10 Replies Latest reply: Feb 24, 2012 7:09 PM by Tenn_Surety
Troy Shafer Level 1 Level 1 (85 points)

Had to change the name of the server, it warned me this may break some stuff.

 

I changed it, rebound to AD. Now when trying to login to webmail it fails. However, logging into the server using an AD account works just fine.

 

Am I missing something? I have set AD to trust the Mac server for delegation, first using Kerberos and then for all protocols.

 

Before the name change it was working, because I assume the Mac sets up the trust relationships it needs. Would I be better off just starting over with a reinstall?


Mac mini, Mac OS X (10.7.2)
  • 1. Re: 10.7.3 AD authentication
    Troy Shafer Level 1 Level 1 (85 points)

    I have AD authentication working on the server again. Workgroup Manager opens and by default shows the AD accounts and groups. However, I still cannot authenticate to webmail using an AD account.

     

    So I followed these KB articles from Apple:

     

    http://support.apple.com/kb/HT4776

    This article called for editing db.inc.php and adding:

    require_once(RCMAIL_CONFIG_DIR . '/siteoverrides.inc.php');

     

    then creating a file siteoverrides.inc.php with the following lines:

    $rcmail_config['imap_auth_type'] = 'LOGIN'; // the auth type is a quoted string; a bare LOGIN is an undefined PHP constant

    $rcmail_config['default_host'] = 'tls://%n';

     

    Except db.inc.php already had the line require_once(RCMAIL_CONFIG_DIR .'/apple.siteoverrides.inc.php');

    There were a lot of config settings in apple.siteoverrides.inc.php that I was afraid to lose. So I added the lines to that file and restarted mail. I suppose I could try to create the file they call for and see if it works, but it would seem losing all the config information in it would break something.

     

    I also followed http://support.apple.com/kb/HT4778, except the config file was already set the way the KB article called for.

     

    Any suggestions?

  • 2. Re: 10.7.3 AD authentication
    elifrombrooklyn Level 1 Level 1 (0 points)

    I'm running a Mac mini Lion Server 10.7.3 connected to AD.

     

    I am running into the exact same issues. I went through the same articles and cannot get AD to let me log in to mail. Everything else seems to work fine; I'm just having a problem with mail.

     

    I get this error in the log when I try and login to webmail.

     

    dovecot[17052]: auth: Error: od(username ipaddress): verify plain: user account: username not enabled for mail

     

    Username = Whatever account I try with

    IP address = The server IP address

  • 3. Re: 10.7.3 AD authentication
    Tenn_Surety Level 1 Level 1 (0 points)

    I get that dovecot error only when I try to authenticate an AD user on webmail from outside our firewall via NAT translation. If I try from inside the network to its private IP, AD auth on webmail works great. It also works if I set up an email client, but webmail is a big no.

     

    So you're saying that trying to log in to webmail with an AD account doesn't work at all for you? Inside or outside?

  • 4. Re: 10.7.3 AD authentication
    Tenn_Surety Level 1 Level 1 (0 points)

    Did you kerberize services? Under Server Admin/OD there is an option to do so.

  • 5. Re: 10.7.3 AD authentication
    elifrombrooklyn Level 1 Level 1 (0 points)

    It does not work with any AD accounts, only local accounts.

     

    I'm at the point of just re-doing the whole server.

     

     

    Yes, I kerberized the services and I also ran through those same guides that you posted.

     

    Maybe I'll just take a step back before I chuck it out the window here.

  • 6. Re: 10.7.3 AD authentication
    Tenn_Surety Level 1 Level 1 (0 points)

    In your AD bind advanced options, I pointed mine to the DC.

     

    Also, your AD may require Kerberos for authentication. I would try to kerberize the services.

     

    In your DNS, it should list the IP of your DC, or at least one running the directory DNS, along with 127.0.0.1.

  • 7. Re: 10.7.3 AD authentication
    Tenn_Surety Level 1 Level 1 (0 points)

    Try this (unless you already have) support.apple.com/kb/HT4778

  • 8. Re: 10.7.3 AD authentication
    elifrombrooklyn Level 1 Level 1 (0 points)

    I pretty much have tried everything here.

     

    Maybe I'll set up a 2008 DNS and see if I can connect it to that with any more luck.

  • 9. Re: 10.7.3 AD authentication
    elifrombrooklyn Level 1 Level 1 (0 points)

    OK, so far here is what I have tried:

     

    I did this:

     

    http://support.apple.com/kb/HT4778

     

    But I didn't even need to edit the file; it was already correct.

     

    And I did this:

     

    http://support.apple.com/kb/HT4776

     

    and nothing seems to have changed my situation.

     

    I'm getting this error:

     

    I get this error in the log when I try and login to webmail (with an AD user).

    dovecot[17052]: auth: Error: od(username ipaddress): verify plain: user account: username not enabled for mail

     

    Username = Whatever account I try with (AD Users)

    IP address = The server IP address

     

     

    The error seems to only be with my active directory users. The local users on the machine itself can login to the webmail just fine.

  • 10. Re: 10.7.3 AD authentication
    Tenn_Surety Level 1 Level 1 (0 points)

    Check your dovecot.conf file. We had similar issues; mine was just that it wouldn't work from outside our firewall. I had to change login_trusted_networks to include our entire private IP range and the public IP of the NAT.
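An added diagnostic example, not from this thread or from Apple, that parses the dovecot "od" auth error quoted above and reports which source addresses fall outside a given login_trusted_networks value (the fix Tenn_Surety describes). It assumes the log line format matches the one quoted in the thread; the log lines, addresses and settings below are constructed for illustration.

```python
import ipaddress
import re

# Matches the od passdb failure quoted in this thread, e.g.
#   dovecot[17052]: auth: Error: od(jdoe 10.0.1.5): verify plain: user account: jdoe not enabled for mail
# Assumed format: "od(<user> <ip>)" followed by the "not enabled for mail" text.
OD_AUTH_ERR = re.compile(
    r"dovecot\[\d+\]: auth: Error: od\((?P<user>\S+) (?P<ip>[0-9a-fA-F.:]+)\): "
    r"verify plain: user account: \S+ not enabled for mail"
)


def parse_trusted_networks(setting: str):
    """Parse a dovecot login_trusted_networks value (space-separated IPs or CIDR ranges)."""
    return [ipaddress.ip_network(tok, strict=False) for tok in setting.split()]


def classify(log_lines, login_trusted_networks):
    """Return (user, ip, trusted) for every od auth failure found in the log lines."""
    nets = parse_trusted_networks(login_trusted_networks)
    results = []
    for line in log_lines:
        m = OD_AUTH_ERR.search(line)
        if not m:
            continue  # not the error this thread is about
        addr = ipaddress.ip_address(m.group("ip"))
        results.append((m.group("user"), m.group("ip"), any(addr in n for n in nets)))
    return results


def untrusted_sources(log_lines, login_trusted_networks):
    """Source IPs that produced the error but are not covered by login_trusted_networks."""
    return sorted({ip for _, ip, trusted in classify(log_lines, login_trusted_networks) if not trusted})


# Constructed sample log: one failure via the server's private address, one via the NAT's public IP,
# and one unrelated successful local login that must be ignored.
SAMPLE_LOG = [
    "Feb 24 19:01:02 mail dovecot[17052]: auth: Error: od(jdoe 10.0.1.5): verify plain: user account: jdoe not enabled for mail",
    "Feb 24 19:02:10 mail dovecot[17052]: auth: Error: od(asmith 203.0.113.7): verify plain: user account: asmith not enabled for mail",
    "Feb 24 19:02:11 mail dovecot[17052]: imap-login: Login: user=<local1>, method=PLAIN, rip=127.0.0.1",
]
BEFORE = "127.0.0.1 10.0.1.0/24"              # private range only: NAT public IP is missing
AFTER = "127.0.0.1 10.0.1.0/24 203.0.113.7"   # private range plus the NAT's public IP

if __name__ == "__main__":
    print("untrusted sources with old setting:", untrusted_sources(SAMPLE_LOG, BEFORE))
    print("untrusted sources with new setting:", untrusted_sources(SAMPLE_LOG, AFTER))
```

Run it against your own /var/log mail entries and dovecot.conf value to see which addresses still fall outside the trusted set.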