Re: [gentoo-user] IMAP Server - authenticating off a Windows Domain?
2005/12/10, Stroller [EMAIL PROTECTED]:

> On Dec 5, 2005, at 2:34 pm, Arturo 'Buanzo' Busleiman wrote:
>> Stroller wrote:
>>> to authenticate against the domain controller every time the user logs on to their email?
>> You have many approaches, each of them with specific complications:
>> ...
>> 3) PAM_LDAP and use courier with authpam: May prove useful. It certainly did a couple of years ago for me.
>
> From http://www.networkcomputing.com/1305/1305ws12.html I'm reading that:
>
>> Finally, we need to add users to both the Linux server and the Windows domain. Here lies an obvious deficiency with this solution. We have provided an enterprise-scalable authentication mechanism but not an enterprise-scalable account-management mechanism.
>
> Is this really the case, please? I had just decided that PAM was the way to go for me until I read this.

I've never done this, but theoretically you could authenticate against a PDC using Kerberos and then use that Kerberos ticket to connect to any machine in your network using SSH (SSH has built-in support for SSO using Kerberos). I've successfully configured SSO in this way, but authentication was done against an OpenLDAP/Heimdal server. But weren't we talking about IMAP servers?

Best regards
Jose
Re: [gentoo-user] IMAP Server - authenticating off a Windows Domain?
On Dec 13, 2005, at 8:36 am, Jose Gonzalez Gomez wrote:

>>> Finally, we need to add users to both the Linux server and the Windows domain. Here lies an obvious deficiency with this solution. We have provided an enterprise-scalable authentication mechanism but not an enterprise-scalable account-management mechanism.
>>
>> Is this really the case, please? I had just decided that PAM was the way to go for me until I read this.
>
> I've never done this, but theoretically you could authenticate against a PDC using Kerberos and then use that Kerberos ticket to connect to any machine in your network using SSH (SSH has built-in support for SSO using Kerberos). I've successfully configured SSO in this way, but authentication was done against an OpenLDAP/Heimdal server. But weren't we talking about IMAP servers?

We are - using PAM the authentication mechanism can be applied to any service, but of course the IMAP server needs somewhere to store users' mailboxes.

That's the problem I'm getting at the moment - the user authenticates ok (using Samba's winbind PAM) but the IMAP server exits because it can't chdir into the user's home directory (which doesn't exist). I'm told I can use `pam_mkhomedir` to solve this, but I'm beginning to wonder if I've gone up the wrong path with winbind.

Winbind _is_ authenticating beautifully for me, and wasn't too hard to set up, so I'm curious how other authentication mechanisms (Mr Busleiman suggested several) handle this.

Stroller.
--
gentoo-user@gentoo.org mailing list
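For readers hitting the same chdir failure, here is an added example (not posted by anyone in the thread) of what the PAM service file for Courier could look like once winbind and pam_mkhomedir are combined. Courier's authpam asks PAM for the service named after the daemon ("imap" for imapd, "pop3" for pop3d); the module names are the real Linux-PAM and Samba ones, while the module order, the skel path and the umask are choices made for this illustration.

```text
# /etc/pam.d/imap  (added example, assumed layout for a Gentoo box
# joined to the domain with Samba/winbind)

# auth: ask winbind first; fall back to local /etc/shadow accounts
# with the same password so non-domain mailboxes still work.
auth      required    pam_env.so
auth      sufficient  pam_winbind.so
auth      required    pam_unix.so use_first_pass

# account: let winbind refuse disabled or expired domain accounts;
# a successful password is not enough on its own.
account   sufficient  pam_winbind.so
account   required    pam_unix.so

# session: create the missing home directory on first login.
# pam_mkhomedir's default umask is 0022, which would leave the new
# Maildir readable by every local user; 0077 keeps it private.
session   required    pam_mkhomedir.so skel=/etc/skel umask=0077
session   required    pam_unix.so
```

Two things to check before blaming the stack. First, authpam only does the password check through PAM; the uid, gid and home directory come from getpwnam(), so winbind must also be listed in /etc/nsswitch.conf (`passwd: files winbind`, `group: files winbind`) and smb.conf needs `template homedir` and `template shell` set, otherwise the daemon has nothing to chdir to even after pam_mkhomedir runs. `getent passwd DOMAIN\\user` returning a line with the expected home path confirms that half. Second, pam_mkhomedir fires in the session phase, so confirm with a test login that the IMAP daemon actually opens a PAM session; if it does not, the session line is dead weight and the directories must be created some other way.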
Re: [gentoo-user] IMAP Server - authenticating off a Windows Domain?
Hi,

> That's the problem I'm getting at the moment - the user authenticates ok (using Samba's winbind PAM) but the IMAP server exits because it can't chdir into the user's home directory (which doesn't exist). I'm told I can use `pam_mkhomedir` to solve this, but I'm beginning to wonder if I've gone up the wrong path with winbind.

Hm, why not just use an IMAP server that doesn't depend on existing Unix accounts for its users? Cyrus comes to my mind...

-hwh
Re: [gentoo-user] IMAP Server - authenticating off a Windows Domain?
On Dec 5, 2005, at 2:34 pm, Arturo 'Buanzo' Busleiman wrote:

> Stroller wrote:
>> to authenticate against the domain controller every time the user logs on to their email?
>
> You have many approaches, each of them with specific complications:
> ...
> 3) PAM_LDAP and use courier with authpam: May prove useful. It certainly did a couple of years ago for me.

From http://www.networkcomputing.com/1305/1305ws12.html I'm reading that:

> Finally, we need to add users to both the Linux server and the Windows domain. Here lies an obvious deficiency with this solution. We have provided an enterprise-scalable authentication mechanism but not an enterprise-scalable account-management mechanism.

Is this really the case, please? I had just decided that PAM was the way to go for me until I read this.

Stroller
Re: [gentoo-user] IMAP Server - authenticating off a Windows Domain?
2005/12/5, Stroller [EMAIL PROTECTED]:

> Hi there,
>
> Does anyone have any experience of this, please? I have a number of users with roaming profiles on a Windows Domain Controller (SBS 2003). I don't want to use Exchange as a mailserver but instead an IMAP server such as Courier (which I'm familiar with).
>
> Each user will have to change their password on the domain every couple of weeks and because I want to provide webmail access to their IMAP accounts it's desirable that their IMAP username password be the same as their Windows one. I don't mind adding users by hand on the Linux-based IMAP server but I would prefer that passwords be changed automatically - I guess the best way to do this is for the IMAP server to authenticate against the domain controller every time the user logs on to their email?
>
> Has anyone any experience of this, please?

You should either go the Kerberos way for single sign on (I think SBS 2003 uses it), or use an IMAP server that is capable of handling user authentication against LDAP (if using Active Directory).

HTH, best regards
Jose
Re: [gentoo-user] IMAP Server - authenticating off a Windows Domain?
On 12/5/05, Stroller [EMAIL PROTECTED] wrote:

> Hi there,
>
> Does anyone have any experience of this, please? I have a number of users with roaming profiles on a Windows Domain Controller (SBS 2003). I don't want to use Exchange as a mailserver but instead an IMAP server such as Courier (which I'm familiar with).
>
> Each user will have to change their password on the domain every couple of weeks and because I want to provide webmail access to their IMAP accounts it's desirable that their IMAP username password be the same as their Windows one. I don't mind adding users by hand on the Linux-based IMAP server but I would prefer that passwords be changed automatically - I guess the best way to do this is for the IMAP server to authenticate against the domain controller every time the user logs on to their email?
>
> Has anyone any experience of this, please?

You might be able to use samba winbind for this, and modify the imap pam config to use system-auth-winbind. I haven't actually tried this, but it might be something worth playing with.
Re: [gentoo-user] IMAP Server - authenticating off a Windows Domain?
Stroller wrote:
> to authenticate against the domain controller every time the user logs on to their email?

You have many approaches, each of them with specific complications:

1) Samba+Winbind+PAM = You really want samba on a mail server?
2) Kerberos = I can't talk much about this one :) - Not enough experience.
3) PAM_LDAP and use courier with authpam: May prove useful. It certainly did a couple of years ago for me.
4) courier's authldap module - like (3), but with one layer less. Never tried it.

--
Arturo Buanzo Busleiman - www.buanzo.com.ar
Information Security Consultant / Dominio Digital TV - Da FOSS man!
KTP Consultores - info AT ktpconsultores.com.ar
Breaking a security system makes you as much of a hacker as hot-wiring cars makes you an automotive engineer.
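Option 4 above is the one that sidesteps the Unix-account problem entirely, so here is an added example (not from Buanzo or the Courier project) of a courier-authlib authldaprc pointed at an Active Directory domain. The directive names are courier-authlib's own; the host, DNs, service account and attribute choices are assumptions for an imaginary example.local domain.

```text
# /etc/courier/authldaprc  (added example; every host, DN and
# attribute below is an assumption for an imaginary domain)

# With LDAP_AUTHBIND the user's real domain password is sent as a
# simple bind, so the connection must be encrypted: STARTTLS on 389
# here, or equivalently ldaps:// on 636 with LDAP_TLS 0.
LDAP_URI                ldap://dc1.example.local
LDAP_PROTOCOL_VERSION   3
LDAP_TLS                1
LDAP_TIMEOUT            5

# A read-only service account used only to find the user's DN.
# Its password sits here in clear, so keep this file mode 0600.
LDAP_BASEDN             cn=Users,dc=example,dc=local
LDAP_BINDDN             cn=courier-lookup,cn=Users,dc=example,dc=local
LDAP_BINDPW             change-me

# AD never exposes a readable password attribute, so the only way to
# verify the password is to re-bind as the DN that was found.
LDAP_AUTHBIND           1

# IMAP login name = Windows logon name
LDAP_MAIL               sAMAccountName
LDAP_FULLNAME           displayName

# No Linux accounts at all: every mailbox is owned by one local
# user/group, under a per-user path taken from an attribute you
# populate (unixHomeDirectory from the RFC 2307 extension assumed).
LDAP_GLOB_UID           vmail
LDAP_GLOB_GID           vmail
LDAP_HOMEDIR            unixHomeDirectory
# Maildir is assumed below the home directory; set LDAP_MAILDIR
# to an attribute only if you store a different path per user.
```

What this buys over the PAM route: usernames and passwords live only in the domain, the mail server needs one `vmail` account, and disabling a user in AD refuses the bind and therefore the IMAP login on the same day. The cost is the clear-text bind password in authldaprc and a hard dependency on the domain controller being reachable over TLS; without the TLS line every IMAP login would hand the user's Windows password to anyone on the path to the DC.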
[gentoo-user] IMAP Server - authenticating off a Windows Domain?
Hi there,

Does anyone have any experience of this, please? I have a number of users with roaming profiles on a Windows Domain Controller (SBS 2003). I don't want to use Exchange as a mailserver but instead an IMAP server such as Courier (which I'm familiar with).

Each user will have to change their password on the domain every couple of weeks and because I want to provide webmail access to their IMAP accounts it's desirable that their IMAP username password be the same as their Windows one. I don't mind adding users by hand on the Linux-based IMAP server but I would prefer that passwords be changed automatically - I guess the best way to do this is for the IMAP server to authenticate against the domain controller every time the user logs on to their email?

Has anyone any experience of this, please?

TIA for any advice,
Stroller.