Re: [Dovecot] Samba AD and Dovecot

2011-02-05 Thread Jason Gunthorpe
On Fri, Feb 04, 2011 at 01:47:31PM -0700, Trever L. Adams wrote:
  There was a thread a month or so ago on how to do GSSAPI with AD and
  dovecot kerberos. It works great, and I highly recommend it for AD
  sites. Check the archives, it isn't really too hard.

 I am not finding this. Do you happen to remember the subject?

No, but it is pretty simple using latest everything (well, Debian
squeeze).. Basically from scratch.. Notice this also sets up NTLM,
which is supported by many roaming devices (i.e. phones).

1) Put this or similar in /etc/samba/smb.conf

[global]
workgroup = $NT_WORKGROUP$
realm = $REALM$
security = ads
kerberos method = secrets and keytab

2) Confirm that hostname gives an unqualified name and hostname -f
   gives a fully qualified name. Confirm you have DNS setup properly
   (eg dig -t SRV _kerberos._udp.$REALM$ works OK)

3) Join the machine to AD

$ net ads join -U 'user with AD privs'

$ kinit AD_USER
$ kvno host/`hostname -f`

4) Setup imap SPN:

$ net ads keytab add imap

$ net ads search cn=`hostname` | grep servicePrincipalName
$ klist -k
$ kvno imap/`hostname -f`
   
   The last three should report imap/`hostname -f` entries.

5) Setup dovecot..

Set these things in the config

auth_use_winbind = yes

# Dovecot 1.x syntax (Debian squeeze): mechanisms lives inside the auth block
auth default {
  mechanisms = plain gssapi gss-spnego login ntlm
}

6) Setup exim..

$ net ads keytab add smtp

Use these in the dovecot config:

# inside the auth default { } block; the socket exim's dovecot driver connects to
  socket listen {
    client {
      path = /var/run/dovecot/auth-client
      mode = 0660
      group = Debian-exim
    }
  }

And this at the end of the exim.conf:

dovecot_plain:
driver = dovecot
public_name = PLAIN
server_socket = /var/run/dovecot/auth-client
server_set_id=PLAIN-${quote:$auth1}

dovecot_ntlm:
driver = dovecot
public_name = NTLM
server_socket = /var/run/dovecot/auth-client
server_set_id=NTLM-${quote:$auth1}

dovecot_gssapi:
driver = dovecot
public_name = GSSAPI
server_socket = /var/run/dovecot/auth-client
server_set_id=GSSAPI-${quote:$auth1}

dovecot_gssapi_spnego:
driver = dovecot
public_name = GSS-SPNEGO
server_socket = /var/run/dovecot/auth-client
server_set_id=GSS-SPNEGO-${quote:$auth1}

7) Setup openssh

in sshd_config

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes

Jason
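The checks at the end of step 4 ("the last three should report imap/`hostname -f` entries"), plus the smtp SPN from step 6, scripted as an added example that is not part of Jason's post or of Samba's tooling. It parses `klist -k` output in MIT format (one line per enctype, "<kvno> <principal>") and reports two things a practitioner wants to know before pointing clients at the host: that every service has an SPN for the FQDN, and that no principal carries two kvnos (a stale entry left from before a machine password change, which makes GSSAPI fail for clients holding tickets under the newer key). The host name mail.example.com, the realm EXAMPLE.COM and the listing are constructed for the demonstration; on a real host feed it `klist -k` instead.

```shell
#!/bin/sh
# Added example (not from the thread): keytab sanity check for the mail host.
# Parses `klist -k` output in MIT format and verifies
#   (a) every service the host offers has a SERVICE/FQDN@REALM entry, and
#   (b) each principal's entries share a single kvno.
# Sample listing, host name and realm below are constructed for the demo.

# check_spns KLIST_OUTPUT FQDN SERVICE... -> 0 if every SERVICE/FQDN@ is listed
check_spns() {
    klist_out=$1; fqdn=$2; shift 2
    missing=""
    for svc in "$@"; do
        printf '%s\n' "$klist_out" | grep -qF " $svc/$fqdn@" \
            || missing="$missing $svc/$fqdn"
    done
    [ -z "$missing" ] && return 0
    printf 'missing keytab entries:%s\n' "$missing" >&2
    return 1
}

# kvno_consistent KLIST_OUTPUT PRINCIPAL -> 0 if all entries for PRINCIPAL
# carry one kvno. Mixed kvnos mean a stale entry from before a machine
# password change; "net ads keytab create" rewrites the keytab from the
# current machine account.
kvno_consistent() {
    n=$(printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1 }' \
        | sort -u | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

# Constructed sample of `klist -k` on a joined host; imap/ has a stale kvno
# and no smtp/ entry was added yet.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   2 host/mail.example.com@EXAMPLE.COM
   2 host/MAIL@EXAMPLE.COM
   2 imap/mail.example.com@EXAMPLE.COM
   3 imap/mail.example.com@EXAMPLE.COM'

# Stand-alone run; on a real host use: SAMPLE_KLIST=$(klist -k); FQDN=$(hostname -f)
FQDN=mail.example.com
if check_spns "$SAMPLE_KLIST" "$FQDN" host imap smtp; then
    echo "all SPNs present"
fi
for p in host/$FQDN@EXAMPLE.COM imap/$FQDN@EXAMPLE.COM; do
    kvno_consistent "$SAMPLE_KLIST" "$p" || echo "mixed kvno for $p"
done
```

Run it after each `net ads keytab add`; the kvno check is the one that catches the failure mode `kvno imap/\`hostname -f\`` alone does not show, since kvno only tells you what the KDC currently issues, not what the keytab still holds.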


Re: [Dovecot] Samba AD and Dovecot

2011-02-05 Thread Trever L. Adams
Thank you Jason for your answer. This has helped a great deal. I haven't
even gotten to the step of SSH yet. That will help me greatly.

On 02/05/2011 06:53 PM, Jason Gunthorpe wrote:

 5) Setup dovecot..

 Set these things in the config

 auth_use_winbind = yes

   mechanisms = plain gssapi gss-spnego login ntlm
Ok, I do this step differently as I use gssapi directly and not with
winbind.
 6) Setup exim..


I use postfix instead of exim. How do you know what user is valid and
what isn't in exim? I don't see any LDAP. I use LDAP (both postfix and
dovecot deliver... I have to use LDAP for the aliases to be setup the
way they have been requested). I also don't see any mention of any other
user database.
 7) Setup openssh

 in sshd_config

 GSSAPIAuthentication yes
 GSSAPICleanupCredentials yes
 GSSAPIStrictAcceptorCheck yes

 Jason

Thank you much.

Trever






Re: [Dovecot] Samba AD and Dovecot

2011-02-05 Thread Jason Gunthorpe
On Sat, Feb 05, 2011 at 08:39:37PM -0700, Trever L. Adams wrote:

  Set these things in the config
 
  auth_use_winbind = yes
 
mechanisms = plain gssapi gss-spnego login ntlm

 Ok, I do this step differently as I use gssapi directly and not with
 winbind.

This is also what this does. auth_use_winbind only affects gss-spnego
and ntlm which call out to the ntlm_auth helper to make it go. IMHO,
if you have AD you should set this up too.

 I use postfix instead of exim. How do you know what user is valid and
 what isn't in exim. I don't see any LDAP. I use LDAP (both postfix and
 dovecot deliver... I have to use LDAP for the aliases to be setup the
 way they have been requested). I also don't see any mention of any other
 user database.

In my simple world everything rides on nss_winbind and winbindd. These
instructions are just how to setup kerberos for authentication
not the much stickier authorization..

Jason


[Dovecot] Samba AD and Dovecot

2009-10-06 Thread Trever L. Adams
Hello All,

I haven't seen the answer to this, maybe I am just using the wrong
searches. I have two queries related to this:

1) I have seen how to configure for LDAP and Kerberos. AD uses both
together. All user information is in AD/LDAP and authentication is
AD/Kerberos. How can I configure Dovecot to use both appropriately?

2) I can cause Samba to create certain directories on login, etc.
However, I am needing to do this for Dovecot (and Postfix using Dovecot
deliver). I would prefer to use Dovecot functionality for this, not
Samba. This is not the autocreate folder/subscribe stuff, at least I
think not. For example if I have a directory /var/mail/domain/user. Can
I have Dovecot auto create (with proper permissions) the domain/user
part? These would be used for maildir.

Thank you,
Trever Adams





Re: [Dovecot] Samba AD and Dovecot

2009-10-06 Thread Timo Sirainen

On Oct 7, 2009, at 12:36 AM, Trever L. Adams wrote:

 I haven't seen the answer to this, maybe I am just using the wrong
 searches. I have two queries related to this:

 1) I have seen how to configure for LDAP and Kerberos. AD uses both
 together. All user information is in AD/LDAP and authentication is
 AD/Kerberos. How can I configure Dovecot to use both appropriately?

You could forget about the Kerberos part and just use AD as an LDAP
server.

 2) I can cause Samba to create certain directories on login, etc.
 However, I am needing to do this for Dovecot (and Postfix using Dovecot
 deliver). I would prefer to use Dovecot functionality for this, not
 Samba. This is not the autocreate folder/subscribe stuff, at least I
 think not. For example if I have a directory /var/mail/domain/user. Can
 I have Dovecot auto create (with proper permissions) the domain/user
 part? These would be used for maildir.

If you're using the same UNIX UID for all users, there's really
nothing you need to do. Dovecot tries to create missing directories
automatically.


Re: [Dovecot] Samba AD and Dovecot

2009-10-06 Thread Timo Sirainen

Ccing mailing list, since I'm not all-knowing..

On Oct 7, 2009, at 12:49 AM, Trever L. Adams wrote:

 Timo Sirainen wrote:
  On Oct 7, 2009, at 12:36 AM, Trever L. Adams wrote:
   1) I have seen how to configure for LDAP and Kerberos. AD uses both
   together. All user information is in AD/LDAP and authentication is
   AD/Kerberos. How can I configure Dovecot to use both appropriately?
  You could forget about the Kerberos part and just use AD as an LDAP
  server.
 I really want to use kerberos/SPNEGO everywhere I can for various
 reasons. The LDAP would be for the configuration.

Do you actually want the IMAP/POP3 clients to use Kerberos? For
plaintext auth I don't see any benefit in Dovecot using Kerberos
rather than LDAP (and it doesn't support that, except via pam_kerberos
or whatever I guess). But for clients to use Kerberos (GSSAPI) and
authenticate against AD while Dovecot is in the middle... I've no
idea. I guess that's possible somehow.

   2) For example if I have a directory /var/mail/domain/user. Can
   I have Dovecot auto create (with proper permissions) the domain/user
   part? These would be used for maildir.
  If you're using the same UNIX UID for all users, there's really
  nothing you need to do. Dovecot tries to create missing directories
  automatically.
 No, I will be using the new Samba IDMAP stuff that hashes all the parts
 of the windows ID to a 32 bit UID. Any way to do this, or will I need
 to find another solution (not for mailing, but for directory creation)?

There's no great way to do this.. A couple of kludgy ways. Like chmod
01777 /var/mail. Or override mail_executable setting to a script that
still runs as root and can create the directory with proper
permissions. http://wiki.dovecot.org/PostLoginScripting


Re: [Dovecot] Samba AD and Dovecot

2009-10-06 Thread Trever L. Adams
Timo Sirainen wrote:
 I really want to use kerberos/SPNEGO everywhere I can for various
 reasons. The LDAP would be for the configuration.
 Do you actually want the IMAP/POP3 clients to use Kerberos? For
 plaintext auth I don't see any benefit in Dovecot using Kerberos
 rather than LDAP (and it doesn't support that, except via pam_kerberos
 or whatever I guess). But for clients to use Kerberos (GSSAPI) and
 authenticate against AD while Dovecot is in the middle... I've no
 idea. I guess that's possible somehow.
You have all of the Kerberos/GSSAPI/SPNEGO stuff done. It is just a
matter of can I still have the configuration (for user directories,
etc.) done in LDAP?

http://wiki.dovecot.org/Authentication/Mechanisms/Winbind?highlight=%28spnego%29
for the SPNEGO/Kerberos

I am not using this via Plain Text. This is for AD and Kerberos domains.
(Yes, I understand that if I want to do straight kerberos, I use
http://wiki.dovecot.org/Authentication/Kerberos instead.)

But instead of userdb static, can it be userdb ldap or some such?
 There's no great way to do this.. A couple of kludgy ways. Like chmod
 01777 /var/mail. Or override mail_executable setting to a script that
 still runs as root and can create the directory with proper
 permissions. http://wiki.dovecot.org/PostLoginScripting
Alright, I am going to have to find another way for this part. The other
part (Kerberos and LDAP together), I do need. LDAP for configuration,
Kerberos (or NTLM in some cases for SPNEGO) for authentication.


Trever Adams



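The split Trever asks for (LDAP as the userdb for directories, uid and gid; Kerberos, SPNEGO or NTLM for authentication), written out as an added example that is not part of the thread and not Dovecot's or Samba's own sample configuration. It uses the Dovecot 1.x syntax of the fragments earlier in the thread and leans on the fact that GSSAPI is verified by the Kerberos library and GSS-SPNEGO/NTLM by Samba's ntlm_auth helper (via auth_use_winbind), so only PLAIN needs a passdb at all; that passdb goes through PAM, which is assumed to be configured with pam_winbind for the dovecot service. The DC names, the lookup account DN and password, the base DN, the /var/mail layout and the presence of RFC 2307 attributes (uidNumber, gidNumber) on the AD user objects are assumptions.

```conf
# /etc/dovecot/dovecot.conf (Dovecot 1.x syntax, matching the fragments above)
auth_use_winbind = yes
# Keytab written by "net ads keytab add imap"; must be readable by the auth process.
auth_krb5_keytab = /etc/krb5.keytab

auth default {
  mechanisms = plain gssapi gss-spnego ntlm

  # Only PLAIN needs a password check here; PAM (pam_winbind, assumed in
  # /etc/pam.d/dovecot) verifies it against AD. GSSAPI is verified by the
  # Kerberos library and GSS-SPNEGO/NTLM by ntlm_auth, so none of those
  # consult this passdb.
  passdb pam {
    args = dovecot
  }

  # Everything else about the user (uid, gid) comes from AD over LDAP,
  # regardless of which mechanism authenticated them.
  userdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }
}

# domain/user layout from the original question; %d assumes logins of the
# form user@domain (use %n alone for bare usernames)
mail_location = maildir:/var/mail/%d/%n/Maildir

# /etc/dovecot/dovecot-ldap.conf (all values assumed)
uris = ldaps://dc1.example.com ldaps://dc2.example.com
ldap_version = 3
# AD rejects anonymous searches: bind as a low-privilege lookup account
dn = CN=dovecot-lookup,OU=Service Accounts,DC=example,DC=com
dnpass = CHANGE-ME
base = DC=example,DC=com
scope = subtree
# RFC 2307 attributes populated in AD (e.g. by Services for UNIX)
user_attrs = uidNumber=uid,gidNumber=gid
# Match on sAMAccountName and exclude objects with the ACCOUNTDISABLE bit
# (matching rule 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND), so a
# disabled AD account gets no mailbox even if some upstream path still
# accepts its credentials.
user_filter = (&(objectClass=user)(sAMAccountName=%n)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
```

The userdb lookup carries no password, which is why LDAP can stay out of the authentication path that Jason objects to later in the thread; it still goes over ldaps:// here because an attacker who can rewrite uidNumber or gidNumber in transit chooses which mailbox the process opens.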


Re: [Dovecot] Samba AD and Dovecot

2009-10-06 Thread Jason Gunthorpe
On Wed, Oct 07, 2009 at 12:57:21AM -0400, Timo Sirainen wrote:
 Ccing mailing list, since I'm not all-knowing..
 
 On Oct 7, 2009, at 12:49 AM, Trever L. Adams wrote:
 
 Timo Sirainen wrote:
 On Oct 7, 2009, at 12:36 AM, Trever L. Adams wrote:
 1) I have seen how to configure for LDAP and Kerberos. AD uses both
 together. All user information is in AD/LDAP and authentication is
 AD/Kerberos. How can I configure Dovecot to use both appropriately?
 You could forget about the Kerberos part and just use AD as an LDAP
 server.
 I really want to use kerberos/SPNEGO everywhere I can for various
 reasons. The LDAP would be for the configuration.
 
 Do you actually want the IMAP/POP3 clients to use Kerberos? For  
 plaintext auth I don't see any benefit in Dovecot using Kerberos  
 rather than LDAP (and it doesn't support that, except via pam_kerberos  
 or whatever I guess). But for clients to use Kerberos (GSSAPI) and  
 authenticate against AD while Dovecot is in the middle... I've no  
 idea. I guess that's possible somehow.

There was a thread a month or so ago on how to do GSSAPI with AD and
dovecot kerberos. It works great, and I highly recommend it for AD
sites. Check the archives, it isn't really too hard.

The problem with LDAP is you have to use SSL ldap for security. The
overhead is much higher than using native kerberos or samba pam
modules. There is also an obnoxious setup procedure on the AD side to
get a LDAP SSL cert installed and serious issues with failover to
backup domain controllers. For plain text password auth on AD sites,
samba's pam_winbind is probably the best choice. Secure, easy to setup
and pretty fast.

If you have an AD server I also *highly* recommend the dovecot winbind
NTLM method. Almost every client in the world will do some level of
NTLM hashing and it reduces the risk from plain password exposure.

 No, I will be using the new Samba IDMAP stuff that hashes all the parts
 of the windows ID to a 32 bit UID. Any way to do this, or will I need
 to find another solution (not for mailing, but for directory creation)?
 
 There's no great way to do this.. A couple of kludgy ways. Like chmod
 01777 /var/mail. Or override mail_executable setting to a script that
 still runs as root and can create the directory with proper
 permissions. http://wiki.dovecot.org/PostLoginScripting

Can dovecot use pam_mkhomedir?

Jason