Comments interspersed with yours ... --Mark

-----Original Message-----
> Date: Sun, 06 Sep 2015 20:00:11 -0500
> From: Rick Romero <rick at havokmon.com>
> To: dovecot at dovecot.org
> Subject: Re: How to "Windows Authenticate"
>
> Hmm. I would expect to see 'mark at hprs.com'. Whatever your full domain
> name is.

Full user at domain would be mark at hprs.local

> It also won't look up /etc/shadow - Samba is doing the AD->Unix UID
> mapping. Your AD users shouldn't be in there when all is said and done.

I was thinking this too. I don't know why NTLM would need a userdb at all. It
should just use something like ntlm_auth (which is configured in
auth_winbind_helper). What if I simply removed the userdb? What would you
recommend for userdb, passdb?

> Well, when I did a Samba4 install as a DC it still behaved like a Samba3
> member, and there were no AD users in the local unix passwd files.
>
> What does wbinfo -u provide? It should list all your users - especially
> because it's a DC. Whatever wbinfo -u shows, you may need to adjust
> another config file to match what Dovecot is receiving.

$ wbinfo -u
Administrator
Guest
krbtgt
dns-mail
mark
sogo
**arr
**ress
**mith
**nee
**ris
**atterson
**armaine
**tkeson
**mmitoh

These are all the AD users (most obfuscated for a bit of security). I am
testing with user mark.

> I assume /etc/nsswitch.conf has been modified to use Samba?

Unless the Samba provision did something to nsswitch, I've done nothing; nor
have I seen anything in the Samba or dovecot wikis suggesting changes. Remember
also that the Samba4 AD/DC works perfectly with redirected folders and users
logging on to any Windows workstations, and works perfectly with things wanting
"Windows Authentication" like SQLserver, so the "Windows Authentication" does
work at some level.

My /etc/nsswitch.conf is:

passwd: compat
group: compat
hosts: files dns
networks: files
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files

> Sorry I haven't done this, but it doesn't seem like anyone else has either
> - so I'm just shooting in the dark here trying to get you steered in the
> right direction...
>
> Rick

Yeah, I can't seem to find a soul on the planet who has actually done this. If
I get it figured out I'll post with a suggestion to Timo to wiki-ize it. I'm a
bit puzzled that no one appears to have done this. I would think that a Samba4
AD/DC in an office environment with lots of Windows workstations running Outlook
would be about the most common environment there is; especially now that Small
Business Server is no longer sold and Server Essentials does not support
Exchange. What are all the SBS/Exchange/Outlook small businesses doing? Limping
along with SBS2008/11, or putting their email in Outlook.com? Seems like the
Samba4/dovecot/Outlook combo would be an ideal migration.

I appreciate your help.

> Quoting Mark Foley <mfoley at ohprs.org>:
>
> > More info ...
> >
> > My dovecot error log shows:
> >
> > Sep 05 16:45:19 auth: Debug: client in: AUTH  1  NTLM  service=imap
> > Sep 05 16:45:19 auth: Debug: client passdb out: OK  1  user=mark at hprs  original_user=mark at HPRS
> > Sep 05 16:45:19 auth: Debug: master in: REQUEST  998899713  10219  1  f56352c207cb8f6dea4d264b2c0f8dc1  session_pid=10220  request_auth_token
> > Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark at hprs,192.168.0.58): lookup
> > Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark at hprs,192.168.0.58): unknown user
> > Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND  998899713
> >
> > whereas the successful 'plain login' config'ed mechanism (before adding NTLM
> > config) has:
> >
> > Sep 06 20:27:38 auth-worker(18616): Debug: shadow(mark,104.6.249.210): lookup
> >
> > The failed ntlm look-up is looking up user mark at hprs in shadow, which it
> > doesn't find. Is there a way to strip the "@hprs" bit from the user so it
> > can find the correct entry in /etc/shadow? That might fix the problem.
> >
> > --Mark
> >
> > -----Original Message-----
> > From: Mark Foley <mfoley at ohprs.org>
> > Date: Sat, 05 Sep 2015 17:12:50 -0400
> > To: dovecot at dovecot.org
> > Subject: Re: How to "Windows Authenticate"
> >
> > Rick et al,
> >
> > The link you gave was a start, but is targeted for Samba3 and is assuming a
> > probably Windows [SBS]Server AD/DC separate from the DC hosting dovecot, and
> > includes setting up kerberos.
> >
> > I'm using a Samba4 AD/DC with integrated kerberos (so I don't think there is
> > any setup I can do there). Nevertheless I've followed the instructions
> > otherwise; specifically adding to 10-auth.conf the following recommended
> > lines:
> >
> > auth_use_winbind = yes
> > auth_winbind_helper_path = /usr/bin/ntlm_auth
> > mechanisms = plain ntlm login
> >
> > (Before, my 'mechanisms' were only plain and login). /usr/bin/ntlm_auth has
> > global r/w privilege.
> >
> > I did not specify the static userdb since these users are configured in
> > /etc/passwd and I thought that would work; example given in link (could that
> > be an issue?):
> >
> > userdb static {
> >   args= uid=501 gid=501 home=/home/vmail/%1Ln/%Ln
> >   mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln
> >   allow_all_users=yes
> > }
> >
> > This didn't work. Also, existing, working Outlook connections using 'logon'
> > (i.e. the userID and PW are configured in Outlook) stopped working.
> >
> > I changed a test Outlook client to check the 'Request login using Secure
> > Password Authentication (SPA)' and also checked: More Settings > Outgoing
> > Server > 'My outgoing server (SMTP) requires authentication' and 'Use same
> > settings as my incoming mail server'. Note that on the "Change Account"
> > dialog (where the SPA checkbox is) the 'User Name' and 'Password' retained
> > their values and were not grayed out as I would have expected if using AD
> > authentication.
> >
> > After doing the above and clicking 'Test Account Settings' I was re-prompted
> > to enter a password - also not expected. At bottom are the Dovecot log
> > messages I received after doing the 'Test Account Settings'.
> >
> > Surely, connecting from an Outlook client to Dovecot on a Samba4 AD/DC should
> > be a very common implementation. Has someone done this successfully?
> >
> > Immediately below is my doveconf -n and below that the dovecot log messages.
> >
> > $ doveconf -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = plain ntlm login
> > auth_use_winbind = yes
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > passdb {
> >   driver = shadow
> > }
> > protocols = imap
> > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
> > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> > userdb {
> >   driver = passwd
> > }
> > verbose_ssl = yes
> >
> > dovecot log after doing 'Test Account Settings' in Outlook:
> >
> > Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Sep 05 16:45:19 auth: Debug: auth client connected (pid=10219)
> > Sep 05 16:45:19 auth: Debug: client in: AUTH  1  NTLM  service=imap  session=HXssGAYf0ADAqAA6  lip=192.168.0.2  rip=192.168.0.58  lport=143  rport=52944
> > Sep 05 16:45:19 auth: Debug: client passdb out: CONT  1
> > Sep 05 16:45:19 auth: Debug: client passdb out: OK  1  user=mark at hprs  original_user=mark at HPRS
> > Sep 05 16:45:19 auth: Debug: master in: REQUEST  998899713  10219  1  f56352c207cb8f6dea4d264b2c0f8dc1  session_pid=10220  request_auth_token
> > Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark at hprs,192.168.0.58): lookup
> > Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark at hprs,192.168.0.58): unknown user
> > Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND  998899713
> > Sep 05 16:45:19 imap-login: Info: Internal login failure (pid=10219 id=1) (internal failure, 1 successful auths): user=<mark at hprs>, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=10220, session=<HXssGAYf0ADAqAA6>
> > Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Sep 05 16:46:22 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > Sep 05 16:46:22 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
> > Sep 05 16:46:22 auth: Debug: auth client connected (pid=13487)
> > Sep 05 16:46:22 auth: Debug: client in: AUTH  1  NTLM  service=imap  session=IlvqGwYf0wDAqAA6  lip=192.168.0.2  rip=192.168.0.58  lport=143  rport=52947
> > Sep 05 16:46:22 auth: Debug: client passdb out: OK  1  user=mark at hprs  original_user=mark at HPRS
> > Sep 05 16:46:22 auth: Debug: master in: REQUEST  3030384641  13487  1  bac5f6531f9d4c3316f93bd4c4a63ddd  session_pid=13491  request_auth_token
> > Sep 05 16:46:22 auth-worker(13492): Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > Sep 05 16:46:22 auth-worker(13492): Debug: shadow(mark at hprs,192.168.0.58): lookup
> > Sep 05 16:46:22 auth-worker(13492): Info: shadow(mark at hprs,192.168.0.58): unknown user
> > Sep 05 16:46:22 auth: Debug: master userdb out: NOTFOUND  3030384641
> > Sep 05 16:46:22 imap-login: Info: Internal login failure (pid=13487 id=1) (internal failure, 1 successful auths): user=<mark at hprs>, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=13491, session=<IlvqGwYf0wDAqAA6>
> >
> > Thanks --Mark
> >
> > -----Original Message-----
> >> Date: Thu, 03 Sep 2015 06:53:19 -0500
> >> From: Rick Romero <rick at havokmon.com>
> >> To: dovecot at dovecot.org
> >> Subject: Re: How to "Windows Authenticate"
> >>
> >> Hi Mark,
> >>
> >> I haven't done it, but I've played with the scenario enough to have an
> >> idea.
> >>
> >> What you want to do is have Outlook auth via NTLM to Dovecot.
> >>
> >> First that means having the machine be a domain member (usually via Samba)
> >> in order to properly process NTLM/Kerberos handshake - which it appears you
> >> have.
> >> Second that means having Dovecot know how to accept NTLM authentication
> >> (SPA) to pass to the Samba backend.
> >>
> >> A 'Dovecot NTLM' search led me here:
> >> http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
> >>
> >> What's not on the page that I'd expect to see, are the compile-time
> >> requirements for including samba/kerberos libs within Dovecot. If it
> >> doesn't 'just work' with the config changes in the wiki, you may need to
> >> recompile with the right features.
> >>
> >> Also - check the permissions of the ntlm_auth program. That's caused many
> >> issues with Radius installs, IIRC.
> >>
> >> Hope that helps!
> >>
> >> Rick
> >>
> >> Quoting Mark Foley <mfoley at ohprs.org>:
> >>
> >> This can't be that hard. I think I've enabled LDAP in Dovecot just by
> >> including dovecot-ldap.conf.ext in 10-auth.conf and using the default
> >> settings. I now have the configuration shown below. Two questions:
> >>
> >> 1. How do I set Outlook to authenticate with LDAP? Currently the Outlook
> >> accounts still have the ID and password set in "Logon Information".
> >> Checking "Require logon using Secure Password Authentication (SPA)" doesn't
> >> work. All I can seem to find on the Internet is how to configure address
> >> books using LDAP.
> >>
> >> 2. Should I remove "passdb { driver = shadow }" from the dovecot
> >> configuration?
> >>
> >> Anybody?
> >>
> >> $ doveconf -n
> >> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> >> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> >> auth_debug_passwords = yes
> >> auth_mechanisms = plain login
> >> auth_verbose = yes
> >> auth_verbose_passwords = plain
> >> disable_plaintext_auth = no
> >> info_log_path = /var/log/dovecot_info
> >> mail_location = maildir:~/Maildir
> >> passdb {
> >>   driver = shadow
> >> }
> >> passdb {
> >>   args = /etc/dovecot/dovecot-ldap.conf.ext
> >>   driver = ldap
> >> }
> >> protocols = imap
> >> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
> >> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> >> userdb {
> >>   driver = passwd
> >> }
> >> userdb {
> >>   args = /etc/dovecot/dovecot-ldap.conf.ext
> >>   driver = ldap
> >> }
> >> verbose_ssl = yes
> >>
> >> -----Original Message-----
> >> From: Mark Foley <mfoley at ohprs.org>
> >> Date: Wed, 02 Sep 2015 13:31:35 -0400
> >> To: dovecot at dovecot.org
> >> Subject: How to "Windows Authenticate"
> >>
> >> I've been using Dovecot 2.2.15 as the IMAP server for Outlook (2010/2013)
> >> on Windows workstations for over 6 months with no problems. Dovecot is
> >> hosted on the office Samba4 AD/DC server.
> >>
> >> I have been using auth_mechanisms plain login, and passdb driver shadow.
> >>
> >> What I'd like to do now is use the "Windows Authenticated" login so I
> >> don't have to have separate passwords for users logging into the Windows
> >> AD workstations and their Outlook clients.
> >>
> >> If anyone has actually done this I'd appreciate some tips. My various
> >> attempts have not been successful.
> >>
> >> Here is my current config:
> >>
> >> $ doveconf -n
> >> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> >> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> >> auth_debug_passwords = yes
> >> auth_mechanisms = plain login
> >> auth_verbose = yes
> >> auth_verbose_passwords = plain
> >> disable_plaintext_auth = no
> >> info_log_path = /var/log/dovecot_info
> >> mail_location = maildir:~/Maildir
> >> passdb {
> >>   driver = shadow
> >> }
> >> protocols = imap
> >> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
> >> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> >> userdb {
> >>   driver = passwd
> >> }
> >> verbose_ssl = yes
> >>
> >> Thanks, Mark Foley
More experimentation ...

I tried removing userdb and passdb from the dovecot NTLM config. That didn't
work. I then tried adding a static userdb as follows:

userdb {
  driver = static
  # allow_all_users = yes
  args = gid=100 home=/home/HPRS/%n
}

(Interestingly, when I uncommented "allow_all_users" I got an "unsupported
setting" [or something like that], even though that was in there from the
beginning and is shown in the example wiki
http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm)

Anyway, in both tests my error messages were the same:

Sep 08 18:38:16 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 08 18:38:16 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 08 18:38:16 auth: Debug: auth client connected (pid=8758)
Sep 08 18:38:16 auth: Debug: client in: AUTH  1  NTLM  service=imap  session=vPWqBUQfeADAqAA6  lip=192.168.0.2  rip=192.168.0.58  lport=143  rport=56184
Sep 08 18:38:16 auth: Debug: client passdb out: CONT  1
Sep 08 18:38:16 auth: Info: ntlm(?,192.168.0.58,<vPWqBUQfeADAqAA6>): user not authenticated: NT_STATUS_LOGON_FAILURE
Sep 08 18:38:18 auth: Debug: client passdb out: FAIL  1

Notice that my userid (mark or mark at ohprs) is nowhere to be found. Whereas when
I specified the userdb passwd at least it had a user id in the error log. From
my previous test with userdb passwd and passdb shadow:

Sep 05 16:45:19 auth: Debug: client passdb out: OK  1  user=mark at hprs  original_user=mark at HPRS
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark at hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark at hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND  998899713

The "Info: ntlm" log entry has ntlm(?,192.168.0.58,<vPWqBUQfeADAqAA6>), whereas
the previous test "Info shadow" log entry has Info: shadow(mark at
hprs,192.168.0.58). Of course I have no passdb specified which is right for NTLM
... or is it?

I feel like this should be obvious to someone familiar with Dovecot. Once again,
it's difficult for me to believe no one on planet Earth (who also happens to
subscribe to this list) had ever done Dovecot/ntlm from Outlook before. Help!!!
If I can't get this last bit sorted out I'll be forced back to Server 2012 and
Exchange.

Thanks, --Mark

-----Original Message-----
From: Mark Foley <mfoley at ohprs.org>
Date: Mon, 07 Sep 2015 21:28:23 -0400
Organization: Ohio Highway Patrol Retirement System
To: dovecot at dovecot.org
Subject: Re: How to "Windows Authenticate"
> > > >> doveconf -n > > > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > > auth_debug_passwords = yes > > auth_mechanisms = plain ntlm login > > auth_use_winbind = yes > > auth_verbose = yes > > auth_verbose_passwords = plain > > disable_plaintext_auth = no > > info_log_path = /var/log/dovecot_info > > mail_location = maildir:~/Maildir > > passdb { > > driver = shadow > > } > > protocols = imap > > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key > > userdb { > > driver = passwd > > } > > verbose_ssl = yes > > > > dovecot log after doing 'Test Account Settings' in Outlook: > > > > Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be > > used for ECDH and ECDHE key exchanges > > Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be > > used for ECDH and ECDHE key exchanges > > Sep 05 16:45:19 auth: Debug: auth client connected (pid=10219) > > Sep 05 16:45:19 auth: Debug: client in: AUTH? ? ? ? 1? ? ? ? > NTLM? ? ? ? > > service=imap? ? ? ? session=HXssGAYf0ADAqAA6? ? ? ? > lip=192.168.0.2? ? ? > > ? rip=192.168.0.58? ? ? ? lport=143? ? ? ? rport=52944 > > Sep 05 16:45:19 auth: Debug: client passdb out: CONT? ? ? ? 1 > > Sep 05 16:45:19 auth: Debug: client passdb out: OK? ? ? ? 1? ? ? > ? > > user=mark at hprs? ? ? ? original_user=mark at HPRS > > Sep 05 16:45:19 auth: Debug: master in: REQUEST? ? ? ? 998899713? ? > ? ? > > 10219? ? ? ? 1? ? ? ? f56352c207cb8f6dea4d264b2c0f8dc1? ? ? ? > > session_pid=10220? ? ? ? request_auth_token > > Sep 05 16:45:19 auth-worker(5498): Debug: > > shadow(mark at hprs,192.168.0.58): lookup > > Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark at hprs,192.168.0.58): > > unknown user > > Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND? ? ? ? 
> 998899713 > > Sep 05 16:45:19 imap-login: Info: Internal login failure (pid=10219 > > id=1) (internal failure, 1 successful auths): user=<mark at hprs>, > > method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=10220, > > session=<HXssGAYf0ADAqAA6> > > Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be > > used for ECDH and ECDHE key exchanges > > Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be > > used for ECDH and ECDHE key exchanges > > Sep 05 16:46:22 auth: Debug: Loading modules from directory: > > /usr/local/lib/dovecot/auth > > Sep 05 16:46:22 auth: Debug: Read auth token secret from > > /usr/local/var/run/dovecot/auth-token-secret.dat > > Sep 05 16:46:22 auth: Debug: auth client connected (pid=13487) > > Sep 05 16:46:22 auth: Debug: client in: AUTH? ? ? ? 1? ? ? ? > NTLM? ? ? ? > > service=imap? ? ? ? session=IlvqGwYf0wDAqAA6? ? ? ? > lip=192.168.0.2? ? ? > > ? rip=192.168.0.58? ? ? ? lport=143? ? ? ? rport=52947 > > Sep 05 16:46:22 auth: Debug: client passdb out: OK? ? ? ? 1? ? ? > ? > > user=mark at hprs? ? ? ? original_user=mark at HPRS > > Sep 05 16:46:22 auth: Debug: master in: REQUEST? ? ? ? 3030384641? > ? ? ? > > 13487? ? ? ? 1? ? ? ? bac5f6531f9d4c3316f93bd4c4a63ddd? ? ? ? > > session_pid=13491? ? ? ? request_auth_token > > Sep 05 16:46:22 auth-worker(13492): Debug: Loading modules from > > directory: /usr/local/lib/dovecot/auth > > Sep 05 16:46:22 auth-worker(13492): Debug: > > shadow(mark at hprs,192.168.0.58): lookup > > Sep 05 16:46:22 auth-worker(13492): Info: > > shadow(mark at hprs,192.168.0.58): unknown user > > Sep 05 16:46:22 auth: Debug: master userdb out: NOTFOUND? ? ? ? 
> 3030384641 > > Sep 05 16:46:22 imap-login: Info: Internal login failure (pid=13487 > > id=1) (internal failure, 1 successful auths): user=<mark at hprs>, > > method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=13491, > > session=<IlvqGwYf0wDAqAA6> > > > > Thanks --Mark > > > > -----Original Message----- > >> Date: Thu, 03 Sep 2015 06:53:19 -0500 > >> From: Rick Romero <rick at havokmon.com> > >> To: dovecot at dovecot.org > >> Subject: Re: How to "Windows Authenticate" > >> > >> ? Hi Mark, > >> > >> I haven't done it, but I've played with the scenario enough to have an > >> idea. > >> > >> What you want to do is have Outlook auth via NTLM to Dovecot.? > >> > >> First that means having the machine be a domain member (usually via > >> Samba) > >> in order to properly process NTLM/Kerberos handshake - which it appears > >> you > >> have. > >> Second that means having Dovecot know how to accept NTLM authentication > >> (SPA) to pass to the Samba backend. > >> > >> A 'Dovecot NTLM' search led me here: > >> http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm > >> > >> What's not on the page that I'd expect to see, are the compile-time > >> requirements for inclucing samba/kerberos libs within Dovecot.? If it > >> doesn't 'just work' with the config changes in the wiki, you may need to > >> recompile with the right features. > >> > >> Also - check the permissions of the ntlm_auth program. That's caused > many > >> issues with Radius installs, IIRC. > >> > >> Hope that helps! > >> > >> Rick > >> > >> Quoting Mark Foley <mfoley at ohprs.org>: > >> > >> This can't be that hard. I think I've enabled LDAP in Dovecot just by > >> including > >> dovecot-ldap.conf.ext in 10-auth.conf and using the default settings. I > >> now have > >> the configuration shown below. Two questions: > >> > >> 1. How do I set Outlook to authenticate with LDAP? Currently the Outlook > >> accounts still have the ID and password set in "Logon Information". 
> >> Checking > >> "Require logon using Secure Password Authentication (SPA)" doesn't work. > >> All I > >> can seem to find on the Internet is how to configure address books using > >> LDAP. > >> > >> 2. Should I remove "passdb { drive = shadow } from the dovecot > >> configuration? > >> > >> Anybody? > >> > >> $ doveconf -n > >> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > >> # OS: Linux 3.10.17 x86_64 Slackware 14.1 > >> auth_debug_passwords = yes > >> auth_mechanisms = plain login > >> auth_verbose = yes > >> auth_verbose_passwords = plain > >> disable_plaintext_auth = no > >> info_log_path = /var/log/dovecot_info > >> mail_location = maildir:~/Maildir > >> passdb { > >> driver = shadow > >> } > >> passdb { > >> args = /etc/dovecot/dovecot-ldap.conf.ext > >> driver = ldap > >> } > >> protocols = imap > >> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt > >> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key > >> userdb { > >> driver = passwd > >> } > >> userdb { > >> args = /etc/dovecot/dovecot-ldap.conf.ext > >> driver = ldap > >> } > >> verbose_ssl = yes > >> > >> -----Original Message----- > >> From: Mark Foley <mfoley at ohprs.org> > >> Date: Wed, 02 Sep 2015 13:31:35 -0400 > >> To: dovecot at dovecot.org > >> Subject: How to "Windows Authenticate" > >> > >> I've been using Dovecot 2.2.15 as the IMAP server for Outlook > >> (2010/2013) on > >> Windows workstations for over 6 months with no problems.? Dovecot is > >> hosted on > >> the office Samba4 AC/DC server. > >> > >> I have been using auth_mechanisms plain login, and passdb driver > >> shadow. > >> > >> What I'd like to do now is use the "Windows Authenticated" login so I > >> don't have > >> to have separate passwords for users logging into the Windows AD > >> workstations > >> and their Outlook clients. > >> > >> If anyone has actually done this I'd appreciate some tips. My various > >> attempts > >> have not been successful. 
> >>
> >> Here is my current config:
> >>
> >> $ doveconf -n
> >> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> >> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> >> auth_debug_passwords = yes
> >> auth_mechanisms = plain login
> >> auth_verbose = yes
> >> auth_verbose_passwords = plain
> >> disable_plaintext_auth = no
> >> info_log_path = /var/log/dovecot_info
> >> mail_location = maildir:~/Maildir
> >> passdb {
> >>   driver = shadow
> >> }
> >> protocols = imap
> >> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
> >> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> >> userdb {
> >>   driver = passwd
> >> }
> >> verbose_ssl = yes
> >>
> >> Thanks, Mark Foley
If I had time I would be all over this - but IMHO the main problem is that Dovecot != Exchange. Even in small environments - unless I'm out of date, there's no calendar, tasks or contact lists within Dovecot.

Your next best bet is to use something like Horde that would allow you to auth via ActiveSync (on Outlook 2013 clients) and manage everything else that the users will want, with Dovecot as the mail backend. Though I believe there could be licensing issues if you're looking to do it for free. I think, by license, you still need CALs for each ActiveSync client (if you're in the US).

Auth-wise it'd be a whole different animal. I'm not sure if there's anything pre-packaged NTLM + Horde - though Apache/PHP/Linux with Samba would accept the username via GSSAPI and I suppose you could pass that to HordeAuth.

I hate Exchange - I have a nagging 45 second delay on OWA logins ever since I had to setup multiple NICs to get Outlook to stop complaining about certs, and today while trying to fix that issue, AD decided to stop replicating one of my trusted domains (and began rejecting auths for linked mailboxes from that domain) and in short I really just hate that environment with every fiber of my being and would love to see a decent free Exchange replacement on *nix.

Rick

Quoting Mark Foley <mfoley at ohprs.org>:

> More experimentation ...
>
> I tried removing userdb and passdb from the dovecot NTLM config. That didn't
> work. I then tried adding a static userdb as follows:
>
> userdb {
>   driver = static
> #  allow_all_users = yes
>   args = gid=100 home=/home/HPRS/%n
> }
>
> (Interestingly, when I uncommented "allow_all_users" I got an "unsupported
> setting" [or something like that], even though that was in there from the
> beginning and is shown in the example wiki
> http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm)
>
> Anyway, in both tests my error messages were the same:
>
> Sep 08 18:38:16 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep 08 18:38:16 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep 08 18:38:16 auth: Debug: auth client connected (pid=8758)
> Sep 08 18:38:16 auth: Debug: client in: AUTH    1    NTLM    service=imap    session=vPWqBUQfeADAqAA6    lip=192.168.0.2    rip=192.168.0.58    lport=143    rport=56184
> Sep 08 18:38:16 auth: Debug: client passdb out: CONT    1
> Sep 08 18:38:16 auth: Info: ntlm(?,192.168.0.58,<vPWqBUQfeADAqAA6>): user not authenticated: NT_STATUS_LOGON_FAILURE
> Sep 08 18:38:18 auth: Debug: client passdb out: FAIL    1
>
> Notice that my userid (mark or mark at ohprs) is nowhere to be found. Whereas when
> I specified the userdb passwd at least it had a user id in the error log. From
> my previous test with userdb passwd and passdb shadow:
>
> Sep 05 16:45:19 auth: Debug: client passdb out: OK    1    user=mark at hprs    original_user=mark at HPRS
> Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark at hprs,192.168.0.58): lookup
> Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark at hprs,192.168.0.58): unknown user
> Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND    998899713
>
> The "Info: ntlm" log entry has ntlm(?,192.168.0.58,<vPWqBUQfeADAqAA6>),
> whereas the previous test "Info shadow" log entry has Info:
> shadow(mark at hprs,192.168.0.58).
>
> Of course I have no passdb specified which is right for NTLM ...
or isit?> > I feel like this should be obvious to someone familiar with Dovecot. > Once again, > it's difficult for me to believe no on on planet Earth (who also happens > to > subscribe to this list) had ever done Dovecot/ntlm from Outlook before. > > Help!!! If I can't get this last bit sorted out I'll be forced back to > Server > 2012 and Exchange. > > Thanks, --Mark > > -----Original Message----- > From: Mark Foley <mfoley at ohprs.org> > Date: Mon, 07 Sep 2015 21:28:23 -0400 > Organization: Ohio Highway Patrol Retirement System > To: dovecot at dovecot.org > Subject: Re: How to "Windows Authenticate" > > Comments interspersed with yours ... > > --Mark > > -----Original Message----- >> Date: Sun, 06 Sep 2015 20:00:11 -0500 >> From: Rick Romero <rick at havokmon.com> >> To: dovecot at dovecot.org >> Subject: Re: How to "Windows Authenticate" >> >> ? Hmm.? I would expect to see 'mark at hprs.com'.? Whatever your fulldomain>> name is. > > Full user at domain would be mark at hprs.local > >> It also won't look up /etc/shadow - Samba is doing the AD->Unix UID >> mapping.? Your AD users shouldn't be in there when all is said anddone.> > I was thinking this too.? I don't know why NTLM would need a userdb at > all.? It > should just use something like ntlm_auth (which is configured in > auth_winbind_helper). > > What if I simply removed the userdb?? What would you recommend for > userdb, passdb? > >> Well, at when I did a Samba4 install as a DC it still behaved like a >> Samba3 >> member, and there were no AD users in the local unix passwd files. >> >> What does wbinfo -u provide?? It should list all your users -especially>> because it's an DC.? Whatever wbinfo -u shows, you may need to adjust >> another config file to match waht Dovecot is receiving. 
> > $ wbinfo -u > > Administrator > Guest > krbtgt > dns-mail > mark > sogo > **arr > **ress > **mith > **nee > **ris > **atterson > **armaine > **tkeson > **mmitoh > > These are all the AD users (most obfuscated for a bit of security). I am > testing > with user mark. > >> I assume /etc/nsswitch.conf has been modified to use Samba? > > Unless the Samba provision did something to nnswitch, I've done nothing; > nor > have I seen anything in the Samba or dovecot wikis suggesting changes.? > Remember > also that the Samba4 AD/DC works perfectly with redirected folders and > users > logging on to any Windows workstations, and works perfectly with things > wanting > "Windows Authentication" like SQLserver, so the "Windows Authentication" > does > work at some level.? My /etc/nsswitch.conf is: > > passwd:? ? ? ? ?compat > group:? ? ? ? ? compat > > hosts:? ? ? ? ? files dns > networks:? ? ? ?files > > services:? ? ? ?files > protocols:? ? ? files > rpc:? ? ? ? ? ? files > ethers:? ? ? ? ?files > netmasks:? ? ? ?files > netgroup:? ? ? ?files > bootparams:? ? ?files > > automount:? ? ? files > aliases:? ? ? ? files > >> Sorry I haven't done this, but it doesn't seem like anyone else has >> either >> - so I'm just shooting in the dark here trying to get you steered in the >> right direction... >> >> Rick > > Yeah, I can't seem to find a soul on the planet who has actually done > this. If I > get it figured out I'll post with a suggestion to Timo to wiki-ize it. > > I'm a bit puzzled that no one appears to have done this. I would think > that a > Samba4 AD/DC in a office environment with lots of Windows workstations > running > Outlook would be about the most common environment there is; especially > now that > Small Business Server is no longer sold and Server Essentials does not > support > Exchange. What are all the SBS/Exchange/Outlook small businesses doing? > Limping > along with SBS2008/11, or putting their email in Outlook.com? 
Seems like > the > Samba4/dovecot/Outlook combo would be an ideal migration. > > I appreciate your help. > >> Quoting Mark Foley <mfoley at ohprs.org>: >> >> More info ... >> >> My dovecot error log shows: >> >> Sep 05 16:45:19 auth: Debug: client in: AUTH? ? 1? ? ? ?NTLM? ? >> service=imap >> Sep 05 16:45:19 auth: Debug: client passdb out: OK? ? ? 1? ? ? >> ?user=mark at hprs? original_user=mark at HPRS >> Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713? ? ? >> ?10219? >> ?1? ? ? ?f56352c207cb8f6dea4d264b2c0f8dc1? ? ? >> ?session_pid=10220? ? ? >> ?request_auth_token >> Sep 05 16:45:19 auth-worker(5498): Debug: >> shadow(mark at hprs,192.168.0.58): lookup >> Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark at hprs,192.168.0.58): >> unknown user >> Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND? ? ? ? >> 998899713 >> >> whereas the successful 'plain login' config'ed mechanism (before adding >> NTLM >> config) have: >> >> Sep 06 20:27:38 auth-worker(18616): Debug: shadow(mark,104.6.249.210): >> lookup >> >> The failed ntlm look-up is looking up user mark at hprs in shadow, which it >> doesn't >> find. Is there a way to strip the "@hprs" bit from the user so it can >> find the >> correct entry in /etc/shadow? That might fix the problem. >> >> --Mark >> >> -----Original Message----- >> From: Mark Foley <mfoley at ohprs.org> >> Date: Sat, 05 Sep 2015 17:12:50 -0400 >> To: dovecot at dovecot.org >> Subject: Re: How to "Windows Authenticate" >> >> Rick et al, >> >> The link you gave was a start, but is targeted for Samba3 and is >> assuming a >> probably Windows [SBS]Server AD/DC separate from the DC hosting dovecot, >> and >> includes setting up kerberos. >> >> I'm using a Samba4 AD/DC with integrated kerberos (so I don't think >> there is any >> setup I can do there).? 
>> Nevertheless I've followed the instructions otherwise; specifically
>> adding to 10-auth.conf the following recommended lines:
>>
>> auth_use_winbind = yes
>> auth_winbind_helper_path = /usr/bin/ntlm_auth
>> mechanisms = plain ntlm login
>>
>> (Before, my 'mechanisms' were only plain and login). /usr/bin/ntlm_auth
>> has global r/w privilege.
>>
>> I did not specify the static userdb since these users are configured in
>> /etc/passwd and I thought that would work; example given in link (could
>> that be an issue?):
>>
>> userdb static {
>>   args= uid=501 gid=501 home=/home/vmail/%1Ln/%Ln
>>   mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln
>>   allow_all_users=yes
>> }
>>
>> This didn't work. Also, existing, working Outlook connections using
>> 'logon' (i.e. the userID and PW are configured in Outlook) stopped
>> working.
>>
>> I changed a test Outlook client to check the 'Request login using Secure
>> Password Authentication (SPA)' and also checked: More Settings > Outgoing
>> Server > 'My outgoing server (SMTP) requires authentication' and 'Use
>> same settings as my incoming mail server'. Note that on the "Change
>> Account" dialog (where the SPA checkbox is) the 'User Name' and
>> 'Password' retained their values and were not grayed out as I would have
>> expected if using AD authentication.
>>
>> After doing the above and clicking 'Test Account Settings' I was
>> re-prompted to enter a password - also not expected. At bottom are the
>> Dovecot log messages I received after doing the 'Test Account Settings'.
>>
>> Surely, connecting from an Outlook client to Dovecot on a Samba4 AD/DC
>> should be a very common implementation. Has someone done this
>> successfully?
>>
>> Immediately below is my doveconf -n and below that the dovecot log
>> messages.
>>
>> doveconf -n
>>
>> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
>> # OS: Linux 3.10.17 x86_64 Slackware 14.1
>> auth_debug_passwords = yes
>> auth_mechanisms = plain ntlm login
>> auth_use_winbind = yes
>> auth_verbose = yes
>> auth_verbose_passwords = plain
>> disable_plaintext_auth = no
>> info_log_path = /var/log/dovecot_info
>> mail_location = maildir:~/Maildir
>> passdb {
>>   driver = shadow
>> }
>> protocols = imap
>> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
>> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
>> userdb {
>>   driver = passwd
>> }
>> verbose_ssl = yes
>>
>> dovecot log after doing 'Test Account Settings' in Outlook:
>>
>> Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
>> Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
>> Sep 05 16:45:19 auth: Debug: auth client connected (pid=10219)
>> Sep 05 16:45:19 auth: Debug: client in: AUTH    1    NTLM    service=imap    session=HXssGAYf0ADAqAA6    lip=192.168.0.2    rip=192.168.0.58    lport=143    rport=52944
>> Sep 05 16:45:19 auth: Debug: client passdb out: CONT    1
>> Sep 05 16:45:19 auth: Debug: client passdb out: OK    1    user=mark at hprs    original_user=mark at HPRS
>> Sep 05 16:45:19 auth: Debug: master in: REQUEST    998899713    10219    1    f56352c207cb8f6dea4d264b2c0f8dc1    session_pid=10220    request_auth_token
>> Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark at hprs,192.168.0.58): lookup
>> Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark at hprs,192.168.0.58): unknown user
>> Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND    998899713
>> Sep 05 16:45:19 imap-login: Info: Internal login failure (pid=10219 id=1) (internal failure, 1 successful auths): user=<mark at hprs>, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=10220, session=<HXssGAYf0ADAqAA6>
>> Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
>> Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
>> Sep 05 16:46:22 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
>> Sep 05 16:46:22 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
>> Sep 05 16:46:22 auth: Debug: auth client connected (pid=13487)
>> Sep 05 16:46:22 auth: Debug: client in: AUTH    1    NTLM    service=imap    session=IlvqGwYf0wDAqAA6    lip=192.168.0.2    rip=192.168.0.58    lport=143    rport=52947
>> Sep 05 16:46:22 auth: Debug: client passdb out: OK    1    user=mark at hprs    original_user=mark at HPRS
>> Sep 05 16:46:22 auth: Debug: master in: REQUEST    3030384641    13487    1    bac5f6531f9d4c3316f93bd4c4a63ddd    session_pid=13491    request_auth_token
>> Sep 05 16:46:22 auth-worker(13492): Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
>> Sep 05 16:46:22 auth-worker(13492): Debug: shadow(mark at hprs,192.168.0.58): lookup
>> Sep 05 16:46:22 auth-worker(13492): Info: shadow(mark at hprs,192.168.0.58): unknown user
>> Sep 05 16:46:22 auth: Debug: master userdb out: NOTFOUND    3030384641
>> Sep 05 16:46:22 imap-login: Info: Internal login failure (pid=13487 id=1) (internal failure, 1 successful auths): user=<mark at hprs>, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=13491, session=<IlvqGwYf0wDAqAA6>
>>
>> Thanks --Mark
>>
>> -----Original Message-----
>> Date: Thu, 03 Sep 2015 06:53:19 -0500
>> From: Rick Romero <rick at havokmon.com>
>> To: dovecot at dovecot.org
>> Subject: Re: How to "Windows Authenticate"
>>
>> Hi Mark,
>>
>> I haven't done it, but I've played with the scenario enough to have an
>> idea.
>>
>> What you want to do is have Outlook auth via NTLM to Dovecot.
>>
>> First that means having the machine be a domain member (usually via
>> Samba) in order to properly process NTLM/Kerberos handshake - which it
>> appears you have.
>> Second that means having Dovecot know how to accept NTLM authentication
>> (SPA) to pass to the Samba backend.
>>
>> A 'Dovecot NTLM' search led me here:
>> http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
>>
>> What's not on the page that I'd expect to see, are the compile-time
>> requirements for including samba/kerberos libs within Dovecot. If it
>> doesn't 'just work' with the config changes in the wiki, you may need to
>> recompile with the right features.
>>
>> Also - check the permissions of the ntlm_auth program. That's caused
>> many issues with Radius installs, IIRC.
>>
>> Hope that helps!
>>
>> Rick
>>
>> Quoting Mark Foley <mfoley at ohprs.org>:
>>
>> This can't be that hard. I think I've enabled LDAP in Dovecot just by
>> including dovecot-ldap.conf.ext in 10-auth.conf and using the default
>> settings. I now have the configuration shown below. Two questions:
>>
>> 1. How do I set Outlook to authenticate with LDAP? Currently the Outlook
>> accounts still have the ID and password set in "Logon Information".
>> Checking "Require logon using Secure Password Authentication (SPA)"
>> doesn't work.
>> All I can seem to find on the Internet is how to configure address
>> books using LDAP.
>>
>> 2. Should I remove "passdb { driver = shadow }" from the dovecot
>> configuration?
>>
>> Anybody?
>>
>> $ doveconf -n
>> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
>> # OS: Linux 3.10.17 x86_64 Slackware 14.1
>> auth_debug_passwords = yes
>> auth_mechanisms = plain login
>> auth_verbose = yes
>> auth_verbose_passwords = plain
>> disable_plaintext_auth = no
>> info_log_path = /var/log/dovecot_info
>> mail_location = maildir:~/Maildir
>> passdb {
>>   driver = shadow
>> }
>> passdb {
>>   args = /etc/dovecot/dovecot-ldap.conf.ext
>>   driver = ldap
>> }
>> protocols = imap
>> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
>> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
>> userdb {
>>   driver = passwd
>> }
>> userdb {
>>   args = /etc/dovecot/dovecot-ldap.conf.ext
>>   driver = ldap
>> }
>> verbose_ssl = yes
>>
>> -----Original Message-----
>> From: Mark Foley <mfoley at ohprs.org>
>> Date: Wed, 02 Sep 2015 13:31:35 -0400
>> To: dovecot at dovecot.org
>> Subject: How to "Windows Authenticate"
>>
>> I've been using Dovecot 2.2.15 as the IMAP server for Outlook
>> (2010/2013) on Windows workstations for over 6 months with no problems.
>> Dovecot is hosted on the office Samba4 AD/DC server.
>>
>> I have been using auth_mechanisms plain login, and passdb driver
>> shadow.
>>
>> What I'd like to do now is use the "Windows Authenticated" login so I
>> don't have to have separate passwords for users logging into the Windows
>> AD workstations and their Outlook clients.
>>
>> If anyone has actually done this I'd appreciate some tips. My various
>> attempts have not been successful.
>>
>> Here is my current config:
>>
>> $ doveconf -n
>> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
>> # OS: Linux 3.10.17 x86_64 Slackware 14.1
>> auth_debug_passwords = yes
>> auth_mechanisms = plain login
>> auth_verbose = yes
>> auth_verbose_passwords = plain
>> disable_plaintext_auth = no
>> info_log_path = /var/log/dovecot_info
>> mail_location = maildir:~/Maildir
>> passdb {
>>   driver = shadow
>> }
>> protocols = imap
>> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
>> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
>> userdb {
>>   driver = passwd
>> }
>> verbose_ssl = yes
>>
>> Thanks, Mark Foley
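Added here as an illustration (not part of the thread and not Dovecot's code): a Python correlator over the auth debug lines quoted above, which pairs the username the passdb accepted with the later lookup that returns "unknown user", the mismatch behind each "Internal login failure". The sample log is reconstructed from the thread with the archive's "mark at hprs" restored to mark@hprs and the tab separators restored; `strip_domain` mirrors Dovecot's `auth_username_format = %n`, offered as one candidate answer to the "strip the @hprs bit" question, not something the thread confirms.

```python
import re

# Constructed sample: the Dovecot auth debug lines quoted in the thread, with the
# archive's "mark at hprs" restored to mark@hprs and the auth protocol's tab
# separators restored. The last line is from the earlier, working PLAIN login.
SAMPLE_LOG = (
    "Sep 05 16:45:19 auth: Debug: client in: AUTH\t1\tNTLM\tservice=imap\t"
    "session=HXssGAYf0ADAqAA6\tlip=192.168.0.2\trip=192.168.0.58\tlport=143\trport=52944\n"
    "Sep 05 16:45:19 auth: Debug: client passdb out: CONT\t1\n"
    "Sep 05 16:45:19 auth: Debug: client passdb out: OK\t1\tuser=mark@hprs\t"
    "original_user=mark@HPRS\n"
    "Sep 05 16:45:19 auth: Debug: master in: REQUEST\t998899713\t10219\t1\t"
    "f56352c207cb8f6dea4d264b2c0f8dc1\tsession_pid=10220\trequest_auth_token\n"
    "Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup\n"
    "Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user\n"
    "Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND\t998899713\n"
    "Sep 05 16:45:19 imap-login: Info: Internal login failure (pid=10219 id=1) "
    "(internal failure, 1 successful auths): user=<mark@hprs>, method=NTLM, "
    "rip=192.168.0.58, lip=192.168.0.2, mpid=10220, session=<HXssGAYf0ADAqAA6>\n"
    "Sep 06 20:27:38 auth-worker(18616): Debug: shadow(mark,104.6.249.210): lookup\n"
)

# "<Mon DD HH:MM:SS> <process[(pid)]>: <Level>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<proc>[\w-]+(?:\(\d+\))?): "
    r"(?P<level>\w+): (?P<msg>.*)$"
)
PASSDB_OK_RE = re.compile(r"^client passdb out: OK\t\d+\tuser=(?P<user>\S+)")
LOOKUP_RE = re.compile(
    r"^(?P<driver>\w+)\((?P<user>[^,]+),(?P<rip>[^)]+)\): (?P<result>lookup|unknown user)$"
)
FAILURE_RE = re.compile(
    r"^Internal login failure .*user=<(?P<user>[^>]+)>, method=(?P<method>\w+)"
)


def strip_domain(user):
    """The name Dovecot's auth_username_format = %n would pass on: user@domain -> user."""
    return user.split("@", 1)[0]


def analyze(log_text):
    """Correlate passdb acceptance, shadow/userdb lookups and login failures.
    One finding per 'Internal login failure' whose username the passdb accepted
    but no lookup could resolve (passdb says mark@hprs, /etc/passwd knows mark).
    """
    accepted, looked_up, unresolved, failures = set(), set(), set(), []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a Dovecot log line; ignore
        msg = m.group("msg")
        if (p := PASSDB_OK_RE.match(msg)):
            accepted.add(p.group("user"))
        elif (lk := LOOKUP_RE.match(msg)):
            looked_up.add(lk.group("user"))
            if lk.group("result") == "unknown user":
                unresolved.add(lk.group("user"))
        elif (f := FAILURE_RE.match(msg)):
            failures.append((f.group("user"), f.group("method")))

    resolved = looked_up - unresolved  # names that some lookup did find
    findings = []
    for user, method in failures:
        if user in accepted and user in unresolved:
            bare = strip_domain(user)
            findings.append({
                "user": user,
                "method": method,
                "cause": "passdb accepted the name but no userdb lookup resolved it",
                "bare_user": bare,
                "bare_user_resolved": bare in resolved,  # a working login used it
            })
    return findings
```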