Good afternoon. Shouldn't at least the wiki page be updated so that it avoids someone in the future having to struggle like I did?

On 08/11/2019 at 17:13, David Wells via dovecot wrote:
> Good afternoon.
>
>
> I'm configuring dovecot to authenticate users against a samba server
> running as an active directory domain controller. I followed the
> instructions as stated in the page
> https://wiki.dovecot.org/Authentication/Kerberos and considering the
> sentence that states [...]The Kerberos authentication mechanism
> doesn't require having a passdb, but you do need a userdb[...] I
> produced a configuration file that looked like this
>
>> auth_gssapi_hostname = $ALL
>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
>> auth_mechanisms = gssapi
>> auth_username_format = %u
>> mail_location =
>> maildir:~/Maildir:INDEX=/var/lib/dovecot/%d/%n:CONTROL=/var/lib/dovecot/%d/%n:UTF-8
>> managesieve_notify_capability = mailto
>> managesieve_sieve_capability = fileinto reject envelope
>> encoded-character vacation subaddress comparator-i;ascii-numeric
>> relational regex imap4flags copy include variables body enotify
>> environment mailbox date index ihave duplicate mime foreverypart
>> extracttext
>> namespace inbox {
>>   inbox = yes
>>   location =
>>   mailbox Drafts {
>>     special_use = \Drafts
>>   }
>>   mailbox Junk {
>>     special_use = \Junk
>>   }
>>   mailbox Sent {
>>     special_use = \Sent
>>   }
>>   mailbox "Sent Messages" {
>>     special_use = \Sent
>>   }
>>   mailbox Trash {
>>     special_use = \Trash
>>   }
>>   prefix =
>> }
>> plugin {
>>   sieve = file:~/sieve;active=~/.dovecot.sieve
>> }
>> protocols = imap
>> ssl_ca = /etc/ssl/certs/cacertificate.crt
>> ssl_cert = </etc/ssl/certs/certificate.crt
>> ssl_key = # hidden, use -P to show it
>> userdb {
>>   args = uid=vmail gid=vmail home=/var/vmail/%d/%n allow_all_users=yes
>>   driver = static
>> }
>
> When I ran these settings I would get an error that read
>
>> Nov 8 17:00:00 mail dovecot: auth: Error:
>> gssapi(user@KERBEROSPRINCIPAL,192.168.182.137,<IQMcOtuWI+3AqLaJ>):
>> All password databases were skipped
>> Nov 8 17:00:02 mail dovecot: imap-login: Disconnected (auth service
>> reported temporary failure): user=<user@KERBEROSPRINCIPAL>,
>> method=GSSAPI, rip=192.168.182.137, lip=192.168.182.4, TLS,
>> session=<IQMcOtuWI+3AqLaJ>
>
> After trying many things I finally modified my config
>
>> auth_gssapi_hostname = $ALL
>> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
>> auth_mechanisms = gssapi
>> auth_username_format = %u
>> mail_location =
>> maildir:~/Maildir:INDEX=/var/lib/dovecot/%d/%n:CONTROL=/var/lib/dovecot/%d/%n:UTF-8
>> managesieve_notify_capability = mailto
>> managesieve_sieve_capability = fileinto reject envelope
>> encoded-character vacation subaddress comparator-i;ascii-numeric
>> relational regex imap4flags copy include variables body enotify
>> environment mailbox date index ihave duplicate mime foreverypart
>> extracttext
>> namespace inbox {
>>   inbox = yes
>>   location =
>>   mailbox Drafts {
>>     special_use = \Drafts
>>   }
>>   mailbox Junk {
>>     special_use = \Junk
>>   }
>>   mailbox Sent {
>>     special_use = \Sent
>>   }
>>   mailbox "Sent Messages" {
>>     special_use = \Sent
>>   }
>>   mailbox Trash {
>>     special_use = \Trash
>>   }
>>   prefix =
>> }
>> passdb {
>>   args = /etc/dovecot/dovecot-ldap.conf.ext
>>   driver = ldap
>> }
>> plugin {
>>   sieve = file:~/sieve;active=~/.dovecot.sieve
>> }
>> protocols = imap
>> ssl_ca = /etc/ssl/certs/cacertificate.crt
>> ssl_cert = </etc/ssl/certs/certificate.crt
>> ssl_key = # hidden, use -P to show it
>> userdb {
>>   args = uid=vmail gid=vmail home=/var/vmail/%d/%n allow_all_users=yes
>>   driver = static
>> }
>
> The dovecot-ldap.conf.ext file looks like this
>
>> hosts = dc1:3268
>> tls = yes
>> auth_bind = yes
>> auth_bind_userdn = %u
>> base =
>
> With this configuration I can authenticate to the imap server sending
> user@KERBEROSPRINCIPAL as my username and without setting a password
> so I'm wondering if the wiki page needs to be updated or if there is
> something wrong with my first setup.
>
>
> Thanks in advance.
>
> Best regards,
>
> David Wells.