[Samba] Samba4 AD and mail auth

Carsten Laun-De Lellis carsten.delellis at delellis.net
Fri Jun 28 05:24:01 MDT 2013


 

Hi Achim 

First of all, thanks for your input. 

The way you set it up was the way I did it. But when I go through your ldap
configuration it doesn't really solve my problem or, maybe more likely,
I don't understand it. 

For auth I want my users to connect to dovecot with a user/password token.
In your config I can't see where you match the password to the AD
password. 

Maybe I wasn't specific enough about what I want to do. Or I don't understand
where you match against the user password. And again there is a good
chance that the problem is myself. :'( 

Thanks again. 
---

Mit freundlichem Gruß

Carsten Laun-De Lellis

Hauptstrasse 13
D-67705 Trippstadt

Phone: +49 6306 992140
Fax: +49 6306 992142
Mobile: +49 151 27530865
email: carsten.delellis at delellis.net

http://www.linkedin.com/in/carstenlaundelellis [2] 

Am 2013-06-28 13:13, schrieb Achim Gottinger: 

> Am 28.06.2013 10:31, schrieb Carsten Laun-De Lellis:
> 
>> Hi list, does anyone have experience in setting up dovecot or any other mail system with user auth against a Samba4 AD? If yes, could I get some advice on that topic or even a link to a resource where I can get some information? Googled a lot but didn't find anything yet. Thanks in advance.
> 
> I did it with dovecot/postfix on debian wheezy, there is a lot more info 
> if you look for dovecot setup against Microsoft AD.
> 
> First create a user for ldap queries:
> 
> samba-tool user add ldap [password]
> 
> Configure dovecot passdb against Samba4 AD, add or change this in your 
> dovecot.conf or auth-ldap-conf.ext (on wheezy)
> 
> # Authentication for LDAP users
> 
> passdb {
> driver = ldap
> args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
> }
> 
> Create /etc/dovecot/dovecot-ldap-passdb.conf.ext; you may have to use 
> sAMAccountName instead of cn for auth_bind_userdn and pass_filter. On my 
> side these are identical because I migrated from samba3/openldap. The filter 
> is looking for person classes with a matching cn and an existing mail attribute.
> 
> hosts = localhost
> auth_bind = yes
> auth_bind_userdn = cn=%u,cn=Users,dc=yourdomain,dc=local
> ldap_version = 3
> 
> base = cn=Users,dc=yourdomain,dc=local
> pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
> 
> Use different ldap settings for other user lookups, this goes again into 
> dovecot.conf
> 
> # Users
> userdb {
> driver = ldap
> args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
> }
> 
> Create /etc/dovecot/dovecot-ldap-userdb.conf.ext, again you may have to 
> change cn to sAMAccountName in user_filter and iter_attrs. On my side I 
> use one system user vmail (uid:999, gid:999) for all maildirs and those 
> are stored under /var/lib/vmail. With such a setup attributes like 
> uidNumber and gidNumber are not required for every user entry in ldap so 
> I can hardcode all necessary userdb lookup variables.
> I use /var/lib/vmail/[cn] as the dovecot user homedir (for things like 
> sieve settings etc.) and /var/lib/vmail/[cn]/mail for the maildir.
> 
> hosts = localhost
> dn = cn=ldap,cn=Users,DC=yourdomain,DC=local
> dnpass = [password]
> ldap_version = 3
> base = cn=Users,DC=yourdomain,DC=local
> 
> user_attrs = 
> =uid=999,=gid=999,=home=/var/lib/vmail/%u,mail=/var/lib/vmail/%u/mail
> user_filter = (&(objectClass=person)(cn=%u)(mail=*))
> 
> # Attributes and filter to get a list of all users
> iterate_attrs = cn=user
> iterate_filter = (objectClass=person)
> 
> For reference these are my maildir settings in dovecot.conf (10-mail.conf 
> on wheezy).
> 
> ## Maildir locations and settings
> 
> mail_plugins = acl
> mail_home = /var/lib/vmail/%u
> mail_location = maildir:/var/lib/vmail/%u/mail
> mail_uid = 999
> mail_gid = 999
> 
> first_valid_uid = 999
> first_valid_gid = 999
> 
> #mail_full_filesystem_access = no
> mail_shared_explicit_inbox = no
> maildir_very_dirty_syncs = yes
> 
> namespace {
> list = no
> location = 
> maildir:/var/lib/vmail/%%u/mail:INDEX=/var/lib/vmail/%u/mail/shared/%%u
> prefix = shared/%%u/
> separator = /
> subscriptions = no
> type = shared
> }
> 
> namespace inbox {
> inbox = yes
> location = maildir:/var/lib/vmail/%u/mail
> prefix =
> separator = /
> type = private
> }
> 
> If you want to use kerberos with dovecot (works well with thunderbird on 
> domain member workstations) you have to create an SPN and a keytab.
> 
> samba-tool spn add imap/server.yourdomain.local@YOURDOMAIN.LOCAL ldap
> 
> I had trouble with the keytab but this worked so far (use the ldap user's 
> password if asked).
> 
> cd /etc/dovecot
> ktutil
> addent -password -p imap/server.yourdomain.local@YOURDOMAIN.LOCAL -k 1 -e arcfour-hmac
> wkt dovecot.keytab
> 
> If you use dovecot for postfix authentication as well:
> 
> samba-tool spn add smtp/server.yourdomain.local@YOURDOMAIN.LOCAL ldap
> 
> cd /etc/dovecot
> ktutil
> addent -password -p imap/server.yourdomain.local@YOURDOMAIN.LOCAL -k 1 -e arcfour-hmac
> addent -password -p smtp/server.yourdomain.local@YOURDOMAIN.LOCAL -k 1 -e arcfour-hmac
> wkt dovecot.keytab
> 
> The necessary settings in dovecot.conf (10-auth.conf on wheezy) are below. The 
> only way I got it working was with auth_gssapi_hostname = "$ALL" which 
> may be a bit insecure.
> 
> auth_mechanisms = plain login gssapi
> 
> # Kerberos
> auth_gssapi_hostname = "$ALL"
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> 
> Hope that helps.
> 
> achim~
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba [1]
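The password check Carsten asks about is the `auth_bind = yes` line in the quoted passdb file: Dovecot expands `auth_bind_userdn` with the login name, binds to the domain controller as that DN using the password the client sent, and lets the DC accept or reject the bind; no AD password hash is ever read. The helpers below are an added illustration (not from either mail and not Dovecot's code) of how the login name flows into `auth_bind_userdn`, `pass_filter` and the `user_attrs` line; the RFC 4514/4515 escaping is my approximation of what Dovecot applies when expanding `%u`, assumed rather than taken from Dovecot's source.

```python
"""Expand the login name into the quoted Dovecot LDAP settings (constructed
example). The bind with the expanded DN and the client's password is the
actual password check; the filter is only run after that bind succeeds."""
from typing import Dict, Tuple

# RFC 4515: characters that would let a login name rewrite the search filter.
_FILTER_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# RFC 4514: characters that must be backslash-escaped inside a DN value.
_DN_SPECIALS = set(',+"\\<>;')


def ldap_filter_escape(value: str) -> str:
    return "".join(_FILTER_SPECIALS.get(c, c) for c in value)


def ldap_dn_escape(value: str) -> str:
    out = []
    for i, c in enumerate(value):
        leading_hash = c == "#" and i == 0
        edge_space = c == " " and i in (0, len(value) - 1)
        out.append("\\" + c if c in _DN_SPECIALS or leading_hash or edge_space else c)
    return "".join(out)


def build_bind_dn(template: str, username: str) -> str:
    """auth_bind_userdn = cn=%u,cn=Users,dc=yourdomain,dc=local -> DN used for the bind."""
    return template.replace("%u", ldap_dn_escape(username))


def build_pass_filter(template: str, username: str) -> str:
    """pass_filter = (&(objectClass=person)(cn=%u)(mail=*)) -> filter sent after the bind."""
    return template.replace("%u", ldap_filter_escape(username))


def parse_user_attrs(spec: str, username: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split Dovecot's user_attrs into (constants, ldap-attribute -> dovecot field).

    '=field=value' is a constant with %u expanded (how the quoted config hardcodes
    uid/gid/home); 'ldapAttr=field[=template]' maps an attribute read from LDAP.
    """
    constants: Dict[str, str] = {}
    mapped: Dict[str, str] = {}
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if item.startswith("="):
            field, _, value = item[1:].partition("=")
            constants[field] = value.replace("%u", username)
        else:
            attr, _, field = item.partition("=")
            mapped[attr] = field or attr
    return constants, mapped
```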
 

Links:
------
[1] https://lists.samba.org/mailman/options/samba
[2] http://www.linkedin.com/in/carstenlaundelellis
