Hi,

I have set up samba4 as AD and am hoping to have dovecot authenticate users against it. I am facing challenges though and I am unable to figure it out. I could do with a third eye to help me spot what is wrong.

root@adc0:/etc# doveadm auth test -x service=imap odhiambo@newideatest.local
Password:
passdb: odhiambo@newideatest.local auth failed
extra fields:
temp
Warning: auth-client: conn unix:/var/run/dovecot/auth-client: Auth connection closed with 1 pending requests (max 0 secs, pid=10537, EOF)
Fatal: Couldn't connect to auth socket

A test against IMAP gives the following debug information:

Nov 22 14:31:01 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Nov 22 14:31:01 auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/lib20_auth_var_expand_crypt.so
Nov 22 14:31:01 auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_mysql.so
Nov 22 14:31:01 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Nov 22 14:31:01 auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
Nov 22 14:31:01 auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Nov 22 14:31:01 auth: Debug: auth client connected (pid=10979)
Nov 22 14:31:08 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=uPLvabC0RIh/AAAB lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=34884 resp=<hidden>
Nov 22 14:31:08 auth: Debug: ldap(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>): Performing passdb lookup
Nov 22 14:31:08 auth: Debug: ldap(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>): bind search: base=cn=Users,dc=NEWIDEATEST,dc=LOCAL filter=(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=odhiambo@newideatest.local))
Nov 22 14:31:08 auth: Debug: ldap(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>): no fields returned by the server   <====================
Nov 22 14:31:08 auth: Debug: ldap(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>): Finished passdb lookup
Nov 22 14:31:08 auth: Debug: auth(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>): Auth request finished
Nov 22 14:31:10 auth: Debug: client passdb out: FAIL 1 user=odhiambo@newideatest.local

info.log:

Nov 22 14:31:08 auth: Info: ldap(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>): unknown user (given password: XXXXXXX)
Nov 22 14:31:15 imap-login: Info: Aborted login (auth failed, 1 attempts in 7 secs): user=<odhiambo@newideatest.local>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<uPLvabC0RIh/AAAB>

Here is my doveconf -n:

https://paste.ubuntu.com/p/SPmrxZxHPx/

My dovecot-ldap.conf.ext:

uris = ldap://localhost/
dn = "dovecot@newideatest.local"
dnpass = "XXXXXXXX"
sasl_bind = no
tls = no
ldap_version = 3
deref = never
scope = subtree
base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
auth_bind = yes
user_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(mail=%u)(sAMAccountName=%u)(otherMailbox=%u)))
user_attrs = sAMAccountName=user,userPassword=password,=mail=maildir:/home/%n/Maildir/
pass_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=%u))
pass_attrs = sAMAccountName=user,userPassword=password

The user exists in the database:

root@adc0:/var/log/dovecot# samba-tool user show odhiambo
ldb_wrap open of secrets.ldb
dn: CN=Odhiambo Washington,CN=Users,DC=newideatest,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Odhiambo Washington
sn: Washington
givenName: Odhiambo
instanceType: 4
whenCreated: 20201120101420.0Z
displayName: Odhiambo Washington
uSNCreated: 4086
name: Odhiambo Washington
objectGUID: e6969596-8b28-41af-b5d8-cea63cc97f98
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-701866827-3355127779-3787685610-1106
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: odhiambo
sAMAccountType: 805306368
userPrincipalName: odhiambo@newideatest.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=newideatest,DC=local
mail: odhiambo@newideatest.local
loginShell: /bin/bash
userAccountControl: 512
pwdLastSet: 132505181852397220
whenChanged: 20201122112945.0Z
uSNChanged: 4104
distinguishedName: CN=Odhiambo Washington,CN=Users,DC=newideatest,DC=local

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
Odhiambo Washington
2020-Nov-24 11:20 UTC
Dovecot+Samba AD - authentication failure - SOLVED
On Sun, 22 Nov 2020 at 15:08, Odhiambo Washington <odhiambo@gmail.com> wrote:

> Hi,
>
> I have set up samba4 as AD and am hoping to have dovecot authenticate users
> against it. I am facing challenges though and I am unable to figure it out.
> I could do with a third eye to help me spot what is wrong.
>
> [...]
>
> My dovecot-ldap.conf.ext:
>
> uris = ldap://localhost/
> dn = "dovecot@newideatest.local"
> dnpass = "XXXXXXXX"
> sasl_bind = no
> tls = no
> ldap_version = 3
> deref = never
> scope = subtree
> base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
> auth_bind = yes
> user_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(mail=%u)(sAMAccountName=%u)(otherMailbox=%u)))
> user_attrs = sAMAccountName=user,userPassword=password,=mail=maildir:/home/%n/Maildir/
> pass_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=%u))
> pass_attrs = sAMAccountName=user,userPassword=password
>
> The user exists in the database:
>
> [...]

For the record, this is what I finally came up with that worked - dovecot-ldap.conf.ext:

##### BEGIN
uris = ldap://localhost/
dn = "dovecot@newideatest.local"
dnpass = "verystupid"
sasl_bind = no
tls = no
ldap_version = 3
deref = never
scope = subtree
base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
auth_bind = yes

#user_filter = (mail=%u)
#pass_filter = (mail=%u)
#pass_attrs = mail=%u,= userPassword=password

user_filter = (&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter = (&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs = userPassword=password

user_attrs = =home=/var/spool/virtual/%Ld/%Ln/Maildir/,=mail=maildir:/var/spool/virtual/%Ld/%Ln/Maildir/

default_pass_scheme = CRYPT
##### END

Also to add:
1. If you use the commented out filters, the authentication is very fast
2. If you use the uncommented ones, it's a bit slow.

Choose your poison, as YMMV.

Adios.

-- 
Best regards,
Odhiambo WASHINGTON
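The debug log in the first post shows why the original config failed: the login name was `odhiambo@newideatest.local`, so `(sAMAccountName=%u)` expanded to the full address, while the directory entry carries `sAMAccountName: odhiambo` (the address is in `mail` and `userPrincipalName`). The working config filters on `(mail=%u)` instead. The Python script below is an added illustration of that lookup, not code from this thread or from Dovecot: it implements Dovecot-style `%u`/`%n`/`%d`/`%L...` expansion, RFC 4515 escaping of the substituted value, and a minimal evaluator for the filter subset used here (and/or/not, equality, and AD's `1.2.840.113556.1.4.803` bit-AND rule on `userAccountControl`), then runs both `pass_filter` variants against an entry constructed from the `samba-tool user show` output. The escaping step goes beyond the thread: it shows why the value a client types into the login must never be pasted into a filter unescaped.

```python
import re

# Constructed entry mirroring the `samba-tool user show odhiambo` output in the thread
# (only the attributes the filters touch are reproduced).
USER_RECORD = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": ["odhiambo"],
    "userPrincipalName": ["odhiambo@newideatest.local"],
    "mail": ["odhiambo@newideatest.local"],
    "userAccountControl": ["512"],  # 512 = NORMAL_ACCOUNT; bit 2 set would mean ACCOUNTDISABLE
}

# pass_filter from the first post, and the one from the working config.
ORIGINAL_PASS_FILTER = ("(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
                        "(sAMAccountName=%u))")
FIXED_PASS_FILTER = ("(&(mail=%u)(objectClass=person)"
                     "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

BIT_AND_RULE = ":1.2.840.113556.1.4.803:"  # AD's LDAP_MATCHING_RULE_BIT_AND


def ldap_escape(value):
    """RFC 4515 escaping of a value substituted into a filter: the characters that
    could change the filter's structure (or act as wildcards) become \\xx hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def ldap_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def expand(template, login, escape=True):
    """Expand the dovecot variables used in this thread: %u (login as typed),
    %n (part before '@'), %d (domain) and the lower-casing %Lu/%Ln/%Ld forms.
    escape=True is for filters; paths such as user_attrs are expanded unescaped."""
    name, _, domain = login.partition("@")
    values = {"u": login, "n": name, "d": domain}

    def repl(m):
        v = values[m.group(2)]
        if m.group(1):  # %Lx -> lower-cased
            v = v.lower()
        return ldap_escape(v) if escape else v

    return re.sub(r"%(L?)([und])", repl, template)


def parse_filter(s, i=0):
    """Recursive-descent parser for the filter subset used here: (&...), (|...), (!...)
    and (attr=value) / (attr:rule:=value). Returns (node, index_after_node)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, kids), i + 1
    j = s.index(")", i)  # an escaped ')' inside a value is \29, so this is safe
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, value), j + 1


def lookup(entry, attr):
    """LDAP attribute names are case-insensitive."""
    for k, v in entry.items():
        if k.lower() == attr.lower():
            return v
    return []


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    attr, value = node[1], node[2]
    if attr.endswith(BIT_AND_RULE):  # e.g. (userAccountControl:1.2.840.113556.1.4.803:=2)
        mask = int(value)
        return any(int(v) & mask == mask for v in lookup(entry, attr[: -len(BIT_AND_RULE)]))
    wanted = ldap_unescape(value).lower()  # mail / sAMAccountName compare case-insensitively
    return any(v.lower() == wanted for v in lookup(entry, attr))


def passdb_lookup(filter_template, login, entries):
    """The search the ldap passdb runs before binding: expand the filter, then match."""
    node, _ = parse_filter(expand(filter_template, login))
    return [e for e in entries if matches(node, e)]


if __name__ == "__main__":
    login = "odhiambo@newideatest.local"
    print("original:", expand(ORIGINAL_PASS_FILTER, login))
    print("  entries found:", len(passdb_lookup(ORIGINAL_PASS_FILTER, login, [USER_RECORD])))
    print("fixed:   ", expand(FIXED_PASS_FILTER, login))
    print("  entries found:", len(passdb_lookup(FIXED_PASS_FILTER, login, [USER_RECORD])))
    print("maildir: ", expand("/var/spool/virtual/%Ld/%Ln/Maildir/", login, escape=False))
```

Running it reproduces the thread's "no fields returned by the server" outcome for the original filter with the full address as login (the same filter does find the entry when the login is the bare `odhiambo`), and a single hit for the `(mail=%u)` filter. A copy of the entry with `userAccountControl` 514 (bit 2 set) is excluded by the `!(...:=2)` clause either way, which is what that clause is for.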
> On 24/11/2020 13:20 Odhiambo Washington <odhiambo@gmail.com> wrote:
>
> > On Sun, 22 Nov 2020 at 15:08, Odhiambo Washington <odhiambo@gmail.com> wrote:
> > Hi,
> >
> > I have set up samba4 as AD and am hoping to have dovecot authenticate users against it. I am facing challenges though and I am unable to figure it out.
> > I could do with a third eye to help me spot what is wrong.
> >
> > root@adc0:/etc# doveadm auth test -x service=imap odhiambo@newideatest.local
> > Password:
> > passdb: odhiambo@newideatest.local auth failed
> > extra fields:
> >
> > [...]
> >
> > My dovecot-ldap.conf.ext:
> >
> > uris = ldap://localhost/
> > dn = "dovecot@newideatest.local"
> > dnpass = "XXXXXXXX"
> > sasl_bind = no
> > tls = no
> > ldap_version = 3
> > deref = never
> > scope = subtree
> > base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
> > auth_bind = yes
> > user_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(mail=%u)(sAMAccountName=%u)(otherMailbox=%u)))
> > user_attrs = sAMAccountName=user,userPassword=password,=mail=maildir:/home/%n/Maildir/
> > pass_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=%u))
> > pass_attrs = sAMAccountName=user,userPassword=password
> >
> > The user exists in the database:
> >
> > [...]
>
> For the record, this is what I finally came up with that worked - dovecot-ldap.conf.ext:
>
> ##### BEGIN
> uris = ldap://localhost/
> dn = "dovecot@newideatest.local"
> dnpass = "verystupid"
> sasl_bind = no
> tls = no
> ldap_version = 3
> deref = never
> scope = subtree
> base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
> auth_bind = yes

You probably would want to set this to 'no', it causes dovecot to rebind after authentication. This is not required when you can return the password from LDAP; it is only required when you have to first do a lookup and then authenticate as the user to verify the password.

> #user_filter = (mail=%u)
> #pass_filter = (mail=%u)
> #pass_attrs = mail=%u,= userPassword=password
>
> user_filter = (&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
> pass_filter = (&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
> pass_attrs = userPassword=password
>
> user_attrs = =home=/var/spool/virtual/%Ld/%Ln/Maildir/,=mail=maildir:/var/spool/virtual/%Ld/%Ln/Maildir/
>
> default_pass_scheme = CRYPT
> ##### END
>
> Also to add:
> 1. If you use the commented out filters, the authentication is very fast
> 2. If you use the uncommented ones, it's a bit slow.
>
> Choose your poison, as YMMV.
>
> Adios.
>
> --
> Best regards,
> Odhiambo WASHINGTON,

Regards,
Aki