How to "Windows Authenticate"

Rick Romero rick at havokmon.com
Thu Sep 10 13:27:15 UTC 2015 

  Quoting Mark Foley <mfoley at ohprs.org>:

> Rick,
>
> Samba4 AD/DC and Dovecot work perfectly for everything including access
> from
> SmartPhones.  I've got roaming domain logins, redirected folders,
> calendars and
> contacts work just fine with Outlook and WebDav for sharing calendars;
> don't
> need them in Dovecot. 
>  

Do you have that documented somewhere?  I would love to see how that's
done.

> For the most part, Outlook users can't tell they are not
> still on Exchange ...  except they have to maintain their Outlook
password
> distinct from their Windows password.  Which is their one HUGE issue.
>
> My absolutely LAST issue with totally duplicating SBS/Exchange
> functionality on
> Samba4/Dovecot is getting Dovecot to authenticate with Outlook clients
> using
> Windows Authentication which, as I understand things, can supposedly be
> done
> with NTLM.  I just can't get it to work.  I think a heck of a lot if
> Windows
> [SB]Server shops would convert to Samba4/Dovecot if someone figured out
> how to
> do this.
>
> My Dovecot log messages make it look close to working:
>
> Sep 05 16:45:19 auth-worker(5498): Debug:
> shadow(mark at hprs,192.168.0.58): lookup
> Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark at hprs,192.168.0.58):
> unknown user
>
> Dovecot gets the user as" mark at hprs" instead of "mark" and therefore
> can't find
> it in the userdb.
>
> I can find no Dovecot wiki on this. If Dovecot just can't authenticate
> this way
> can someone (Timo?) tell me so and I'll cease my 8 month quest.

These are two

http://wiki2.dovecot.org/Authentication/Kerberos
http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm

As I understand it, NTLM is a layer above Kerberos.  I don't see either
referenced similarly to either wiki pages in the pasted config...

> Otherwise, what should I have for a userdb? What should I have for a
> passdb? Can
> I parse the "@hprs" bit off the userId received by Dovecot? These seem
> to be my
> hang-ups.  At this point, I'm open to guesses.
>
> Just for the heck of it, here's one of the doveconf's I tested with,
> reproduced
> here because it's burried in the messages below:
>
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_mechanisms = plain ntlm login
> auth_use_winbind = yes
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
> driver = shadow
> }
> protocols = imap
> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> userdb {
> driver = passwd
> }
> verbose_ssl = yes
>
> And wbinfo (requested by you in an earlier message) showing some of the
> Domain
> users (I'm testing with mark):
>
> $ wbinfo -u
> Administrator
> Guest
> krbtgt
> dns-mail
> mark
> sogo
> (more)
>
> You wrote:
>
>> It also won't look up /etc/shadow - Samba is doing the AD->Unix UID
>> mapping.  Your AD users shouldn't be in there when all is said and
>> done.
>
> If not there, where?

  Samba handles the idmap. The pasted config looks like a local shadow
lookup.

Though I don't think that resolves the user at domain uid 'issue'..  Maybe
Samba/NTLM/Kerberos will just recognize the domain and take care of it ?

In any case, side note -  I wrote a webapp a while ago in PHP, and I have
3 domains in a Trust and the user's browser sends their auth info to an
Apache server using Kerberos auth.  It looks like what you're seeing,
based on my code - 'user at domain' is normal:
$authusername = $_SERVER["PHP_AUTH_USER"];
if ( stristr($authusername,"@")) {
        $auth_ar = explode("@",$authusername) ;
//<blah blah blah>

So receiving user at domain is at least to be expected.

I don't know what Dovecot would do with that domain info... 

I would probably work on doing AD auth on another package first - maybe ssh
or PureFTPd - then come back to Dovecot - but also review the two auth
options I linked above if you didn't get my mail the first time.

I CCd you directly, because I swear I provided the NTLM wiki page before,
and maybe my mail got dropped.

Rick

> Humor me. Give me ONE suggestion to try!

> --Mark
>  

More information about the dovecot mailing list