Authenticating with checkpassword

Mark Foley mfoley at ohprs.org
Thu Feb 21 18:50:07 EET 2019


I am trying to use the checkpassword authentication (https://wiki.dovecot.org/AuthDatabase/CheckPassword)
I do have a working checkpassword program. The protocol expects to receive on fd 3 the
following:

username<nul>password<nul>optionalstuff<nul>

I find that this works properly and the program can authenticate if the client is using PLAIN
LOGIN.  Both username and password are sent on fd 3.  But, if the client has specified
kerberos/gssapi authentication, then only the username is passed to checkpassword.  The
following is a debug dump from checkpassword showing the input read on fd 3 (12 bytes):

len 12: 636861726d61696e65000000 charmaine...
User: [charmaine], PW: []

Without a password, checkpassword returns failure. 

I am running dovecot in a Samba4 Active Directory.  I have some email clients that use
kerberos/GSSAPI (Thunderbird) and some that can only use PLAIN LOGIN (Outlook).  All users,
however, are active directory domain users and all could potentially authenticate with AD
credentials. 

I was hoping to use checkpassword for this. Otherwise, every user who cannot authenticate via
kerberos/GSSAPI also has to be in the mail server's /etc/passwd file with the same ID/PW as
their AD credentials, which becomes a bit of a pain when the user changes his domain password.

Why does dovecot not pass the user's password to checkpassword? When I tried this a few years
ago I thought it did.

If checkpassword fails, why does it not then try the kerberos/GSSAPI mechanism?

Is there a solution to this? 

THX --Mark
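For readers following this thread: the fd 3 block and the 12-byte dump above are easy to reason about with a small parser in hand. The following is an added example written for this archive page; it is not Mark's checkpassword program and not Dovecot's own code. It implements the checkpassword contract as documented on the wiki page linked above (credentials on fd 3 as NUL-separated username, password and a trailing field; exit 0 on success, 1 on authentication failure, 2 on misuse, 111 on temporary failure; on success exec the reply program passed as argv[1]). The credential store, the salt, the sample password "correct horse" and the PBKDF2 parameters are all constructed for the example and stand in for whatever AD lookup a real deployment would do. The point it demonstrates is the case in the post: when Dovecot hands over only the username (the GSSAPI client), the password field is empty, and the program must treat that as a failure rather than let an empty password through.

```python
#!/usr/bin/env python3
"""Minimal checkpassword-style program (added example; not Dovecot's code).

Reads the credential block from fd 3, splits it on NUL bytes and maps the
result to the checkpassword exit codes: 0 = authenticated (then exec the
reply program given as argv[1]), 1 = authentication failed, 2 = misuse or
malformed input, 111 = temporary failure.  SAMPLE_STORE is a constructed
stand-in for the directory lookup a real deployment would perform.
"""
import hashlib
import hmac
import os
import sys

# Constructed sample store: username -> (salt, PBKDF2-HMAC-SHA256 digest).
_ITERATIONS = 100_000
_SAMPLE_SALT = b"example-salt-16b"


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


SAMPLE_STORE = {
    "charmaine": (_SAMPLE_SALT, _derive("correct horse", _SAMPLE_SALT)),
}


def parse_fd3(data: bytes):
    """Split 'username\\0password\\0extra\\0' as received on fd 3.

    Returns (username, password, extra) as str, or None when the block does
    not contain the two NUL-terminated fields the protocol requires.  The
    trailing field is kept verbatim (Dovecot places a timestamp there).
    """
    parts = data.split(b"\x00")
    if len(parts) < 3:          # username, password and the terminating NUL
        return None
    username, password = parts[0], parts[1]
    extra = b"\x00".join(parts[2:]).rstrip(b"\x00")
    try:
        return (username.decode("utf-8"), password.decode("utf-8"),
                extra.decode("utf-8", "replace"))
    except UnicodeDecodeError:
        return None


def verify(username: str, password: str, store=SAMPLE_STORE) -> bool:
    """Constant-time password check against the (constructed) store."""
    entry = store.get(username)
    if entry is None:
        _derive(password, _SAMPLE_SALT)   # same cost for unknown users
        return False
    salt, expected = entry
    return hmac.compare_digest(_derive(password, salt), expected)


def decide(data: bytes, store=SAMPLE_STORE) -> int:
    """Map one fd 3 block to a checkpassword exit status."""
    fields = parse_fd3(data)
    if fields is None:
        return 2                # misuse: malformed input
    username, password, _extra = fields
    if not username or not password:
        # The GSSAPI case from the post: the block carries only the username.
        # An empty password must never authenticate, otherwise a mechanism
        # mismatch on the client side turns into an authentication bypass.
        return 1
    return 0 if verify(username, password, store) else 1


def main() -> int:
    try:
        with os.fdopen(3, "rb") as fd3:
            data = fd3.read()
    except OSError:
        return 2                # fd 3 was not supplied: caller misuse
    status = decide(data)
    if status == 0 and len(sys.argv) > 1:
        # checkpassword convention: on success exec the reply program
        # (argv[1]) and hand it the authenticated user via the environment.
        os.environ["USER"] = parse_fd3(data)[0]
        os.execvp(sys.argv[1], sys.argv[1:])
    return status


if __name__ == "__main__":
    sys.exit(main())
```

Feeding it the exact bytes from the dump (`636861726d61696e65000000`, i.e. "charmaine" followed by three NULs) yields username "charmaine", an empty password and an empty trailing field, so `decide()` returns 1, which is the failure Mark observes. A block with the sample password present returns 0; a block with no terminating NUL at all returns 2.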

