Hi,
I would like dovecot/pop3 to authenticate against a Windows ADS
server. I've got authentication working for Samba and ssh using
pam_winbind.so. Here's what my /etc/pam.d/dovecot file looks
like:
#%PAM-1.0
auth       sufficient   pam_winbind.so
#auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
account    sufficient   pam_winbind.so
session    required     pam_stack.so service=system-auth
session    sufficient   pam_winbind.so
and this is what a portion of the dovecot.conf file looks like:
auth default {
  # Space separated list of wanted authentication mechanisms:
  #   plain digest-md5 cram-md5 apop anonymous
  mechanisms = plain
  passdb pam {
    args = dovecot
  }
  userdb passwd {
  }
  user = root
}
To get SSH to authenticate against ADS, the user name has to be
prefaced with the domain name like "domain\user1". This is what
I get when I attempt to login to Dovecot via Outlook/pop3 with
the same naming scheme:
Nov  3 20:09:45 server2 dovecot: auth(default): client in: AUTH    1    PLAIN    service=POP3    lip=192.168.0.3    rip=192.168.0.227    resp=AHZjXGpvYW5uZQBqb2FubmU
Nov  3 20:09:45 server2 dovecot: auth(default): plain(domain\user1,192.168.0.227): Username contains disallowed characters
Nov  3 20:09:46 server2 dovecot: auth(default): client out: FAIL    1    user=domain\user1
Nov  3 20:09:46 server2 dovecot: pop3-login: Disconnected: user=<domain\user1>, method=PLAIN, rip=192.168.0.227, lip=192.168.0.3
Dovecot does not like the "\" character and I'm not sure
authentication gets past that step to get to the pam phase.
Any experiences and suggestions with Dovecot authentication
against Windows Active Directory?
Thanks,
Stephen
* Stephen Lee (splee at plexio.com) wrote:
> Nov  3 20:09:45 server2 dovecot: auth(default): client in: AUTH
> 1 PLAIN service=POP3 lip=192.168.0.3
> rip=192.168.0.227 resp=AHZjXGpvYW5uZQBqb2FubmU
> Nov  3 20:09:45 server2 dovecot: auth(default):
> plain(domain\user1,192.168.0.227): Username contains disallowed
> characters
> Nov  3 20:09:46 server2 dovecot: auth(default): client out:
> FAIL 1 user=domain\user1
> Nov  3 20:09:46 server2 dovecot: pop3-login: Disconnected:
> user=<domain\user1>, method=PLAIN, rip=192.168.0.227,
> lip=192.168.0.3
>
> Dovecot does not like the "\" character and I'm not sure
> authentication gets past that step to get to the pam phase.
>
> Any experiences and suggestions with Dovecot authentication
> against Windows Active Directory?

Going for the obvious (http://wiki.dovecot.org/moin.cgi/MainConfig), but try adding '\' to the auth_username_chars directive.

hth,
Michele
On Thu, 3 Nov 2005, Stephen Lee wrote:
> I would like dovecot/pop3 to authenticate against a Windows ADS
> server. I've got authentication working for Samba and ssh using
> pam_winbind.so. Here's what my /etc/pam.d/dovecot file looks
> like:
>
> #%PAM-1.0
> auth       sufficient   pam_winbind.so
> #auth       required     pam_nologin.so
> auth       required     pam_stack.so service=system-auth
> account    required     pam_stack.so service=system-auth
> account    sufficient   pam_winbind.so
> session    required     pam_stack.so service=system-auth
> session    sufficient   pam_winbind.so

I have it like this; if you want to create the user's home directory automatically you should add the pam_mkhomedir directive.

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_winbind.so
account    required     pam_stack.so service=system-auth
account    required     pam_winbind.so
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077
session    required     pam_stack.so service=system-auth

> and this is what a portion of the dovecot.conf file looks like:
>
> auth default {
>   # Space separated list of wanted authentication mechanisms:
>   #   plain digest-md5 cram-md5 apop anonymous
>   mechanisms = plain
>   passdb pam {
>     args = dovecot
>   }

Add the -session arg if you want pam_mkhomedir to work.

> To get SSH to authenticate against ADS, the user name has to be
> prefaced with the domain name like "domain\user1". This is what
> I get when I attempt to login to Dovecot via Outlook/pop3 with
> the same naming scheme:
> Dovecot does not like the "\" character and I'm not sure
> authentication gets past that step to get to the pam phase.

You could make it use the default domain automatically, and then you don't need the domain part for the username.

smb.conf:
winbind separator = +
winbind use default domain = yes
workgroup = YOURDOMAIN

> Any experiences and suggestions with Dovecot authentication
> against Windows Active Directory?

Yep, I have had it running for a couple of years by now.

--
Pasi Sjöholm
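As an added illustration of the two fixes discussed in this thread (this is not code from the list, from Dovecot or from Samba), the script below decodes a SASL PLAIN response the way it appears in the "client in: AUTH" log line, applies the auth_username_chars whitelist to the username, and shows the effect of Michele's widened whitelist versus Pasi's winbind default-domain approach. It assumes Dovecot's documented default auth_username_chars value, uses a constructed sample login rather than the resp= value from Stephen's log, and its normalize_winbind helper is only a local model of what the smb.conf settings achieve.

```python
import base64

# Dovecot's documented default for auth_username_chars. Assumption: taken from
# the Dovecot wiki's MainConfig page; verify against your own version.
DEFAULT_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"
)

# Constructed sample (not the resp= value from the thread). SASL PLAIN is
# authzid NUL authcid NUL password, base64-encoded, as in "client in: AUTH".
SAMPLE_RESP = base64.b64encode(b"\0EXAMPLE\\alice\0dummy-password").decode()

def decode_sasl_plain(resp_b64):
    """Return (authzid, authcid) from a base64 SASL PLAIN response. The third
    field is the secret and is dropped, so this helper never echoes credentials."""
    parts = base64.b64decode(resp_b64).split(b"\0", 2)
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN response")
    authzid, authcid, _secret = parts
    return authzid.decode(), authcid.decode()

def username_allowed(user, allowed=DEFAULT_USERNAME_CHARS):
    """Mimic the auth_username_chars whitelist: every character must be listed."""
    return bool(user) and all(ch in allowed for ch in user)

def normalize_winbind(user, default_domain, separator="+"):
    """Local illustration (not winbind's code) of the smb.conf settings in the
    thread: 'winbind separator' replaces '\\', and with
    'winbind use default domain = yes' the default domain's prefix is dropped."""
    user = user.replace("\\", separator)
    if separator in user:
        domain, name = user.split(separator, 1)
        if domain.upper() == default_domain.upper():
            return name
    return user

def check_login(resp_b64, allowed=DEFAULT_USERNAME_CHARS, default_domain=None):
    """Report (raw user, raw ok, final user, final ok); 'final' is the name after
    winbind-style normalization when a default domain is given."""
    _, authcid = decode_sasl_plain(resp_b64)
    final = authcid if default_domain is None else normalize_winbind(authcid, default_domain)
    return authcid, username_allowed(authcid, allowed), final, username_allowed(final, allowed)

if __name__ == "__main__":
    print(check_login(SAMPLE_RESP))                                 # '\' rejected
    print(check_login(SAMPLE_RESP, DEFAULT_USERNAME_CHARS + "\\"))  # Michele's fix
    print(check_login(SAMPLE_RESP, default_domain="EXAMPLE"))       # Pasi's approach
```

Widening auth_username_chars lets the backslash through to every passdb and userdb lookup behind Dovecot, whereas dropping the domain prefix at the winbind layer keeps the default whitelist intact.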