Quoting Mark Foley <mfo...@ohprs.org>:

Rick,

Samba4 AD/DC and Dovecot work perfectly for everything including access from
SmartPhones.  I've got roaming domain logins, redirected folders, calendars and
contacts work just fine with Outlook and WebDav for sharing calendars; don't
need them in Dovecot.


Do you have that documented somewhere?  I would love to see how that's done.

For the most part, Outlook users can't tell they are not still on Exchange ...
except they have to maintain their Outlook password distinct from their Windows
password.  Which is their one HUGE issue.

My absolutely LAST issue with totally duplicating SBS/Exchange functionality on
Samba4/Dovecot is getting Dovecot to authenticate with Outlook clients using
Windows Authentication which, as I understand things, can supposedly be done
with NTLM.  I just can't get it to work.  I think a heck of a lot of Windows
[SB]Server shops would convert to Samba4/Dovecot if someone figured out how to
do this.

My Dovecot log messages make it look close to working:

Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user

Dovecot gets the user as "mark@hprs" instead of "mark" and therefore can't find
it in the userdb.

I can find no Dovecot wiki on this. If Dovecot just can't authenticate this way
can someone (Timo?) tell me so and I'll cease my 8 month quest.

These are two

http://wiki2.dovecot.org/Authentication/Kerberos
http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm

As I understand it, NTLM is a layer above Kerberos.  I don't see either
referenced similarly to either wiki page in the pasted config...

Otherwise, what should I have for a userdb? What should I have for a passdb? Can
I parse the "@hprs" bit off the userId received by Dovecot? These seem to be my
hang-ups.  At this point, I'm open to guesses.

Just for the heck of it, here's one of the doveconf's I tested with, reproduced
here because it's buried in the messages below:

# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
driver = passwd
}
verbose_ssl = yes

And wbinfo (requested by you in an earlier message) showing some of the Domain
users (I'm testing with mark):

$ wbinfo -u
Administrator
Guest
krbtgt
dns-mail
mark
sogo
(more)

You wrote:

It also won't look up /etc/shadow - Samba is doing the AD->Unix UID mapping.
Your AD users shouldn't be in there when all is said and done.

If not there, where?

Samba handles the idmap. The pasted config looks like a local shadow lookup.

Though I don't think that resolves the user@domain uid 'issue'..  Maybe
Samba/NTLM/Kerberos will just recognize the domain and take care of it?

In any case, side note -  I wrote a webapp a while ago in PHP, and I have
3 domains in a Trust and the user's browser sends their auth info to an
Apache server using Kerberos auth.  It looks like what you're seeing,
based on my code - 'user@domain' is normal:
$authusername = $_SERVER["PHP_AUTH_USER"];
if ( stristr($authusername,"@")) {
        // $auth_ar[0] is the user part, $auth_ar[1] the domain part
        $auth_ar = explode("@",$authusername) ;
        //<blah blah blah>
}

So receiving user@domain is at least to be expected.

I don't know what Dovecot would do with that domain info... 

I would probably work on doing AD auth on another package first - maybe ssh
or PureFTPd - then come back to Dovecot - but also review the two auth
options I linked above if you didn't get my mail the first time.

I CCd you directly, because I swear I provided the NTLM wiki page before,
and maybe my mail got dropped.

Rick

Humor me. Give me ONE suggestion to try!

--Mark
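The question above about parsing the "@hprs" bit off the login name has a Dovecot setting for it: `auth_username_format` is applied to the username before any passdb/userdb lookup, and the `%n` variable keeps only the part before the `@` (`%d` would keep only the domain; the 2.2 default is `%Lu`, which just lowercases). The following is an added example, not from either poster: it is the doveconf pasted above with that one setting added and comments on the settings that matter for security. The `auth_winbind_helper_path` value is an assumed location for Samba's `ntlm_auth` helper, and the passdb/userdb blocks are left exactly as pasted.

```conf
# Added example (not from the thread): the pasted dovecot.conf with one
# setting added so that a login of "mark@hprs" is looked up as "mark".
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf

# %n keeps only the user part of user@domain before passdb/userdb lookups.
# Without this the shadow/passwd lookups are done for "mark@hprs", which is
# exactly what the "unknown user" log line above shows.
auth_username_format = %n

auth_mechanisms = plain login ntlm
auth_use_winbind = yes
# Samba's ntlm_auth helper; assumed path, confirm with `which ntlm_auth`
auth_winbind_helper_path = /usr/bin/ntlm_auth

# Debug settings from the pasted config. auth_verbose_passwords = plain writes
# the cleartext password of every login attempt into info_log_path; switch
# these off (and rotate the log) once the lookup problem is solved.
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = plain
info_log_path = /var/log/dovecot_info

# plain and login send the password in cleartext. "no" allows them on non-TLS
# connections as well; with ssl_cert/ssl_key set, "yes" still permits them
# over TLS, so this can go back to yes once NTLM is confirmed working.
disable_plaintext_auth = no

mail_location = maildir:~/Maildir
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key

# passdb as pasted; as noted in the thread, AD users are not in /etc/shadow
passdb {
  driver = shadow
}
# userdb via NSS: resolves AD users only if nsswitch.conf has "passwd: ... winbind"
userdb {
  driver = passwd
}
verbose_ssl = yes
```

Two checks before retrying Outlook: `getent passwd mark` must return an entry (that is the lookup the `passwd` userdb performs, and `wbinfo -u` listing the user does not by itself prove NSS is wired to winbind), and `doveadm auth test mark@hprs` exercises the passdb path and prints the username as Dovecot sees it after `auth_username_format` is applied.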