Hi Achim
First of all, thanks for your input. The way you set it up is the way I did it. But when I go through your LDAP configuration, it doesn't really solve my problem or, maybe more likely, I don't understand it. For auth I want my users to connect to Dovecot with a user/password token. In your config I can't see where you match the password to the AD password. Maybe I wasn't specific enough about what I want to do. Or I don't understand where you match against the user password. And again there is a good chance that the problem is myself. :'(

Thanks again.

---
Kind regards

Carsten Laun-De Lellis
Hauptstrasse 13
D-67705 Trippstadt

Phone: +49 6306 992140
Fax: +49 6306 992142
Mobile: +49 151 27530865
email: carsten.delel...@delellis.net
http://www.linkedin.com/in/carstenlaundelellis

On 2013-06-28 13:13, Achim Gottinger wrote:
> On 28.06.2013 10:31, Carsten Laun-De Lellis wrote:
>
>> Hi list
>>
>> Does anyone have experience in setting up Dovecot or any other mail
>> system with user auth against a Samba4 AD? If yes, could I get some advice
>> on that topic or even a link to a resource where I can get some
>> information? Googled a lot but didn't find something yet. Thanks in advance.
>
> I did it with dovecot/postfix on Debian wheezy, there is a lot more info
> if you look for dovecot setup against Microsoft AD.
>
> First create a user for ldap queries:
>
> samba-tool user add ldap [password]
>
> Configure dovecot passdb against Samba4 AD, add or change this in your
> dovecot.conf or auth-ldap-conf.ext (on wheezy)
>
> # Authentication for LDAP users
>
> passdb {
>   driver = ldap
>   args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
> }
>
> Create /etc/dovecot/dovecot-ldap-passdb.conf.ext, can be you have to use
> sAMAccountName instead of cn for auth_bind_userdn and pass_filter. On my
> side these are identical because I migrated from samba3/openldap. Filter
> is looking for person classes with matching cn and an existing mail attribute.
>
> hosts = localhost
> auth_bind = yes
> auth_bind_userdn = cn=%u,cn=Users,dc=yourdomain,dc=local
> ldap_version = 3
>
> base = cn=Users,dc=yourdomain,dc=local
> pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
>
> Use different ldap settings for other user lookups, this goes again into
> dovecot.conf
>
> # Users
> userdb {
>   driver = ldap
>   args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
> }
>
> Create /etc/dovecot/dovecot-ldap-userdb.conf.ext, again you may have to
> change cn to sAMAccountName in user_filter and iter_attrs. On my side I
> use one system user vmail (uid:999, gid:999) for all maildirs and those
> are stored under /var/lib/vmail. With such a setup attributes like
> uidNumber and gidNumber are not required for every user entry in ldap so
> I can hardcode all necessary userdb lookup variables.
> I use /var/lib/vmail/[cn] as the dovecot user homedir (for things like
> sieve settings etc.) and /var/lib/vmail/[cn]/mail for the maildir.
>
> hosts = localhost
> dn = cn=ldap,cn=Users,DC=yourdomain,DC=local
> dnpass = [password]
> ldap_version = 3
> base = cn=Users,DC=yourdomain,DC=local
>
> user_attrs = =uid=999,=gid=999,=home=/var/lib/vmail/%u,mail=/var/lib/vmail/%u/mail
> user_filter = (&(objectClass=person)(cn=%u)(mail=*))
>
> # Attributes and filter to get a list of all users
> iterate_attrs = cn=user
> iterate_filter = (objectClass=person)
>
> For reference these are my maildir settings in dovecot.conf (10-mail.conf
> on wheezy).
>
> ## Maildir locations and settings
>
> mail_plugins = acl
> mail_home = /var/lib/vmail/%u
> mail_location = maildir:/var/lib/vmail/%u/mail
> mail_uid = 999
> mail_gid = 999
>
> first_valid_uid = 999
> first_valid_gid = 999
>
> #mail_full_filesystem_access = no
> mail_shared_explicit_inbox = no
> maildir_very_dirty_syncs = yes
>
> namespace {
>   list = no
>   location = maildir:/var/lib/vmail/%%u/mail:INDEX=/var/lib/vmail/%u/mail/shared/%%u
>   prefix = shared/%%u/
>   separator = /
>   subscriptions = no
>   type = shared
> }
>
> namespace inbox {
>   inbox = yes
>   location = maildir:/var/lib/vmail/%u/mail
>   prefix =
>   separator = /
>   type = private
> }
>
> If you want to use kerberos with dovecot (works well with thunderbird on
> domain member workstations) you have to create an spn and a keytab.
>
> samba-tool spn add imap/server.yourdomain.local@YOURDOMAIN.LOCAL ldap
>
> I had trouble with the keytab but this worked so far (use the ldap user's
> password if asked).
>
> cd /etc/dovecot
> ktutil
> addent -password -p imap/server.yourdomain.local@YOURDOMAIN.LOCAL -k 1 -e arcfour-hmac
> wkt dovecot.keytab
>
> If you use dovecot for postfix authentication as well:
>
> samba-tool spn add smtp/server.yourdomain.local@YOURDOMAIN.LOCAL ldap
>
> cd /etc/dovecot
> ktutil
> addent -password -p imap/server.yourdomain.local@YOURDOMAIN.LOCAL -k 1 -e arcfour-hmac
> addent -password -p smtp/server.yourdomain.local@YOURDOMAIN.LOCAL -k 1 -e arcfour-hmac
> wkt dovecot.keytab
>
> The necessary settings in dovecot.conf (10-auth.conf on wheezy) are as
> follows. The only way I got it working was with auth_gssapi_hostname = "$ALL"
> which may be a bit insecure.
>
> auth_mechanisms = plain login gssapi
>
> # Kerberos
> auth_gssapi_hostname = "$ALL"
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
>
> Hope that helps.
>
> achim~
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
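The question in this thread is where the password gets matched against AD. In the quoted passdb config the answer is `auth_bind = yes`: Dovecot expands `auth_bind_userdn` with the login name and performs an LDAP simple bind with the password the client supplied, so the DC itself does the comparison and Dovecot never sees a hash. The script below is an added example, not code from the thread or from Dovecot; it reproduces that bind step with hand-encoded LDAP BER messages so it runs with only the Python standard library, and can be pointed at a DC to check that the DN template and a given account actually bind. The `auth_bind_userdn` template is the one from the quoted config; the host/port, the `%n`/`%d` expansions and the result-code table are assumptions based on Dovecot's variable syntax and the LDAP result codes.

```python
"""Probe the Dovecot `auth_bind = yes` flow against an AD/Samba4 DC.

Constructed example (not from the list post). It expands auth_bind_userdn
with the login name and LDAP simple-binds with the user's password; the
bind result *is* the password check. LDAP messages are encoded by hand
in BER so only the standard library is needed.
"""
import socket

# Template copied from the quoted passdb config; host/port are assumptions.
AUTH_BIND_USERDN = "cn=%u,cn=Users,dc=yourdomain,dc=local"
LDAP_HOST, LDAP_PORT = "localhost", 389

# LDAP result codes relevant to a bind; AD adds the finer reason in the
# diagnostic text (e.g. "data 52e" for a wrong password).
RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}


def expand(template, user):
    """Dovecot-style expansion: %u full login, %n local part, %d domain, %% literal."""
    local, _, domain = user.partition("@")
    subst = {"u": user, "n": local, "d": domain, "%": "%"}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            out.append(subst.get(template[i + 1], "%" + template[i + 1]))
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def ber_tlv(tag, payload):
    """Encode one BER tag-length-value with a definite length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    body = (ber_tlv(0x02, bytes([3]))             # version INTEGER 3
            + ber_tlv(0x04, dn.encode())           # name OCTET STRING
            + ber_tlv(0x80, password.encode()))    # authentication: simple [0]
    # message_id < 128 keeps the INTEGER encoding to a single byte
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ber_tlv(0x60, body))


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def parse_bind_response(buf):
    """Extract (resultCode, diagnosticMessage) from an LDAP BindResponse."""
    _, msg, _ = read_tlv(buf, 0)                   # LDAPMessage SEQUENCE
    _, _, pos = read_tlv(msg, 0)                   # messageID (skipped)
    tag, resp, _ = read_tlv(msg, pos)              # BindResponse [APPLICATION 1]
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(resp, 0)               # resultCode ENUMERATED
    _, _, pos = read_tlv(resp, pos)                # matchedDN (skipped)
    _, diag, _ = read_tlv(resp, pos)               # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")


def auth_bind(user, password, host=LDAP_HOST, port=LDAP_PORT):
    """Do what Dovecot does with auth_bind = yes: bind as the expanded user DN."""
    dn = expand(AUTH_BIND_USERDN, user)
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(bind_request(1, dn, password))
        data = s.recv(4096)
    code, diag = parse_bind_response(data)
    return dn, code, RESULT_NAMES.get(code, str(code)), diag


if __name__ == "__main__":
    import getpass, sys
    login = sys.argv[1] if len(sys.argv) > 1 else "carsten"   # sample login name
    print(auth_bind(login, getpass.getpass("AD password: ")))
```

Because the password travels to the DC in the bind itself, the transport matters: the quoted config uses `hosts = localhost`, which keeps the bind on the DC, while a Dovecot host elsewhere should talk LDAPS or STARTTLS. If `sAMAccountName` rather than `cn` is the login attribute, as Achim notes, the DN template (and `pass_filter`) is what has to change; the bind mechanics stay the same.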