Displaying 20 results from an estimated 8000 matches similar to: "Howto authenticate smartPhone via Active Directory"
2017 Dec 04
2
Howto authenticate smartPhone via Active Directory
Hi Mark,
Just to let you know that we are running dovecot with AD. (and I guess:
*many* people are running that combination)
It worked without issues, we are using in dovecot-ldap.conf.ext:
> auth_bind = yes
this user/passwd filter:
> = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
> dn = cn=search_dovecit,cn=users,dc=company,dc=com
> dnpass =
2017 Dec 04
0
Howto authenticate smartPhone via Active Directory
Unfortunately, I tried for weeks to figure out passdb ldap without success. I guess I'm just
not knowledgeable enough about how to use ldap and Active Directory. The dovecot wiki
https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it says is:
Active Directory
When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are
available in port
2017 Dec 04
1
Howto authenticate smartPhone via Active Directory
You might get better results with
https://wiki.dovecot.org/HowTo/ActiveDirectoryNtlm
It seems you'd have to configure OpenLDAP backend for Samba to have LDAP.
Aki
On 04.12.2017 02:38, Mark Foley wrote:
> Unfortunately, I tried for weeks to figure out passdb ldap without success. I guess I'm just
> not knowledgeable enough about how to use ldap and Active Directory. The dovecot
2017 Dec 05
0
Howto authenticate smartPhone via Active Directory
mj - thanks! That's the first useful example I've received from any forum/list. I'm getting ready
to try my config (have to do so after hours), but I have some probably simple-minded questions:
Your example is not the complete dovecot-ldap.conf.ext file, right? Have you just given me
differences in your config from the "original"? You've kept the hosts, base, ldap_version,
2016 Jun 30
2
Looking for GSSAPI config [was: Looking for NTLM config example]
I think the problem still is that your keytab file has no entry
imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
you also have no host/hostname@DOMAIN
Aki
On 29.06.2016 18:40, Mark Foley wrote:
> Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that.
> The Thunderbird message is:
>
> "The Kerberos/GSSAPI ticket was not accepted
2016 Jun 29
2
Looking for GSSAPI config [was: Looking for NTLM config example]
> On Jun 28, 2016, at 10:32 PM, Mark Foley <mfoley at ohprs.org> wrote:
>
> Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I
> don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is
> delivered successfully to the other domain users having PLAIN authentication. That's a
2016 Jun 29
3
Looking for GSSAPI config [was: Looking for NTLM config example]
Aki, you wrote:
> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?
>
> I'll try to check status of NTLM this week.
I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.
I do have the Dovecot sources and will peruse the possible options after I send this. I am on
version 2.2.15 and I see that the current downloadable
2016 Jul 01
3
Where is krb5.keytab or equivalent?
More info ...
when I do
MAIL=imap://mark@mail.ohprs.org/ mutt
(using the domain of the registered certificate). I do not get the message "Certificate host
check failed: certificate owner does not match hostname ..."
I do get the same (mutt?) edit screen shown below with the "(r)eject, accept (o)nce, (a)ccept
always" action at the bottom. If I "accept (o)nce",
2016 Jun 28
2
Looking for GSSAPI config [was: Looking for NTLM config example]
Aki - made your suggested changes, but no joy :(
My /etc/krb5.conf:
------SNIP--------
[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_kdc = true
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
[realms]
HPRS.LOCAL = {
2016 Jun 30
3
Where is krb5.keytab or equivalent?
On 30.06.2016 at 23:16, Mark Foley wrote:
> Achim, thanks a lot! A couple of questions on your suggested settings:
>
>> 1. Create an user
>> samba-tool create user dovcot
> I did this (actually `samba-tool user create dovecot`), but it asked for a password. I
> entered one. You didn't mention that, so I hope it's OK.
Yes
>
>
>> 2. Add the spn
2016 Jun 30
2
Where is krb5.keytab or equivalent?
Did a few tests here "auth_gssapi_hostname = "$ALL"" is no longer
required with dovecot (2.2.13 here).
Add "auth_debug=yes" to your dovecot config.
192.168.100.1 is my client's IP, 192.168.100.101 is the server's.
ag is the domain account username I use to login to windows and also the
username configured in thunderbird.
On my debian system a package named
2016 Jun 27
4
Looking for GSSAPI config [was: Looking for NTLM config example]
On 27.06.2016 07:31, Mark Foley wrote:
> Thanks for the reply. When you say it [NTLM] "should" work, I understand you to be implying
> you've not actually tried NTLM yourself, right? I've never gotten a response from someone
> saying they have or are actually using it. Your subsequent messages about NTLM v[1|2] may be
> the problem, but email clients I've tried
2015 Sep 10
2
How to "Windows Authenticate"
Quoting Mark Foley <mfoley at ohprs.org>:
> Rick,
>
> Samba4 AD/DC and Dovecot work perfectly for everything including access from
> SmartPhones. I've got roaming domain logins, redirected folders, calendars and
> contacts work just fine with Outlook and WebDav for sharing calendars; don't
> need them in Dovecot.
>
Do you have that documented
2016 Jul 04
3
Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> > http://wiki2.dovecot.org/Authentication/Kerberos
>
> It has been now updated.
Excellent! That was quick!
Although, you used my actual local domain in your example: mail.hprs.local. Not that I care,
no one can get to that, but it might be clearer to those of us who uncomprehendingly
monkey-type
2016 Jun 30
2
Where is krb5.keytab or equivalent?
On 30.06.2016 at 10:45, Mark Foley wrote:
> To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set
> Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab
> file as required by Dovecot. I've also downloaded and installed Kerberos for access to
> the k* commands (ktutil, kinit, klist, ...).
>
> In my
2016 Jul 04
4
Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
On 07/04/2016 03:30 AM, Mark Foley wrote:
> Actually, I see that you used host.domain.name further down. That's a good substitute for mail.hprs.local.
>
> Also, not to be a literary critic, but it might not hurt to show an example keytab beneath your
> "Make sure your keytab has entry for ...". Just in case people don't exactly know how to "make sure:
>
> $
2015 Sep 11
2
Need help on checkpassword userdb/passdb
I'm experimenting with checkpassword as an auth method for userdb and passdb
(http://wiki2.dovecot.org/AuthDatabase/CheckPassword). I've set up the userdb
and passdb *exactly* as the wiki suggests as the "standard way":
passdb {
driver = checkpassword
args = /user/util/bin/checkpassword
}
userdb {
driver = prefetch
}
I've created a checkpassword program that does
2015 Sep 03
2
How to "Windows Authenticate"
Hi Mark,
I haven't done it, but I've played with the scenario enough to have an
idea.
What you want to do is have Outlook auth via NTLM to Dovecot.
First that means having the machine be a domain member (usually via Samba)
in order to properly process NTLM/Kerberos handshake - which it appears you
have.
Second that means having Dovecot know how to accept NTLM authentication
(SPA) to
2015 Sep 08
2
How to "Windows Authenticate"
Comments interspersed with yours ...
--Mark
-----Original Message-----
> Date: Sun, 06 Sep 2015 20:00:11 -0500
> From: Rick Romero <rick at havokmon.com>
> To: dovecot at dovecot.org
> Subject: Re: How to "Windows Authenticate"
>
> Hmm. I would expect to see 'mark at hprs.com'. Whatever your full domain
> name is.
Full user at domain would be
2015 Sep 07
2
How to "Windows Authenticate"
More info ...
My dovecot error log shows:
Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark at hprs original_user=mark at HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713 10219 1 f56352c207cb8f6dea4d264b2c0f8dc1 session_pid=10220 request_auth_token
Sep 05