[Samba] Samba4 AD and mail auth

Carsten Laun-De Lellis carsten.delellis at delellis.net
Fri Jun 28 12:35:19 MDT 2013


 

Dear Achim,

Thank you very much for your support so far. I think I am really close,
but not there yet.

I got the following log messages:

Jun 28 20:12:33 rv1325 dovecot: auth: Debug: client passdb out: FAIL#0115#011user=test
Jun 28 20:12:33 rv1325 dovecot: auth: Debug: client in: AUTH#0116#011LOGIN#011service=smtp#011nologin#011lip=178.254.21.125#011rip=84.154.198.155#011secured
Jun 28 20:12:37 rv1325 dovecot: auth: Debug: client passdb out: CONT#0116#011VXNlcm5hbWU6
Jun 28 20:12:37 rv1325 dovecot: auth: Debug: client in: CONT#0116#011dGVzdA== (previous base64 data may contain sensitive data)
Jun 28 20:12:37 rv1325 dovecot: auth: Debug: client passdb out: CONT#0116#011UGFzc3dvcmQ6
Jun 28 20:12:37 rv1325 dovecot: auth: Debug: client in: CONT#0116#011dGVzdHVzZXI= (previous base64 data may contain sensitive data)
Jun 28 20:12:37 rv1325 dovecot: auth: Debug: ldap(test,84.154.198.155): bind search: base=cn=Users, dc=delellis, dc=net filter=(&(objectClass=person)(sAMAccountName=test))
Jun 28 20:12:37 rv1325 dovecot: auth: Debug: ldap(test,84.154.198.155): result: sAMAccountName=test; sAMAccountName unused
Jun 28 20:12:37 rv1325 dovecot: auth: Debug: ldap(test,84.154.198.155): result: sAMAccountName=test
Jun 28 20:12:37 rv1325 dovecot: auth: Debug: client passdb out: OK#0116#011user=test#011u%=test

As you can see, the sAMAccountName is set to test, which is right, but
what I don't understand is the line saying sAMAccountName is unused.

Could anyone give me the last push? I would really appreciate it.

Regards, 
---

With kind regards

Carsten Laun-De Lellis

Hauptstrasse 13
D-67705 Trippstadt

Phone: +49 6306 992140
Fax: +49 6306 992142
Mobile: +49 151 27530865
email: carsten.delellis at delellis.net

http://www.linkedin.com/in/carstenlaundelellis [2] 

On 2013-06-28 19:14, Achim Gottinger wrote:

> On 28.06.2013 18:49, Carsten Laun-De Lellis wrote:
> 
>> Hi Achim
>> 
>> I don't want to bother you, but I still get error messages.
> Never mind, I got curious myself. Replacing cn with sAMAccountName cannot work because the DNs are defined with cn.
> I mailed you that link before: http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds [1]
> It describes two ways for passdb lookups, and you must use the "DN lookup" type, which first does an anonymous query with pass_filter for the DN and then tries to authenticate with that DN against Samba4/LDAP.
> You can either configure Samba4 to allow anonymous queries or use a Samba user account, like I did with user add => dn/dnpass.
> 
> Try this, it worked here:
> 
> hosts = localhost
> dn = cn=ldap,cn=Users,dc=delellis,dc=net
> dnpass = [password]
> auth_bind = yes
> ldap_version = 3
> 
> base = cn=Users,dc=delellis,dc=net
> pass_attrs = sAMAccountName=user
> pass_filter = (&(objectClass=person)(sAMAccountName=%u)(mail=*))
> 
>> My auth.conf file looks like:
>> 
>> hosts = localhost
>> auth_bind = yes
>> auth_bind_userdn = sAMAccountName=%u,cn=Users,dc=delellis,dc=net
>> base = cn=Users,dc=delellis,dc=net
>> ldap_version = 3
>> 
>> pass_filter = (&(objectClass=user)(sAMAccoutName=%u)(mail=*))
>> 
>> And I have no idea why it doesn't work.
> 
>> On 2013-06-28 14:04, Achim Gottinger wrote:
>> 
>>> On 28.06.2013 13:55, Carsten Laun-De Lellis wrote:
>>> 
>>>> Hi Achim
>>>> 
>>>> Thanks a lot. I will try.
>>>> 
>>>> Have a nice weekend.
>>> 
>>> NP, take a look at this:
>>> 
>>> http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds [1]
>>> 
>>>> On 2013-06-28 13:35, Achim Gottinger wrote:
>>>> 
>>>>> On 28.06.2013 13:24, Carsten Laun-De Lellis wrote:
>>>>> 
>>>>>> Hi Achim
>>>>>> 
>>>>>> First of all, thanks for your input. The way you set it up was the way I did it. But when I go through your LDAP configuration it doesn't really solve my problem or, maybe more likely, I don't understand it. For auth I want my users to connect to dovecot with a user/password token. In your config I can't see where you match the password to the AD password.
>>>>> 
>>>>> For authentication dovecot uses what is configured in passdb in the corresponding LDAP config; you can see it uses auth_bind=yes, and auth_bind_userdn defines the DN used to auth against the Samba4 LDAP.
>>>>> As said, on my side cn is identical with sAMAccountName; if it's not on your side, you may have to use cn/password instead of sAMAccountName/password.
>>>>> 
>>>>>> Maybe I wasn't specific enough about what I want to do. Or I don't understand where you match the user password. And again, there is a good chance that the problem is me. Thanks again.
>>>>>> 
>>>>>> On 2013-06-28 13:13, Achim Gottinger wrote:
>>>>>> 
>>>>>>> On 28.06.2013 10:31, Carsten Laun-De Lellis wrote:
>>>>>>> 
>>>>>>>> Hi list
>>>>>>>> 
>>>>>>>> Does anyone have experience in setting up dovecot or any other mail system with user auth against a Samba4 AD? If yes, could I get some advice on that topic, or even a link to a resource where I can get some information? I googled a lot but didn't find anything yet.
>>>>>>>> 
>>>>>>>> Thanks in advance.
>>>>>>> 
>>>>>>> I did it with dovecot/postfix on Debian wheezy; there is a lot more info if you look for a dovecot setup against Microsoft AD.
>>>>>>> 
>>>>>>> First create a user for LDAP queries:
>>>>>>> 
>>>>>>> samba-tool user add ldap [password]
>>>>>>> 
>>>>>>> Configure the dovecot passdb against Samba4 AD; add or change this in your dovecot.conf or auth-ldap.conf.ext (on wheezy):
>>>>>>> 
>>>>>>> # Authentication for LDAP users
>>>>>>> passdb {
>>>>>>>   driver = ldap
>>>>>>>   args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
>>>>>>> }
>>>>>>> 
>>>>>>> Create /etc/dovecot/dovecot-ldap-passdb.conf.ext. It may be that you have to use sAMAccountName instead of cn for auth_bind_userdn and pass_filter. On my side these are identical because I migrated from samba3/openldap. The filter is looking for person classes with a matching cn and an existing mail attribute.
>>>>>>> 
>>>>>>> hosts = localhost
>>>>>>> auth_bind = yes
>>>>>>> auth_bind_userdn = cn=%u,cn=Users,dc=yourdomain,dc=local
>>>>>>> ldap_version = 3
>>>>>>> base = cn=Users,dc=yourdomain,dc=local
>>>>>>> pass_filter = (&(objectClass=person)(cn=%u)(mail=*))

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba [3]

 

Links:
------
[1] http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
[2] http://www.linkedin.com/in/carstenlaundelellis
[3] https://lists.samba.org/mailman/options/samba
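A caveat for anyone pasting Dovecot auth debug output into a list like this: the log quoted above carries the whole SASL LOGIN exchange. rsyslog renders the TAB separators of Dovecot's auth protocol as #011, and the CONT payloads are plain base64 of the "Username:"/"Password:" prompts and the client's answers, so the test account's password is recoverable from the posted lines. The script below is an added example, not code from the thread, from Dovecot or from Samba: it decodes such an exchange (constructed sample lines in the same format, with an invented password, RFC 5737 addresses and a made-up request id pairing) and produces a redacted copy fit for sharing.

```python
"""Decode and redact a Dovecot auth-debug SASL LOGIN exchange.

Added example; not code from the thread or from Dovecot. The sample log
below is constructed in the format the thread quotes (rsyslog renders the
TAB separators of Dovecot's auth protocol as #011) with a made-up password.
"""
import base64
import re

# Constructed sample, not the poster's real exchange (password is invented).
SAMPLE_LOG = """\
Jun 28 20:12:33 rv1325 dovecot: auth: Debug: client passdb out: FAIL#0115#011user=test
Jun 28 20:12:33 rv1325 dovecot: auth: Debug: client in: AUTH#0116#011LOGIN#011service=smtp#011nologin#011lip=198.51.100.10#011rip=203.0.113.7#011secured
Jun 28 20:12:37 rv1325 dovecot: auth: Debug: client passdb out: CONT#0116#011VXNlcm5hbWU6
Jun 28 20:12:37 rv1325 dovecot: auth: Debug: client in: CONT#0116#011dGVzdA== (previous base64 data may contain sensitive data)
Jun 28 20:12:37 rv1325 dovecot: auth: Debug: client passdb out: CONT#0116#011UGFzc3dvcmQ6
Jun 28 20:12:37 rv1325 dovecot: auth: Debug: client in: CONT#0116#011czNjcmV0 (previous base64 data may contain sensitive data)
Jun 28 20:12:37 rv1325 dovecot: auth: Debug: client passdb out: OK#0116#011user=test
"""

LINE_RE = re.compile(r"dovecot: auth: Debug: client (?P<dir>in|passdb out): (?P<msg>.*)$")
SYSLOG_OCTAL = re.compile(r"#([0-7]{3})")
# Client-supplied CONT payload, whether the TABs are still raw or escaped as #011.
CLIENT_CONT_RE = re.compile(r"(client in: CONT(?:#011|\t)\d+(?:#011|\t))(\S+)")


def unescape_syslog(text):
    """Turn rsyslog's #ooo control-character escapes back into characters (#011 is TAB)."""
    return SYSLOG_OCTAL.sub(lambda m: chr(int(m.group(1), 8)), text)


def parse_events(log_text):
    """Return (direction, command, request_id, args) for each auth-protocol line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # Drop Dovecot's trailing warning, then split on the protocol's TAB separators.
        msg = unescape_syslog(m.group("msg")).split(" (previous base64", 1)[0]
        cmd, req_id, *args = msg.split("\t")
        events.append((m.group("dir"), cmd, req_id, args))
    return events


def _b64(s):
    return base64.b64decode(s).decode("utf-8", "replace")


def decode_exchanges(events):
    """Group events by request id; pair each server CONT prompt with the client's answer."""
    exchanges, pending_prompt = {}, {}
    for direction, cmd, req_id, args in events:
        ex = exchanges.setdefault(req_id, {"mechanism": None, "credentials": {}, "result": None})
        if direction == "in" and cmd == "AUTH":
            ex["mechanism"] = args[0]
        elif direction == "passdb out" and cmd == "CONT":
            # LOGIN prompts decode to "Username:" / "Password:".
            pending_prompt[req_id] = _b64(args[0]).rstrip(": ")
        elif direction == "in" and cmd == "CONT" and req_id in pending_prompt:
            ex["credentials"][pending_prompt.pop(req_id)] = _b64(args[0])
        elif direction == "passdb out" and cmd in ("OK", "FAIL"):
            ex["result"] = (cmd, dict(a.split("=", 1) for a in args if "=" in a))
    return exchanges


def redact(log_text):
    """Replace every client-supplied CONT payload before the log leaves the machine."""
    return CLIENT_CONT_RE.sub(lambda m: m.group(1) + "<redacted>", log_text)


if __name__ == "__main__":
    for req_id, ex in decode_exchanges(parse_events(SAMPLE_LOG)).items():
        print(req_id, ex)
    print(redact(SAMPLE_LOG))
```

Run it on a real auth debug log and it prints, per request id, the mechanism, the decoded prompt/answer pairs and the final passdb verdict, then the same log with the client payloads replaced; the server's own prompts are left in place because they carry nothing secret.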
