On 28.06.2013 10:31, Carsten Laun-De Lellis wrote:
Hi list
Does anyone have experience in setting up dovecot or any other mail
system with user auth against a Samba4 AD? If yes, could I get some
advice on that topic, or even a link to a resource where I can get some
information? Googled a lot but didn't find anything yet.
Thanks in advance.
I did it with dovecot/postfix on Debian wheezy; there is a lot more info
if you look for a dovecot setup against Microsoft AD.
First create a user for LDAP queries:
samba-tool user add ldap [password]
Configure the dovecot passdb against Samba4 AD; add or change this in your
dovecot.conf or auth-ldap-conf.ext (on wheezy):
# Authentication for LDAP users
passdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
}
Create /etc/dovecot/dovecot-ldap-passdb.conf.ext; it may be that you have to use
sAMAccountName instead of cn for auth_bind_userdn and pass_filter. On my
side these are identical because I migrated from samba3/openldap. The filter
looks for person classes with a matching cn and an existing mail attribute.
hosts = localhost
auth_bind = yes
auth_bind_userdn = cn=%u,cn=Users,dc=yourdomain,dc=local
ldap_version = 3
base = cn=Users,dc=yourdomain,dc=local
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
Use different LDAP settings for the other user lookups; this again goes into
dovecot.conf:
# Users
userdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
}
Create /etc/dovecot/dovecot-ldap-userdb.conf.ext; again you may have to
change cn to sAMAccountName in user_filter and iterate_attrs. On my side I
use one system user vmail (uid:999, gid:999) for all maildirs, and those
are stored under /var/lib/vmail. With such a setup attributes like
uidNumber and gidNumber are not required for every user entry in LDAP, so
I can hardcode all necessary userdb lookup variables.
I use /var/lib/vmail/[cn] as the dovecot user homedir (for things like
sieve settings etc.) and /var/lib/vmail/[cn]/mail for the maildir.
hosts = localhost
dn = cn=ldap,cn=Users,DC=yourdomain,DC=local
dnpass = [password]
ldap_version = 3
base = cn=Users,DC=yourdomain,DC=local
user_attrs = =uid=999,=gid=999,=home=/var/lib/vmail/%u,mail=/var/lib/vmail/%u/mail
user_filter = (&(objectClass=person)(cn=%u)(mail=*))
# Attributes and filter to get a list of all users
iterate_attrs = cn=user
iterate_filter = (objectClass=person)
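As an added illustration (not code from the post or from dovecot), a small Python model of the pass_filter/user_filter above run against constructed AD entries: it shows why cn=%u finds nothing on a plain AD where cn is the display name, why entries without a mail attribute are excluded, and that escaping %u keeps a login name from altering the filter. The sample entries and the sAMAccountName filter variant are assumptions.

```python
import re

# Constructed sample AD entries (not from the post): in AD the cn is usually
# the display name, while sAMAccountName is the login name.
AD_USERS = [
    {"objectClass": ["top", "person", "user"], "cn": "John Doe",
     "sAMAccountName": "jdoe", "mail": "jdoe@yourdomain.local"},
    {"objectClass": ["top", "person", "user"], "cn": "svc-backup",
     "sAMAccountName": "svc-backup"},  # no mail attribute, must be excluded
]

CN_FILTER = "(&(objectClass=person)(cn=%u)(mail=*))"  # as in the post
SAM_FILTER = "(&(objectClass=person)(sAMAccountName=%u)(mail=*))"  # assumed
TERM = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")

def ldap_filter_escape(value):
    """RFC 4515 escaping, so the login name cannot change the filter shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def expand(template, username):
    """Substitute %u into a filter template the way Dovecot does (escaped)."""
    return template.replace("%u", ldap_filter_escape(username))

def matches(entry, filt):
    """Evaluate the (&(a=b)(c=*)...) filter subset used in the post."""
    if not (filt.startswith("(&") and filt.endswith(")")):
        raise ValueError("only (&...) conjunctions are supported")
    body = filt[2:-1]
    terms = TERM.findall(body)
    if "".join("(%s=%s)" % t for t in terms) != body:
        raise ValueError("unparsed filter text: " + filt)
    for attr, value in terms:
        raw = entry.get(attr)
        if raw is None:
            return False  # absent attribute fails both (x=value) and (x=*)
        values = raw if isinstance(raw, list) else [raw]
        if value != "*" and unescape(value).lower() not in [v.lower() for v in values]:
            return False  # AD matches these attributes case-insensitively
    return True

def lookup(username, template=SAM_FILTER):
    """Login names of the entries a passdb/userdb query for username returns."""
    return [e["sAMAccountName"] for e in AD_USERS
            if matches(e, expand(template, username))]
```

Try lookup("jdoe", CN_FILTER) (empty, because cn is "John Doe"), lookup("jdoe") (finds the user) and lookup("jdoe)(cn=*") (empty, the parentheses are escaped so the filter stays intact).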
For reference, these are my maildir settings in dovecot.conf (10-mail.conf
on wheezy).
## Maildir locations and settings
mail_plugins = acl
mail_home = /var/lib/vmail/%u
mail_location = maildir:/var/lib/vmail/%u/mail
mail_uid = 999
mail_gid = 999
first_valid_uid = 999
first_valid_gid = 999
#mail_full_filesystem_access = no
mail_shared_explicit_inbox = no
maildir_very_dirty_syncs = yes
namespace {
list = no
location = maildir:/var/lib/vmail/%%u/mail:INDEX=/var/lib/vmail/%u/mail/shared/%%u
prefix = shared/%%u/
separator = /
subscriptions = no
type = shared
}
namespace inbox {
inbox = yes
location = maildir:/var/lib/vmail/%u/mail
prefix =
separator = /
type = private
}
If you want to use Kerberos with dovecot (works well with Thunderbird on
domain member workstations) you have to create an SPN and a keytab.
samba-tool spn add imap/server.yourdomain.local@YOURDOMAIN.LOCAL ldap
I had trouble with the keytab, but this worked so far (use the ldap user's
password if asked).
cd /etc/dovecot
ktutil
addent -password -p imap/server.yourdomain.local@YOURDOMAIN.LOCAL -k 1 -e arcfour-hmac
wkt dovecot.keytab
If you use dovecot for postfix authentication as well:
samba-tool spn add smtp/server.yourdomain.local@YOURDOMAIN.LOCAL ldap
cd /etc/dovecot
ktutil
addent -password -p imap/server.yourdomain.local@YOURDOMAIN.LOCAL -k 1 -e arcfour-hmac
addent -password -p smtp/server.yourdomain.local@YOURDOMAIN.LOCAL -k 1 -e arcfour-hmac
wkt dovecot.keytab
The necessary settings in dovecot.conf (10-auth.conf on wheezy) are below. The
only way I got it working was with auth_gssapi_hostname = "$ALL", which
may be a bit insecure.
auth_mechanisms = plain login gssapi
# Kerberos
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
Hope that helps.
achim~
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba