This is how I got it done:
dovecot.conf

auth_realms = SAMDOM.COM
auth_default_realm = SAMDOM.COM
auth_gssapi_hostname = mailserver.samdom.com
auth_krb5_keytab = /etc/keytab/dovecot.keytab
auth_mechanisms = gssapi gss-spnego plain

passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  #args = /etc/dovecot/ldap_user_to_principal.conf.ext
  driver = ldap
  pass = yes
}
passdb {
  driver = pam
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
For users without a Krb5 ticket:

/etc/pam.d/dovecot

#%PAM-1.0
auth    sufficient  pam_krb5.so alt_auth_map=%s@SAMDOM.COM keytab=/etc/keytab/dovecot.keytab
auth    required    pam_deny.so
account sufficient  pam_krb5.so alt_auth_map=%s@SAMDOM.COM keytab=/etc/keytab/dovecot.keytab
account required    pam_deny.so
/etc/dovecot/dovecot-ldap.conf.ext

# This file is commonly accessed via the passdb {} or userdb {} section in dovecot.conf
uris = ldap://sambadc1.samdom.com/ ldap://sambadc2.samdom.com/
tls = yes
auth_bind = no
ldap_version = 3
base = OU=Groupware,DC=samdom,DC=com
scope = subtree

# User account must be enabled and a nested member of the group 'mail_user-<mail-domain>'
pass_filter = (&(objectClass=user)(sAMAccountName=%n)(memberOf:1.2.840.113556.1.4.1941:=CN=mail_user-%d,OU=Mail Domains,OU=Groups,DC=samdom,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs = \
    =user=%{ldap:mail}, \
    =nopassword=Y, \
    =k5principals=%{ldap:userPrincipalName}

# User account details:
# This is: user or group (functional mailbox) with %u as the mail address in 'mail'
#   No check on locked account here, otherwise mail will not be delivered when the account is locked
# Test userdb lookup: doveadm user -u "<user>@<samdom>"
user_filter = (|(&(objectClass=user)(mail=%u))(&(objectClass=group)(mail=%u)))
user_attrs = \
    =user=%{ldap:mail}, \
    =uid=vmail, \
    =gid=vmail, \
    =home=/srv/mail/vmail

# Attributes and filter to get a list of all users
# This is: all user objects under the basedn and all functional mailboxes (groups named 'mail_box-<mail-address>')
# Test iterator: doveadm user -u "*"
iterate_filter = (|(objectClass=user)(&(objectClass=group)(sAMAccountName=mail_box-*)))
iterate_attrs = \
    =user=%{ldap:mail}
The config is inspired by:
https://wiki.dovecot.org/Authentication/Kerberos#:~:text=Dovecot%20supports%20Kerberos%205%20using%20GSSAPI.%20The%20Kerberos,Microsoft%20Active%20Directory%2C%20LDAP%20is%20pretty%20good%20choice
This is the same link Rowland also posted earlier in this thread.
- Kees
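To make visible what the pass_filter in the dovecot-ldap.conf.ext above actually enforces, here is a small offline Python model. It is an added example, not part of Kees's post and not Dovecot code. It expands Dovecot's %n and %d the way the posted auth_default_realm setting would, escapes the values per RFC 4515 before they go into the filter, and evaluates the filter's four clauses against a constructed in-memory directory: the 1.2.840.113556.1.4.1941 rule is modelled as a transitive memberOf walk and the 1.2.840.113556.1.4.803 rule as a bit test on userAccountControl. The users alice, bob and carol and the group "sales" are hypothetical sample data.

```python
"""Offline model of the pass_filter posted in dovecot-ldap.conf.ext.
Added example: not Kees's configuration, not Dovecot code. DIRECTORY is
constructed sample data with hypothetical user and group names."""
from typing import Optional, Tuple

DEFAULT_REALM = "SAMDOM.COM"   # auth_default_realm from the posted dovecot.conf
ACCOUNTDISABLE = 0x2           # userAccountControl bit tested by ...4.803:=2
MAIL_GROUP_BASE = "OU=Mail Domains,OU=Groups,DC=samdom,DC=com"

# Constructed sample entries keyed by DN (hypothetical, not from the thread).
DIRECTORY = {
    "CN=alice,OU=Users,OU=Groupware,DC=samdom,DC=com": {
        "objectClass": ["user"], "sAMAccountName": "alice",
        "userAccountControl": 512,                      # enabled, nested member
        "memberOf": ["CN=sales,OU=Groups,DC=samdom,DC=com"]},
    "CN=bob,OU=Users,OU=Groupware,DC=samdom,DC=com": {
        "objectClass": ["user"], "sAMAccountName": "bob",
        "userAccountControl": 512 | ACCOUNTDISABLE,     # direct member, disabled
        "memberOf": ["CN=mail_user-samdom.com," + MAIL_GROUP_BASE]},
    "CN=carol,OU=Users,OU=Groupware,DC=samdom,DC=com": {
        "objectClass": ["user"], "sAMAccountName": "carol",
        "userAccountControl": 512, "memberOf": []},     # enabled, no mail group
    "CN=sales,OU=Groups,DC=samdom,DC=com": {
        "objectClass": ["group"],
        "memberOf": ["CN=mail_user-samdom.com," + MAIL_GROUP_BASE]},
    "CN=mail_user-samdom.com," + MAIL_GROUP_BASE: {
        "objectClass": ["group"], "memberOf": []},
}
_BY_DN = {dn.lower(): e for dn, e in DIRECTORY.items()}   # DNs compare case-insensitively


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def split_login(login: str) -> Tuple[str, str]:
    """Dovecot's %n (user part) and %d (domain part); with no '@' in the
    login, auth_default_realm supplies the domain."""
    if "@" in login:
        user, domain = login.split("@", 1)
        return user, domain
    return login, DEFAULT_REALM


def render_pass_filter(login: str) -> str:
    """The posted pass_filter with %n and %d expanded and escaped."""
    user, domain = split_login(login)
    return ("(&(objectClass=user)"
            + "(sAMAccountName=" + ldap_escape(user) + ")"
            + "(memberOf:1.2.840.113556.1.4.1941:=CN=mail_user-"
            + ldap_escape(domain) + "," + MAIL_GROUP_BASE + ")"
            + "(!(userAccountControl:1.2.840.113556.1.4.803:="
            + str(ACCOUNTDISABLE) + ")))")


def nested_member_of(dn: str, group_dn: str) -> bool:
    """Transitive memberOf walk: what the server evaluates for the
    LDAP_MATCHING_RULE_IN_CHAIN rule (1.2.840.113556.1.4.1941)."""
    target = group_dn.lower()
    seen, stack = set(), [dn.lower()]
    while stack:
        current = stack.pop()
        if current in seen:          # guards against group cycles
            continue
        seen.add(current)
        for parent in _BY_DN.get(current, {}).get("memberOf", []):
            if parent.lower() == target:
                return True
            stack.append(parent.lower())
    return False


def is_disabled(entry: dict) -> bool:
    """The bit test behind userAccountControl:1.2.840.113556.1.4.803:=2."""
    return bool(entry.get("userAccountControl", 0) & ACCOUNTDISABLE)


def evaluate_pass_filter(login: str) -> Optional[str]:
    """Apply the filter's four clauses to DIRECTORY and return the DN when
    exactly one user matches, else None (zero matches means the login is refused)."""
    user, domain = split_login(login)
    group_dn = "CN=mail_user-" + domain + "," + MAIL_GROUP_BASE
    matches = [dn for dn, entry in DIRECTORY.items()
               if "user" in entry.get("objectClass", [])
               and entry.get("sAMAccountName", "").lower() == user.lower()
               and nested_member_of(dn, group_dn)
               and not is_disabled(entry)]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    for login in ("alice", "bob", "carol@samdom.com"):
        print(login, "->", render_pass_filter(login))
        print("   match:", evaluate_pass_filter(login))
```

Running it shows the three outcomes the filter is designed to produce: alice passes through the nested "sales" group, bob is refused although he is a direct member because the ACCOUNTDISABLE bit is set, and carol is refused because she is in no mail_user group. On a real server the same checks are made by the DC; the model just makes them readable, and `doveadm auth test` against the real directory remains the check that counts.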
On 29-08-2022 16:42, Sami Hulkko via samba wrote:
> Hi,
>
> One can also use pam auth on Dovecot if dovecot server has samba users
> via libpam-winbind.
>
> SH
>
> On 29/08/2022 12:35, Rowland Penny via samba wrote:
>> On Mon, 2022-08-29 at 11:26 +0200, Stefan Kania via samba wrote:
>>> On 29.08.22 at 11:19, Rowland Penny via samba wrote:
>>>> Then consider using kerberos instead, it is much more 'the word we
>>>> will not use' :-)
>>> We would like to, but dovecot can't use Kerberos to query the LDAP
>>> from AD :-(
>> I know it has been sometime since I set up a mailserver, but dovecot
>> could use kerberos the last time I did. A quick internet search turned
>> this up:
>>
>> https://wiki.dovecot.org/Authentication/Kerberos#:~:text=Dovecot%20supports%20Kerberos%205%20using%20GSSAPI.%20The%20Kerberos,Microsoft%20Active%20Directory%2C%20LDAP%20is%20pretty%20good%20choice.
>>
>> This was top of the list, there were others, 3,980,000 to be precise.
>>
>> Rowland