[Dovecot] Samba AD and Dovecot

Jason Gunthorpe jgunthorpe at obsidianresearch.com
Wed Oct 7 08:38:12 EEST 2009


On Wed, Oct 07, 2009 at 12:57:21AM -0400, Timo Sirainen wrote:
> Ccing mailing list, since I'm not all-knowing..
> 
> On Oct 7, 2009, at 12:49 AM, Trever L. Adams wrote:
> 
> >Timo Sirainen wrote:
> >>On Oct 7, 2009, at 12:36 AM, Trever L. Adams wrote:
> >>>1) I have seen how to configure for LDAP and Kerberos. AD uses both
> >>>together. All user information is in AD/LDAP and authentication is
> >>>AD/Kerberos. How can I configure Dovecot to use both appropriately?
> >>You could forget about the Kerberos part and just use AD as an LDAP
> >>server.
> >I really want to use kerberos/SPNEGO everywhere I can for various
> >reasons. The LDAP would be for the configuration.
> 
> Do you actually want the IMAP/POP3 clients to use Kerberos? For  
> plaintext auth I don't see any benefit in Dovecot using Kerberos  
> rather than LDAP (and it doesn't support that, except via pam_kerberos  
> or whatever I guess). But for clients to use Kerberos (GSSAPI) and  
> authenticate against AD while Dovecot is in the middle... I've no  
> idea. I guess that's possible somehow.

There was a thread a month or so ago on how to do GSSAPI with AD and
dovecot kerberos. It works great, and I highly recommend it for AD
sites. Check the archives, it isn't really too hard.

The problem with LDAP is you have to use SSL ldap for security. The
overhead is much higher than using native kerberos or samba pam
modules. There is also an obnoxious setup procedure on the AD side to
get an LDAP SSL cert installed and serious issues with failover to
backup domain controllers. For plain text password auth on AD sites,
samba's pam_winbind is probably the best choice. Secure, easy to setup
and pretty fast.

If you have an AD server I also *highly* recommend the dovecot winbind
NTLM method. Almost every client in the world will do some level of
NTLM hashing and it reduces the risk from plain password exposure.

> >No, I will be using the new Samba IDMAP stuff that hashes all the parts
> >of the windows ID to a 32 bit UID. Any way to do this, or will I need
> >to find another solution (not for mailing, but for directory creation)?
> 
> There's no great way to do this.. A couple of kludgy ways. Like chmod  
> 01777 /var/mail. Or override mail_executable setting to a script that  
> still runs as root and can create the directory with proper  
> permissions. http://wiki.dovecot.org/PostLoginScripting

Can dovecot use pam_mkhomedir?

Jason
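As an added example (not from this thread or the Dovecot project), here is a Dovecot 2.x configuration sketch for the setup Jason describes: GSSAPI and winbind-backed NTLM for clients, pam_winbind for plaintext logins over TLS, and AD over LDAP as the userdb. The hostname, realm, paths and PAM service name are assumptions.

```conf
# Added example, not from the thread. Dovecot 2.x settings for an AD site.
# mail.example.com, the keytab path, the LDAP config path and the PAM
# service name "dovecot" are placeholders (assumptions).

# Offer Kerberos (GSSAPI) and NTLM to clients. PLAIN/LOGIN stay available
# for clients that can do neither, but only inside TLS.
auth_mechanisms = plain login gssapi ntlm
disable_plaintext_auth = yes
ssl = required

# Kerberos: the imap/mail.example.com service principal is exported from AD
# into this keytab; Dovecot validates client tickets against it locally.
auth_gssapi_hostname = mail.example.com
auth_krb5_keytab = /etc/dovecot/dovecot.keytab

# Hand NTLM (and GSS-SPNEGO) to Samba's ntlm_auth helper so the domain
# controller verifies the challenge/response; Dovecot never sees a password.
auth_use_winbind = yes
auth_winbind_helper_path = /usr/bin/ntlm_auth

# Plaintext logins go through PAM, where pam_winbind uses the machine trust.
# session=yes makes Dovecot call pam_open_session(), which is the phase a
# session module such as pam_mkhomedir hooks into.
passdb {
  driver = pam
  args = session=yes dovecot
}

# User attributes (home, uid/gid) come from AD over LDAP. Use the same
# winbind idmap for the uid so file ownership matches Samba's view.
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# Alternative when winbind already provides NSS: let getpwnam() answer and
# drop the LDAP userdb above.
#userdb {
#  driver = passwd
#}

# Per-domain, per-user homes; /var/mail/%d must exist and be writable by
# the mail UIDs for Dovecot to create the Maildir on first login.
mail_home = /var/mail/%d/%n
mail_location = maildir:~/Maildir
```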