Dmitry Butskoy
2007-Nov-02 14:46 UTC
[Dovecot] Successful experience with auth_winbind module
Hi,

Recently the support of Samba's ntlm_auth helper was added to dovecot-auth (mech-winbind.c etc.). It is already in 1.1, the patch for 1.0 is here: http://dovecot.org/patches/1.0/dovecot-1.0.3-winbind.patch . It allows auth against an NT or AD domain.

I would like to inform all that we have successfully used this new feature for 2 months with ~300 users 24x7 (an energy power company). No failures at all!

This feature allows specifying the "SPA" (Secure Password Authentication) option in OE, and avoiding explicit user passwords in mail accounts.

Some random notes:

- In a mixed environment (both plain and ntlm methods in use), you have to specify:

      mechanisms = plain ntlm login

  i.e. "ntlm" before "login". When sending mail, OE just catches the first one seen and tries to use it, even if you specify to use SPA in the mail account preferences.
- It seems that MS Outlook requires specifying a password even when SPA is in effect.
- When OE has several identities, and one of the identities has SPA set for SMTP (outgoing mail), it wins over all other identities.
- "The Bat" mailer supports NTLM for reading, not sending, and requires a password too.

Regards,
Dmitry Butskoy
http://www.fedoraproject.org/wiki/DmitryButskoy

P.S. We use NTLM only, GSS-SPNEGO is still not tested.