with passdb ldap i guess. ---Aki TuomiDovecot oy -------- Original message --------From: Mark Foley <mfoley at ohprs.org> Date: 03/12/2017 21:18 (GMT+02:00) To: dovecot at dovecot.org Subject: Re: Howto authenticate smartPhone via Active Directory Yes, you are right. This link: https://www.redips.net/linux/android-email-postfix-auth/#section2 shows: passdb pam { } used for authenticating Android.? Problem #1 is that Slackware does not ship with PAM and the AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I should try configuring PAM on the AD/DC. Is there some otherway I can get authentication using domain credentials besides pam? the phone can send user and password. --Mark -----Original Message-----> Date: Sun, 03 Dec 2017 15:22:56 +0200 > Subject: Re: Howto authenticate smartPhone via Active Directory > From: Aki Tuomi <aki.tuomi at dovecot.fi> > To: Mark Foley <mfoley at ohprs.org>, dovecot at dovecot.org > > Actually you are authenticating gssapi clients from ad and everyone else from shadow. maybe you need to configure pam module? > ---Aki TuomiDovecot oy > > -------- Original message -------- > From: Mark Foley <mfoley at ohprs.org> > Date: 03/12/2017? 06:03? (GMT+02:00) > To: dovecot at dovecot.org > Subject: Howto authenticate smartPhone via Active Directory> I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials > using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via > shadow first and. failing that, it does authenticate via GSSAPI. > > Smartphones connect to Dovecot via port 143 and SSL.? They are not domain members so if the > shadow authentication fails, no other methods are tried and no connection is made. > > What can I do with my dovecot config to fix this? > > > doveconf -n > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > # OS: Linux 4.4.88 x86_64 Slackware 14.2 > auth_debug = yes > auth_debug_passwords = yes > auth_gssapi_hostname = $ALL > auth_krb5_keytab = /etc/dovecot/dovecot.keytab > auth_mechanisms = plain login gssapi > auth_use_winbind = yes > auth_username_format = %n > auth_verbose = yes > auth_verbose_passwords = plain > disable_plaintext_auth = no > info_log_path = /var/log/dovecot_info > mail_location = maildir:~/Maildir > passdb { > ? driver = shadow > } > protocols = imap > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key > userdb { > ? driver = passwd > } > verbose_ssl = yes > > Thanks, Mark
Unfortunately, I tried for weeks to figure out passdb ldap without success. I guess I'm just not knowledgeable enough about how to use ldap and Active Directory. The dovecot wiki https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it says is: Active Directory When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are available in port 3268. Use whatever works. http://technet.microsoft.com/en-us/library/cc978012.aspx I have not been able to find an example of someone using Dovecot and ldap with AD. However, I have had some success with CheckPassword (https://wiki2.dovecot.org/AuthDatabase/CheckPassword). Using a program I wrote to do ntlm_auth, I am able to authenticate the smartPhone user and pass the required parameters back to Dovecot. My auth-checkpasswd.conf.ext is the as-shipped standard except pointing to my checkpassword executable. passdb { driver = checkpassword args = /user/util/bin/checkpassword } userdb { driver = prefetch } The one issue I have with this at the moment is that dovecot runs checkpassword for every user, smartphone or otherwise: Dec 03 18:56:32 auth-worker(14903): Info: shadow(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): unknown user - trying the next passdb Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Received input: Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): exit_status=1 Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Credentials: Dec 03 18:56:32 auth: Debug: client passdb out: OK 1 user=charmaine original_user=charmaine at HPRS.LOCAL Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001 14902 1 586863e54c57c999ee5731906a59257c session_pid=14907 request_auth_token Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): lookup Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): username changed charmaine -> HPRS\charmaine Dec 03 18:56:32 auth: Debug: master userdb out: USER 1884160001 HPRS\charmaine system_groups_user=HPRS\charmaineuid=10003 gid=10000 home=/home/HPRS/charmaine auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7 auth_user=charmaine at HPRS.LOCAL Dec 03 18:56:32 imap-login: Info: Login: user=<charmaine>, method=GSSAPI, rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=<oy/YWXhfAtXAqAA0> Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913) Notice after the "shadow" auth fails it says, "unknown user - trying the next passdb", which is checkpassword (which apparently succeeds), then it goes on to gssapi