Good afternoon.

Shouldn't at least the wiki page be updated so that it avoids someone in the future having to struggle like I did?

El 08/11/2019 a las 17:13, David Wells via dovecot escribió:

Good afternoon.

I'm configuring dovecot to authenticate users against a samba server running as an active directory domain controller. I followed the instructions as stated in the page https://wiki.dovecot.org/Authentication/Kerberos and considering the sentence that states [...]The Kerberos authentication mechanism doesn't require having a passdb, but you do need a userdb[...] I produced a configuration file that looked like this

...

auth_gssapi_hostname = $ALL auth_krb5_keytab = /etc/dovecot/dovecot.keytab auth_mechanisms = gssapi auth_username_format = %u mail_location = maildir:~/Maildir:INDEX=/var/lib/dovecot/%d/%n:CONTROL=/var/lib/dovecot/%d/%n:UTF-8 managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } plugin { sieve = file:~/sieve;active=~/.dovecot.sieve } protocols = imap ssl_ca = /etc/ssl/certs/cacertificate.crt ssl_cert =

When I ran these settings I would get an error that read

...

Nov  8 17:00:00 mail dovecot: auth: Error: gssapi(user@KERBEROSPRINCIPAL,192.168.182.137,): All password databases were skipped Nov  8 17:00:02 mail dovecot: imap-login: Disconnected (auth service reported temporary failure): user=user@KERBEROSPRINCIPAL, method=GSSAPI, rip=192.168.182.137, lip=192.168.182.4, TLS, session=

After Trying many things I finally modified my config

...

auth_gssapi_hostname = $ALL auth_krb5_keytab = /etc/dovecot/dovecot.keytab auth_mechanisms = gssapi auth_username_format = %u mail_location = maildir:~/Maildir:INDEX=/var/lib/dovecot/%d/%n:CONTROL=/var/lib/dovecot/%d/%n:UTF-8 managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } plugin { sieve = file:~/sieve;active=~/.dovecot.sieve } protocols = imap ssl_ca = /etc/ssl/certs/cacertificate.crt ssl_cert =

...

hosts = dc1:3268 tls = yes auth_bind = yes auth_bind_userdn = %u base =

With this configuration I can authenticate to the imap server sending user@KERBEROSPRINCIPAL as my username and without setting a password so I'm wondering if the wiki page needs to be updated or if there is something wrong with my first setup.

Thanks in advance.

Best regards,

David Wells.