Hi list

Does anyone have experience in setting up Dovecot or any other mail system with user auth against a Samba4 AD? If yes, could I get some advice on that topic or even a link to a resource where I can get some information? Googled a lot but didn't find anything yet.

Thanks in advance.

--
Kind regards

Carsten Laun-De Lellis

Hauptstrasse 13
D-67705 Trippstadt

Phone: +49 6306 992140
Fax: +49 6306 992142
Mobile: +49 151 27530865
email: carsten.delellis at delellis.net

http://www.linkedin.com/in/carstenlaundelellis
On 28.06.2013 10:31, Carsten Laun-De Lellis wrote:
> Does anyone have experience in setting up Dovecot or any other mail system with user auth against a Samba4 AD?

I did it with dovecot/postfix on Debian wheezy; there is a lot more info if you look for Dovecot setup against Microsoft AD.

First create a user for LDAP queries:

  samba-tool user add ldap [password]

Configure the Dovecot passdb against Samba4 AD; add or change this in your dovecot.conf or auth-ldap.conf.ext (on wheezy):

  # Authentication for LDAP users
  passdb {
    driver = ldap
    args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
  }

Create /etc/dovecot/dovecot-ldap-passdb.conf.ext; it may be that you have to use sAMAccountName instead of cn for auth_bind_userdn and pass_filter. On my side these are identical because I migrated from samba3/openldap. The filter is looking for person classes with matching cn and an existing mail attribute.

  hosts = localhost
  auth_bind = yes
  auth_bind_userdn = cn=%u,cn=Users,dc=yourdomain,dc=local
  ldap_version = 3
  base = cn=Users,dc=yourdomain,dc=local
  pass_filter = (&(objectClass=person)(cn=%u)(mail=*))

Use different LDAP settings for the other user lookups; this goes again into dovecot.conf:

  # Users
  userdb {
    driver = ldap
    args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
  }

Create /etc/dovecot/dovecot-ldap-userdb.conf.ext; again you may have to change cn to sAMAccountName in user_filter and iterate_attrs. On my side I use one system user vmail (uid:999, gid:999) for all maildirs and those are stored under /var/lib/vmail. With such a setup attributes like uidNumber and gidNumber are not required for every user entry in LDAP, so I can hardcode all necessary userdb lookup variables. I use /var/lib/vmail/[cn] as the Dovecot user homedir (for things like sieve settings etc.) and /var/lib/vmail/[cn]/mail for the maildir.

  hosts = localhost
  dn = cn=ldap,cn=Users,DC=yourdomain,DC=local
  dnpass = [password]
  ldap_version = 3
  base = cn=Users,DC=yourdomain,DC=local
  user_attrs = =uid=999,=gid=999,=home=/var/lib/vmail/%u,mail=/var/lib/vmail/%u/mail
  user_filter = (&(objectClass=person)(cn=%u)(mail=*))
  # Attributes and filter to get a list of all users
  iterate_attrs = cn=user
  iterate_filter = (objectClass=person)

For reference these are my maildir settings in dovecot.conf (10-mail.conf on wheezy).

  ## Maildir locations and settings
  mail_plugins = acl
  mail_home = /var/lib/vmail/%u
  mail_location = maildir:/var/lib/vmail/%u/mail
  mail_uid = 999
  mail_gid = 999
  first_valid_uid = 999
  first_valid_gid = 999
  #mail_full_filesystem_access = no
  mail_shared_explicit_inbox = no
  maildir_very_dirty_syncs = yes

  namespace {
    list = no
    location = maildir:/var/lib/vmail/%%u/mail:INDEX=/var/lib/vmail/%u/mail/shared/%%u
    prefix = shared/%%u/
    separator = /
    subscriptions = no
    type = shared
  }

  namespace inbox {
    inbox = yes
    location = maildir:/var/lib/vmail/%u/mail
    prefix =
    separator = /
    type = private
  }

If you want to use Kerberos with Dovecot (works well with Thunderbird on domain member workstations) you have to create an SPN and a keytab.

  samba-tool spn add imap/server.yourdomain.local@YOURDOMAIN.LOCAL ldap

I had trouble with the keytab but this worked so far (use the ldap user's password if asked).

  cd /etc/dovecot
  ktutil
  addent -password -p imap/server.yourdomain.local@YOURDOMAIN.LOCAL -k 1 -e arcfour-hmac
  wkt dovecot.keytab

If you use Dovecot for Postfix authentication as well:

  samba-tool spn add smtp/server.yourdomain.local@YOURDOMAIN.LOCAL ldap
  cd /etc/dovecot
  ktutil
  addent -password -p imap/server.yourdomain.local@YOURDOMAIN.LOCAL -k 1 -e arcfour-hmac
  addent -password -p smtp/server.yourdomain.local@YOURDOMAIN.LOCAL -k 1 -e arcfour-hmac
  wkt dovecot.keytab

The necessary settings in dovecot.conf (10-auth.conf on wheezy) are the following. The only way I got it working was with auth_gssapi_hostname = "$ALL", which may be a bit insecure.

  auth_mechanisms = plain login gssapi
  # Kerberos
  auth_gssapi_hostname = "$ALL"
  auth_krb5_keytab = /etc/dovecot/dovecot.keytab

Hope that helps.

achim~
Hi Achim

Don't wanna bother you, but I still get error messages.

Jun 28 15:09:57 rv1325 dovecot: auth: Debug: auth client connected (pid=2157)
Jun 28 15:09:57 rv1325 dovecot: auth: Debug: client in: AUTH#0111#011NTLM#011service=imap#011session=KkN8mDbgGABUmsab#011lip=178.254.21.125#011rip=84.154.198.155#011lport=143#011rport=49432
Jun 28 15:09:57 rv1325 dovecot: auth: Debug: client passdb out: CONT#0111#011
Jun 28 15:09:57 rv1325 dovecot: auth: Debug: client in: CONT#0111#011TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAvAjAAAADw=(previous base64 data may contain sensitive data)
Jun 28 15:09:57 rv1325 dovecot: auth: Debug: client passdb out: CONT#0111#011TlRMTVNTUAACAAAADAAMADAAAAAFAooAzlGLZuaYgz0AAAAAAAAAABQAFAA8AAAAcgB2ADEAMwAyADUAAwAMAHIAdgAxADMAMgA1AAAAAAA
Jun 28 15:09:58 rv1325 dovecot: auth: Debug: client in: CONT#0111#011TlRMTVNTUAADAAAAGAAYAHYAAADAAMAAjgAAAAAAAABYAAAAEAAQAFgAAAAOAA4AaAAAAAAAAABOAQAABQKIAgYC8CMAAAAP6HRQNL0+o3yODw5hHqFFvHQAZQBzAHQAdQBzAGUAcgBXADAAMAAwADAAMAA1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABnluuxW4N/hRueL6TyYm30BAQAAAAAAAB2Yjc4AdM4B6LKt7eH6AGUAAAAAAwAMAHIAdgAxADMAMgA1AAgAMAAwAAAAAAAAAAEAAAAAIAAABJBPeBFKFDBXIh0KoOgHioqV/yHKS7i3O2lbwelRVv4KABAAAAAAAAAAAAAAAAAAAAAAAAkAMABpAG0AYQBwAC8AcgB2ADEAMwAyADUALgBkAGUAbABlAGwAbABpAHMALgBuAGUAdAAAAAAAAAAAAA=(previous base64 data may contain sensitive data)
Jun 28 15:09:58 rv1325 dovecot: auth: Debug: password(testuser,84.154.198.155,<KkN8mDbgGABUmsab>): passdb doesn't support credential lookups
Jun 28 15:09:58 rv1325 dovecot: auth: Debug: password(testuser,84.154.198.155,<KkN8mDbgGABUmsab>): passdb doesn't support credential lookups
Jun 28 15:10:00 rv1325 dovecot: auth: Debug: client passdb out: FAIL#0111#011user=testuser
Jun 28 15:10:00 rv1325 dovecot: auth: Debug: client in: AUTH#0112#011DIGEST-MD5#011service=imap#011session=KkN8mDbgGABUmsab#011lip=178.254.21.125#011rip=84.154.198.155#011lport=143#011rport=49432
Jun 28 15:10:04 rv1325 dovecot: auth: Debug: client passdb out: CONT#0112#011cmVhbG09IiIsbm9uY2U9Ii9nZndwbWd1TTlDMlVkekhZRld0R0E9PSIscW9wPSJhdXRoIixjaGFyc2V0PSJ1dGYtOCIsYWxnb3JpdGhtPSJtZDUtc2VzcyI
Jun 28 15:10:04 rv1325 dovecot: auth: Debug: client in: CONT#0112#011dXNlcm5hbWU9InRlc3R1c2VyIixyZWFsbT0iIixub25jZT0iL2dmd3BtZ3VNOUMyVWR6SFlGV3RHQT09IixkaWdlc3QtdXJpPSJpbWFwL3J2MTMyNS5kZWxlbGxpcy5uZXQiLGNub25jZT0iMjQ0NTRjZjAxNjVmOTE3YmVjMTJhMjk5OTc1ZGQ0MTYiLG5jPTAwMDAwMDAxLHJlc3BvbnNlPWVjZWI4MjJhZDFiZWY4NjU1OTYzMTk0YzhlZDQ0NmYxLHFvcD1hdXRoLGNoYXJzZXQ9dXRmLTg(previous base64 data may contain sensitive data)
Jun 28 15:10:04 rv1325 dovecot: auth: Debug: password(testuser,84.154.198.155,<KkN8mDbgGABUmsab>): passdb doesn't support credential lookups
Jun 28 15:10:06 rv1325 dovecot: auth: Debug: client passdb out: FAIL#0112#011user=testuser
Jun 28 15:10:06 rv1325 dovecot: auth: Debug: client in: AUTH#0113#011PLAIN#011service=imap#011session=KkN8mDbgGABUmsab#011lip=178.254.21.125#011rip=84.154.198.155#011lport=143#011rport=49432#011resp=AHRlc3R1c2VyAHRlc3R1c2Vy (previous base64 data may contain sensitive data)

My auth.conf file looks like:

  hosts = localhost
  auth_bind = yes
  auth_bind_userdn = sAMAccountName=%u,cn=Users,dc=delellis,dc=net
  base = cn=Users,dc=delellis,dc=net
  ldap_version = 3
  pass_filter = (&(objectClass=user)(sAMAccountName=%u)(mail=*))

And I have no idea why it doesn't work.

---
Kind regards

Carsten Laun-De Lellis

On 2013-06-28 14:04, Achim Gottinger wrote:
> On 28.06.2013 13:55, Carsten Laun-De Lellis wrote:
>
>> Hi Achim
>>
>> Thanks a lot. I will try.
>>
>> Have a nice weekend.
> NP, take a look at this
>
> http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
>
>> On 2013-06-28 13:35, Achim Gottinger wrote:
>>> On 28.06.2013 13:24, Carsten Laun-De Lellis wrote:
>>>> Hi Achim
>>>>
>>>> First of all thanks for your input. The way you set it up was the way I did it. But when I go through your LDAP configuration it doesn't really solve my problem or, maybe more likely, I don't understand it. For auth I want my users to connect to Dovecot with a user/password token. In your config I can't see where you match the password to the AD password.
>>>
>>> For authentication Dovecot uses what is configured in passdb; in the corresponding LDAP config you can see it uses auth_bind=yes, and auth_bind_userdn defines the dn used to auth against the Samba4 LDAP.
>>> As said, on my side cn is identical with sAMAccountName; if it's not on your side you may have to use cn/password instead of sAMAccountName/password.
>>>
>>>> Maybe I wasn't specific enough about what I want to do. Or I don't understand where you match against the user password. And again there is a good chance that the problem is myself. (crying)
>>>>
>>>> Thanks again.
Dear Achim

Thank you very much for your support so far. I think I am really close, but not there yet. I get the following log messages:

Jun 28 20:12:33 rv1325 dovecot: auth: Debug: client passdb out: FAIL#0115#011user=test
Jun 28 20:12:33 rv1325 dovecot: auth: Debug: client in: AUTH#0116#011LOGIN#011service=smtp#011nologin#011lip=178.254.21.125#011rip=84.154.198.155#011secured
Jun 28 20:12:37 rv1325 dovecot: auth: Debug: client passdb out: CONT#0116#011VXNlcm5hbWU6
Jun 28 20:12:37 rv1325 dovecot: auth: Debug: client in: CONT#0116#011dGVzdA== (previous base64 data may contain sensitive data)
Jun 28 20:12:37 rv1325 dovecot: auth: Debug: client passdb out: CONT#0116#011UGFzc3dvcmQ6
Jun 28 20:12:37 rv1325 dovecot: auth: Debug: client in: CONT#0116#011dGVzdHVzZXI= (previous base64 data may contain sensitive data)
Jun 28 20:12:37 rv1325 dovecot: auth: Debug: ldap(test,84.154.198.155): bind search: base=cn=Users, dc=delellis, dc=net filter=(&(objectClass=person)(sAMAccountName=test))
Jun 28 20:12:37 rv1325 dovecot: auth: Debug: ldap(test,84.154.198.155): result: sAMAccountName=test; sAMAccountName unused
Jun 28 20:12:37 rv1325 dovecot: auth: Debug: ldap(test,84.154.198.155): result: sAMAccountName=test
Jun 28 20:12:37 rv1325 dovecot: auth: Debug: client passdb out: OK#0116#011user=test#011u%=test

As you can see the sAMAccountName is set to test, which is right, but what I don't understand is the line saying sAMAccountName is unused. Could anyone give me the last push? I would really appreciate it.

Regards,

---
Kind regards

Carsten Laun-De Lellis

On 2013-06-28 19:14, Achim Gottinger wrote:
> On 28.06.2013 18:49, Carsten Laun-De Lellis wrote:
>
>> Hi Achim
>>
>> Don't wanna bother you, but I still get error messages.
> Never mind, got curious myself.
> Replacing cn with sAMAccountName cannot work because the dn's are defined with cn.
> I mailed you that link before: http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
> It describes two ways for passdb lookups and you must use the "DN lookup" type, which does an anonymous query with pass_filter for the dn first and then tries to authenticate with that dn against samba4/ldap.
> You can either configure samba4 to allow anonymous queries or use a samba user account like I did with samba-tool user add => dn/dnpass.
>
> Try this, worked here.
>
>   hosts = localhost
>   dn = cn=ldap,cn=Users,dc=delellis,dc=net
>   dnpass = [password]
>   auth_bind = yes
>   ldap_version = 3
>
>   base = cn=Users,dc=delellis,dc=net
>   pass_attrs = sAMAccountName=user
>   pass_filter = (&(objectClass=person)(sAMAccountName=%u)(mail=*))
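An added example, not code from the thread or from Dovecot: a small Python linter for a passdb LDAP config used against Samba AD. It flags the traps that came up above, both in Achim's auth-bind template config and in the DN-lookup fix: a non-cn RDN in auth_bind_userdn (AD user DNs under cn=Users are cn=<name>), a misspelled attribute in pass_filter, DN-lookup mode without dn/dnpass, and non-plaintext mechanisms such as NTLM or DIGEST-MD5 combined with auth binds, which is what the "passdb doesn't support credential lookups" log lines mean since auth binds can only verify a plaintext password. The sample configs are constructed from the snippets in the thread, with dc=example,dc=net as a placeholder domain.

```python
import re

# Attributes an AD user object carries; anything else inside pass_filter is suspect.
AD_USER_ATTRS = {"objectclass", "cn", "samaccountname", "userprincipalname", "mail",
                 "memberof", "useraccountcontrol", "displayname"}
# SASL mechanisms that need the stored password (a "credential lookup") from the
# passdb, which an auth-bind passdb can never supply.
NON_PLAINTEXT_MECHS = {"ntlm", "digest-md5", "cram-md5", "scram-sha-1", "apop"}

# Constructed samples modelled on the thread: the failing auth-bind config and the
# DN-lookup config that worked (dc=example,dc=net is a placeholder domain).
BROKEN = """auth_bind = yes
auth_bind_userdn = sAMAccountName=%u,cn=Users,dc=example,dc=net
pass_filter = (&(objectClass=user)(sAMAccoutName=%u)(mail=*))
"""
FIXED = """dn = cn=ldap,cn=Users,dc=example,dc=net
dnpass = [password]
auth_bind = yes
pass_attrs = sAMAccountName=user
pass_filter = (&(objectClass=person)(sAMAccountName=%u)(mail=*))
"""

def parse_conf(text):
    """Parse Dovecot's flat 'key = value' *.conf.ext format; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def lint_passdb(ldap_conf, auth_mechanisms="plain login"):
    """Return a list of findings for a passdb ldap config used against Samba AD."""
    conf = parse_conf(ldap_conf)
    findings = []
    auth_bind = conf.get("auth_bind", "no").lower() == "yes"
    userdn = conf.get("auth_bind_userdn")
    if userdn:  # template bind: AD user DNs under cn=Users are cn=<name>, never sAMAccountName=
        rdn_attr = userdn.split("=", 1)[0].strip().lower()
        if rdn_attr != "cn":
            findings.append(f"auth_bind_userdn RDN is '{rdn_attr}' but AD user DNs use cn; to log "
                            "in by sAMAccountName use DN lookup (drop auth_bind_userdn, set "
                            "dn/dnpass and pass_attrs = sAMAccountName=user)")
    elif auth_bind and not (conf.get("dn") and conf.get("dnpass")):
        findings.append("DN lookup mode (auth_bind=yes without auth_bind_userdn) needs "
                        "dn/dnpass unless Samba AD allows anonymous searches")
    for attr in re.findall(r"\(([A-Za-z]+)=", conf.get("pass_filter", "")):
        if attr.lower() not in AD_USER_ATTRS:
            findings.append(f"pass_filter uses unknown AD attribute '{attr}' (typo?)")
    if auth_bind:
        bad = sorted(set(auth_mechanisms.lower().split()) & NON_PLAINTEXT_MECHS)
        if bad:  # this is what the 'passdb doesn't support credential lookups' log line means
            findings.append("auth_bind cannot answer credential lookups; drop " + ", ".join(bad)
                            + " from auth_mechanisms (only plaintext mechanisms work)")
    return findings
```

Run lint_passdb(BROKEN, "plain login ntlm digest-md5") to see all three findings from the thread at once, and lint_passdb(FIXED, "plain login gssapi") returns an empty list.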