which also succeeds. Is there a way to only have it do checkpassword if all shadow and gssapi fail? My mechanisms are: auth_mechanisms = plain login gssapi THX, --Mark --Mark -----Original Message----- Date: Sun, 03 Dec 2017 22:28:53 +0200 Subject: Re: Howto authenticate smartPhone via Active Directory From: Aki Tuomi <aki.tuomi at dovecot.fi> To: Mark Foley <mfoley at ohprs.org>, dovecot at dovecot.org with passdb ldap i guess. ---Aki Tuomi Dovecot oy -------- Original message -------- From: Mark Foley <mfoley at ohprs.org> Date: 03/12/2017 21:18 (GMT+02:00) To: dovecot at dovecot.org Subject: Re: Howto authenticate smartPhone via Active Directory Yes, you are right. This link: https://www.redips.net/linux/android-email-postfix-auth/#section2 shows: passdb pam { } used for authenticating Android.? Problem #1 is that Slackware does not ship with PAM and the AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I should try configuring PAM on the AD/DC. Is there some otherway I can get authentication using domain credentials besides pam? the phone can send user and password. --Mark -----Original Message-----> Date: Sun, 03 Dec 2017 15:22:56 +0200 > Subject: Re: Howto authenticate smartPhone via Active Directory > From: Aki Tuomi <aki.tuomi at dovecot.fi> > To: Mark Foley <mfoley at ohprs.org>, dovecot at dovecot.org > > Actually you are authenticating gssapi clients from ad and everyone else from shadow. maybe you need to configure pam module? > ---Aki TuomiDovecot oy > > -------- Original message -------- > From: Mark Foley <mfoley at ohprs.org> > Date: 03/12/2017? 06:03? (GMT+02:00) > To: dovecot at dovecot.org > Subject: Howto authenticate smartPhone via Active Directory> I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials > using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via > shadow first and. failing that, it does authenticate via GSSAPI. > > Smartphones connect to Dovecot via port 143 and SSL.? They are not domain members so if the > shadow authentication fails, no other methods are tried and no connection is made. > > What can I do with my dovecot config to fix this? > > > doveconf -n > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > # OS: Linux 4.4.88 x86_64 Slackware 14.2 > auth_debug = yes > auth_debug_passwords = yes > auth_gssapi_hostname = $ALL > auth_krb5_keytab = /etc/dovecot/dovecot.keytab > auth_mechanisms = plain login gssapi > auth_use_winbind = yes > auth_username_format = %n > auth_verbose = yes > auth_verbose_passwords = plain > disable_plaintext_auth = no > info_log_path = /var/log/dovecot_info > mail_location = maildir:~/Maildir > passdb { > ? driver = shadow > } > protocols = imap > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key > userdb { > ? driver = passwd > } > verbose_ssl = yes > > Thanks, Mark
You might get better results with https://wiki.dovecot.org/HowTo/ActiveDirectoryNtlm It seems you'd have to configure OpenLDAP backend for Samba to have LDAP. Aki On 04.12.2017 02:38, Mark Foley wrote:> Unfortunately, I tried for weeks to figure out passdb ldap without success. I guess I'm just > not knowledgeable enough about how to use ldap and Active Directory. The dovecot wiki > https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it says is: > > Active Directory > > When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are > available in port 3268. Use whatever works. http://technet.microsoft.com/en-us/library/cc978012.aspx > > I have not been able to find an example of someone using Dovecot and ldap with AD. > > However, I have had some success with CheckPassword > (https://wiki2.dovecot.org/AuthDatabase/CheckPassword). Using a program I wrote to do > ntlm_auth, I am able to authenticate the smartPhone user and pass the required parameters back > to Dovecot. My auth-checkpasswd.conf.ext is the as-shipped standard except pointing to my > checkpassword executable. > > passdb { > driver = checkpassword > args = /user/util/bin/checkpassword > } > userdb { > driver = prefetch > } > > The one issue I have with this at the moment is that dovecot runs checkpassword for every user, > smartphone or otherwise: > > Dec 03 18:56:32 auth-worker(14903): Info: shadow(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): unknown user - trying the next passdb > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Received input: > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): exit_status=1 > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Credentials: > Dec 03 18:56:32 auth: Debug: client passdb out: OK 1 user=charmaine original_user=charmaine at HPRS.LOCAL > Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001 14902 1 586863e54c57c999ee5731906a59257c session_pid=14907 request_auth_token > Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): lookup > Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): username changed charmaine -> HPRS\charmaine > Dec 03 18:56:32 auth: Debug: master userdb out: USER 1884160001 HPRS\charmaine system_groups_user=HPRS\charmaineuid=10003 gid=10000 home=/home/HPRS/charmaine auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7 auth_user=charmaine at HPRS.LOCAL > Dec 03 18:56:32 imap-login: Info: Login: user=<charmaine>, method=GSSAPI, rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=<oy/YWXhfAtXAqAA0> > Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913) > > Notice after the "shadow" auth fails it says, "unknown user - trying the next passdb", which is > checkpassword (which apparently succeeds), then it goes on to gssapi which also succeeds. Is > there a way to only have it do checkpassword if all shadow and gssapi fail? My mechanisms are: > > auth_mechanisms = plain login gssapi > > THX, --Mark > > --Mark > > -----Original Message----- > Date: Sun, 03 Dec 2017 22:28:53 +0200 > Subject: Re: Howto authenticate smartPhone via Active Directory > From: Aki Tuomi <aki.tuomi at dovecot.fi> > To: Mark Foley <mfoley at ohprs.org>, dovecot at dovecot.org > > with passdb ldap i guess. > > ---Aki Tuomi > Dovecot oy > > -------- Original message -------- > From: Mark Foley <mfoley at ohprs.org> > Date: 03/12/2017 21:18 (GMT+02:00) > To: dovecot at dovecot.org > Subject: Re: Howto authenticate smartPhone via Active Directory > > Yes, you are right. This link: https://www.redips.net/linux/android-email-postfix-auth/#section2 > shows: > > passdb pam { > } > > used for authenticating Android.? Problem #1 is that Slackware does not ship with PAM and the > AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I > should try configuring PAM on the AD/DC. > > Is there some otherway I can get authentication using domain credentials besides pam? the phone > can send user and password. > > --Mark > > -----Original Message----- >> Date: Sun, 03 Dec 2017 15:22:56 +0200 >> Subject: Re: Howto authenticate smartPhone via Active Directory >> From: Aki Tuomi <aki.tuomi at dovecot.fi> >> To: Mark Foley <mfoley at ohprs.org>, dovecot at dovecot.org >> >> Actually you are authenticating gssapi clients from ad and everyone else from shadow. maybe you need to configure pam module? >> ---Aki TuomiDovecot oy >> >> -------- Original message -------- >> From: Mark Foley <mfoley at ohprs.org> >> Date: 03/12/2017? 06:03? (GMT+02:00) >> To: dovecot at dovecot.org >> Subject: Howto authenticate smartPhone via Active Directory >> I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials >> using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via >> shadow first and. failing that, it does authenticate via GSSAPI. >> >> Smartphones connect to Dovecot via port 143 and SSL.? They are not domain members so if the >> shadow authentication fails, no other methods are tried and no connection is made. >> >> What can I do with my dovecot config to fix this? >> >>> doveconf -n >> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf >> # OS: Linux 4.4.88 x86_64 Slackware 14.2 >> auth_debug = yes >> auth_debug_passwords = yes >> auth_gssapi_hostname = $ALL >> auth_krb5_keytab = /etc/dovecot/dovecot.keytab >> auth_mechanisms = plain login gssapi >> auth_use_winbind = yes >> auth_username_format = %n >> auth_verbose = yes >> auth_verbose_passwords = plain >> disable_plaintext_auth = no >> info_log_path = /var/log/dovecot_info >> mail_location = maildir:~/Maildir >> passdb { >> ? driver = shadow >> } >> protocols = imap >> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt >> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key >> userdb { >> ? driver = passwd >> } >> verbose_ssl = yes >> >> Thanks, Mark
Hi Mark, Just to let you know that we are running dovecot with AD. (and I guess: *many* people are running that combination) It worked without issues, we are using in dovecot-ldap.conf.ext: > auth_bind = yes this user/passwd filter:> = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))> dn = cn=search_dovecit,cn=users,dc=company,dc=com > dnpass = top_secret And not the 3268 port, but regular 389. Hope that helps. MJ On 12/04/2017 01:38 AM, Mark Foley wrote:> Unfortunately, I tried for weeks to figure out passdb ldap without success. I guess I'm just > not knowledgeable enough about how to use ldap and Active Directory. The dovecot wiki > https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it says is: > > Active Directory > > When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are > available in port 3268. Use whatever works. http://technet.microsoft.com/en-us/library/cc978012.aspx > > I have not been able to find an example of someone using Dovecot and ldap with AD. > > However, I have had some success with CheckPassword > (https://wiki2.dovecot.org/AuthDatabase/CheckPassword). Using a program I wrote to do > ntlm_auth, I