Hello All,

I haven't seen the answer to this, maybe I am just using the wrong searches. I have two queries related to this:

1) I have seen how to configure for LDAP and Kerberos. AD uses both together. All user information is in AD/LDAP and authentication is AD/Kerberos. How can I configure Dovecot to use both appropriately?

2) I can cause Samba to create certain directories on login, etc. However, I am needing to do this for Dovecot (and Postfix using Dovecot deliver). I would prefer to use Dovecot functionality for this, not Samba. This is not the autocreate folder/subscribe stuff, at least I think not. For example, if I have a directory /var/mail/domain/user, can I have Dovecot auto create (with proper permissions) the domain/user part? These would be used for maildir.

Thank you,
Trever Adams
On Oct 7, 2009, at 12:36 AM, Trever L. Adams wrote:

> I haven't seen the answer to this, maybe I am just using the wrong
> searches. I have two queries related to this:
>
> 1) I have seen how to configure for LDAP and Kerberos. AD uses both
> together. All user information is in AD/LDAP and authentication is
> AD/Kerberos. How can I configure Dovecot to use both appropriately?

You could forget about the Kerberos part and just use AD as an LDAP server.

> 2) I can cause Samba to create certain directories on login, etc.
> However, I am needing to do this for Dovecot (and Postfix using Dovecot
> deliver). I would prefer to use Dovecot functionality for this, not
> Samba. This is not the autocreate folder/subscribe stuff, at least I
> think not. For example if I have a directory /var/mail/domain/user. Can
> I have Dovecot auto create (with proper permissions) the domain/user
> part? These would be used for maildir.

If you're using the same UNIX UID for all users, there's really nothing you need to do. Dovecot tries to create missing directories automatically.
Ccing mailing list, since I'm not all-knowing..

On Oct 7, 2009, at 12:49 AM, Trever L. Adams wrote:

> Timo Sirainen wrote:
>> On Oct 7, 2009, at 12:36 AM, Trever L. Adams wrote:
>>> 1) I have seen how to configure for LDAP and Kerberos. AD uses both
>>> together. All user information is in AD/LDAP and authentication is
>>> AD/Kerberos. How can I configure Dovecot to use both appropriately?
>> You could forget about the Kerberos part and just use AD as an LDAP
>> server.
> I really want to use kerberos/SPNEGO everywhere I can for various
> reasons. The LDAP would be for the configuration.

Do you actually want the IMAP/POP3 clients to use Kerberos? For plaintext auth I don't see any benefit in Dovecot using Kerberos rather than LDAP (and it doesn't support that, except via pam_kerberos or whatever I guess). But for clients to use Kerberos (GSSAPI) and authenticate against AD while Dovecot is in the middle... I've no idea. I guess that's possible somehow.

>>> 2) For example if I have a directory /var/mail/domain/user. Can
>>> I have Dovecot auto create (with proper permissions) the domain/user
>>> part? These would be used for maildir.
>> If you're using the same UNIX UID for all users, there's really
>> nothing you need to do. Dovecot tries to create missing directories
>> automatically.
> No, I will be using the new Samba IDMAP stuff that hashes all the parts
> of the windows ID to a 32 bit UID. Any way to do this, or will I need
> to find another solution (not for mailing, but for directory creation)?

There's no great way to do this.. A couple of kludgy ways. Like chmod 01777 /var/mail. Or override mail_executable setting to a script that still runs as root and can create the directory with proper permissions.
http://wiki.dovecot.org/PostLoginScripting
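Added example of the post-login script route Timo points at (example code written for this thread, not from the list or the Dovecot project). It assumes Dovecot exports USER as "user@domain" to the mail process, that the script is configured to run as root (which is what allows the chown to a per-user UID), that the target uid/gid arrive in the hypothetical MAIL_UID/MAIL_GID environment variables (for instance exported from userdb extra fields), and the v2 script-login convention in which the real mail process is passed in "$@" and exec'd last. Because a root-privileged script is being fed a login name, the example refuses any name that could escape the mail base directory before it creates or chowns anything.

```shell
#!/bin/sh
# Hypothetical Dovecot post-login script: creates /var/mail/<domain>/<user>
# with sane ownership, then hands over to the real mail process.
# Assumptions (not Dovecot defaults): MAIL_UID/MAIL_GID carry the target
# uid/gid, the script runs as root, and "$@" is the process to exec.

MAIL_BASE="${MAIL_BASE:-/var/mail}"   # assumed layout: /var/mail/<domain>/<user>

# is_safe_component NAME: a path component derived from a login name must be
# non-empty, must not start with "." (rules out "." and ".."), and may contain
# only [A-Za-z0-9._-]. This keeps the root-privileged script from creating or
# chowning anything outside MAIL_BASE when handed a hostile login name.
is_safe_component() {
    case "$1" in
        ''|.*)              return 1 ;;
        *[!A-Za-z0-9._-]*)  return 1 ;;
    esac
    return 0
}

# ensure_user_maildir BASE DOMAIN USER [UID GID]
# Creates BASE/DOMAIN (0755, shared by that domain's users) and
# BASE/DOMAIN/USER (0700). When running as root and UID/GID are given, the
# user directory is chowned so the mail process, running as that UID, can
# create its Maildir inside it. Idempotent; non-zero on refusal or failure.
ensure_user_maildir() {
    base=$1 domain=$2 user=$3 uid=${4:-} gid=${5:-}
    is_safe_component "$domain" || { echo "postlogin: refusing domain '$domain'" >&2; return 1; }
    is_safe_component "$user"   || { echo "postlogin: refusing user '$user'" >&2; return 1; }
    [ -d "$base" ] || { echo "postlogin: base directory $base missing" >&2; return 1; }
    domdir="$base/$domain"
    userdir="$domdir/$user"
    [ -d "$domdir" ]  || mkdir -m 0755 "$domdir"  || return 1
    [ -d "$userdir" ] || mkdir -m 0700 "$userdir" || return 1
    if [ "$(id -u)" -eq 0 ] && [ -n "$uid" ] && [ -n "$gid" ]; then
        chown "$uid:$gid" "$userdir" || return 1
    fi
    return 0
}

# Entry point when Dovecot runs this as the post-login script: USER is set and
# the next executable is in "$@". Run without arguments (e.g. sourced for a
# test) it only defines the functions above.
if [ $# -gt 0 ] && [ -n "${USER:-}" ]; then
    case "$USER" in
        *@*) login_user=${USER%%@*}; login_domain=${USER#*@} ;;
        *)   login_user=$USER;       login_domain=default ;;   # assumed fallback domain
    esac
    ensure_user_maildir "$MAIL_BASE" "$login_domain" "$login_user" \
        "${MAIL_UID:-}" "${MAIL_GID:-}" || exit 1
    exec "$@"
fi
```

The directory creation itself is the easy part; the point of the example is that whatever runs as root here must treat the login name as untrusted input, which is why the character whitelist and the leading-dot check come before any mkdir or chown. Timo's v1 suggestion of wrapping mail_executable is the same idea with the imap binary exec'd explicitly at the end instead of "$@".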
On Fri, Feb 04, 2011 at 01:47:31PM -0700, Trever L. Adams wrote:
> > There was a thread a month or so ago on how to do GSSAPI with AD and
> > dovecot kerberos. It works great, and I highly recommend it for AD
> > sites. Check the archives, it isn't really too hard.
> I am not finding this. Do you happen to remember the subject?

No, but it is pretty simple using latest everything (well, Debian squeeze).. Basically from scratch.. Notice this also sets up NTLM, which is supported by many roaming devices (i.e. phones).

1) Put this or similar in /etc/samba/smb.conf

    [global]
      workgroup = $NT_WORKGROUP$
      realm = $REALM$
      security = ads
      kerberos method = secrets and keytab

2) Confirm that hostname gives an unqualified name and hostname -f gives a fully qualified name. Confirm you have DNS set up properly (e.g. dig -t SRV _kerberos._udp.$REALM$ works OK)

3) Join the machine to AD

    $ net ads join -U 'user with AD privs'
    $ kinit AD_USER
    $ kvno host/`hostname -f`

4) Set up imap SPN:

    $ net ads keytab add imap
    $ net ads search cn=`hostname` | grep servicePrincipalName
    $ klist -k
    $ kvno imap/`hostname -f`

   The last three should report imap/`hostname -f` entries.

5) Set up dovecot.. Set these things in the config

    auth_use_winbind = yes
    mechanisms = plain gssapi gss-spnego login ntlm

6) Set up exim..

    $ net ads keytab add smtp

   Use these in the dovecot config:

    client {
      path = /var/run/dovecot/auth-client
      mode = 0660
      group = Debian-exim
    }
    }

   And this at the end of the exim.conf:

    dovecot_plain:
      driver = dovecot
      public_name = PLAIN
      server_socket = /var/run/dovecot/auth-client
      server_set_id=PLAIN-${quote:$auth1}

    dovecot_ntlm:
      driver = dovecot
      public_name = NTLM
      server_socket = /var/run/dovecot/auth-client
      server_set_id=NTLM-${quote:$auth1}

    dovecot_gssapi:
      driver = dovecot
      public_name = GSSAPI
      server_socket = /var/run/dovecot/auth-client
      server_set_id=GSSAPI-${quote:$auth1}

    dovecot_gssapi_spnego:
      driver = dovecot
      public_name = GSS-SPNEGO
      server_socket = /var/run/dovecot/auth-client
      server_set_id=GSS-SPNEGO-${quote:$auth1}

7) Set up openssh in sshd_config

    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    GSSAPIStrictAcceptorCheck yes

Jason
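Added preflight check for the recipe above (example code written for this thread, not Jason's script or anything from the Dovecot or Samba projects). Steps 2 and 4 each state a condition that is easy to get wrong and that silently breaks GSSAPI logins later: hostname -f must be fully qualified while hostname is not, DNS must publish a KDC SRV record for the realm, and the keytab must contain the imap/<fqdn> principal that clients will ask for. The helpers below take the text output of dig and klist as arguments, so they can be exercised offline on the constructed samples embedded in the script; run with "--live REALM" on a mail host they run the real hostname, dig and klist commands. Sample realm and host names are constructed.

```shell
#!/bin/sh
# Preflight for enabling "mechanisms = plain gssapi gss-spnego ..." in Dovecot
# against AD. Example code; helpers are pure so they can be checked offline.

# is_fqdn NAME: true when NAME has at least one dot separating non-empty
# labels (what "hostname -f" should return; "hostname" alone should not).
is_fqdn() {
    case "$1" in
        ''|.*|*.|*..*) return 1 ;;
        *.*)           return 0 ;;
        *)             return 1 ;;
    esac
}

# srv_has_kdc TEXT: TEXT is the output of "dig +short -t SRV _kerberos._udp.REALM".
# At least one "priority weight port target" line means a KDC is published.
srv_has_kdc() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+[^[:space:]]+'
}

# keytab_has_spn TEXT SPN: TEXT is the output of "klist -k"; SPN is e.g.
# imap/mail.example.com (the "@REALM" suffix is ignored when comparing).
# klist's header lines never match because their second field is not a
# principal.
keytab_has_spn() {
    printf '%s\n' "$1" | awk -v spn="$2" '
        NF >= 2 { split($2, p, "@"); if (p[1] == spn) found = 1 }
        END { exit found ? 0 : 1 }'
}

# run_live_preflight REALM: runs the real commands on this host and reports
# each condition; exit status 0 only when every check passes.
run_live_preflight() {
    realm=$1 status=0
    fqdn=$(hostname -f)
    if is_fqdn "$fqdn" && ! is_fqdn "$(hostname)"; then
        echo "ok   hostname=$(hostname)  hostname -f=$fqdn"
    else
        echo "FAIL hostname should be unqualified and hostname -f qualified (got '$(hostname)' / '$fqdn')"
        status=1
    fi
    if srv_has_kdc "$(dig +short -t SRV "_kerberos._udp.$realm")"; then
        echo "ok   SRV _kerberos._udp.$realm resolves to a KDC"
    else
        echo "FAIL no KDC SRV record found for $realm"; status=1
    fi
    if keytab_has_spn "$(klist -k)" "imap/$fqdn"; then
        echo "ok   keytab contains imap/$fqdn"
    else
        echo "FAIL keytab lacks imap/$fqdn (step 4: net ads keytab add imap)"; status=1
    fi
    return $status
}

# Constructed sample outputs (not captured from a real host) so the helpers
# can be seen working without AD access.
SAMPLE_SRV='0 100 88 dc1.example.com.
0 100 88 dc2.example.com.'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/mail.example.com@EXAMPLE.COM
   3 imap/mail.example.com@EXAMPLE.COM'

if [ "${1:-}" = "--live" ]; then
    run_live_preflight "${2:-EXAMPLE.COM}"
else
    is_fqdn mail.example.com && echo "is_fqdn(mail.example.com): ok"
    srv_has_kdc "$SAMPLE_SRV" && echo "srv_has_kdc(sample): ok"
    keytab_has_spn "$SAMPLE_KLIST" imap/mail.example.com && echo "keytab_has_spn(sample): ok"
fi
```

The keytab check is the one worth keeping around after setup: "net ads keytab add imap" must be repeated whenever the machine password rotates and the kvno changes, and a stale keytab is the usual reason GSSAPI logins start failing while PLAIN keeps working.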