How to "Windows Authenticate"

Mark Foley mfoley at ohprs.org
Wed Sep 16 21:44:24 UTC 2015


Love your "ASCII Ribbon Campaign" signature! I still use mailx myself.

I'll have to check out that "access denied" message for the email to
mfoley at ohprs.org. I haven't seen that before. FreeBSD.org is not blocked in my
access.db. Hmmm ...

Anyway, yes, I've been through those instructions over and over and they
certainly do "suggest" it should work, but I haven't yet found anyone that has
actually got it working. I assume you have not either, right?

The platform these instructions target is not quite my setup, as the
Dovecot host is also the AD/DC using Samba4, so the DC/join instructions don't
apply, nor does the Kerberos: "Please note that you do not need to install or
configure any other Kerberos KDC for Samba to work.  Samba includes a
AD-compatible KDC, currently based on an included copy of the Heimdal project."

https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Testing_Kerberos

Also, the instruction in the link you reference must be a bit out of date
because the suggested userdb:

userdb static {
   args= uid=501 gid=501 home=/home/vmail/%1Ln/%Ln
   mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln
   allow_all_users=yes
}

gives an error with my dovecot 2.2.15. The word "static" has to go inside the
curly-braces as "driver static" and the "allow_all_users" has to be added to the
'args' string. Otherwise, Dovecot won't run the config as shown in the link.

Otherwise, and with the above changes to the userdb, I believe I've followed all
applicable instructions in that link. The error I get with my config in the
Dovecot log is:

Sep 13 00:53:12 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 13 00:53:12 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<2PnkuZkfqADAqAA6>

Any idea what would generate this message?

--Mark

-----Original Message-----
> Subject: Re: How to "Windows Authenticate"
> From: Remko Lodder <remko at FreeBSD.org>
> Date: Wed, 16 Sep 2015 19:38:08 +0200
> To: Mark Foley <mfoley at ohprs.org>
> Cc: dovecot at dovecot.org
>
> > On 16 Sep 2015, at 19:10, Mark Foley <mfoley at ohprs.org> wrote:
> > 
> > Does the Dovecot NTLM mechanism work with MS Outlook?
> > 
> > [ ] YES
> > [ ] NO
> > 
> > Please check one ... anybody.
> > 
> > --Mark
>
>
>
> The URL on the wiki, which had probably been shared before with you;
>
> http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
>
> suggests it does.
>
> The URL quotes:
>
> Step 5. Passwordless authentication
>
> If you have logged on from Windows to the AD domain, try leaving the password field, on the account, on the MUA, blank. The username / password, from the initial logon to the Windows machine, are seamlessly picked up and supplied to the challenge-response process between the MUA, Dovecot and AD. Employing this way of authentication  we achieve single sign-on and we don't need to maintain MUA local passwords.
>
> Did you follow the suggestions that are on that page? (all of them).
>
> Thank you,
> Remko
>
> --
> /"\   Best regards,                      | remko at FreeBSD.org
> \ /   Remko Lodder                       | remko at EFnet
>  X    http://www.evilcoder.org/          |
> / \   ASCII Ribbon Campaign              | Against HTML Mail and News
>
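The userdb block rewritten the way the post says Dovecot 2.2.15 expects it, added here as an illustration and not taken from the post or the wiki page; uid/gid 501 and the /home/vmail paths are carried over from the quoted snippet, and the doveconf check is an assumed way to confirm what Dovecot actually loaded:

```conf
# Dovecot 2.2.x form: "driver" is a setting inside the section, and
# allow_all_users is one more key=value in the args string.
userdb {
  driver = static
  args = uid=501 gid=501 home=/home/vmail/%1Ln/%Ln mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln allow_all_users=yes
}

# allow_all_users=yes tells the static userdb to skip its passdb existence
# check, so the passdb (here the AD/NTLM side) is the only thing deciding
# whether a login name is valid; the userdb itself never rejects anyone.

# Confirm the effective config with:  doveconf -n
# The userdb section printed there should match the block above.
```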

