iPhone no longer authenticating


iPhone no longer authenticating

Mark Foley-2
I've switched a user to being an active directory user. That user's email client authorizes
just fine with dovecot using GSSAPI. However, now his iPhone won't authorize. In the dovecot
log file I get:

Dec 01 14:27:28 auth: Debug: client in: AUTH    1       PLAIN   service=imap    secured session=q4n3W0xfggBiZj9s        lip=98.102.63.107 rip=98.102.63.108       lport=993       rport=49538     resp=AG1wcmVzcwBEaW5va3JvbndhbGw0NQ== (previous base64 data may contain sensitive data)
Dec 01 14:27:32 auth-worker(5988): Debug: shadow(mpress,98.102.xx.yyy): lookup
Dec 01 14:27:32 auth-worker(5988): Info: shadow(mpress,98.102.xx.yyy): unknown user (given password: *******)
Dec 01 14:27:34 auth: Debug: client passdb out: FAIL    1       user=mpress
Dec 01 14:27:34 imap-login: Info: Aborted login (auth failed, 1 attempts in 6 secs): user=<mpress>, method=PLAIN, rip=98.102.xx.yyy, lip=98.102.63.107, TLS, session=<q4n3W0xfggBiZj9s>
Dec 01 14:27:34 imap-login: Debug: SSL alert: close notify [98.102.xx.yyy]

This same user will authenticate OK from his local domain workstation:

Dec 01 14:28:52 auth: Debug: master userdb out: USER    1948516353      mpress  system_groups_user=HPRS\mpress  uid=10005gid=10000        home=/home/HPRS/mpress  auth_token=ce3050035718ed0996af698400c4de1be453ec06     auth_user=[hidden email]
Dec 01 14:28:52 imap-login: Info: Login: user=<mpress>, method=GSSAPI, rip=192.168.0.54, lip=192.168.0.2, mpid=9755, TLS, session=<6MT1YExftwDAqAA2>

I'm pretty sure the reason has to do with Active Directory authentication locally, but of course
his iPhone is not a member of the domain, and he is no longer in /etc/passwd/shadow.

So, what is the best way to get the iPhone to authenticate?

Here's my current config:

> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.88 x86_64 Slackware 14.2
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
  driver = passwd
}
verbose_ssl = yes


Thanks, --Mark
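What the iPhone actually sends, as an added example that is not part of the original post: a parser for the `client in: AUTH ... PLAIN` debug line shown above. PLAIN carries a base64 SASL message of authorization id, username and password, which Dovecot must verify against a passdb (here shadow, which no longer knows the user), whereas GSSAPI presents a Kerberos ticket and needs no stored password at all. The same decoder shows why `auth_debug_passwords = yes` should not stay on in production: the `resp=` value in the log decodes straight to the user's password, so the redaction helper strips it before such a line is shipped to a collector or pasted into a list post. The sample line, session id, addresses and credentials below are constructed; nothing is decoded from the post's own log.

```python
"""Parse and redact Dovecot 'client in: AUTH ... PLAIN' debug lines.

Added example, not code from the thread.  SAMPLE_LINE is constructed (made-up
session id, addresses and credentials) in the shape of the post's log output.
"""
import base64
import re

SAMPLE_LINE = (
    "Dec 01 14:27:28 auth: Debug: client in: AUTH\t1\tPLAIN\tservice=imap\t"
    "secured\tsession=EXAMPLESESSION0\tlip=192.0.2.10\trip=192.0.2.20\t"
    "lport=993\trport=49538\tresp="
    + base64.b64encode(b"\0alice\0example-password").decode("ascii")
    + " (previous base64 data may contain sensitive data)"
)

# "AUTH <id> <mechanism> <key=value or flag ...>", tab- or space-separated.
AUTH_RE = re.compile(r"client in: AUTH\s+(?P<id>\d+)\s+(?P<mech>\S+)\s+(?P<rest>.*)$")


def parse_auth_line(line):
    """Return (mechanism, params) for a 'client in: AUTH' line, or None for other lines."""
    m = AUTH_RE.search(line)
    if m is None:
        return None
    params = {}
    for token in m.group("rest").split():
        if token.startswith("("):        # Dovecot's trailing "(previous base64 ...)" warning
            break
        key, sep, value = token.partition("=")
        params[key] = value if sep else True   # bare flags such as "secured"
    return m.group("mech"), params


def decode_plain(resp_b64):
    """Decode a SASL PLAIN initial response (RFC 4616): [authzid] NUL authcid NUL passwd.

    Returns (authzid, authcid, password_present); the password is deliberately not returned.
    """
    parts = base64.b64decode(resp_b64, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("not a SASL PLAIN message")
    authzid, authcid, passwd = (p.decode("utf-8", "replace") for p in parts)
    return authzid, authcid, len(passwd) > 0


def redact_line(line):
    """Blank the resp= payload so the line can leave the box (log shipping, list posts)."""
    return re.sub(r"resp=\S+", "resp=<redacted>", line)
```

`decode_plain` returns only whether a password was present, never the password itself; a log-scrubbing hook should call `redact_line` on every `client in: AUTH` line and leave `auth_debug_passwords` off once the login problem is diagnosed.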

Howto authenticate smartPhone via Active Directory

Mark Foley-2
I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials
using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via
shadow first and, failing that, it does authenticate via GSSAPI.

Smartphones connect to Dovecot via port 143 and SSL.  They are not domain members so if the
shadow authentication fails, no other methods are tried and no connection is made.

What can I do with my dovecot config to fix this?

> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.88 x86_64 Slackware 14.2
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
  driver = passwd
}
verbose_ssl = yes

Thanks, Mark

Re: Howto authenticate smartPhone via Active Directory

Aki Tuomi-2
Actually you are authenticating gssapi clients from ad and everyone else from shadow. maybe you need to configure pam module?
---Aki Tuomi
Dovecot oy

-------- Original message --------
From: Mark Foley <[hidden email]>
Date: 03/12/2017  06:03  (GMT+02:00)
To: [hidden email]
Subject: Howto authenticate smartPhone via Active Directory

Re: Howto authenticate smartPhone via Active Directory

Mark Foley-2
In reply to this post by Mark Foley-2
Yes, you are right. This link: https://www.redips.net/linux/android-email-postfix-auth/#section2
shows:

passdb pam {
}

used for authenticating Android.  Problem #1 is that Slackware does not ship with PAM and the
AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I
should try configuring PAM on the AD/DC.

Is there some other way I can get authentication using domain credentials besides pam? The phone
can send user and password.

--Mark

-----Original Message-----

> Date: Sun, 03 Dec 2017 15:22:56 +0200
> Subject: Re: Howto authenticate smartPhone via Active Directory
> From: Aki Tuomi <[hidden email]>
> To: Mark Foley <[hidden email]>, [hidden email]

Re: Howto authenticate smartPhone via Active Directory

Aki Tuomi-2
In reply to this post by Mark Foley-2
with passdb ldap i guess.
---Aki Tuomi
Dovecot oy

-------- Original message --------
From: Mark Foley <[hidden email]>
Date: 03/12/2017  21:18  (GMT+02:00)
To: [hidden email]
Subject: Re: Howto authenticate smartPhone via Active Directory

Re: Howto authenticate smartPhone via Active Directory

Mark Foley-2
Unfortunately, I tried for weeks to figure out passdb ldap without success. I guess I'm just
not knowledgeable enough about how to use ldap and Active Directory. The dovecot wiki
https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it says is:

Active Directory

When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are
available in port 3268. Use whatever works. http://technet.microsoft.com/en-us/library/cc978012.aspx

I have not been able to find an example of someone using Dovecot and ldap with AD.

However, I have had some success with CheckPassword
(https://wiki2.dovecot.org/AuthDatabase/CheckPassword).  Using a program I wrote to do
ntlm_auth, I am able to authenticate the smartPhone user and pass the required parameters back
to Dovecot.  My auth-checkpasswd.conf.ext is the as-shipped standard except pointing to my
checkpassword executable.

passdb {
  driver = checkpassword
  args = /user/util/bin/checkpassword
}
userdb {
  driver = prefetch
}

The one issue I have with this at the moment is that dovecot runs checkpassword for every user,
smartphone or otherwise:

Dec 03 18:56:32 auth-worker(14903): Info: shadow(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): unknown user  - trying the next passdb
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Received input:
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): exit_status=1
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Credentials:
Dec 03 18:56:32 auth: Debug: client passdb out: OK      1       user=charmaine  original_user=[hidden email]
Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001      14902   1       586863e54c57c999ee5731906a59257c        session_pid=14907 request_auth_token
Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): lookup
Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): username changed charmaine -> HPRS\charmaine
Dec 03 18:56:32 auth: Debug: master userdb out: USER    1884160001      HPRS\charmaine  system_groups_user=HPRS\charmaineuid=10003        gid=10000       home=/home/HPRS/charmaine       auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7     auth_user=[hidden email]
Dec 03 18:56:32 imap-login: Info: Login: user=<charmaine>, method=GSSAPI, rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=<oy/YWXhfAtXAqAA0>
Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913)

Notice after the "shadow" auth fails it says, "unknown user - trying the next passdb", which is
checkpassword (which apparently succeeds), then it goes on to gssapi which also succeeds.  Is
there a way to only have it do checkpassword if all shadow and gssapi fail? My mechanisms are:

auth_mechanisms = plain login gssapi

THX, --Mark

--Mark

-----Original Message-----
Date: Sun, 03 Dec 2017 22:28:53 +0200
Subject: Re: Howto authenticate smartPhone via Active Directory
From: Aki Tuomi <[hidden email]>
To: Mark Foley <[hidden email]>, [hidden email]

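The contract a checkpassword program has to honour, written here as an added example rather than Mark's ntlm_auth program: Dovecot runs `checkpassword <reply-binary>`, writes the username and password NUL-separated on file descriptor 3, and expects exit status 1 for bad credentials or an unknown user, 2 for misuse and 111 for a temporary failure; on success the program execs the reply binary with the user's fields in its environment. The in-memory `CONSTRUCTED_USERS` table stands in for the domain so the decision logic runs offline, and `ntlm_auth_checker` shows the winbind-backed variant (assumed: a Samba domain member with a working `ntlm_auth`, and that its squid basic helper mode URL-unescapes both fields). The reply environment field names follow the CheckPassword wiki page linked in the post; verify them against your Dovecot version.

```python
"""A Dovecot checkpassword handler (added example; not Mark's program).

Dovecot runs `checkpassword <reply-binary>` and writes "user NUL password NUL ..."
on file descriptor 3.  Exit 1 = bad credentials / unknown user, 2 = misuse,
111 = temporary error; on success exec the reply binary with userdb fields in
the environment.  CONSTRUCTED_USERS stands in for the domain so the logic runs
offline; ntlm_auth_checker() is the winbind-backed variant (assumed: a Samba
domain member with a working ntlm_auth).
"""
import hmac
import os
import subprocess
import sys
from urllib.parse import quote

EXIT_OK, EXIT_AUTH_FAILED, EXIT_MISUSE, EXIT_TEMPFAIL = 0, 1, 2, 111

# Constructed placeholders: user -> (password, uid, gid, home).
CONSTRUCTED_USERS = {
    "alice": ("correct horse battery staple", 10005, 10000, "/home/EXAMPLE/alice"),
}


def parse_checkpassword_input(data):
    """Split the fd-3 payload into (user, password); raise ValueError if malformed."""
    parts = data.split(b"\0")
    if len(parts) < 2 or not parts[0]:
        raise ValueError("malformed checkpassword input")
    return parts[0].decode("utf-8"), parts[1].decode("utf-8")


def table_checker(user, password):
    """Constructed verifier: constant-time compare against the in-memory table."""
    entry = CONSTRUCTED_USERS.get(user)
    if entry is None:
        return False
    return hmac.compare_digest(entry[0].encode("utf-8"), password.encode("utf-8"))


def ntlm_auth_checker(domain):
    """Return a verifier that asks winbind through ntlm_auth's squid basic helper mode.

    The helper reads "user password" on stdin (keeping the password out of argv and
    `ps`) and answers OK or ERR; both fields are URL-escaped as the helper expects
    (assumption: verify against your ntlm_auth version).
    """
    def check(user, password):
        proc = subprocess.run(
            ["ntlm_auth", "--helper-protocol=squid-2.5-basic", "--domain=" + domain],
            input=f"{quote(user, safe='')} {quote(password, safe='')}\n",
            capture_output=True, text=True, check=False,
        )
        return proc.returncode == 0 and proc.stdout.startswith("OK")
    return check


def lookup_user(user):
    """Userdb fields for the reply binary; on a domain member use pwd.getpwnam() instead."""
    entry = CONSTRUCTED_USERS.get(user)
    if entry is None:
        return None
    _, uid, gid, home = entry
    return {"USER": user, "HOME": home, "userdb_uid": str(uid), "userdb_gid": str(gid),
            "EXTRA": "userdb_uid userdb_gid"}


def decide(user, password, checker, lookup, credentials_lookup=False):
    """Map one request onto (exit_code, reply_env)."""
    if credentials_lookup:
        # Dovecot wants a stored credential (CREDENTIALS_LOOKUP=1); a verifier cannot
        # supply one, so report failure instead of faking a match.
        return EXIT_AUTH_FAILED, {}
    if not checker(user, password):
        return EXIT_AUTH_FAILED, {}
    env = lookup(user)
    if env is None:
        # Password accepted but no userdb data: a temporary error, never a silent success.
        return EXIT_TEMPFAIL, {}
    return EXIT_OK, env


def main():
    if len(sys.argv) != 2:
        sys.exit(EXIT_MISUSE)
    try:
        with os.fdopen(3, "rb") as fd3:
            user, password = parse_checkpassword_input(fd3.read(512))
    except (OSError, ValueError, UnicodeDecodeError):
        sys.exit(EXIT_MISUSE)
    code, env = decide(user, password, table_checker, lookup_user,
                       credentials_lookup=os.environ.get("CREDENTIALS_LOOKUP") == "1")
    if code != EXIT_OK:
        sys.exit(code)
    os.execve(sys.argv[1], [sys.argv[1]], {**os.environ, **env})


if __name__ == "__main__":
    main()
```

Two design points matter for a passdb that sits in a chain the way the log above shows: a failed lookup must map to exit 1 (so Dovecot logs a clean failure and moves on) rather than 0 with empty fields, and a credentials lookup must be refused explicitly, since a verifier that cannot produce a stored hash has nothing truthful to return.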


Re: Howto authenticate smartPhone via Active Directory

Aki Tuomi-2
You might get better results with
https://wiki.dovecot.org/HowTo/ActiveDirectoryNtlm

It seems you'd have to configure OpenLDAP backend for Samba to have LDAP.

Aki


On 04.12.2017 02:38, Mark Foley wrote:



Re: Howto authenticate smartPhone via Active Directory

mj
In reply to this post by Mark Foley-2
Hi Mark,

Just to let you know that we are running dovecot with AD. (and I guess:
*many* people are running that combination)

It worked without issues, we are using in dovecot-ldap.conf.ext:

auth_bind = yes

this user/passwd filter:
= (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))

dn = cn=search_dovecit,cn=users,dc=company,dc=com
dnpass = top_secret

And not the 3268 port, but regular 389.

Hope that helps.

MJ



On 12/04/2017 01:38 AM, Mark Foley wrote:

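The `userAccountControl=514` clause in mj's filter, as an added example that is not part of the thread: `userAccountControl` is a bit field, and 514 is NORMAL_ACCOUNT (512) plus ACCOUNTDISABLE (2), so an equality test excludes only accounts whose whole flag word is exactly 514. A disabled account that also has DONT_EXPIRE_PASSWORD set carries 66050 and passes the equality filter. Active Directory's bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) tests the single ACCOUNTDISABLE bit instead. The model below evaluates both filter styles over constructed directory entries; the flag values are Microsoft's documented constants.

```python
"""userAccountControl semantics behind `(!(userAccountControl=514))`.

Added example, not from the thread.  The directory entries are constructed.
"""
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
DONT_EXPIRE_PASSWORD = 0x10000
PASSWORD_EXPIRED = 0x800000
UAC_FLAGS = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    PASSWORD_EXPIRED: "PASSWORD_EXPIRED",
}
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed entries: one enabled user, one disabled (exactly 514), one disabled
# with a non-expiring password (66050), one enabled with a non-expiring password,
# and a computer object that the objectclass clause must drop.
CONSTRUCTED_ENTRIES = [
    {"sAMAccountName": "alice", "objectclass": "person",
     "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "bob", "objectclass": "person",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    {"sAMAccountName": "carol", "objectclass": "person",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD},
    {"sAMAccountName": "dave", "objectclass": "person",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD},
    {"sAMAccountName": "ws01$", "objectclass": "computer",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
]


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def pass_filter(style):
    """The Dovecot pass_filter/user_filter string for each style ('equality' is mj's)."""
    base = "(&(objectclass=person)(sAMAccountName=%n)"
    if style == "equality":
        return base + "(!(userAccountControl=514)))"
    if style == "bitwise":
        return base + "(!(userAccountControl:%s:=%d)))" % (LDAP_MATCHING_RULE_BIT_AND, ACCOUNTDISABLE)
    raise ValueError("unknown filter style: %r" % style)


def _disabled_clause(style, uac):
    """True when the negated clause of the chosen style catches this flag word."""
    if style == "equality":
        return uac == 514
    return bool(uac & ACCOUNTDISABLE)


def matching_accounts(style, entries=CONSTRUCTED_ENTRIES):
    """Account names the filter lets through: persons not caught by the disabled clause."""
    return sorted(e["sAMAccountName"] for e in entries
                  if e["objectclass"] == "person"
                  and not _disabled_clause(style, e["userAccountControl"]))
```

With `auth_bind = yes` the domain controller itself refuses a simple bind for a disabled account, so this clause mostly governs userdb lookups (and keeps Dovecot from treating a disabled mailbox as a valid delivery target); the bitwise form is the one that actually expresses "not disabled".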

Re: Howto authenticate smartPhone via Active Directory

mj
In reply to this post by Aki Tuomi-2


On 12/04/2017 09:01 AM, Aki Tuomi wrote:
> It seems you'd have to configure OpenLDAP backend for Samba to have LDAP.

No. As far as I know, samba in AD mode always does ldap. (AD *is* just
that: microsoft-ized ldap)

And you should configure dovecot simply as a regular ldap client. That's
what we do, anyway.

MJ

Re: Howto authenticate smartPhone via Active Directory

Mark Foley-2
In reply to this post by mj
mj - thanks! That's the first useful example I've received from any forum/list. I'm getting ready
to try my config (have to do so after hours), but I have some probably simple-minded questions:

Your example is not the complete dovecot-ldap.conf.ext file, right? Have you just given me
differences in your config from the "original"? You've kept the hosts, base, ldap_version,
scope, deref, debug_level, and auth_bind_userdn settings in your config, right?

Your dn is:

dn = cn=search_dovecit,cn=users,dc=company,dc=com

Mine (original) is:

dn = cn=user_for_bind,cn=Users,dc=dom

Can you tell me why you have "search_dovecit" versus "user_for_bind"? Is that something I need
in order to make this work?

Is your "dc=company,dc=com" meta-syntax and you use your actual domain CNs here, or is that
literally what you have there?

My dnpass (original) is:

dnpass = ************

your example is:

dnpass = top_secret

Again, are the assigned values meta-syntax (meta-syntax in configs is not obvious to me unless
it is bold, underlined, italicized and colored ... or uses brackets or some other convention)?
If meta, what is actually supposed to go there?

With your "this user/passwd filter". Can you tell me why you have "userAccountControl=514"? Is
that 514 bit documented somewhere? Your user_filter/pass_filter is *completely* different from
my installed original.

You don't mention the user_attrs/pass_attrs settings. Is this because you use the originals or
because you have commented them out? My current settings are:

user_attrs      = quotaFieldAD=quota_rule=*:storage=%$MB
pass_attrs      = userPassword=password

My auth_mechanisms are:

auth_mechanisms = plain login gssapi

Is this sufficient for ldap?

Thanks for your help --Mark

btw - I have been running Dovecot with AD for years, but for local Domain users authenticating
via GSSAPI.  Remote users (e.g. smartPhones) don't have that mechanism that I'm aware of.
Currently they are authenticated via shadow, but I'd like to remove AD users from /etc/passwd.

On Mon, 4 Dec 2017 09:04:57 +0100 mj <[hidden email]> wrote

>
> Hi Mark,
>
> Just to let you know that we are running dovecot with AD. (and I guess:
> *many* people are running that combination)
>
> It worked without issues, we are using in dovecot-ldap.conf.ext:
>
>  > auth_bind = yes
>
> this user/passwd filter:
> > = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
>
>  > dn = cn=search_dovecit,cn=users,dc=company,dc=com
>  > dnpass = top_secret
>
> And not the 3268 port, but regular 389.
>
> Hope that helps.
>
> MJ
>
>
>
> On 12/04/2017 01:38 AM, Mark Foley wrote:
> > Unfortunately, I tried for weeks to figure out passdb ldap without success. I guess I'm just
> > not knowledgeable enough about how to use ldap and Active Directory. The dovecot wiki
> > https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it says is:
> >
> > Active Directory
> >
> > When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are
> > available in port 3268. Use whatever works. http://technet.microsoft.com/en-us/library/cc978012.aspx
> >
> > I have not been able to find an example of someone using Dovecot and ldap with AD.
> >
> > However, I have had some success with CheckPassword
> > (https://wiki2.dovecot.org/AuthDatabase/CheckPassword).  Using a program I wrote to do
> > ntlm_auth, I am able to authenticate the smartPhone user and pass the required parameters back
> > to Dovecot.  My auth-checkpasswd.conf.ext is the as-shipped standard except pointing to my
> > checkpassword executable.
> >
> > passdb {
> >  driver = checkpassword
> >    args = /user/util/bin/checkpassword
> > }
> > userdb {
> >  driver = prefetch
> > }
> >
> > The one issue I have with this at the moment is that dovecot runs checkpassword for every user,
> > smartphone or otherwise:
> >
> > Dec 03 18:56:32 auth-worker(14903): Info: shadow(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): unknown user  - trying the next passdb
> > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
> > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Received input:
> > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): exit_status=1
> > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): Credentials:
> > Dec 03 18:56:32 auth: Debug: client passdb out: OK      1       user=charmaine  original_user=[hidden email]
> > Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001      14902   1       586863e54c57c999ee5731906a59257c        session_pid=14907 request_auth_token
> > Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): lookup
> > Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,<oy/YWXhfAtXAqAA0>): username changed charmaine -> HPRS\charmaine
> > Dec 03 18:56:32 auth: Debug: master userdb out: USER    1884160001      HPRS\charmaine  system_groups_user=HPRS\charmaineuid=10003        gid=10000       home=/home/HPRS/charmaine       auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7     auth_user=[hidden email]
> > Dec 03 18:56:32 imap-login: Info: Login: user=<charmaine>, method=GSSAPI, rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=<oy/YWXhfAtXAqAA0>
> > Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913)
> >
> > Notice after the "shadow" auth fails it says, "unknown user - trying the next passdb", which is
> > checkpassword (which apparently succeeds), then it goes on to gssapi which also succeeds.  Is
> > there a way to only have it do checkpassword if all shadow and gssapi fail? My mechanisms are:
> >
> > auth_mechanisms = plain login gssapi
> >
> > THX, --Mark
> >
> > --Mark
> >
> > -----Original Message-----
> > Date: Sun, 03 Dec 2017 22:28:53 +0200
> > Subject: Re: Howto authenticate smartPhone via Active Directory
> > From: Aki Tuomi <[hidden email]>
> > To: Mark Foley <[hidden email]>, [hidden email]
> >
> > with passdb ldap i guess.
> >
> > ---Aki Tuomi
> > Dovecot oy
> >
> > -------- Original message --------
> > From: Mark Foley <[hidden email]>
> > Date: 03/12/2017  21:18  (GMT+02:00)
> > To: [hidden email]
> > Subject: Re: Howto authenticate smartPhone via Active Directory
> >
> > Yes, you are right. This link: https://www.redips.net/linux/android-email-postfix-auth/#section2
> > shows:
> >
> > passdb pam {
> > }
> >
> > used for authenticating Android.  Problem #1 is that Slackware does not ship with PAM and the
> > AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I
> > should try configuring PAM on the AD/DC.
> >
> > Is there some other way I can get authentication using domain credentials besides pam? The phone
> > can send user and password.
> >
> > --Mark
> >
> > -----Original Message-----
> >> Date: Sun, 03 Dec 2017 15:22:56 +0200
> >> Subject: Re: Howto authenticate smartPhone via Active Directory
> >> From: Aki Tuomi <[hidden email]>
> >> To: Mark Foley <[hidden email]>, [hidden email]
> >>
> >> Actually you are authenticating gssapi clients from ad and everyone else from shadow. Maybe you need to configure a pam module?
> >> ---Aki Tuomi
> >> Dovecot oy
> >>
> >> -------- Original message --------
> >> From: Mark Foley <[hidden email]>
> >> Date: 03/12/2017  06:03  (GMT+02:00)
> >> To: [hidden email]
> >> Subject: Howto authenticate smartPhone via Active Directory
> >
> >> I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials
> >> using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via
> >> shadow first and, failing that, it does authenticate via GSSAPI.
> >>
> >> Smartphones connect to Dovecot via port 143 and SSL.  They are not domain members so if the
> >> shadow authentication fails, no other methods are tried and no connection is made.
> >>
> >> What can I do with my dovecot config to fix this?
> >>
> >>> doveconf -n
> >> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> >> # OS: Linux 4.4.88 x86_64 Slackware 14.2
> >> auth_debug = yes
> >> auth_debug_passwords = yes
> >> auth_gssapi_hostname = $ALL
> >> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> >> auth_mechanisms = plain login gssapi
> >> auth_use_winbind = yes
> >> auth_username_format = %n
> >> auth_verbose = yes
> >> auth_verbose_passwords = plain
> >> disable_plaintext_auth = no
> >> info_log_path = /var/log/dovecot_info
> >> mail_location = maildir:~/Maildir
> >> passdb {
> >>    driver = shadow
> >> }
> >> protocols = imap
> >> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt
> >> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> >> userdb {
> >>    driver = passwd
> >> }
> >> verbose_ssl = yes
> >>
> >> Thanks, Mark
> >
>
mj

Re: Howto authenticate smartPhone via Active Directory

mj
Hi,

Not much time to reply now.

On 12/05/2017 05:21 AM, Mark Foley wrote:
> mj - thanks! That's the first useful example I've received from any forum/list. I'm getting ready
> to try my config (have to do so after hours), but I have some probably simple-minded questions:
Well, that looks as if you are testing/trying out on your production
machine. Why not setup a separate (virtual?) test server to play with..?
Use the same os version, with the same dovecot version.
Or clone your production machine, so you can test as much as you like,
without time pressure, at any given time.

> Your example is not the complete dovecot-ldap.conf.ext file, right? Have you just given me
> differences in your config from the "original"? You've kept the hosts, base, ldap_version,
> scope, deref, debug_level, and auth_bind_userdn settings in your config, right?
Not the complete file, no. I just provided the essentials.

> Your dn is:
>
> dn = cn=search_dovecit,cn=users,dc=company,dc=com
>
> Mine (original) is:
>
> dn = cn=user_for_bind,cn=Users,dc=dom
>
> Can you tell me why you have "search_dovecit" versus "user_for_bind"? Is that something I need
> in order to make this work?
It's the user that dovecot uses to search for your user. It can be
anything, as long as it can authenticate using the password in:

> My dnpass (original) is:
>
> dnpass = ************
>
> your example is:
>
> dnpass = top_secret
Use the password of whatever user you use.

> If meta, what is actually supposed to go there?
The password of user_for_bind

> With your "this user/passwd filter". Can you tell me why you have "userAccountControl=514"? Is
> that 514 bit documented somewhere? Your user_filer/pass_filter is *completely* different from
> my installed original.
https://social.msdn.microsoft.com/Forums/vstudio/en-US/77f48af7-bbef-4cd7-9c83-d9359b255534/ldap-query-get-nonlockeddisabled-accounts?forum=netfxbcl

For the rest: my advice is that you *really* need to play around with
this much more. Get yourself a test environment, and play and test.

Plus: read some dovecot/ad howto's, and try things in your own environment.

Quick google returns:
https://www.howtoforge.com/postfix-dovecot-authentication-against-active-directory-on-centos-5.x

Enjoy :-)

MJ
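To make the 514 question concrete: 514 is NORMAL_ACCOUNT (512) plus ACCOUNTDISABLE (2), so `(!(userAccountControl=514))` only excludes accounts whose flags are exactly that value. The following is an added example, not code from the thread or from Dovecot/Samba; it models the thread's pass_filter against constructed directory entries and contrasts it with AD's bitwise matching rule (OID 1.2.840.113556.1.4.803), which catches a disabled account whatever other flags it carries.

```python
"""Model how the AD filters from this thread select or reject an account.

Added example, not from the list thread or from Dovecot/Samba. The entries
below are constructed; the userAccountControl bit values and the matching-rule
OID are the documented Microsoft values.
"""

ACCOUNTDISABLE = 0x0002        # 2
NORMAL_ACCOUNT = 0x0200        # 512
DONT_EXPIRE_PASSWORD = 0x10000 # 65536

# LDAP_MATCHING_RULE_BIT_AND: extensible match AD uses for bitwise tests
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def exact_514_filter(username):
    """The filter quoted in the thread: excludes only UAC == 514."""
    return f"(&(objectclass=person)(sAMAccountName={username})(!(userAccountControl=514)))"


def bitwise_filter(username):
    """Bitwise variant: excludes any entry with the ACCOUNTDISABLE bit set."""
    return (f"(&(objectclass=person)(sAMAccountName={username})"
            f"(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE})))")


def matches_exact_514(entry, username):
    """Local evaluation of exact_514_filter (no LDAP server involved)."""
    return (entry["objectclass"] == "person"
            and entry["sAMAccountName"] == username
            and entry["userAccountControl"] != NORMAL_ACCOUNT | ACCOUNTDISABLE)


def matches_bitwise(entry, username):
    """Local evaluation of bitwise_filter: any disabled flag combination is rejected."""
    return (entry["objectclass"] == "person"
            and entry["sAMAccountName"] == username
            and not entry["userAccountControl"] & ACCOUNTDISABLE)


# Constructed sample entries: active, disabled, and disabled + password never expires
ENTRIES = [
    {"sAMAccountName": "alice", "objectclass": "person", "userAccountControl": 512},
    {"sAMAccountName": "bob", "objectclass": "person", "userAccountControl": 514},
    {"sAMAccountName": "carol", "objectclass": "person", "userAccountControl": 66050},
]


def allowed_by(matcher, username):
    """True if some entry passes the given filter model for this username."""
    return any(matcher(e, username) for e in ENTRIES)


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, allowed_by(matches_exact_514, name), allowed_by(matches_bitwise, name))
```

Running it shows carol (disabled, but with an extra flag set) still passing the exact-match filter while the bitwise filter rejects her.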

Re: Howto authenticate smartPhone via Active Directory

Mark Foley-2
In reply to this post by Mark Foley-2
On Tue, 5 Dec 2017 16:42:15 +0100 mj <[hidden email]> wrote:

> Hi,
>
> Not much time to reply now.
>
> On 12/05/2017 05:21 AM, Mark Foley wrote:
> > mj - thanks! That's the first useful example I've received from any forum/list. I'm getting ready
> > to try my config (have to do so after hours), but I have some probably simple-minded questions:
>
> Well, that looks as if you are testing/trying out on your production
> machine. Why not setup a separate (virtual?) test server to play with..?
> Use the same os version, with the same dovecot version.
> Or clone your production machine, so you can test as much as you like,
> without time pressure, at any given time.

I've been playing with this ldap authentication for a couple of years off and on. Time isn't a
problem. The issue with setting up a test environment is that I really need the domain
workstations and external smartphone attempting to connect when I make a change so I can follow
what's going on in the Dovecot log and maillog. It's rather simple to test a change, then put
things back. I'll likely not go the test platform route for now, but thanks for the input.

> > Your example is not the complete dovecot-ldap.conf.ext file, right? Have you just given me
> > differences in your config from the "original"? You've kept the hosts, base, ldap_version,
> > scope, deref, debug_level, and auth_bind_userdn settings in your config, right?

> Not the complete file, no. I just provided the essentials.
>
[deleted]

Ok, here's what I've come up with for dovecot-ldap.conf.ext

hosts = mail.hprs.local
base = dc=mail, dc=hprs, dc=local

ldap_version = 3
scope           = subtree
deref           = never

debug_level = -1

auth_bind = yes
auth_bind_userdn = %n@dom
dn = cn=Administrator,cn=users,dc=hprs,dc=local
dnpass = *******

user_filter     = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
pass_filter     = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
I've enabled auth-ldap.conf.ext in 10-auth.conf. My doveconf is listed at bottom.

Unfortunately, this doesn't work. My remote devices are not even showing as trying to connect.
For internal domain LAN users I get:

Dec 06 01:08:10 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 30 secs): user=<>, rip=192.168.0.52, lip=192.168.0.2, session=<3/ZyxaVfE8PAqAA0>

I do see ldap listening on 389, imap[s] (Dovecot) listening on 143 and 993, these last two are
opened externally through the firewall.

> For the rest: my advice is that you *really* need to play around with
> this much more. Get yourself a test environment, and play and test.
>
> Plus: read some dovecot/ad howto's, and try things in your own environment.
>
> Quick google returns:
> https://www.howtoforge.com/postfix-dovecot-authentication-against-active-directory-on-centos-5.x
>

I know my level of sophistication on this must sound like I've glibly posted a question hoping
someone will do the work for me without my having to do any thinking myself, but believe me,
I've been reading and experimenting with this for a very long time.  I've got internal AD
authentication working with GSSAPI and I've got a rather complex checkpassword program able to
do authentication, so I don't think I'm a complete moron, although this project makes me feel
that way. Now, I just want smartphones to authenticate with their owners' domain credentials
and get them out of /etc/passwd.

I believe I've read all the Dovecot wikis on ldap plus things from many other sites.  I've been
to that howtoforge site before.  It mostly deals with setting up Postfix, which I'm not using.
The dovecot bits make more sense in light of your feedback.  I've tried that ldapsearch
example:

ldapsearch -x -h ad.example.com -D 'vmail' -W -b 'cn=users,dc=example,dc=com'

with the domain user I specified in my dovecot-ldap.conf.ext with my host and dc info and I get
the error

ldap_bind: Strong(er) authentication required (8)
        additional info: BindSimple: Transport encryption required.

I've seen confusing postings on this error having to do with port 636 and LDAPS -- no idea what
they're talking about.  My user is the Samba/domain administrator and has a pretty complex
password. None of the sites I've visited on this error indicate it has anything to do with the
actual password's complexity.

Perhaps I'm just thick-skulled with all this.

If you or anyone can see something obviously wrong with my conf, or have any suggestion at all
on a baby step I can take to inch me forward, please let me know.

Thanks, --Mark

doveconf -n:
# 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.88 x86_64 Slackware 14.2
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt
ssl_key =  # hidden, use -P to show it
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
userdb {
  driver = passwd
}
verbose_ssl = yes

mj

Re: Howto authenticate smartPhone via Active Directory

mj
Hi,

> ldap_bind: Strong(er) authentication required (8)
>          additional info: BindSimple: Transport encryption required.
>
If you are using recent (4.7) samba, your problem could be that it
requires ssl ldap by default, unless you configure

ldap server require strong auth = no

in smb.conf.

MJ
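The other way to clear that bind error is to leave Samba's requirement in place and have Dovecot bind over TLS. This is an added example, not from the thread or from either project; the hostname, CA file and service account name are placeholders, and it uses the `uris`/`tls_*` settings that dovecot-ldap.conf.ext supports in 2.2:

```ini
# dovecot-ldap.conf.ext (fragment) - bind over LDAPS so "ldap server require strong auth" can stay enabled
# placeholder hostname: must match the DC certificate's subject/SAN
uris = ldaps://dc.example.internal
# placeholder path: CA that issued the DC certificate
tls_ca_cert_file = /etc/ssl/certs/ad-ca.pem
# refuse the bind if the DC certificate does not verify
tls_require_cert = hard

auth_bind = yes
# dedicated read-only search account (as in MJ's example), not Administrator
dn = cn=search_dovecot,cn=users,dc=example,dc=internal
dnpass = PLACEHOLDER_BIND_PASSWORD

user_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
pass_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
```

With `tls = yes` and a plain `ldap://` URI Dovecot would use StartTLS on 389 instead; either way the bind password no longer crosses the wire in the clear.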

Re: Howto authenticate smartPhone via Active Directory

Steffen Kaiser-2
In reply to this post by Mark Foley-2

On Sat, 2 Dec 2017, Mark Foley wrote:

> I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials
> using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via
                                      ^^^^^^^^^^ ????
> shadow first and, failing that, it does authenticate via GSSAPI.
>
> Smartphones connect to Dovecot via port 143 and SSL.  They are not domain members so if the
> shadow authentication fails, no other methods are tried and no connection is made.
>
> What can I do with my dovecot config to fix this?

If you are asking about how to auth against AD with plain credentials, see
https://wiki2.dovecot.org/AuthDatabase/LDAP

You can add another passdb {} . However, this enables any client to use
plain credentials, incl. Thunderbird.

--
Steffen Kaiser