Thank you for the info, we will try it. Dovecot is not my major topic
and the documentation is terrible :-)
On 29.08.22 at 20:23, Kees van Vloten via samba wrote:
> This is how I got it done:
>
> dovecot.conf
>
> auth_realms = SAMDOM.COM
> auth_default_realm = SAMDOM.COM
> auth_gssapi_hostname = mailserver.samdom.com
> auth_krb5_keytab = /etc/keytab/dovecot.keytab
> auth_mechanisms = gssapi gss-spnego plain
>
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   #args = /etc/dovecot/ldap_user_to_principal.conf.ext
>   driver = ldap
>   pass = yes
> }
> passdb {
>   driver = pam
> }
>
> userdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
>
> For user without a Krb5-ticket:
>
> /etc/pam.d/dovecot
>
> #%PAM-1.0
>
> auth sufficient pam_krb5.so alt_auth_map=%s@SAMDOM.COM keytab=/etc/keytab/dovecot.keytab
> auth required pam_deny.so
>
> account sufficient pam_krb5.so alt_auth_map=%s@SAMDOM.COM keytab=/etc/keytab/dovecot.keytab
> account required pam_deny.so
>
> /etc/dovecot/dovecot-ldap.conf.ext
>
> # This file is commonly accessed via passdb {} or userdb {} section in dovecot.conf
> uris = ldap://sambadc1.samdom.com/ ldap://sambadc2.samdom.com/
> tls = yes
> auth_bind = no
> ldap_version = 3
> base = OU=Groupware,DC=samdom,DC=com
> scope = subtree
>
> # User account must be enabled and nested member of the group 'mail_user-<mail-domain>'
> pass_filter = (&(objectClass=user)(sAMAccountName=%n)(memberOf:1.2.840.113556.1.4.1941:=CN=mail_user-%d,OU=Mail Domains,OU=Groups,DC=samdom,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
>
> pass_attrs = \
>     =user=%{ldap:mail}, \
>     =nopassword=Y, \
>     =k5principals=%{ldap:userPrincipalName}
>
> # User account details:
> # This is: user or group (functional mailbox) with the %u as mail-address in 'mail'
> #   No check on locked account here, otherwise mail will not be delivered when account is locked
> # Test userdb lookup: doveadm user -u "<user>@<samdom>"
> user_filter = (|(&(objectClass=user)(mail=%u))(&(objectClass=group)(mail=%u)))
> user_attrs = \
>     =user=%{ldap:mail}, \
>     =uid=vmail, \
>     =gid=vmail, \
>     =home=/srv/mail/vmail
>
> # Attributes and filter to get a list of all users
> # This is: all user objects under basedn and all function mailboxes (groups with name: 'mail_box_<mail-address>')
> # Test iterator: doveadm user -u "*"
> iterate_filter = (|(objectClass=user)(&(objectClass=group)(sAMAccountName=mail_box-*)))
> iterate_attrs = \
>     =user=%{ldap:mail}
>
> The config is inspired by:
>
> https://wiki.dovecot.org/Authentication/Kerberos#:~:text=Dovecot%20supports%20Kerberos%205%20using%20GSSAPI.%20The%20Kerberos,Microsoft%20Active%20Directory%2C%20LDAP%20is%20pretty%20good%20choice
>
> This is the same link Rowland also posted earlier in this thread.
>
>
> - Kees
>
>
> On 29-08-2022 16:42, Sami Hulkko via samba wrote:
>> Hi,
>>
>> One can also use pam auth on Dovecot if dovecot server has samba users
>> via libpam-winbind.
>>
>> SH
>>
>> On 29/08/2022 12:35, Rowland Penny via samba wrote:
>>> On Mon, 2022-08-29 at 11:26 +0200, Stefan Kania via samba wrote:
>>>> On 29.08.22 at 11:19, Rowland Penny via samba wrote:
>>>>> Then consider using kerberos instead, it is much more 'the word we
>>>>> will not use' :-)
>>>> We would like to, but dovecot can't use Kerberos to query the LDAP
>>>> from AD :-(
>>> I know it has been some time since I set up a mailserver, but dovecot
>>> could use kerberos the last time I did. A quick internet search turned
>>> this up:
>>>
>>> https://wiki.dovecot.org/Authentication/Kerberos#:~:text=Dovecot%20supports%20Kerberos%205%20using%20GSSAPI.%20The%20Kerberos,Microsoft%20Active%20Directory%2C%20LDAP%20is%20pretty%20good%20choice.
>>>
>>> This was top of the list, there were others, 3,980,000 to be precise.
>>>
>>> Rowland
>>>
>>>
>>>
>>>
>
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
Signing every e-mail helps to reduce spam and protects your privacy.
You can obtain a free certificate at https://www.dgn.de/dgncert/index.html
Download of the root certificates: https://www.dgn.de/dgncert/downloads.html
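As an added illustration (not part of the thread or of Dovecot) of what the quoted pass_filter and user_filter actually decide against AD, the following models the two AD matching rules they rely on, transitive group membership (1.2.840.113556.1.4.1941) and the userAccountControl bit test (1.2.840.113556.1.4.803, bit 2 = ACCOUNTDISABLE), over a constructed in-memory directory; all entries, names and the in_chain/passdb_lookup/userdb_lookup functions are hypothetical.

```python
from dataclasses import dataclass, field
ACCOUNTDISABLE = 0x2  # the userAccountControl bit tested by (...:1.2.840.113556.1.4.803:=2)
MAIL_USER_GROUP = "CN=mail_user-{domain},OU=Mail Domains,OU=Groups,DC=samdom,DC=com"
STAFF = "CN=staff,OU=Groups,DC=samdom,DC=com"
@dataclass
class Entry:
    dn: str
    object_class: str                  # "user" or "group"
    sam_account_name: str = ""
    mail: str = ""
    user_account_control: int = 0x200  # NORMAL_ACCOUNT; not meaningful for groups
    member_of: list = field(default_factory=list)  # direct memberOf DNs only

# Constructed directory (hypothetical): alice is a member of mail_user-samdom.com only
# via CN=staff, bob is a direct member but disabled, mail_box-info is a functional mailbox.
DIRECTORY = {e.dn: e for e in [
    Entry(MAIL_USER_GROUP.format(domain="samdom.com"), "group", "mail_user-samdom.com"),
    Entry(STAFF, "group", "staff", member_of=[MAIL_USER_GROUP.format(domain="samdom.com")]),
    Entry("CN=alice,OU=Groupware,DC=samdom,DC=com", "user", "alice", "alice@samdom.com",
          member_of=[STAFF]),
    Entry("CN=bob,OU=Groupware,DC=samdom,DC=com", "user", "bob", "bob@samdom.com",
          user_account_control=0x200 | ACCOUNTDISABLE,
          member_of=[MAIL_USER_GROUP.format(domain="samdom.com")]),
    Entry("CN=mail_box-info,OU=Groupware,DC=samdom,DC=com", "group", "mail_box-info",
          "info@samdom.com"),
]}

def in_chain(entry, group_dn, seen=frozenset()):
    """Transitive memberOf, i.e. what LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) evaluates."""
    for dn in entry.member_of:
        if dn == group_dn:
            return True
        if dn not in seen and dn in DIRECTORY and in_chain(DIRECTORY[dn], group_dn, seen | {dn}):
            return True
    return False

def passdb_lookup(login):
    """The quoted pass_filter: %n = local part, %d = domain; enabled user, nested member of mail_user-%d."""
    n, _, d = login.partition("@")
    for e in DIRECTORY.values():
        if (e.object_class == "user" and e.sam_account_name == n
                and in_chain(e, MAIL_USER_GROUP.format(domain=d))
                and not (e.user_account_control & ACCOUNTDISABLE)):
            return e
    return None

def userdb_lookup(mail):
    """The quoted user_filter: user OR group with mail = %u, deliberately without the disabled-account check."""
    return next((e for e in DIRECTORY.values() if e.mail == mail), None)
```

Note that this compares plain Python strings; in a real deployment Dovecot substitutes and escapes %n, %d and %u itself before sending the filter to the DC.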