How to "Windows Authenticate"

Mark Foley mfoley at ohprs.org
Fri Sep 11 04:05:53 UTC 2015


As to your suggested links,

Samba4 uses Heimdal Kerberos which is part of the Samba4 installation:
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Installation, so I don't know
if the krb5 configs discussed in your link will apply. I'll revisit this if other
things I'm trying don't work out.

If that http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm link were on paper
I'd have worn out the pages by now.  I did see your original message to me on
that, tried what I could and posted my results to the list dated Sat, 05 Sep
2015 17:12:50 -0400.  Didn't work, probably because I don't know what I'm doing,
although I don't think I've spent longer on any other software package without
mastering it! The userdb syntax shown on that site had errors with my dovecot
2.2.15.  Instructions for an older version (dates on wikis would be nice)? Check
out my Sep 5 posting if you missed it and see if I'm doing something stupidly
obviously wrong. 

I'll have to also say that the wiki docs are pretty, but very difficult to
comprehend. There's an awful lot of assumed knowledge and terminology in there
and even though I have decades of Unix sysadmin experience, I get lost very
quickly.

A lot of things seem overcomplicated. For example, I'm now trying the
checkpassword auth method. Seems pretty simple at first: it gets the username
and password and returns 0 if OK or 1 if not. Simple right? But no, the Dovecot
implementation wants you to also set environment variables (which don't appear to
be there) and execute programs from within programs, and of course, it doesn't
"just work". Why the complexity? Why not return a simple 0 or 1 and go with
that? Oh well, I'm going to have to abandon this soon. Workplace indulgence is
wearing thin.

--Mark

-----Original Message-----
> Date: Thu, 10 Sep 2015 08:27:15 -0500
> From: Rick Romero <rick at havokmon.com>
> To: dovecot at dovecot.org
> Cc: mfoley at ohprs.org
> Subject: Re: How to "Windows Authenticate"
>
>   Quoting Mark Foley <mfoley at ohprs.org>:
>
> > Rick,
> >
> > Samba4 AD/DC and Dovecot work perfectly for everything including access
> > from
> > SmartPhones.  I've got roaming domain logins, redirected folders,
> > calendars and
> > contacts work just fine with Outlook and WebDav for sharing calendars;
> > don't
> > need them in Dovecot. 
> >  
>
> Do you have that documented somewhere?  I would love to see how that's
> done.
>
> > For the most part, Outlook users can't tell they are not
> > still on Exchange ...  except they have to maintain their Outlook
> password
> > distinct from their Windows password.  Which is their one HUGE issue.
> >
> > My absolutely LAST issue with totally duplicating SBS/Exchange
> > functionality on
> > Samba4/Dovecot is getting Dovecot to authenticate with Outlook clients
> > using
> > Windows Authentication which, as I understand things, can supposedly be
> > done
> > with NTLM.  I just can't get it to work.  I think a heck of a lot of
> > Windows
> > [SB]Server shops would convert to Samba4/Dovecot if someone figured out
> > how to
> > do this.
> >
> > My Dovecot log messages make it look close to working:
> >
> > Sep 05 16:45:19 auth-worker(5498): Debug:
> > shadow(mark@hprs,192.168.0.58): lookup
> > Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58):
> > unknown user
> >
> > Dovecot gets the user as "mark@hprs" instead of "mark" and therefore
> > can't find
> > it in the userdb.
> >
> > I can find no Dovecot wiki on this. If Dovecot just can't authenticate
> > this way
> > can someone (Timo?) tell me so and I'll cease my 8 month quest.
>
> These are two
>
> http://wiki2.dovecot.org/Authentication/Kerberos
> http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
>
> As I understand it, NTLM is a layer above Kerberos.  I don't see either
> referenced similarly to either wiki page in the pasted config...
>
> > Otherwise, what should I have for a userdb? What should I have for a
> > passdb? Can
> > I parse the "@hprs" bit off the userId received by Dovecot? These seem
> > to be my
> > hang-ups.  At this point, I'm open to guesses.
> >
> > Just for the heck of it, here's one of the doveconf's I tested with,
> > reproduced
> > here because it's buried in the messages below:
> >
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = plain ntlm login
> > auth_use_winbind = yes
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > passdb {
> >   driver = shadow
> > }
> > protocols = imap
> > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
> > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> > userdb {
> >   driver = passwd
> > }
> > verbose_ssl = yes
> >
> > And wbinfo (requested by you in an earlier message) showing some of the
> > Domain
> > users (I'm testing with mark):
> >
> > $ wbinfo -u
> > Administrator
> > Guest
> > krbtgt
> > dns-mail
> > mark
> > sogo
> > (more)
> >
> > You wrote:
> >
> >> It also won't look up /etc/shadow - Samba is doing the AD->Unix UID
> >> mapping.  Your AD users shouldn't be in there when all is said and
> >> done.
> >
> > If not there, where?
>
>   Samba handles the idmap. The pasted config looks like a local shadow
> lookup.
>
> Though I don't think that resolves the user@domain uid 'issue'.  Maybe
> Samba/NTLM/Kerberos will just recognize the domain and take care of it ?
>
> In any case, side note -  I wrote a webapp a while ago in PHP, and I have
> 3 domains in a Trust and the user's browser sends their auth info to an
> Apache server using Kerberos auth.  It looks like what you're seeing,
> based on my code - 'user@domain' is normal:
> $authusername = $_SERVER["PHP_AUTH_USER"];
> if ( stristr($authusername,"@")) {
>         $auth_ar = explode("@",$authusername) ;
> //<blah blah blah>
> }
>
> So receiving user@domain is at least to be expected.
>
> I don't know what Dovecot would do with that domain info... 
>
> I would probably work on doing AD auth on another package first - maybe ssh
> or PureFTPd - then come back to Dovecot - but also review the two auth
> options I linked above if you didn't get my mail the first time.
>
> I CCd you directly, because I swear I provided the NTLM wiki page before,
> and maybe my mail got dropped.
>
> Rick
>
> > Humor me. Give me ONE suggestion to try!
>
> > --Mark
> >  
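Added example, not code from Mark, Rick or the Dovecot project: a minimal checkpassword passdb that shows what Mark's description of the protocol amounts to (credentials arrive NUL-separated on file descriptor 3; exit 1 means bad password, 111 a temporary failure; on success the script exports the reply variables and execs the checkpassword-reply binary Dovecot passes as argv[1]), and that also trims the "user@domain" form seen in the log above down to the bare name before the lookup. The user table, the password "correct horse", the /home/<user> layout and the domain trimming are assumptions made for this example; a real script would ask winbind, LDAP or another backend instead of a dictionary.

```python
#!/usr/bin/env python3
"""Dovecot checkpassword passdb, as an added illustration of the protocol.

Dovecot runs the program with one argument (the checkpassword-reply binary)
and writes "username\\0password\\0timestamp\\0" on file descriptor 3.  The
program exits 1 for a bad password and 111 for a temporary failure; on
success it must put the reply variables in the environment and exec the
reply binary, which hands them back to Dovecot.  The user table and the
password below are constructed for this example only.
"""
import hashlib
import hmac
import os
import sys
from typing import Dict, Tuple

EXIT_OK = 0              # success (meaningful only after exec'ing the reply binary)
EXIT_BAD_PASSWORD = 1    # wrong password; also used for unknown user (see below)
EXIT_MISUSE = 2          # called incorrectly / malformed input
EXIT_TEMP_FAILURE = 111  # backend unavailable, client should retry later

PBKDF2_ROUNDS = 50_000


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed stand-in for a real backend (winbind, LDAP, ...):
# username -> (salt, pbkdf2(password)).  User "mark", password "correct horse".
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "mark": (b"example-salt", _hash(b"example-salt", "correct horse")),
}


def parse_fd3(data: bytes) -> Tuple[str, str]:
    """Split the NUL-separated checkpassword input into (username, password).
    Raises ValueError unless both fields are present and NUL-terminated."""
    fields = data.split(b"\0")
    if len(fields) < 3:
        raise ValueError("malformed checkpassword input")
    return fields[0].decode("utf-8"), fields[1].decode("utf-8")


def strip_domain(login: str) -> str:
    """Reduce "mark@hprs" to "mark" (same effect as auth_username_format = %n).
    Only safe when every login belongs to the one domain."""
    return login.split("@", 1)[0]


def check_password(login: str, password: str) -> int:
    """Return the checkpassword exit code for one attempt."""
    user = strip_domain(login)
    entry = USERS.get(user)
    if entry is None:
        # Unknown user and wrong password get the same answer on purpose,
        # so the script does not help an attacker enumerate accounts.
        return EXIT_BAD_PASSWORD
    salt, expected = entry
    if hmac.compare_digest(_hash(salt, password), expected):
        return EXIT_OK
    return EXIT_BAD_PASSWORD


def reply_environment(login: str) -> Dict[str, str]:
    """Variables for checkpassword-reply.  USER is the name Dovecot will use;
    HOME follows an assumed /home/<user> layout.  The password is never
    exported, so it cannot leak through the reply binary or its logging."""
    user = strip_domain(login)
    return {"USER": user, "HOME": "/home/" + user}


def read_all(fd: int) -> bytes:
    """Read fd until EOF; Dovecot may deliver the 512-byte block in pieces."""
    buf = b""
    while True:
        chunk = os.read(fd, 512)
        if not chunk:
            return buf
        buf += chunk


def main() -> int:
    if len(sys.argv) != 2:
        return EXIT_MISUSE
    try:
        login, password = parse_fd3(read_all(3))
    except OSError:
        return EXIT_TEMP_FAILURE
    except ValueError:
        return EXIT_MISUSE
    rc = check_password(login, password)
    if rc != EXIT_OK:
        return rc
    env = dict(os.environ)
    env.update(reply_environment(login))
    os.execve(sys.argv[1], [sys.argv[1]], env)  # replaces this process on success
    return EXIT_TEMP_FAILURE  # only reached if exec itself failed


if __name__ == "__main__":
    sys.exit(main())
```

It would be wired in with Dovecot's checkpassword driver, passdb { driver = checkpassword  args = /usr/local/bin/checkpw.py } (the path is assumed). The domain trimming the script does by hand can also be done by Dovecot itself before any passdb or userdb sees the name, with auth_username_format = %n (%n is the user part without the domain); either way it collapses every realm into one local namespace, which is only acceptable with a single domain. Two cautions that follow from the thread: never export the password into the reply environment, and note that the pasted config's auth_debug_passwords = yes and auth_verbose_passwords = plain write plaintext passwords into /var/log/dovecot_info, so they belong off as soon as the debugging is done.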

