Aaron Jenkins
2014-Nov-26 07:31 UTC
Working with Active Directory on Windows Server 2012 R2
I've attempted the user Mail with the same password with the same result (binding as my own user was a last-ditch attempt).

aaron at aaron-Parallels-Virtual-Platform:/etc/sssd$ ldapsearch -x -H ldap://dc1.ad.automaton.uk -D CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk -W - -b CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk> with scope subtree
# filter: (objectclass=*)
# requesting: -
#

# aaron.jenkins, Users, ad.automaton.uk
dn: CN=aaron.jenkins,CN=Users,DC=ad,DC=automaton,DC=uk

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Same with the user Mail

On November 25, 2014 at 2:18:26 AM, Steffen Kaiser (skdovecot at smail.inf.fh-brs.de) wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 25 Nov 2014, Aaron Jenkins wrote:
>
>> I'm having issues getting Dovecot to work with AD on 2012 R2 in a test environment.
>> …
>> Nov 19 09:22:23 auth: Debug: auth client connected (pid=10345)
>> Nov 19 09:22:23 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29 lport=993 rport=56395
>> Nov 19 09:22:23 auth: Debug: client passdb out: CONT 1
>> Nov 19 09:22:23 auth: Debug: client in: CONT 1 (previous base64 data may contain sensitive data)
>> Nov 19 09:22:29 auth: Debug: client passdb out: FAIL 1 user=aaron.jenkins temp
>
> Your conf:
> auth_bind = yes
> dn = aaron.jenkins
> dnpass = dummypass1
> auth_bind_userdn = CN=%u,CN=users,DC=ad,DC=automaton,DC=uk
>
> Can you really succeed a simple auth with the dn aaron.jenkins ? This
> ought to be a full DN. As I understand auth_bind_userdn, you do not need
> dn/dnpass anyway, because auth_bind_userdn prevents searching for the
> user's DN, in which case Dovecot requires a connection before any user
> bind takes place.
>
> I wonder if the log shows the error from this setting or from the user's
> login attempt. Could you try another user?
>
> Can you auth from command line via
>
> ldapsearch -x -H ldap://dc1.ad.automaton.uk -D \
> CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk -W \
> - -b CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk
>
> - --
> Steffen Kaiser
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
>
> iQEVAwUBVHRYQ3z1H7kL/d9rAQLlKgf9GB2o0/T84E9KykVU/IkoCuLQLfaNeTzg
> tI26Puwl1+tHXY+WkJs8uHTsKWaI5Qyh0Fv/6bR3ZSB5QhEkAQSE87WKfSJCe6FX
> i1261C5oLSqA8mWYoyPnkeHuHDFKp9YULnfqgBbLzz/7Y63i0dDgaql5stELZSwa
> XCzUwrEWdxdzgt8h7mnfG6fHn4xxfLeKCiA5e62afjXux4eCGclcytXOpIgl8z7u
> bULhGmxqyYDvjkGXCex/LYtKx+S6zSIMg/8Ior6SrPBy+IK0qUtwPoOssCY4cycd
> 4ZRVdvxjmjbHrzQdV/ZJn+jLqSI016l/lzASP7SUptHb8CjwxZxeCw=
> =6Zsw
> -----END PGP SIGNATURE-----
Steffen Kaiser
2014-Nov-26 08:20 UTC
Working with Active Directory on Windows Server 2012 R2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 26 Nov 2014, Aaron Jenkins wrote:

> I've attempted the user Mail with the same password with the same result (binding as my own user was a last-ditch attempt).

OK, what about the:

> As I understand auth_bind_userdn, you do not need
> dn/dnpass anyway, because auth_bind_userdn prevents searching for the
> user's DN

Did you remove the dn/dnpass settings?

What about the:

> I wonder if the log shows the error from this setting or from the user's
> login attempt. Could you try another user?

If you login with another user (not aaron.jenkins) to IMAP, which username is listed in the logs then?

> aaron at aaron-Parallels-Virtual-Platform:/etc/sssd$ ldapsearch -x -H ldap://dc1.ad.automaton.uk -D CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk -W - -b CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk> with scope subtree
> # filter: (objectclass=*)
> # requesting: -
> #
>
> # aaron.jenkins, Users, ad.automaton.uk
> dn: CN=aaron.jenkins,CN=Users,DC=ad,DC=automaton,DC=uk
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> Same with the user Mail
>
>
>
> On November 25, 2014 at 2:18:26 AM, Steffen Kaiser (skdovecot at smail.inf.fh-brs.de) wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 25 Nov 2014, Aaron Jenkins wrote:
>
>> I'm having issues getting Dovecot to work with AD on 2012 R2 in a test environment.
>> …
>> Nov 19 09:22:23 auth: Debug: auth client connected (pid=10345)
>> Nov 19 09:22:23 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29 lport=993 rport=56395
>> Nov 19 09:22:23 auth: Debug: client passdb out: CONT 1
>> Nov 19 09:22:23 auth: Debug: client in: CONT 1 (previous base64 data may contain sensitive data)
>> Nov 19 09:22:29 auth: Debug: client passdb out: FAIL 1 user=aaron.jenkins temp
>
> Your conf:
> auth_bind = yes
> dn = aaron.jenkins
> dnpass = dummypass1
> auth_bind_userdn = CN=%u,CN=users,DC=ad,DC=automaton,DC=uk
>
> Can you really succeed a simple auth with the dn aaron.jenkins ? This
> ought to be a full DN. As I understand auth_bind_userdn, you do not need
> dn/dnpass anyway, because auth_bind_userdn prevents searching for the
> user's DN, in which case Dovecot requires a connection before any user
> bind takes place.
>
> I wonder if the log shows the error from this setting or from the user's
> login attempt. Could you try another user?
>
> Can you auth from command line via
>
> ldapsearch -x -H ldap://dc1.ad.automaton.uk -D \
> CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk -W \
> - -b CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk
>
> - --
> Steffen Kaiser
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
>
> iQEVAwUBVHRYQ3z1H7kL/d9rAQLlKgf9GB2o0/T84E9KykVU/IkoCuLQLfaNeTzg
> tI26Puwl1+tHXY+WkJs8uHTsKWaI5Qyh0Fv/6bR3ZSB5QhEkAQSE87WKfSJCe6FX
> i1261C5oLSqA8mWYoyPnkeHuHDFKp9YULnfqgBbLzz/7Y63i0dDgaql5stELZSwa
> XCzUwrEWdxdzgt8h7mnfG6fHn4xxfLeKCiA5e62afjXux4eCGclcytXOpIgl8z7u
> bULhGmxqyYDvjkGXCex/LYtKx+S6zSIMg/8Ior6SrPBy+IK0qUtwPoOssCY4cycd
> 4ZRVdvxjmjbHrzQdV/ZJn+jLqSI016l/lzASP7SUptHb8CjwxZxeCw=
> =6Zsw
> -----END PGP SIGNATURE-----
> ---------------Output of GPG------------------
> Decryption of block failed
> gpg: Signature made Tue 25 Nov 2014 11:21:55 AM CET using RSA key ID 0BFDDF6B
> gpg: BAD signature from "Steffen Kaiser <skdovecot at smail.inf.fh-brs.de>"
>

