Good afternoon.
I'm configuring dovecot to authenticate users against a samba server running as an Active Directory domain controller. I followed the instructions as stated in the page https://wiki.dovecot.org/Authentication/Kerberos and, considering the sentence that states [...]The Kerberos authentication mechanism doesn't require having a passdb, but you do need a userdb[...], I produced a configuration file that looked like this:
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = gssapi
auth_username_format = %u
mail_location = maildir:~/Maildir:INDEX=/var/lib/dovecot/%d/%n:CONTROL=/var/lib/dovecot/%d/%n:UTF-8
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = imap
ssl_ca = /etc/ssl/certs/cacertificate.crt
ssl_cert = </etc/ssl/certs/certificate.crt
ssl_key = # hidden, use -P to show it
userdb {
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n allow_all_users=yes
  driver = static
}
When I ran these settings I would get an error that read:
Nov 8 17:00:00 mail dovecot: auth: Error: gssapi(user@KERBEROSPRINCIPAL,192.168.182.137,<IQMcOtuWI+3AqLaJ>): All password databases were skipped
Nov 8 17:00:02 mail dovecot: imap-login: Disconnected (auth service reported temporary failure): user=<user@KERBEROSPRINCIPAL>, method=GSSAPI, rip=192.168.182.137, lip=192.168.182.4, TLS, session=<IQMcOtuWI+3AqLaJ>
After trying many things I finally modified my config:
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = gssapi
auth_username_format = %u
mail_location = maildir:~/Maildir:INDEX=/var/lib/dovecot/%d/%n:CONTROL=/var/lib/dovecot/%d/%n:UTF-8
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = imap
ssl_ca = /etc/ssl/certs/cacertificate.crt
ssl_cert = </etc/ssl/certs/certificate.crt
ssl_key = # hidden, use -P to show it
userdb {
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n allow_all_users=yes
  driver = static
}

The dovecot-ldap.conf.ext file looks like this:
hosts = dc1:3268
tls = yes
auth_bind = yes
auth_bind_userdn = %u
base =
With this configuration I can authenticate to the imap server sending user@KERBEROSPRINCIPAL as my username and without setting a password, so I'm wondering if the wiki page needs to be updated or if there is something wrong with my first setup.
Thanks in advance.
Best regards,
David Wells.
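The two log lines quoted above are the symptom to watch for on the server side. As an added example (not from the post or from Dovecot), this Python snippet joins the auth-process error to its imap-login outcome by session id and separates a server-side configuration error such as "All password databases were skipped" from ordinary failed logins. The third sample line, its session id and the hint text are constructed for the demo.

```python
import re

# Constructed sample: the two lines quoted in the post plus an invented
# successful GSSAPI login for contrast.
SAMPLE_LOG = """\
Nov 8 17:00:00 mail dovecot: auth: Error: gssapi(user@KERBEROSPRINCIPAL,192.168.182.137,<IQMcOtuWI+3AqLaJ>): All password databases were skipped
Nov 8 17:00:02 mail dovecot: imap-login: Disconnected (auth service reported temporary failure): user=<user@KERBEROSPRINCIPAL>, method=GSSAPI, rip=192.168.182.137, lip=192.168.182.4, TLS, session=<IQMcOtuWI+3AqLaJ>
Nov 8 17:05:10 mail dovecot: imap-login: Login: user=<other@KERBEROSPRINCIPAL>, method=GSSAPI, rip=192.168.182.140, lip=192.168.182.4, TLS, session=<c0nstructed01>
"""

# auth-process errors carry (user,rip,<session>) right after the mechanism name
AUTH_ERR = re.compile(
    r"dovecot: auth: Error: (?P<mech>\w+)\("
    r"(?P<user>[^,]+),(?P<rip>[^,]+),<(?P<session>[^>]+)>\): (?P<msg>.*)$"
)
# imap-login lines end with session=<id>; the event is Login or Disconnected (...)
LOGIN_EVT = re.compile(
    r"dovecot: imap-login: (?P<event>Login|Disconnected \([^)]*\)): "
    r".*?method=(?P<method>\w+), .*?session=<(?P<session>[^>]+)>"
)
# Messages that point at the server's own configuration rather than the client
CONFIG_ERRORS = {
    "All password databases were skipped":
        "no passdb handled the request (the post fixed this by adding a passdb)",
}

def analyze(log_text: str) -> dict:
    """Join each auth error to its imap-login outcome by session id and
    separate configuration errors from ordinary authentication failures."""
    errors, outcomes = {}, {}
    for line in log_text.splitlines():
        if m := AUTH_ERR.search(line):
            errors[m["session"]] = m.groupdict()
        elif m := LOGIN_EVT.search(line):
            outcomes[m["session"]] = m.groupdict()
    report = {"config_errors": [], "auth_failures": [], "logins": []}
    for sid, err in errors.items():
        finding = {"session": sid, "user": err["user"], "mech": err["mech"],
                   "rip": err["rip"], "message": err["msg"],
                   "outcome": outcomes.get(sid, {}).get("event", "no imap-login line")}
        if err["msg"] in CONFIG_ERRORS:
            finding["hint"] = CONFIG_ERRORS[err["msg"]]
            report["config_errors"].append(finding)
        else:
            report["auth_failures"].append(finding)
    for sid, out in outcomes.items():
        if out["event"] == "Login":
            report["logins"].append({"session": sid, "method": out["method"]})
    return report
```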
Good afternoon.
Shouldn't at least the wiki page be updated so that it avoids someone in the future having to struggle like I did?
On 08/11/2019 at 17:13, David Wells via dovecot wrote: