Good afternoon.

I'm configuring dovecot to authenticate users against a samba server running as an active directory domain controller. I followed the instructions as stated in the page https://wiki.dovecot.org/Authentication/Kerberos and, considering the sentence that states "[...] The Kerberos authentication mechanism doesn't require having a passdb, but you do need a userdb [...]", I produced a configuration file that looked like this:

auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = gssapi
auth_username_format = %u
mail_location = maildir:~/Maildir:INDEX=/var/lib/dovecot/%d/%n:CONTROL=/var/lib/dovecot/%d/%n:UTF-8
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = imap
ssl_ca = /etc/ssl/certs/cacertificate.crt
ssl_cert = </etc/ssl/certs/certificate.crt
ssl_key = # hidden, use -P to show it
userdb {
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n allow_all_users=yes
  driver = static
}

When I ran these settings I would get an error that read:

Nov  8 17:00:00 mail dovecot: auth: Error: gssapi(user@KERBEROSPRINCIPAL,192.168.182.137,<IQMcOtuWI+3AqLaJ>): All password databases were skipped
Nov  8 17:00:02 mail dovecot: imap-login: Disconnected (auth service reported temporary failure): user=<user@KERBEROSPRINCIPAL>, method=GSSAPI, rip=192.168.182.137, lip=192.168.182.4, TLS, session=<IQMcOtuWI+3AqLaJ>

After trying many things I finally modified my config:

auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = gssapi
auth_username_format = %u
mail_location = maildir:~/Maildir:INDEX=/var/lib/dovecot/%d/%n:CONTROL=/var/lib/dovecot/%d/%n:UTF-8
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = imap
ssl_ca = /etc/ssl/certs/cacertificate.crt
ssl_cert = </etc/ssl/certs/certificate.crt
ssl_key = # hidden, use -P to show it
userdb {
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n allow_all_users=yes
  driver = static
}

The dovecot-ldap.conf.ext file looks like this:

hosts = dc1:3268
tls = yes
auth_bind = yes
auth_bind_userdn = %u
base =

With this configuration I can authenticate to the imap server sending user@KERBEROSPRINCIPAL as my username and without setting a password, so I'm wondering if the wiki page needs to be updated or if there is something wrong with my first setup.


Thanks in advance.

Best regards,

David Wells.
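An added triage script (not part of the post above, nor Dovecot's own tooling) that parses the two log lines quoted in the post: it pairs each "auth: Error" with the imap-login disconnect that carries the same session id and counts failures per mechanism, error text and client IP, which is how an operator would spot a passdb misconfiguration affecting GSSAPI logins rather than a single bad client. The sample log is constructed: the first two lines are the post's, the third is a made-up successful login in the same syslog format.

```python
import re
from collections import Counter

# Constructed sample: the two lines quoted in the post, plus one made-up
# successful login line in the same Dovecot syslog format.
SAMPLE_LOG = """\
Nov  8 17:00:00 mail dovecot: auth: Error: gssapi(user@KERBEROSPRINCIPAL,192.168.182.137,<IQMcOtuWI+3AqLaJ>): All password databases were skipped
Nov  8 17:00:02 mail dovecot: imap-login: Disconnected (auth service reported temporary failure): user=<user@KERBEROSPRINCIPAL>, method=GSSAPI, rip=192.168.182.137, lip=192.168.182.4, TLS, session=<IQMcOtuWI+3AqLaJ>
Nov  8 17:05:00 mail dovecot: imap-login: Login: user=<user@KERBEROSPRINCIPAL>, method=GSSAPI, rip=192.168.182.137, lip=192.168.182.4, mpid=2201, TLS, session=<Zt9QfuuWMO3AqLaJ>
"""

# auth: Error: <mech>(<user>,<remote ip>,<session>): <error text>
AUTH_ERROR = re.compile(
    r"dovecot: auth: Error: (?P<mech>\w+)\((?P<user>[^,]*),(?P<rip>[^,]*),<(?P<session>[^>]+)>\): (?P<error>.+)$"
)
# imap-login: Disconnected (<reason>): user=<...>, method=..., rip=..., ..., session=<...>
LOGIN_DISCONNECT = re.compile(
    r"dovecot: imap-login: Disconnected \((?P<reason>[^)]+)\): user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>\w+), rip=(?P<rip>[^,]+), .*session=<(?P<session>[^>]+)>"
)

def correlate_auth_failures(log_text):
    """Pair each 'auth: Error' with the imap-login disconnect sharing its session id.

    Returns one dict per failed session, in the order the errors appear; the
    disconnect_reason stays None if no matching imap-login line was seen.
    """
    failures = {}
    for line in log_text.splitlines():
        m = AUTH_ERROR.search(line)
        if m:
            failures[m.group("session")] = {**m.groupdict(), "disconnect_reason": None}
            continue
        m = LOGIN_DISCONNECT.search(line)
        if m and m.group("session") in failures:
            failures[m.group("session")]["disconnect_reason"] = m.group("reason")
    return list(failures.values())

def failure_summary(log_text):
    """Count failures by (mechanism, error text, client IP) for quick triage."""
    return Counter(
        (f["mech"], f["error"], f["rip"]) for f in correlate_auth_failures(log_text)
    )

if __name__ == "__main__":
    for f in correlate_auth_failures(SAMPLE_LOG):
        print(f"{f['session']}: {f['mech']} user={f['user']} rip={f['rip']} "
              f"-> {f['error']} / {f['disconnect_reason']}")
    print(failure_summary(SAMPLE_LOG))
```

Feed it `journalctl -u dovecot` or the mail log instead of SAMPLE_LOG; a summary dominated by one error text across many users and IPs points at server-side configuration rather than at clients.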
