[Samba] Samba4 AD and mail auth

Achim Gottinger achim at ag-web.biz
Fri Jun 28 05:13:22 MDT 2013

On 28.06.2013 10:31, Carsten Laun-De Lellis wrote:
> Hi list
> Does anyone have experience in setting up dovecot or any other mail
> system with user auth against a Samba4 AD ? If yes could I get some
> advice on that topic or even a link to a resource where I can get some
> information. Googled a lot but didn't find something yet.
> Thanks in advance.
I did it with dovecot/postfix on debian wheezy, there is a lot more info 
if you look for dovecot setup against Microsoft AD.

First create a user for ldap queries:

samba-tool user add ldap [password]

Configure dovecot passdb against Samba4 AD, add or change this in your 
dovecot.conf or rather auth-ldap.conf.ext (on wheezy)

# Authentication for LDAP users

passdb {
   driver = ldap
   args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
}

Create /etc/dovecot/dovecot-ldap-passdb.conf.ext; it may be that you have 
to use sAMAccountName instead of cn for auth_bind_userdn and pass_filter. 
On my side these are identical because I migrated from samba3/openldap. 
The filter is looking for person classes with a matching cn and an 
existing mail attribute.

hosts = localhost
auth_bind = yes
auth_bind_userdn = cn=%u,cn=Users,dc=yourdomain,dc=local
ldap_version = 3

base = cn=Users,dc=yourdomain,dc=local
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))

Use different ldap settings for other user lookups, this goes again into 

# Users
userdb {
   driver = ldap
   args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
}

Create /etc/dovecot/dovecot-ldap-userdb.conf.ext; again you may have to 
change cn to sAMAccountName in user_filter and iterate_attrs. On my side I 
use one system user vmail (uid:999, gid:999) for all maildirs and those 
are stored under /var/lib/vmail. With such a setup attributes like 
uidNumber and gidNumber are not required for every user entry in ldap so 
I can hardcode all necessary userdb lookup variables.
I use /var/lib/vmail/[cn] as the dovecot user homedir (for things like 
sieve settings etc.) and /var/lib/vmail/[cn]/mail for the maildir.

hosts = localhost
dn = cn=ldap,cn=Users,DC=yourdomain,DC=local
dnpass = [password]
ldap_version = 3
base = cn=Users,DC=yourdomain,DC=local

user_attrs = 
user_filter = (&(objectClass=person)(cn=%u)(mail=*))

# Attributes and filter to get a list of all users
iterate_attrs = cn=user
iterate_filter = (objectClass=person)

For reference these are my maildir settings in dovecot.conf (10-mail.conf 
on wheezy).

## Maildir locations and settings

mail_plugins = acl
mail_home = /var/lib/vmail/%u
mail_location = maildir:/var/lib/vmail/%u/mail
mail_uid = 999
mail_gid = 999

first_valid_uid = 999
first_valid_gid = 999

#mail_full_filesystem_access = no
mail_shared_explicit_inbox = no
maildir_very_dirty_syncs = yes

namespace {
   list = no
   location = 
   prefix = shared/%%u/
   separator = /
   subscriptions = no
   type = shared
}

namespace inbox {
   inbox = yes
   location = maildir:/var/lib/vmail/%u/mail
   prefix =
   separator = /
   type = private
}

If you want to use kerberos with dovecot (works well with thunderbird on 
domain member workstations) you have to create an SPN and a keytab.

samba-tool spn add imap/server.yourdomain.local@YOURDOMAIN.LOCAL ldap

I had trouble with the keytab but this worked so far (use the ldap user's 
password if asked).

cd /etc/dovecot
ktutil
addent -password -p imap/server.yourdomain.local@YOURDOMAIN.LOCAL -k 1 -e arcfour-hmac
wkt dovecot.keytab

If you use dovecot for postfix authentication as well:

samba-tool spn add smtp/server.yourdomain.local@YOURDOMAIN.LOCAL ldap

cd /etc/dovecot
ktutil
addent -password -p imap/server.yourdomain.local@YOURDOMAIN.LOCAL -k 1 -e arcfour-hmac
addent -password -p smtp/server.yourdomain.local@YOURDOMAIN.LOCAL -k 1 -e arcfour-hmac
wkt dovecot.keytab

The necessary settings in dovecot.conf (10-auth.conf on wheezy) are the 
following. The only way I got it working was with 
auth_gssapi_hostname = "$ALL", which may be a bit insecure.

auth_mechanisms = plain login gssapi

# Kerberos
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab

Hope that helps.
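An added example, not code from the post above or from Dovecot itself: it renders the %u placeholders of the passdb configuration quoted in the post (auth_bind_userdn and pass_filter) with the escaping each context requires, RFC 4514 for the bind DN and RFC 4515 for the search filter, so a login name containing LDAP metacharacters cannot alter the DN or filter sent to the Samba4 DC. The sAMAccountName swap the post mentions is supported through the attr parameter; valid_ad_login is a hypothetical pre-check based on the characters AD refuses in a sAMAccountName.

```python
# Constructed example: safe expansion of Dovecot's %u in DN and filter
# templates taken from the post. Not Dovecot's own substitution code.

# Templates copied from the post's dovecot-ldap-passdb.conf.ext.
AUTH_BIND_USERDN = "cn=%u,cn=Users,dc=yourdomain,dc=local"
PASS_FILTER = "(&(objectClass=person)(cn=%u)(mail=*))"

# Characters AD itself refuses in a sAMAccountName (user names max 20 chars).
AD_FORBIDDEN = set('"/\\[]:;|=,+*?<>')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514, hex form)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs = ch in ',+"\\<>;' or ch == "\x00"
        needs |= i == 0 and ch in "# "      # leading '#' or leading space
        needs |= i == last and ch == " "    # trailing space
        out.append(f"\\{ord(ch):02x}" if needs else ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def valid_ad_login(user: str) -> bool:
    """Hypothetical pre-check: reject names AD would never hold before any LDAP round trip."""
    return 0 < len(user) <= 20 and not (set(user) & AD_FORBIDDEN)


def render_bind_dn(user: str, attr: str = "cn") -> str:
    """Bind DN for auth_bind = yes; attr="sAMAccountName" mirrors the post's hint."""
    template = AUTH_BIND_USERDN.replace("cn=%u", f"{attr}=%u", 1)
    return template.replace("%u", escape_dn_value(user))


def render_pass_filter(user: str, attr: str = "cn") -> str:
    """Search filter for pass_filter; only %u is escaped, the literal (mail=*) stays."""
    template = PASS_FILTER.replace("(cn=%u)", f"({attr}=%u)", 1)
    return template.replace("%u", escape_filter_value(user))
```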


