscribe to this list) has ever done Dovecot/ntlm from Outlook before.
Help!!! If I can't get this last bit sorted out I'll be forced back to Server 2012 and Exchange.
Thanks, --Mark
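A small log triage, added here as an example (not code from the thread or from Dovecot): it pairs the passdb result with the userdb result in auth_debug output so the two failures Mark pasted read differently at a glance. The sample lines are trimmed copies of the traces quoted above; the regexes and verdict wording are my own assumptions about what a reader wants to see.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the relevant lines from the two debug traces in the
# thread (Sep 05: NTLM accepted, shadow userdb lookup fails; Sep 08: NTLM
# itself rejected by winbind), trimmed to the lines the parser needs.
SAMPLE_LOG = """\
Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap session=HXssGAYf0ADAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52944
Sep 05 16:45:19 auth: Debug: client passdb out: CONT 1
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
Sep 08 18:38:16 auth: Debug: client in: AUTH 1 NTLM service=imap session=vPWqBUQfeADAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=56184
Sep 08 18:38:16 auth: Debug: client passdb out: CONT 1
Sep 08 18:38:16 auth: Info: ntlm(?,192.168.0.58,<vPWqBUQfeADAqAA6>): user not authenticated: NT_STATUS_LOGON_FAILURE
Sep 08 18:38:18 auth: Debug: client passdb out: FAIL 1
"""

RE_AUTH = re.compile(r"client in: AUTH (\d+) (\S+) .*?session=(\S+)")
RE_PASSDB = re.compile(r"client passdb out: (OK|FAIL|CONT) \d+(?: user=(\S+))?")
RE_NTLM_FAIL = re.compile(r"ntlm\([^)]*\): user not authenticated: (\S+)")
RE_USERDB = re.compile(r"master userdb out: (\w+)")


@dataclass
class AuthAttempt:
    session: str
    mech: str
    user: Optional[str] = None         # user= in the passdb OK reply
    passdb: Optional[str] = None       # OK or FAIL (CONT is just a handshake step)
    ntlm_status: Optional[str] = None  # NT_STATUS_* reported by the ntlm passdb
    userdb: Optional[str] = None       # master userdb out: NOTFOUND / USER / FAIL

    def stage(self) -> str:
        """Which stage failed: 'passdb', 'userdb', 'none' or 'unknown'."""
        if self.passdb == "FAIL":
            return "passdb"
        if self.passdb == "OK" and self.userdb == "NOTFOUND":
            return "userdb"
        if self.passdb == "OK":
            return "none"
        return "unknown"

    def verdict(self) -> str:
        stage = self.stage()
        if stage == "passdb":
            status = f" ({self.ntlm_status})" if self.ntlm_status else ""
            return (f"{self.mech} handshake rejected by the passdb{status}: no user was "
                    "ever produced, so look at the winbind helper (ntlm_auth path and "
                    "permissions, winbindd running) and at Samba's own log")
        if stage == "userdb":
            return (f"passdb accepted {self.user!r} but the userdb has no such entry: "
                    "the name still carries its domain part, so the userdb must be "
                    "able to resolve that form or the name must be normalised first")
        if stage == "none":
            return f"{self.user!r} passed both passdb and userdb"
        return "trace incomplete for this session"


def parse_auth_log(text: str) -> List[AuthAttempt]:
    """Attach passdb/userdb results to the most recent AUTH request, in order.

    Assumes a serialised trace (one test login at a time), as in the thread's
    auth_debug output; concurrent logins would need the request ids correlated.
    """
    attempts: List[AuthAttempt] = []
    current: Optional[AuthAttempt] = None
    for line in text.splitlines():
        m = RE_AUTH.search(line)
        if m:
            current = AuthAttempt(session=m.group(3), mech=m.group(2))
            attempts.append(current)
            continue
        if current is None:
            continue
        m = RE_PASSDB.search(line)
        if m and m.group(1) != "CONT":
            current.passdb = m.group(1)
            current.user = m.group(2)
            continue
        m = RE_NTLM_FAIL.search(line)
        if m:
            current.ntlm_status = m.group(1)
            continue
        m = RE_USERDB.search(line)
        if m:
            current.userdb = m.group(1)
    return attempts


def triage(text: str) -> List[str]:
    """One line per AUTH request: session id, failed stage and the verdict."""
    return [f"{a.session}: [{a.stage()}] {a.verdict()}" for a in parse_auth_log(text)]


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Run it against /var/log/dovecot_info (the info_log_path in the doveconf output above) after a single 'Test Account Settings' click to get one line per attempt.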
-----Original Message----- From: Mark Foley mfoley@ohprs.org Date: Mon, 07 Sep 2015 21:28:23 -0400 Organization: Ohio Highway Patrol Retirement System To: dovecot@dovecot.org Subject: Re: How to "Windows Authenticate"
Comments interspersed with yours ...
--Mark
-----Original Message-----
Date: Sun, 06 Sep 2015 20:00:11 -0500 From: Rick Romero rick@havokmon.com To: dovecot@dovecot.org Subject: Re: How to "Windows Authenticate"
Hmm. I would expect to see 'mark@hprs.com'. Whatever your full domain name is.
Full user@domain would be mark@hprs.local
It also won't look up /etc/shadow - Samba is doing the AD->Unix UID mapping. Your AD users shouldn't be in there when all is said and done.
I was thinking this too. I don't know why NTLM would need a userdb at all. It should just use something like ntlm_auth (which is configured in auth_winbind_helper).
What if I simply removed the userdb? What would you recommend for userdb, passdb?
Well, when I did a Samba4 install as a DC it still behaved like a Samba3 member, and there were no AD users in the local unix passwd files.
What does wbinfo -u provide? It should list all your users - especially because it's a DC. Whatever wbinfo -u shows, you may need to adjust another config file to match what Dovecot is receiving.
$ wbinfo -u
Administrator Guest krbtgt dns-mail mark sogo **arr **ress **mith **nee **ris **atterson **armaine **tkeson **mmitoh
These are all the AD users (most obfuscated for a bit of security). I am testing with user mark.
I assume /etc/nsswitch.conf has been modified to use Samba?
Unless the Samba provision did something to nsswitch, I've done nothing; nor have I seen anything in the Samba or dovecot wikis suggesting changes. Remember also that the Samba4 AD/DC works perfectly with redirected folders and users logging on to any Windows workstations, and works perfectly with things wanting "Windows Authentication" like SQLserver, so the "Windows Authentication" does work at some level. My /etc/nsswitch.conf is:
passwd: compat
group: compat
hosts: files dns
networks: files
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
Sorry I haven't done this, but it doesn't seem like anyone else has either - so I'm just shooting in the dark here trying to get you steered in the right direction...
Rick
Yeah, I can't seem to find a soul on the planet who has actually done this. If I get it figured out I'll post with a suggestion to Timo to wiki-ize it.
I'm a bit puzzled that no one appears to have done this. I would think that a Samba4 AD/DC in an office environment with lots of Windows workstations running Outlook would be about the most common environment there is; especially now that Small Business Server is no longer sold and Server Essentials does not support Exchange. What are all the SBS/Exchange/Outlook small businesses doing? Limping along with SBS2008/11, or putting their email in Outlook.com? Seems like the Samba4/dovecot/Outlook combo would be an ideal migration.
I appreciate your help.
Quoting Mark Foley mfoley@ohprs.org:
More info ...
My dovecot error log shows:
Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713 10219 1 f56352c207cb8f6dea4d264b2c0f8dc1 session_pid=10220 request_auth_token
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
whereas the successful 'plain login' config'ed mechanism (before adding NTLM config) have:
Sep 06 20:27:38 auth-worker(18616): Debug: shadow(mark,104.6.249.210): lookup
The failed ntlm look-up is looking up user mark@hprs in shadow, which it doesn't find. Is there a way to strip the "@hprs" bit from the user so it can find the correct entry in /etc/shadow? That might fix the problem.
--Mark
-----Original Message----- From: Mark Foley mfoley@ohprs.org Date: Sat, 05 Sep 2015 17:12:50 -0400 To: dovecot@dovecot.org Subject: Re: How to "Windows Authenticate"
Rick et al,
The link you gave was a start, but is targeted for Samba3 and is assuming a probably Windows [SBS]Server AD/DC separate from the DC hosting dovecot, and includes setting up kerberos.
I'm using a Samba4 AD/DC with integrated kerberos (so I don't think there is any setup I can do there). Nevertheless I've followed the instructions otherwise; specifically adding to 10-auth.conf the following recommended lines:
auth_use_winbind = yes
auth_winbind_helper_path = /usr/bin/ntlm_auth
mechanisms = plain ntlm login
(Before, my 'mechanisms' were only plain and login). /usr/bin/ntlm_auth has global r/w privilege.
I did not specify the static userdb since these users are configured in /etc/passwd and I thought that would work; example given in link (could that be an issue?):
userdb static {
  args= uid=501 gid=501 home=/home/vmail/%1Ln/%Ln mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln allow_all_users=yes
}
This didn't work. Also, existing, working Outlook connections using 'logon' (i.e. the userID and PW are configured in Outlook) stopped working.
I changed a test Outlook client to check the 'Request login using Secure Password Authentication (SPA)' box and also checked, under More Settings > Outgoing Server, 'My outgoing server (SMTP) requires authentication' and 'Use same settings as my incoming mail server'. Note that on the "Change Account" dialog (where the SPA checkbox is) the 'User Name' and 'Password' retained their values and were not grayed out as I would have expected if using AD authentication.
After doing the above and clicking 'Test Account Settings' I was re-prompted to enter a password - also not expected. At bottom are the Dovecot log messages I received after doing the 'Test Account Settings'.
Surely, connecting from an Outlook client to Dovecot on a Samba4 AD/DC should be a very common implementation. Has someone done this successfully?
Immediately below is my doveconf -n and below that the dovecot log messages.
doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =
dovecot log after doing 'Test Account Settings' in Outlook:
Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:45:19 auth: Debug: auth client connected (pid=10219)
Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap session=HXssGAYf0ADAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52944
Sep 05 16:45:19 auth: Debug: client passdb out: CONT 1
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713 10219 1 f56352c207cb8f6dea4d264b2c0f8dc1 session_pid=10220 request_auth_token
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
Sep 05 16:45:19 imap-login: Info: Internal login failure (pid=10219 id=1) (internal failure, 1 successful auths): user=mark@hprs, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=10220, session=<HXssGAYf0ADAqAA6>
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:46:22 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Sep 05 16:46:22 auth: Debug: auth client connected (pid=13487)
Sep 05 16:46:22 auth: Debug: client in: AUTH 1 NTLM service=imap session=IlvqGwYf0wDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52947
Sep 05 16:46:22 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:46:22 auth: Debug: master in: REQUEST 3030384641 13487 1 bac5f6531f9d4c3316f93bd4c4a63ddd session_pid=13491 request_auth_token
Sep 05 16:46:22 auth-worker(13492): Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth-worker(13492): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:46:22 auth-worker(13492): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:46:22 auth: Debug: master userdb out: NOTFOUND 3030384641
Sep 05 16:46:22 imap-login: Info: Internal login failure (pid=13487 id=1) (internal failure, 1 successful auths): user=mark@hprs, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=13491, session=<IlvqGwYf0wDAqAA6>
Thanks --Mark
-----Original Message----- Date: Thu, 03 Sep 2015 06:53:19 -0500 From: Rick Romero rick@havokmon.com To: dovecot@dovecot.org Subject: Re: How to "Windows Authenticate"
Hi Mark,
I haven't done it, but I've played with the scenario enough to have an idea.
What you want to do is have Outlook auth via NTLM to Dovecot.
First that means having the machine be a domain member (usually via Samba) in order to properly process NTLM/Kerberos handshake - which it appears you have. Second that means having Dovecot know how to accept NTLM authentication (SPA) to pass to the Samba backend.
A 'Dovecot NTLM' search led me here: http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
What's not on the page that I'd expect to see, are the compile-time requirements for inclucing samba/kerberos libs within Dovecot. If it doesn't 'just work' with the config changes in the wiki, you may need to recompile with the right features.
Also - check the permissions of the ntlm_auth program. That's caused many issues with Radius installs, IIRC.
Hope that helps!
Rick
Quoting Mark Foley mfoley@ohprs.org:
This can't be that hard. I think I've enabled LDAP in Dovecot just by including dovecot-ldap.conf.ext in 10-auth.conf and using the default settings. I now have the configuration shown below. Two questions:
How do I set Outlook to authenticate with LDAP? Currently the Outlook accounts still have the ID and password set in "Logon Information". Checking "Require logon using Secure Password Authentication (SPA)" doesn't work. All I can seem to find on the Internet is how to configure address books using LDAP.
Should I remove "passdb { drive = shadow } from the dovecot configuration?
Anybody?
$ doveconf -n # 2.2.15: /usr/local/etc/dovecot/dovecot.conf # OS: Linux 3.10.17 x86_64 Slackware 14.1 auth_debug_passwords = yes auth_mechanisms = plain login auth_verbose = yes auth_verbose_passwords = plain disable_plaintext_auth = no info_log_path = /var/log/dovecot_info mail_location = maildir:~/Maildir passdb { driver = shadow } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } protocols = imap ssl_cert =
-----Original Message----- From: Mark Foley mfoley@ohprs.org Date: Wed, 02 Sep 2015 13:31:35 -0400 To: dovecot@dovecot.org Subject: How to "Windows Authenticate"
I've been using Dovecot 2.2.15 as the IMAP server for Outlook (2010/2013) on Windows workstations for over 6 months with no problems. Dovecot is hosted on the office Samba4 AC/DC server.
I have been using auth_mechanisms plain login, and passdb driver = shadow.
What I'd like to do now is use the "Windows Authenticated" login so I don't have to have separate passwords for users logging into the Windows AD workstations and their Outlook clients.
If anyone has actually done this I'd appreciate some tips. My various attempts have not been successful.
Here is my current config:
$ doveconf -n # 2.2.15: /usr/local/etc/dovecot/dovecot.conf # OS: Linux 3.10.17 x86_64 Slackware 14.1 auth_debug_passwords = yes auth_mechanisms = plain login auth_verbose = yes auth_verbose_passwords = plain disable_plaintext_auth = no info_log_path = /var/log/dovecot_info mail_location = maildir:~/Maildir passdb { driver = shadow } protocols = imap ssl_cert =
Thanks, Mark Foley
From dovecot-bounces@dovecot.org Wed Sep 2 13:32:13 2015 Return-Path: dovecot-bounces@dovecot.org X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.98.6 at mail X-Spam-Checker-Version: SpamAssassin 3.3.2-_revision__1.14__ (2011-06-06) on mail.hprs.local X-Spam-Level: X-Spam-Status: No, score=0.0 required=3.0 tests=none autolearn=unavailable version=3.3.2-_revision__1.14__ X-Original-To: dovecot@dovecot.org Delivered-To: dovecot@dovecot.org X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.98.6 at mail From: Mark Foley mfoley@ohprs.org Date: Wed, 02 Sep 2015 13:31:35 -0400 Organization: Ohio Highway Patrol Retirement System To: dovecot@dovecot.org Subject: How to "Windows Authenticate" User-Agent: Heirloom mailx 12.5 7/5/10 Content-Type: text/plain; charset=us-ascii X-BeenThere: dovecot@dovecot.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Dovecot Mailing List
From: Rick Romero rick@havokmon.com Date: Thu, 03 Sep 2015 06:53:19 -0500 To: dovecot@dovecot.org Subject: Re: How to "Windows Authenticate"
Hi Mark,
I haven't done it, but I've played with the scenario enough to have an idea.
What you want to do is have Outlook auth via NTLM to Dovecot.
First that means having the machine be a domain member (usually via Samba) in order to properly process NTLM/Kerberos handshake - which it appears you have. Second that means having Dovecot know how to accept NTLM authentication (SPA) to pass to the Samba backend.
A 'Dovecot NTLM' search led me here: http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
What's not on the page that I'd expect to see are the compile-time requirements for including samba/kerberos libs within Dovecot. If it doesn't 'just work' with the config changes in the wiki, you may need to recompile with the right features.
Also - check the permissions of the ntlm_auth program. That's caused many issues with Radius installs, IIRC.
Hope that helps!
Rick
On Tue, 08 Sep 2015 21:21:13 -0500, Rick Romero stated:
I hate Exchange - I have a nagging 45 second delay on OWA logins ever since I had to setup multiple NICs to get Outlook to stop complaining about certs, and today while trying to fix that issue, AD decided to stop replicating one of my trusted domains (and began rejecting auths for linked mailboxes from that domain) and in short I really just hate that environment with every fiber of my being and would love to see a decent free Exchange replacement on *nix.
The only time I have had a problem with certs is when they are "self signed".
-- Jerry
Rick,
I extremely dislike Exchange as well. I have a long list of problems: near impossibility to monitor logs for trouble, poor configurable spam checking, no good way to archive and review emails ... I could go on for paragraphs, but the main reason we recently migrated away from SBS/Exchange is that Microsoft no longer sells Small Business Server and its replacement, Server Essentials, does not support Exchange! Exchange has to run on Server 2012, but MS would prefer you to use Server Essentials with your email in the cloud. We're not gonna do that.
Samba4 AD/DC and Dovecot work perfectly for everything including access from SmartPhones. I've got roaming domain logins, redirected folders, calendars and contacts work just fine with Outlook and WebDav for sharing calendars; don't need them in Dovecot. For the most part, Outlook users can't tell they are not still on Exchange ... except they have to maintain their Outlook password distinct from their Windows password. Which is their one HUGE issue.
My absolutely LAST issue with totally duplicating SBS/Exchange functionality on Samba4/Dovecot is getting Dovecot to authenticate with Outlook clients using Windows Authentication which, as I understand things, can supposedly be done with NTLM. I just can't get it to work. I think a heck of a lot of Windows [SB]Server shops would convert to Samba4/Dovecot if someone figured out how to do this.
My Dovecot log messages make it look close to working:
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Dovecot gets the user as "mark@hprs" instead of "mark" and therefore can't find it in the userdb.
I can find no Dovecot wiki on this. If Dovecot just can't authenticate this way can someone (Timo?) tell me so and I'll cease my 8 month quest.
Otherwise, what should I have for a userdb? What should I have for a passdb? Can I parse the "@hprs" bit off the userId received by Dovecot? These seem to be my hang-ups. At this point, I'm open to guesses.
Just for the heck of it, here's one of the doveconf's I tested with, reproduced here because it's buried in the messages below:
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =
And wbinfo (requested by you in an earlier message) showing some of the Domain users (I'm testing with mark):
$ wbinfo -u
Administrator
Guest
krbtgt
dns-mail
mark
sogo
(more)
You wrote:
It also won't look up /etc/shadow - Samba is doing the AD->Unix UID mapping. Your AD users shouldn't be in there when all is said and done.
If not there, where?
Humor me. Give me ONE suggestion to try!
--Mark
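The log pattern Mark quotes above (passdb answers OK for mark@hprs, then the userdb lookup of that same domain-qualified name comes back NOTFOUND) can be picked out mechanically. This is an added example, not code from the thread or from Dovecot; the sample lines are condensed from the ones quoted in the thread, and attributing lines to the most recent AUTH request is an assumption that holds for these serial debug logs.

```python
"""Added example (not code from the thread): triage Dovecot auth debug output
for the two failure shapes quoted in this thread, without a Dovecot install.

Shape 1: passdb accepts the NTLM login as "mark@hprs" but the userdb lookup of
that exact, domain-qualified name returns NOTFOUND (the Sep 05 lines).
Shape 2: winbind rejects the credentials outright (NT_STATUS_LOGON_FAILURE,
the Sep 08 lines).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, condensed from the log lines quoted in the thread.
SAMPLE_LOG = """\
Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap session=HXssGAYf0ADAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52944
Sep 05 16:45:19 auth: Debug: client passdb out: CONT 1
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
Sep 05 16:45:19 imap-login: Info: Internal login failure (pid=10219 id=1) (internal failure, 1 successful auths): user=mark@hprs, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=10220, session=<HXssGAYf0ADAqAA6>
Sep 08 18:38:16 auth: Debug: client in: AUTH 1 NTLM service=imap session=vPWqBUQfeADAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=56184
Sep 08 18:38:16 auth: Debug: client passdb out: CONT 1
Sep 08 18:38:16 auth: Info: ntlm(?,192.168.0.58,<vPWqBUQfeADAqAA6>): user not authenticated: NT_STATUS_LOGON_FAILURE
Sep 08 18:38:18 auth: Debug: client passdb out: FAIL 1
"""

AUTH_RE = re.compile(r"auth: Debug: client in: AUTH (\d+) (\S+) .*session=(\S+)")
PASSDB_RE = re.compile(r"auth: Debug: client passdb out: (OK|FAIL|CONT) (\d+)(?: user=(\S+))?")
NTLM_RE = re.compile(r"auth: Info: ntlm\([^)]*\): user not authenticated: (\S+)")
USERDB_RE = re.compile(r"auth: Debug: master userdb out: (\w+) (\d+)")


@dataclass
class AuthAttempt:
    session: str
    mechanism: str
    passdb: str = "PENDING"          # OK, FAIL or PENDING
    user: Optional[str] = None       # name passdb handed back (may carry @domain)
    userdb: Optional[str] = None     # NOTFOUND, USER, or None if never reached
    detail: Optional[str] = None     # e.g. NT_STATUS_LOGON_FAILURE

    def verdict(self) -> str:
        if self.passdb == "FAIL":
            return "passdb rejected credentials (%s)" % (self.detail or "no detail")
        if self.passdb == "OK" and self.userdb == "NOTFOUND":
            if self.user and "@" in self.user:
                return ("passdb accepted %s but userdb looked up the domain-qualified "
                        "name and failed; strip the domain before the userdb lookup"
                        % self.user)
            return "passdb accepted %s but userdb lookup failed" % self.user
        if self.passdb == "OK":
            return "login OK for %s" % self.user
        return "incomplete attempt"


def parse_auth_log(text: str) -> List[AuthAttempt]:
    """Walk the log in order. Dovecot's auth debug lines for one login are
    emitted serially, so each line is attributed to the most recent AUTH."""
    attempts: List[AuthAttempt] = []
    current: Optional[AuthAttempt] = None
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            current = AuthAttempt(session=m.group(3), mechanism=m.group(2))
            attempts.append(current)
            continue
        if current is None:
            continue
        m = PASSDB_RE.search(line)
        if m:
            if m.group(1) != "CONT":         # CONT is only the NTLM challenge leg
                current.passdb = m.group(1)
                current.user = m.group(3)
            continue
        m = NTLM_RE.search(line)
        if m:
            current.detail = m.group(1)
            continue
        m = USERDB_RE.search(line)
        if m:
            current.userdb = m.group(1)
    return attempts


def triage(text: str) -> List[str]:
    """One verdict line per login attempt, keyed by Dovecot session id."""
    return ["%s %s: %s" % (a.mechanism, a.session, a.verdict())
            for a in parse_auth_log(text)]


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```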
-----Original Message-----
Date: Tue, 08 Sep 2015 21:21:13 -0500 From: Rick Romero rick@havokmon.com To: dovecot@dovecot.org Subject: Re: How to "Windows Authenticate"
If I had time I would be all over this - but IMHO the main problem is that Dovecot != Exchange. Even in small environments - unless I'm out of date, there's no calendar, tasks or contact lists within Dovecot.
Your next best bet is to use something like Horde that would allow you to auth via ActiveSync (on Outlook 2013 clients) and manage everything else that the users will want, with Dovecot as the mail backend. Though I believe there could be licensing issues if you're looking to do it for free. I think, by license, you still need CALs for each ActiveSync client (if you're in the US).
Auth-Wise it'd be a whole different animal. I'm not sure if there's anything pre-packaged NTLM + Horde - though Apache/PHP/Linux with Samba would accept the username via GSSAPI and I suppose you could pass that to HordeAuth.
I hate Exchange - I have a nagging 45 second delay on OWA logins ever since I had to setup multiple NICs to get Outlook to stop complaining about certs, and today while trying to fix that issue, AD decided to stop replicating one of my trusted domains (and began rejecting auths for linked mailboxes from that domain) and in short I really just hate that environment with every fiber of my being and would love to see a decent free Exchange replacement on *nix.
Rick
Quoting Mark Foley mfoley@ohprs.org:
More experimentation ...
I tried removing userdb and passdb from the dovecot NTLM config. That didn't work. I then tried adding a static userdb as follows:
userdb {
  driver = static
  # allow_all_users = yes
  args = gid=100 home=/home/HPRS/%n
}
(Interestingly, when I uncommented "allow_all_users" I got an "unsupported setting" [or something like that], even though that was in there from the beginning and is shown in the example wiki http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm)
Anyway, in both tests my error messages were the same:
Sep 08 18:38:16 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 08 18:38:16 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 08 18:38:16 auth: Debug: auth client connected (pid=8758)
Sep 08 18:38:16 auth: Debug: client in: AUTH 1 NTLM service=imap session=vPWqBUQfeADAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=56184
Sep 08 18:38:16 auth: Debug: client passdb out: CONT 1
Sep 08 18:38:16 auth: Info: ntlm(?,192.168.0.58,<vPWqBUQfeADAqAA6>): user not authenticated: NT_STATUS_LOGON_FAILURE
Sep 08 18:38:18 auth: Debug: client passdb out: FAIL 1
Notice that my userid (mark or mark@ohprs) is nowhere to be found. Whereas when I specified the userdb passwd at least it had a user id in the error log. From my previous test with userdb passwd and passdb shadow:
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
The "Info: ntlm" log entry has ntlm(?,192.168.0.58,<vPWqBUQfeADAqAA6>), whereas the previous test's "Info: shadow" log entry has Info: shadow(mark@hprs,192.168.0.58).
Of course I have no passdb specified which is right for NTLM ... or is it?
I feel like this should be obvious to someone familiar with Dovecot. Once again, it's difficult for me to believe no one on planet Earth (who also happens to subscribe to this list) has ever done Dovecot/ntlm from Outlook before.
Help!!! If I can't get this last bit sorted out I'll be forced back to Server 2012 and Exchange.
Thanks, --Mark
-----Original Message----- From: Mark Foley mfoley@ohprs.org Date: Mon, 07 Sep 2015 21:28:23 -0400 Organization: Ohio Highway Patrol Retirement System To: dovecot@dovecot.org Subject: Re: How to "Windows Authenticate"
Comments interspersed with yours ...
--Mark
-----Original Message-----
Date: Sun, 06 Sep 2015 20:00:11 -0500 From: Rick Romero rick@havokmon.com To: dovecot@dovecot.org Subject: Re: How to "Windows Authenticate"
Hmm. I would expect to see 'mark@hprs.com'. Whatever your full domain name is.
Full user@domain would be mark@hprs.local
It also won't look up /etc/shadow - Samba is doing the AD->Unix UID mapping. Your AD users shouldn't be in there when all is said and done.
I was thinking this too. I don't know why NTLM would need a userdb at all. It should just use something like ntlm_auth (which is configured in auth_winbind_helper).
What if I simply removed the userdb? What would you recommend for userdb, passdb?
Well, when I did a Samba4 install as a DC it still behaved like a Samba3 member, and there were no AD users in the local unix passwd files.
What does wbinfo -u provide? It should list all your users - especially because it's a DC. Whatever wbinfo -u shows, you may need to adjust another config file to match what Dovecot is receiving.
$ wbinfo -u
Administrator
Guest
krbtgt
dns-mail
mark
sogo
**arr
**ress
**mith
**nee
**ris
**atterson
**armaine
**tkeson
**mmitoh
These are all the AD users (most obfuscated for a bit of security). I am testing with user mark.
I assume /etc/nsswitch.conf has been modified to use Samba?
Unless the Samba provision did something to nsswitch, I've done nothing; nor have I seen anything in the Samba or dovecot wikis suggesting changes. Remember also that the Samba4 AD/DC works perfectly with redirected folders and users logging on to any Windows workstations, and works perfectly with things wanting "Windows Authentication" like SQLserver, so the "Windows Authentication" does work at some level. My /etc/nsswitch.conf is:
passwd: compat
group: compat
hosts: files dns
networks: files
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
Sorry I haven't done this, but it doesn't seem like anyone else has either - so I'm just shooting in the dark here trying to get you steered in the right direction...
Rick
Yeah, I can't seem to find a soul on the planet who has actually done this. If I get it figured out I'll post with a suggestion to Timo to wiki-ize it.
I'm a bit puzzled that no one appears to have done this. I would think that a Samba4 AD/DC in an office environment with lots of Windows workstations running Outlook would be about the most common environment there is; especially now that Small Business Server is no longer sold and Server Essentials does not support Exchange. What are all the SBS/Exchange/Outlook small businesses doing? Limping along with SBS2008/11, or putting their email in Outlook.com? Seems like the Samba4/dovecot/Outlook combo would be an ideal migration.
I appreciate your help.
Quoting Mark Foley mfoley@ohprs.org:
More info ...
My dovecot error log shows:
Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713 10219 1 f56352c207cb8f6dea4d264b2c0f8dc1 session_pid=10220 request_auth_token
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
whereas the successful 'plain login' config'ed mechanism (before adding NTLM config) has:
Sep 06 20:27:38 auth-worker(18616): Debug: shadow(mark,104.6.249.210): lookup
The failed ntlm look-up is looking up user mark@hprs in shadow, which it doesn't find. Is there a way to strip the "@hprs" bit from the user so it can find the correct entry in /etc/shadow? That might fix the problem.
--Mark
-----Original Message----- From: Mark Foley mfoley@ohprs.org Date: Sat, 05 Sep 2015 17:12:50 -0400 To: dovecot@dovecot.org Subject: Re: How to "Windows Authenticate"
Rick et al,
The link you gave was a start, but it is targeted at Samba3, assumes a (probably Windows [SBS]Server) AD/DC separate from the DC hosting dovecot, and includes setting up kerberos.
I'm using a Samba4 AD/DC with integrated kerberos (so I don't think there is any setup I can do there). Nevertheless I've followed the instructions otherwise; specifically adding to 10-auth.conf the following recommended lines:
auth_use_winbind = yes
auth_winbind_helper_path = /usr/bin/ntlm_auth
mechanisms = plain ntlm login
(Before, my 'mechanisms' were only plain and login). /usr/bin/ntlm_auth has global r/w privilege.
I did not specify the static userdb since these users are configured in /etc/passwd and I thought that would work; example given in link (could that be an issue?):
userdb static {
  args= uid=501 gid=501 home=/home/vmail/%1Ln/%Ln mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln allow_all_users=yes
}
This didn't work. Also, existing, working Outlook connections using 'logon' (i.e. the userID and PW are configured in Outlook) stopped working.
I changed a test Outlook client to check the 'Request login using Secure Password Authentication (SPA)' and also checked: More Settings > Outgoing Server > 'My outgoing server (SMTP) requires authentication' and 'Use same settings as my incoming mail server'. Note that on the "Change Account" dialog (where the SPA checkbox is) the 'User Name' and 'Password' retained their values and were not grayed out as I would have expected if using AD authentication.
After doing the above and clicking 'Test Account Settings' I was re-prompted to enter a password - also not expected. At bottom are the Dovecot log messages I received after doing the 'Test Account Settings'.
Surely, connecting from an Outlook client to Dovecot on a Samba4 AD/DC should be a very common implementation. Has someone done this successfully?
Immediately below is my doveconf -n and below that the dovecot log messages.
doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =
dovecot log after doing 'Test Account Settings' in Outlook:
Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:45:19 auth: Debug: auth client connected (pid=10219)
Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap session=HXssGAYf0ADAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52944
Sep 05 16:45:19 auth: Debug: client passdb out: CONT 1
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713 10219 1 f56352c207cb8f6dea4d264b2c0f8dc1 session_pid=10220 request_auth_token
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
Sep 05 16:45:19 imap-login: Info: Internal login failure (pid=10219 id=1) (internal failure, 1 successful auths): user=mark@hprs, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=10220, session=<HXssGAYf0ADAqAA6>
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:46:22 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Sep 05 16:46:22 auth: Debug: auth client connected (pid=13487)
Sep 05 16:46:22 auth: Debug: client in: AUTH 1 NTLM service=imap session=IlvqGwYf0wDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52947
Sep 05 16:46:22 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:46:22 auth: Debug: master in: REQUEST 3030384641 13487 1 bac5f6531f9d4c3316f93bd4c4a63ddd session_pid=13491 request_auth_token
Sep 05 16:46:22 auth-worker(13492): Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth-worker(13492): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:46:22 auth-worker(13492): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:46:22 auth: Debug: master userdb out: NOTFOUND 3030384641
Sep 05 16:46:22 imap-login: Info: Internal login failure (pid=13487 id=1) (internal failure, 1 successful auths): user=mark@hprs, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=13491, session=<IlvqGwYf0wDAqAA6>
Thanks --Mark
Quoting Mark Foley mfoley@ohprs.org:
Rick,
Samba4 AD/DC and Dovecot work perfectly for everything including access from SmartPhones. I've got roaming domain logins, redirected folders, calendars and contacts work just fine with Outlook and WebDav for sharing calendars; don't need them in Dovecot.
Do you have that documented somewhere? I would love to see how that's done.
For the most part, Outlook users can't tell they are not still on Exchange ... except they have to maintain their Outlook password distinct from their Windows password. Which is their one HUGE issue.
My absolutely LAST issue with totally duplicating SBS/Exchange functionality on Samba4/Dovecot is getting Dovecot to authenticate with Outlook clients using Windows Authentication which, as I understand things, can supposedly be done with NTLM. I just can't get it to work. I think a heck of a lot if Windows [SB]Server shops would convert to Samba4/Dovecot if someone figured out how to do this.
My Dovecot log messages make it look close to working:
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Dovecot gets the user as "mark@hprs" instead of "mark" and therefore can't find it in the userdb.
I can find no Dovecot wiki on this. If Dovecot just can't authenticate this way can someone (Timo?) tell me so and I'll cease my 8 month quest.
These are two:
http://wiki2.dovecot.org/Authentication/Kerberos
http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
As I understand it, NTLM is a layer above Kerberos. I don't see either referenced similarly to either wiki pages in the pasted config...
Otherwise, what should I have for a userdb? What should I have for a passdb? Can I parse the "@hprs" bit off the userId received by Dovecot? These seem to be my hang-ups. At this point, I'm open to guesses.
Just for the heck of it, here's one of the doveconf's I tested with, reproduced here because it's buried in the messages below:
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =
And wbinfo (requested by you in an earlier message) showing some of the Domain users (I'm testing with mark):
$ wbinfo -u
Administrator
Guest
krbtgt
dns-mail
mark
sogo
(more)
You wrote:
It also won't look up /etc/shadow - Samba is doing the AD->Unix UID mapping. Your AD users shouldn't be in there when all is said and done.
If not there, where?
Samba handles the idmap. The pasted config looks like a local shadow lookup.
Though I don't think that resolves the user@domain uid 'issue'.. Maybe Samba/NTLM/Kerberos will just recognize the domain and take care of it ?
In any case, side note - I wrote a webapp a while ago in PHP, and I have 3 domains in a Trust and the user's browser sends their auth info to an Apache server using Kerberos auth. It looks like what you're seeing, based on my code - 'user@domain' is normal:
$authusername = $_SERVER["PHP_AUTH_USER"];
if ( stristr($authusername,"@")) {
  $auth_ar = explode("@",$authusername) ;
  //<blah blah blah>
}
So receiving user@domain is at least to be expected.
I don't know what Dovecot would do with that domain info...
I would probably work on doing AD auth on another package first - maybe ssh or PureFTPd - then come back to Dovecot - but also review the two auth options I linked above if you didn't get my mail the first time.
I CCd you directly, because I swear I provided the NTLM wiki page before, and maybe my mail got dropped.
Rick
Humor me. Give me ONE suggestion to try!
--Mark
As to your suggested links,
Samba4 uses Heimdal Kerberos which is part of the Samba4 installation: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Installation, so I don't know if the krb5 configs discussed in your link will apply. I'll revisit this if other things I'm trying don't work out.
If that http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm link were on paper I'd have worn out the pages by now. I did see your original message to me on that, tried what I could and posted my results to the list dated Sat, 05 Sep 2015 17:12:50 -0400. Didn't work, probably because I don't know what I'm doing, although I don't think I've spent longer on any other software package without mastering it! The userdb syntax shown on that site had errors with my dovecot 2.2.15. Instructions for an older version (dates on wikis would be nice)? Check out my Sep 5 posting if you missed it and see if I'm doing something stupidly obviously wrong.
I'll have to also say that the wiki docs are pretty, but very difficult to comprehend. There's an awful lot of assumed knowledge and terminology in there and even though I have decades of Unix sysadmin experience, I get lost very quickly.
A lot of things seem overcomplicated. For example, I'm now trying the checkpassword auth method. Seems pretty simple at first: it gets the username and password and returns 0 if OK or 1 if not. Simple right? But no, the Dovecot implementation wants you to also set environment variables (which don't appear to be there) and execute programs from within programs, and of course, it doesn't "just work". Why the complexity? Why not return a simple 0 or 1 and go with that? Oh well, I'm going to have to abandon this soon. Workplace indulgence is wearing thin.
--Mark
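The checkpassword flow Mark describes above (credentials arrive on file descriptor 3, the script sets environment variables and execs a second program rather than just returning 0 or 1) looks like this end to end, with the "@hprs" suffix stripped the way he asked about earlier. This is an added example, not code from the thread or from Dovecot; the credential table, the uid/gid values and the /home/HPRS/<user> home path are constructed for the demo (the path mirrors the static userdb Mark tried), and a real deployment would replace the table lookup with a winbind or PAM check.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): a Dovecot checkpassword script.

Dovecot runs the script with the path of its checkpassword-reply helper as
argv[1] and writes "user\\0password\\0" to file descriptor 3. The script exits
1 to reject, 111 on a temporary error, or sets USER/HOME (plus optional
userdb_* fields listed in EXTRA) and execs argv[1] to accept. When Dovecot
only wants a userdb lookup it sets AUTHORIZED=1 and expects AUTHORIZED=2 back.
"""
import hashlib
import hmac
import os
import sys
from typing import Dict, Optional, Tuple


def _h(salt: str, password: str) -> str:
    # Demo hash only; it exists to keep the example self-contained.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed demo table: local user -> (salt, hash). Not a real password store.
DEMO_USERS: Dict[str, Tuple[str, str]] = {
    "mark": ("s1", _h("s1", "correct horse")),
}
HOME_TEMPLATE = "/home/HPRS/{user}"   # constructed; mirrors the thread's static userdb


def parse_fd3(payload: bytes) -> Tuple[str, str]:
    """Split the NUL-separated fd-3 payload into (user, password)."""
    parts = payload.split(b"\0")
    if len(parts) < 2:
        raise ValueError("malformed checkpassword input")
    return parts[0].decode(), parts[1].decode()


def strip_domain(user: str) -> str:
    """Outlook/NTLM hands Dovecot 'mark@HPRS'; local lookups want 'mark'."""
    return user.split("@", 1)[0].lower()


def verify(user: str, password: str, table=DEMO_USERS) -> Optional[str]:
    """Return the canonical local user on success, None on failure."""
    local = strip_domain(user)
    entry = table.get(local)
    if entry is None:
        return None
    salt, expected = entry
    if hmac.compare_digest(_h(salt, password), expected):   # constant-time compare
        return local
    return None


def reply_environment(local_user: str) -> Dict[str, str]:
    """Variables checkpassword-reply reads back from the environment."""
    return {
        "USER": local_user,
        "HOME": HOME_TEMPLATE.format(user=local_user),
        "userdb_uid": "1000",    # constructed; a real script would consult pwd/winbind
        "userdb_gid": "100",
        "EXTRA": "userdb_uid userdb_gid",
    }


def main() -> int:
    if len(sys.argv) < 2:
        return 2                                 # misuse: no reply program given
    try:
        user, password = parse_fd3(os.read(3, 4096))
    except (OSError, ValueError):
        return 111                               # temporary failure
    if os.environ.get("AUTHORIZED") == "1":
        local = strip_domain(user)               # userdb-only lookup, no password
        if local not in DEMO_USERS:
            return 1
        os.environ["AUTHORIZED"] = "2"
    else:
        local = verify(user, password)
        if local is None:
            return 1                             # bad user or password
    os.environ.update(reply_environment(local))
    os.execv(sys.argv[1], [sys.argv[1]])         # replaced by checkpassword-reply
    return 111


if __name__ == "__main__":
    sys.exit(main())
```

Dovecot's own setting for dropping the domain before the passdb and userdb lookups is auth_username_format (for example %n), which the thread does not mention; strip_domain above does the same job inside the script.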
-----Original Message-----
Date: Thu, 10 Sep 2015 08:27:15 -0500 From: Rick Romero rick@havokmon.com To: dovecot@dovecot.org Cc: mfoley@ohprs.org Subject: Re: How to "Windows Authenticate"
Quoting Mark Foley mfoley@ohprs.org:
Rick,
Samba4 AD/DC and Dovecot work perfectly for everything including access from SmartPhones. I've got roaming domain logins, redirected folders, calendars and contacts work just fine with Outlook and WebDav for sharing calendars; don't need them in Dovecot.
Do you have that documented somewhere? I would love to see how that's done.
For the most part, Outlook users can't tell they are not still on Exchange ... except they have to maintain their Outlook password distinct from their Windows password. Which is their one HUGE issue.
My absolutely LAST issue with totally duplicating SBS/Exchange functionality on Samba4/Dovecot is getting Dovecot to authenticate with Outlook clients using Windows Authentication which, as I understand things, can supposedly be done with NTLM. I just can't get it to work. I think a heck of a lot of Windows [SB]Server shops would convert to Samba4/Dovecot if someone figured out how to do this.
My Dovecot log messages make it look close to working:
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Dovecot gets the user as "mark@hprs" instead of "mark" and therefore can't find it in the userdb.
I can find no Dovecot wiki on this. If Dovecot just can't authenticate this way can someone (Timo?) tell me so and I'll cease my 8 month quest.
These are two
http://wiki2.dovecot.org/Authentication/Kerberos
http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
As I understand it, NTLM is a layer above Kerberos. I don't see either referenced similarly to either wiki pages in the pasted config...
Otherwise, what should I have for a userdb? What should I have for a passdb? Can I parse the "@hprs" bit off the userId received by Dovecot? These seem to be my hang-ups. At this point, I'm open to guesses.
Just for the heck of it, here's one of the doveconf's I tested with, reproduced here because it's buried in the messages below:
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =
And wbinfo (requested by you in an earlier message) showing some of the Domain users (I'm testing with mark):
$ wbinfo -u
Administrator
Guest
krbtgt
dns-mail
mark
sogo
(more)
You wrote:
It also won't look up /etc/shadow - Samba is doing the AD->Unix UID mapping. Your AD users shouldn't be in there when all is said and done.
If not there, where?
Samba handles the idmap. The pasted config looks like a local shadow lookup.
Though I don't think that resolves the user@domain uid 'issue'.. Maybe Samba/NTLM/Kerberos will just recognize the domain and take care of it ?
In any case, side note - I wrote a webapp a while ago in PHP, and I have 3 domains in a Trust and the user's browser sends their auth info to an Apache server using Kerberos auth. It looks like what you're seeing, based on my code - 'user@domain' is normal:
$authusername = $_SERVER["PHP_AUTH_USER"];
if ( stristr($authusername,"@")) {
    $auth_ar = explode("@",$authusername) ;
    //<blah blah blah>
So receiving user@domain is at least to be expected.
I don't know what Dovecot would do with that domain info...
I would probably work on doing AD auth on another package first - maybe ssh or PureFTPd - then come back to Dovecot - but also review the two auth options I linked above if you didn't get my mail the first time.
I CCd you directly, because I swear I provided the NTLM wiki page before, and maybe my mail got dropped.
Rick
Humor me. Give me ONE suggestion to try!
--Mark
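A minimal checkpassword program in POSIX sh, added here as an example (not code from this thread, from Dovecot or from Samba), showing the interface Mark describes above: the credentials arrive NUL-separated on fd 3, the script exits 1 or 111 on failure, and otherwise exports the user's variables and execs the reply program Dovecot passes as argv[1]. It also splits a user@domain login the way Rick's PHP does; the credential table, the home directory layout and the wbinfo call named in the comments are assumptions.

```shell
#!/bin/sh
# Added example: a minimal Dovecot "checkpassword" program in POSIX sh.
# Dovecot runs it as:  ./checkpassword /path/to/checkpassword-reply
# and writes "user\0password\0" to file descriptor 3 before it runs.
# Exit contract: 0 = success (reached by exec'ing the reply program),
# 1 = authentication failed, 111 = temporary failure.
NL='
'

# Split the NUL-separated record on fd $1 into CP_USER / CP_PASS and derive
# CP_LOCAL / CP_DOMAIN from a "user@domain" login (the form seen in the
# shadow lookup log above). Returns 1 if the record is malformed.
parse_record() {
  rec=$(tr '\0' '\n' <&"$1") || return 1   # NULs -> newlines so sh can split
  CP_USER=${rec%%"$NL"*}
  rest=${rec#*"$NL"}
  CP_PASS=${rest%%"$NL"*}
  [ -n "$CP_USER" ] && [ "$rest" != "$rec" ] || return 1
  case $CP_USER in
    *@*) CP_LOCAL=${CP_USER%%@*}; CP_DOMAIN=${CP_USER#*@} ;;
    *)   CP_LOCAL=$CP_USER;       CP_DOMAIN="" ;;
  esac
}

# Constructed test table (user:password), standing in for the real backend.
# Assumption: a production script would ask winbind instead, e.g.
#   wbinfo -a "$1%$2"
verify_password() {
  while IFS=: read -r u p; do
    [ "$u" = "$1" ] && [ "$p" = "$2" ] && return 0
  done <<'EOF'
mark:s3cret!
sogo:Another-Pass
EOF
  return 1
}

# Decide for the credentials on fd $1, authenticating the local part of the
# login (so "mark@hprs" is checked as "mark"). Returns the checkpassword code.
authenticate_fd() {
  parse_record "$1" || return 111
  verify_password "$CP_LOCAL" "$CP_PASS" || return 1
}

# Act as a checkpassword program only when Dovecot passes the reply program.
if [ $# -ge 1 ]; then
  authenticate_fd 3 || exit $?
  USER=$CP_LOCAL; HOME=/home/$CP_LOCAL; export USER HOME   # assumed layout
  exec "$1"
fi
```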
I am running Dovecot 2.2.15 on Linux Slackware 14.1 and Samba 4.1.17 as the Active Directory/Domain Controller on the same host as Dovecot. Sendmail/procmail delivers mail to users' $HOME/Maildir. MS Outlook/IMAP is the client MTU used to connect with Dovecot to read mail on the Users' WIN7 workstations.
I believe I have confirmed that MS Outlook will either ...
- send the userid and password configured in the Outlook settings to Dovecot for authorizing. This mechanism has been working fine for months.
or ...
- Use NTLM authorization if "Require login using Secure Password Authentication (SPA)" is checked: https://en.wikipedia.org/wiki/Secure_Password_Authentication
Those, I believe, are the only two choices with Outlook (other than Exchange). Therefore, in order not to configure a Domain-distinct password in Outlook, I need to use the NTLM auth_mechanism for AD "Windows Authentication" with Dovecot. I've tried the settings below (just trying one user at the moment):
$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
protocols = imap
ssl_cert =
Dovecot log results after setting my Outlook to SPA and clicking the 'Test Account Settings' give me:
Sep 13 00:53:12 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 13 00:53:12 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<2PnkuZkfqADAqAA6>
Can someone tell me what this means and how to fix it?
Note that I have read http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm over and over, so simply referring me to that link will not help.
Thanks, Mark
Does the Dovecot NTLM mechanism work with MS Outlook?
[ ] YES [ ] NO
Please check one ... anybody.
--Mark
-----Original Message-----
From: Mark Foley mfoley@ohprs.org
Date: Sun, 13 Sep 2015 01:10:57 -0400
To: dovecot@dovecot.org
Subject: Re: How to "Windows Authenticate"
On 16 Sep 2015, at 19:10, Mark Foley mfoley@ohprs.org wrote:
Does the Dovecot NTLM mechanism work with MS Outlook?
[ ] YES [ ] NO
Please check one ... anybody.
--Mark
The URL on the wiki, which had probably been shared before with you;
http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
suggests it does.
The URL quotes:
Step 5. Passwordless authentication
If you have logged on from Windows to the AD domain, try leaving the password field, on the account, on the MUA, blank. The username / password, from the initial logon to the Windows machine, are seamlessly picked up and supplied to the challenge-response process between the MUA, Dovecot and AD. Employing this way of authentication we achieve single sign-on and we don't need to maintain MUA local passwords.
Did you follow the suggestions that are on that page? (all of them).
Thank you, Remko
--
/"\   Best regards,                | remko@FreeBSD.org
\ /   Remko Lodder                 | remko@EFnet
 X    http://www.evilcoder.org/    |
/ \   ASCII Ribbon Campaign        | Against HTML Mail and News
Love your "ASCII Ribbon Campaign" signature! I still use mailx myself.
I'll have to check out that "access denied" message for the email to mfoley@ohprs.org. I haven't seen that before. FreeBSD.org is not blocked in my access.db. Hmmm ...
Anyway, yes, I've been through those instructions over and over and they certainly do "suggest" it should work, but I haven't yet found anyone that has actually got it working. I assume you have not either, right?
The platform these instructions are targeted to is not quite my setup as the Dovecot host is also the AD/DC using Samba4, so the DC/join instructions don't apply, nor does the Kerberos: "Please note that you do not need to install or configure any other Kerberos KDC for Samba to work. Samba includes a AD-compatible KDC, currently based on an included copy of the Heimdal project."
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Contr...
Also, the instruction in the link you reference must be a bit out of date because the suggested userdb:
userdb static {
  args = uid=501 gid=501 home=/home/vmail/%1Ln/%Ln mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln
  allow_all_users=yes
}
gives an error with my dovecot 2.2.15. The word "static" has to go inside the curly-braces as "driver static" and the "allow_all_users" has to be added to the 'args' string. Otherwise, Dovecot won't run the config as shown in the link.
Otherwise and with the above changes to the userdb, I believe I've followed all applicable instructions in that link. The error I get with my config in the Dovecot log is:
Sep 13 00:53:12 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 13 00:53:12 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<2PnkuZkfqADAqAA6>
Any idea what would generate this message?
--Mark
-----Original Message-----
Subject: Re: How to "Windows Authenticate"
From: Remko Lodder remko@FreeBSD.org
Date: Wed, 16 Sep 2015 19:38:08 +0200
To: Mark Foley mfoley@ohprs.org
Cc: dovecot@dovecot.org
On 16 Sep 2015, at 19:10, Mark Foley mfoley@ohprs.org wrote:
[checking not suited for work]:
mfoley@ohprs.org: host mail.ohprs.org[98.102.63.107] said: 550 5.7.1 Access denied (in reply to MAIL FROM command)
You are welcome :-p
--
/"\   Best regards,                | remko@FreeBSD.org
\ /   Remko Lodder                 | remko@EFnet
 X    http://www.evilcoder.org/    |
/ \   ASCII Ribbon Campaign        | Against HTML Mail and News