BINOTTO Luis SIDOR
2013-Apr-02 15:11 UTC
[Dovecot] Active Directory and Dovecot NTLM Authentication problem
Hello everyone,

I have a problem when I use NTLM authentication with Dovecot. The authentication is made only in PLAIN TEXT.

The scenario is:

  Debian Squeeze 6.0.6
  Dovecot 2.1.7
  Samba 3.5.6

Samba is correctly configured into the domain.

The error (extract from syslog):

  Apr 2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: Login for user []\[test2]@[SIRP00000733] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly.]
  Apr 2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: [2013/04/02 09:47:41.832579, 0] utils/ntlm_auth.c:888(manage_squid_ntlmssp_request)
  Apr 2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: NTLMSSP BH: NT_STATUS_ACCESS_DENIED
  Apr 2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: winbind: ntlm_auth exited with exit code 0

Dovecot configuration (dovecot -n):

  # 2.1.7: /etc/dovecot/dovecot.conf
  # OS: Linux 2.6.32-5-686 i686 Debian 6.0.6 ext3
  auth_mechanisms = plain login ntlm
  auth_use_winbind = yes
  disable_plaintext_auth = no
  mail_location = maildir:/mailboxes/Administrativos/%Lu
  namespace inbox {
    inbox = yes
    location =
    mailbox Drafts {
      special_use = \Drafts
    }
    mailbox Junk {
      special_use = \Junk
    }
    mailbox Sent {
      special_use = \Sent
    }
    mailbox "Sent Messages" {
      special_use = \Sent
    }
    mailbox Trash {
      special_use = \Trash
    }
    prefix =
  }
  passdb {
    driver = pam
  }
  protocols = " imap pop3"
  ssl_cert = </etc/dovecot/dovecot.pem
  ssl_key = </etc/dovecot/private/dovecot.pem
  userdb {
    args = uid=16343 gid=16343 home=/mailboxes/Administrativos/%Lu
    driver = static
  }
  protocol imap {
    imap_client_workarounds = delay-newmail
    mail_plugins =
  }
  protocol pop3 {
    mail_plugins =
    pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
    pop3_uidl_format = %08Xu%08Xv
  }

PAM configuration:

/etc/pam.d/dovecot

  auth     sufficient  pam_krb5.so
  account  sufficient  pam_krb5.so

/etc/krb5.conf

  [libdefaults]
      default_realm = SIDOR.NET
      clockskew = 300

  [realms]
      SIDOR.NET = {
          kdc = sirprddc1.sidor.net
          kdc = sirprddc2.sidor.net
          kdc = sirprddc3.sidor.net
          admin_server = sirprddc1.sidor.net
          default_domain = sidor.net
      }

  [domain_realm]
      .sidor.net = SIDOR.NET
      sidor.net = SIDOR.NET

  [login]
      krb4_convert = true
      krb4_get_tickets = false

  [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmin.log

  [appdefaults]
      pam = {
          ticket_lifetime = 1d
          renew_lifetime = 1d
          forwardable = true
          proxiable = false
          retain_after_close = false
          minimum_uid = 0
          try_first_pass = true
      }

/etc/samba/smb.conf

  #======================= Global Settings =======================
  [global]

  ## Browsing/Identification ###
     security = ADS
     workgroup = sidorve
     realm = SIDOR.NET
     winbind use default domain = yes
     server string = %h
     wins support = no
     wins server = 10.50.30.51
     dns proxy = no

  #### Debugging/Accounting ####
     syslog = 0
     panic action = /usr/share/samba/panic-action %d

  ####### Authentication #######
     encrypt passwords = yes

  ############ Misc ############
     domain master = no
     local master = no
     prefered master = no
     winbind separator = \\
     idmap uid = 10000-29000
     idmap gid = 10000-29000
     template shell = /bin/bash
     template homedir = /home/%D/%U
     winbind enum groups = yes
     winbind enum users = yes
     winbind refresh tickets = yes
     auth methods = winbind

The logs:

Syslog

  Apr 2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: [2013/04/02 09:47:41.832426, 0] utils/ntlm_auth.c:598(winbind_pw_check)
  Apr 2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: Login for user []\[test2]@[SIRP00000733] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly.]
  Apr 2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: [2013/04/02 09:47:41.832579, 0] utils/ntlm_auth.c:888(manage_squid_ntlmssp_request)
  Apr 2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: NTLMSSP BH: NT_STATUS_ACCESS_DENIED
  Apr 2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: winbind: ntlm_auth exited with exit code 0
  Apr 2 09:47:42 sirprdsvcmsg02 lrmd: [1598]: debug: rsc:Administr_fs:16: monitor
  Apr 2 09:47:47 sirprdsvcmsg02 dovecot: imap-login: Login: user=<test2>, method=PLAIN, rip=10.50.2.150, lip=10.50.30.90, mpid=23706, session=<n/6DZmHZxAAKMgKW>
  Apr 2 09:47:47 sirprdsvcmsg02 dovecot: auth: Error: [2013/04/02 09:47:47.408887, 0] utils/ntlm_auth.c:598(winbind_pw_check)
  Apr 2 09:47:47 sirprdsvcmsg02 dovecot: auth: Error: Login for user []\[test2]@[SIRP00000733] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly.]
  Apr 2 09:47:47 sirprdsvcmsg02 dovecot: auth: Error: [2013/04/02 09:47:47.409203, 0] utils/ntlm_auth.c:888(manage_squid_ntlmssp_request)
  Apr 2 09:47:47 sirprdsvcmsg02 dovecot: auth: Error: NTLMSSP BH: NT_STATUS_ACCESS_DENIED
  Apr 2 09:47:47 sirprdsvcmsg02 dovecot: auth: Error: winbind: ntlm_auth exited with exit code 0
  Apr 2 09:47:48 sirprdsvcmsg02 postfix/postfix-script[23819]: the Postfix mail system is running: PID: 2390
  Apr 2 09:47:53 sirprdsvcmsg02 dovecot: imap-login: Login: user=<test2>, method=PLAIN, rip=10.50.2.150, lip=10.50.30.90, mpid=23820, session=<iBXZZmHZxQAKMgKW>

Auth.log

  Apr 2 09:52:35 sirprdsvcmsg02 auth: pam_krb5(dovecot:auth): user test2 authenticated as test2 at SIDOR.NET

I hope someone could help me.

Thanks in advance,
Best Regards,
Luis
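An added worked example for the error above (this is not code from Luis's message, from Dovecot or from Samba). winbindd answers NTLM challenge/response ("auth_crap") requests only on the socket inside its privileged directory, which Samba creates with mode 0750, owned by root and a dedicated group; ntlm_auth is spawned by Dovecot's auth process, so that process's user has to be able to traverse the directory or ntlm_auth reports exactly the "not authorized to use winbindd_pam_auth_crap" error seen in the post, while the successful logins that follow are all method=PLAIN through pam_krb5. The script below (a) summarises a syslog extract so the NTLM denials and PLAIN logins can be counted side by side, and (b) checks whether a given user can traverse the privileged directory the way the kernel will decide it, using only POSIX tools. The log lines in SAMPLE_LOG are constructed from the extract in the post; the directory path is the one named in the error; the Dovecot auth user is assumed to be dovecot (Dovecot 2.x's default_internal_user) and can be overridden with DOVECOT_AUTH_USER.

```shell
#!/bin/sh
# Added diagnostic for the winbindd_pam_auth_crap permission error; not from the original
# post, Dovecot or Samba. Two functions: auth_summary (log detection) and
# privileged_dir_ok (permission check on the winbindd privileged socket directory).

# Constructed sample, adapted from the syslog extract in the post.
SAMPLE_LOG='Apr  2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: Login for user []\[test2]@[SIRP00000733] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly.]
Apr  2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: NTLMSSP BH: NT_STATUS_ACCESS_DENIED
Apr  2 09:47:47 sirprdsvcmsg02 dovecot: imap-login: Login: user=<test2>, method=PLAIN, rip=10.50.2.150, lip=10.50.30.90, mpid=23706, session=<n/6DZmHZxAAKMgKW>
Apr  2 09:47:47 sirprdsvcmsg02 dovecot: auth: Error: Login for user []\[test2]@[SIRP00000733] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly.]
Apr  2 09:47:53 sirprdsvcmsg02 dovecot: imap-login: Login: user=<test2>, method=PLAIN, rip=10.50.2.150, lip=10.50.30.90, mpid=23820, session=<iBXZZmHZxQAKMgKW>'

# auth_summary: read syslog lines on stdin, print "ntlm_denied=N plain_logins=M".
# Both counters rising together is the pattern from the post: winbindd refuses the
# NTLM exchange and the mailbox is then reached with a PLAIN login instead.
auth_summary() {
    awk '
        /winbind client not authorized to use winbindd_pam_auth_crap/ { denied++ }
        /imap-login: Login: .*method=PLAIN/                            { plain++ }
        END { printf "ntlm_denied=%d plain_logins=%d\n", denied, plain }
    '
}

# in_list WORD "SPACE SEPARATED LIST": exit 0 when WORD is one of the words.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# privileged_dir_ok DIR USER: exit 0 when USER can traverse DIR (execute bit of the
# owner, group or other class that applies to USER), 1 otherwise; one verdict line on stdout.
privileged_dir_ok() {
    _dir=$1
    _user=$2
    if [ ! -d "$_dir" ]; then
        echo "$_dir: missing (is winbindd running?)"
        return 1
    fi
    # ls -ld fields: perms links owner group ... (POSIX, unlike GNU stat -c)
    set -- $(ls -ld "$_dir")
    _perms=$1; _owner=$3; _group=$4
    # Groups of USER; an unknown user has none and is judged by the "other" bits.
    _groups=$(id -Gn "$_user" 2>/dev/null) || _groups=""
    if [ "$_user" = "$_owner" ]; then
        _bit=$(printf %s "$_perms" | cut -c4);  _as=owner
    elif in_list "$_group" "$_groups"; then
        _bit=$(printf %s "$_perms" | cut -c7);  _as="member of $_group"
    else
        _bit=$(printf %s "$_perms" | cut -c10); _as=other
    fi
    case $_bit in
        x|s|t)
            echo "$_dir ($_perms $_owner:$_group): $_user may traverse as $_as"
            return 0 ;;
    esac
    echo "$_dir ($_perms $_owner:$_group): $_user cannot traverse as $_as; add $_user to group $_group and restart dovecot"
    return 1
}

# Stand-alone run: summarise the sample log, then check the real directory if present.
# DOVECOT_AUTH_USER is an assumption (Dovecot 2.x runs the auth service as "dovecot").
printf '%s\n' "$SAMPLE_LOG" | auth_summary
if [ -d /var/run/samba/winbindd_privileged ]; then
    privileged_dir_ok /var/run/samba/winbindd_privileged "${DOVECOT_AUTH_USER:-dovecot}" || true
fi
```

On the affected host the expected picture is ntlm_denied and plain_logins moving together while privileged_dir_ok reports "cannot traverse as other" for the auth user; after the user is added to the directory's group and dovecot restarted, the same call should report "may traverse as member of ...". The check deliberately mirrors the kernel's owner/group/other decision rather than guessing a group name, so it also covers setups where the privileged group is something other than Debian's winbindd_priv.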