I'm still a bit fuzzy on exactly what has blown up here since my 1.2
install (or maybe it was broken then and I never noticed), but it
looks like the way dovecot is calling out to ntlm_auth is violating
the --helper-protocol=squid-2.5-ntlmssp scheme.
The issue is how it handles simultaneous client
The next thing I noticed in my v1.2 -> 2.2 upgrade is that
mail_location = maildir:[..]:LAYOUT=imapdir
is broken, the symptom is dovecot returning this to the client when
requesting any mailbox beyond INBOX:
Character not allowed in mailbox name: '
Which is actually trying to say "Character n
Hi all,
I am upgrading a dovecot 1.2 installation to a 2.2 installation and
have found and fixed a number of problems..
I've seen several postings in the archive about ntlm_auth not working,
and it is true, there are several regressions in dovecot here.
The first and simplest is that the enablem
On Wed, Aug 31, 2011 at 09:28:50AM -0600, Trever L. Adams wrote:
> I have only followed part of this. If the original poster's problem is
> that the LDAP database is not being able to be accessed with an SPN
> ticket, this is because SPNs are not allowed to log in in AD. You need
> to use a user a
On Sat, Feb 05, 2011 at 08:49:21PM -0700, Trever L. Adams wrote:
> >> It appears that the script you recommended doesn't do the trick. Does
> >> /usr/libexec/dovecot/auth clear the environment. Even doing it manually
> >> from the command line the openldap stuff doesn't seem to pick up the
> >> KR
On Sat, Feb 05, 2011 at 08:39:37PM -0700, Trever L. Adams wrote:
> > Set these things in the config
> >
> > auth_use_winbind = yes
> >
> > mechanisms = plain gssapi gss-spnego login ntlm
> Ok, I do this step differently as I use gssapi directly and not with
> winbind.
This is also what this do
On Fri, Feb 04, 2011 at 01:47:31PM -0700, Trever L. Adams wrote:
> > There was a thread a month or so ago on how to do GSSAPI with AD and
> > dovecot kerberos. It works great, and I highly recommend it for AD
> > sites. Check the archives, it isn't really too hard.
> I am not finding this. Do you
On Fri, Feb 04, 2011 at 12:57:11PM -0700, Trever L. Adams wrote:
> On 02/02/2011 04:17 PM, Timo Sirainen wrote:
> >
> > It does set that, but only on first GSSAPI authentication. I guess it
> > wouldn't hurt moving it to do it always. If that script helps you, I can
> > do this change.
> It appears
On Thu, Feb 03, 2011 at 01:17:02AM +0200, Timo Sirainen wrote:
> > Postfix (the other half of my solution -- though the version I am using
> > doesn't do SASL LDAP yet, but 2.9.x does) allows you, in the
> > configuration, to set what environment variables it should not unset and
> > even define ne
On Wed, Nov 04, 2009 at 02:33:07PM -0500, Timo Sirainen wrote:
> I still don't really understand. Probably because I don't know how
> exactly SRV records are supposed to even work. How would I query LDAP
> service with e.g. dig?
Latest versions of openldap do this automatically, IIRC you specify a
On Wed, Oct 07, 2009 at 12:57:21AM -0400, Timo Sirainen wrote:
> Ccing mailing list, since I'm not all-knowing..
>
> On Oct 7, 2009, at 12:49 AM, Trever L. Adams wrote:
>
> >Timo Sirainen wrote:
> >>On Oct 7, 2009, at 12:36 AM, Trever L. Adams wrote:
> >>>1) I have seen how to configure for LDAP
On Mon, Aug 31, 2009 at 11:20:18PM +0100, Gavin Hamill wrote:
> > Ok.. this is not too good, you should have many other entries too,
> > several starting with host/ and CCIMAP$.
>
> The suggestion to remove the computer object (and the 'imapCcimap' user
> I bound the SPN to using ktpass) and 'net
On Mon, Aug 31, 2009 at 10:21:47PM +0100, Gavin Hamill wrote:
> On Mon, 2009-08-31 at 13:24 -0600, Jason Gunthorpe wrote:
>
> > > Ouch, can you go a little more slowly, please? I think I've joined the
> > > domain OK:
>
> > Sure..
>
> Many thanks for
On Mon, Aug 31, 2009 at 07:23:22PM +0100, Gavin Hamill wrote:
> On Sun, 2009-08-30 at 14:29 -0600, Jason Gunthorpe wrote:
>
> > The kerberos setup is pretty easy.. 'net ads join' your server, go
> > into the adsi editor and provide a imap and smtp SPN for the host, use
On Sun, Aug 30, 2009 at 08:38:20PM +0100, Gavin Hamill wrote:
> On Sat, 2009-08-29 at 21:55 -0600, Jason Gunthorpe wrote:
> > On Sun, Aug 30, 2009 at 01:50:02AM +0100, Gavin Hamill wrote:
> > > Has anyone successfully configured the above to enable Single Sign-On? I
> > >
On Sun, Aug 30, 2009 at 01:50:02AM +0100, Gavin Hamill wrote:
> Has anyone successfully configured the above to enable Single Sign-On? I
> would love to move away from Exchange but SSO is a corporate
> requirement.
I looked at this in some detail and concluded that the NTLM support on
Outlook 2007
On Fri, Aug 07, 2009 at 12:50:25PM -0400, Timo Sirainen wrote:
> I think "secure authentication" usually means CRAM-MD5 in Thunderbird.
> But maybe they use it for GSSAPI too, no idea.
For sure it enables NTLM and GSSAPI at least.
Jason
On Wed, Feb 18, 2009 at 10:33:09PM +0300, Nikolay Shopik wrote:
> I'm currently trying to configure Dovecot to use kerberos. My KDC is
> Windows 2003 and I successfully generated keytab file for Dovecot machine.
> Problem is when I'm trying to use GSSAPI it told me
> Obtaining credentials for i...
On Wed, Jan 21, 2009 at 08:26:37AM +0200, Dimitrios Karapiperis wrote:
> I would like to ask if there is adequate mechanism to authenticate users
> through POP3 against Active Directory by Outlook Express so that users will
> authenticate seamlessly using logon credentials.
>
> I have implemented
On Tue, Dec 09, 2008 at 01:57:43PM +0100, Thomas Siebert wrote:
> > That works but has 3 main drawbacks:
> > 1) It is a pain to setup SSL LDAP on both windows and linux. If you
> > don't do this then it is massively insecure
>
> Agreed, if you don't it is massively insecure. But I don't see
On Mon, Dec 08, 2008 at 02:43:53PM +0100, Thomas Siebert wrote:
> You have to use LDAP as Authentication Backend with Port 3268.
>
> http://wiki.dovecot.org/AuthDatabase/LDAP
That works but has 3 main drawbacks:
1) It is a pain to setup SSL LDAP on both windows and linux. If you
don't do thi
Hey all,
I'm curious, has anyone been able to get outlook to do single sign on
with a linux IMAP/SMTP back end? I have it doing NTLM authentication
via the dovecot winbind module with Samba 3.2 just fine, but I have
yet to see it try to use the cached windows logon credentials.. It
appears to do a
On Wed, Aug 13, 2008 at 03:07:55PM -0400, Timo Sirainen wrote:
>> + auth_request_log_info(request, "gssapi",
>> +"Using all keytab entires");
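Review bot: the message string passed to auth_request_log_info() in the second added line is misspelled: "Using all keytab entires" should read "Using all keytab entries". Fix it before this lands, since anyone searching the auth log for the keytab behaviour will look for the correct spelling.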
>
> I'm beginning to wonder about the logging in the code though. To me it
> looks like all of these should rather be log
On Wed, Aug 13, 2008 at 04:23:46PM -0400, Timo Sirainen wrote:
> Committed the patch to v1.2 tree with some changes:
> http://hg.dovecot.org/dovecot-1.2/rev/641d761219a6
What happens when the winbind_spnego and the gssapi_spnego are
registered at once? I did not address this because I did not hav
On Tue, Aug 12, 2008 at 10:23:19PM +0200, Angel Marin wrote:
> Jason Gunthorpe wrote:
> > On Tue, Aug 12, 2008 at 10:27:40AM +0200, Angel Marin wrote:
> >> Jason Gunthorpe wrote:
> >>> I cooked this up while trying to figure out why thunderbird on Windows
> >
On Tue, Aug 12, 2008 at 01:11:47PM -0400, Timo Sirainen wrote:
> On Aug 12, 2008, at 2:44 AM, Jason Gunthorpe wrote:
>
>> This is how the SPNEGO works in libapache-mod-auth-kerb-5.3 which
>> simply passes SPNEGO packets directly to gssapi if the library is new
>> enough. T
On Tue, Aug 12, 2008 at 10:27:40AM +0200, Angel Marin wrote:
> Jason Gunthorpe wrote:
> >I cooked this up while trying to figure out why thunderbird on Windows
> >w/ SSPI was not working, but it turned out thunderbird does not use
> >it, so I haven't been able to test it
I cooked this up while trying to figure out why thunderbird on Windows
w/ SSPI was not working, but it turned out thunderbird does not use
it, so I haven't been able to test it yet. I'm presenting it for
discussion only, unless someone else can try it :)
Modern versions of MIT kerberos support GSS
I saw some past chatter on this in the list archives, but here is
another stab and another rationale.
This patch follows a similar patch to openssh in that it allows any
key in the specified keytab to match the incoming host key. This is
necessary for multihomed hosts. See:
https://bugzilla.mindrot
29 matches