am able to authenticate the smartPhone user and pass the required parameters back > to Dovecot. My auth-checkpasswd.conf.ext is the as-shipped standard except pointing to my > checkpassword executable. > > passdb { > driver = checkpassword > args = /user/util/bin/checkpassword > } > userdb { > driver = prefetch > } > > The one issue I have with this at the moment is that dovecot runs checkpassword for every user, > smartphone or otherwise: > > Dec 03 18:56:32 auth-worker(14903): Info: shadow(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): unknown user - trying the next passdb > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Received input: > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): exit_status=1 > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Credentials: > Dec 03 18:56:32 auth: Debug: client passdb out: OK 1 user=charmaine original_user=charmaine at HPRS.LOCAL > Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001 14902 1 586863e54c57c999ee5731906a59257c session_pid=14907 request_auth_token > Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): lookup > Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): username changed charmaine -> HPRS\charmaine > Dec 03 18:56:32 auth: Debug: master userdb out: USER 1884160001 HPRS\charmaine system_groups_user=HPRS\charmaineuid=10003 gid=10000 home=/home/HPRS/charmaine auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7 auth_user=charmaine at HPRS.LOCAL > Dec 03 18:56:32 imap-login: Info: Login: user=<charmaine>, method=GSSAPI, rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=<oy/YWXhfAtXAqAA0> > Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913) > > Notice after the "shadow" auth fails it says, "unknown user - trying the next passdb", which is > checkpassword (which apparently succeeds), then it goes on to gssapi which also succeeds. Is > there a way to only have it do checkpassword if all shadow and gssapi fail? My mechanisms are: > > auth_mechanisms = plain login gssapi > > THX, --Mark > > --Mark > > -----Original Message----- > Date: Sun, 03 Dec 2017 22:28:53 +0200 > Subject: Re: Howto authenticate smartPhone via Active Directory > From: Aki Tuomi <aki.tuomi at dovecot.fi> > To: Mark Foley <mfoley at ohprs.org>, dovecot at dovecot.org > > with passdb ldap i guess. > > ---Aki Tuomi > Dovecot oy > > -------- Original message -------- > From: Mark Foley <mfoley at ohprs.org> > Date: 03/12/2017 21:18 (GMT+02:00) > To: dovecot at dovecot.org > Subject: Re: Howto authenticate smartPhone via Active Directory > > Yes, you are right. This link: https://www.redips.net/linux/android-email-postfix-auth/#section2 > shows: > > passdb pam { > } > > used for authenticating Android.? Problem #1 is that Slackware does not ship with PAM and the > AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I > should try configuring PAM on the AD/DC. > > Is there some otherway I can get authentication using domain credentials besides pam? the phone > can send user and password. > > --Mark > > -----Original Message----- >> Date: Sun, 03 Dec 2017 15:22:56 +0200 >> Subject: Re: Howto authenticate smartPhone via Active Directory >> From: Aki Tuomi <aki.tuomi at dovecot.fi> >> To: Mark Foley <mfoley at ohprs.org>, dovecot at dovecot.org >> >> Actually you are authenticating gssapi clients from ad and everyone else from shadow. maybe you need to configure pam module? >> ---Aki TuomiDovecot oy >> >> -------- Original message -------- >> From: Mark Foley <mfoley at ohprs.org> >> Date: 03/12/2017? 06:03? (GMT+02:00) >> To: dovecot at dovecot.org >> Subject: Howto authenticate smartPhone via Active Directory > >> I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials >> using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via >> shadow first and. failing that, it does authenticate via GSSAPI. >> >> Smartphones connect to Dovecot via port 143 and SSL.? They are not domain members so if the >> shadow authentication fails, no other methods are tried and no connection is made. >> >> What can I do with my dovecot config to fix this? >> >>> doveconf -n >> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf >> # OS: Linux 4.4.88 x86_64 Slackware 14.2 >> auth_debug = yes >> auth_debug_passwords = yes >> auth_gssapi_hostname = $ALL >> auth_krb5_keytab = /etc/dovecot/dovecot.keytab >> auth_mechanisms = plain login gssapi >> auth_use_winbind = yes >> auth_username_format = %n >> auth_verbose = yes >> auth_verbose_passwords = plain >> disable_plaintext_auth = no >> info_log_path = /var/log/dovecot_info >> mail_location = maildir:~/Maildir >> passdb { >> ? driver = shadow >> } >> protocols = imap >> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt >> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key >> userdb { >> ? driver = passwd >> } >> verbose_ssl = yes >> >> Thanks, Mark >