- --
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBVHWNNXz1H7kL/d9rAQLnnAf7B2u8IlAG8ayWgsGSOF6JQCYE071r8fvd
3QS5d8kLw59wDocUaRgDDZKflk3AJkpQVb4SNsrTKaESHk9W6vpG9U9LMoQH9Kcg
w2R9nr/m5AH7GKx/aZSYpuJYCHZ9uMIv2lMorgUQb8iZdFcSdTa3p/aiDQf/yvjv
yEB4W/tXugLZXsP43sEUjjM4yqaYRDM0D1d9GtohaxuZS+VxuZBEPRLD5Wlkh8cj
4NMrvdgPsAAu3jnhpkOkfRnx6mQ6wyPdd7tU0U8QRFtJcae24c7l8jlK785oEREM
wCPRfp+HejnQWUzZ2XRjevv58LWa2teQ+U36zutN5Aj2/VTo+U7H+g=
=P2I4
-----END PGP SIGNATURE-----
Aaron Jenkins
2014-Nov-27 08:15 UTC
Working with Active Directory on Windows Server 2012 R2
I've removed the dn / dnpass. When attempting with new user:

$ cat /var/log/dovecot-info.log
Nov 27 00:09:29 imap-login: Info: Internal login failure (pid=5553 id=1) (internal failure, 1 successful auths): user=<test.user>, method=PLAIN, rip=10.211.55.29, lip=10.211.55.33, mpid=5558, TLS, session=<rQXRqdIIZwAK0zcd>
Nov 27 00:09:29 imap-login: Info: Internal login failure (pid=5559 id=1) (internal failure, 1 successful auths): user=<test.user>, method=PLAIN, rip=10.211.55.29, lip=10.211.55.33, mpid=5560, TLS, session=<A/TdqdIIaAAK0zcd>
Nov 27 00:09:29 auth: Info: ldap(test.user at ad.automaton.uk,10.211.55.29,<mFneqdIIaQAK0zcd>): invalid credentials (given password: ThisIsAPass123)
Nov 27 00:09:35 auth: Info: ldap(test.user at ad.automaton.uk,10.211.55.29,<mFneqdIIaQAK0zcd>): invalid credentials (given password: ThisIsAPass123)
Nov 27 00:09:37 imap-login: Info: Disconnected (auth failed, 2 attempts in 8 secs): user=<test.user at ad.automaton.uk>, method=PLAIN, rip=10.211.55.29, lip=10.211.55.33, TLS, session=<mFneqdIIaQAK0zcd>

$ cat /var/log/dovecot-debug.log
Nov 27 00:13:07 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Nov 27 00:13:07 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Nov 27 00:13:07 auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
Nov 27 00:13:07 auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Nov 27 00:13:07 auth: Debug: auth client connected (pid=6219)
Nov 27 00:13:07 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=/xfdttIIagAK0zcd lip=10.211.55.33 rip=10.211.55.29 lport=143 rport=44650
Nov 27 00:13:07 auth: Debug: client passdb out: CONT 1
Nov 27 00:13:07 auth: Debug: client in: CONT 1 AHRlc3QudXNlcgBUaGlzSXNBUGFzczEyMw== (previous base64 data may contain sensitive data)
Nov 27 00:13:07 auth: Debug: client passdb out: OK 1 user=test.user
Nov 27 00:13:07 auth: Debug: master in: REQUEST 2256273409 6219 1 a99d65893905abf592245098b369359e session_pid=6223 request_auth_token
Nov 27 00:13:07 auth: Debug: ldap(test.user,10.211.55.29,</xfdttIIagAK0zcd>): user search: base=cn=users,dc=ad,dc=automaton,dc=uk scope=subtree filter=(&(name=test.user)(objectClass=person)) fields=homeDirectory,uidNumber,gidNumber
Nov 27 00:13:07 auth: Debug: master userdb out: FAIL 2256273409
Nov 27 00:13:07 auth: Debug: auth client connected (pid=6224)
Nov 27 00:13:07 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=gn7dttIIawAK0zcd lip=10.211.55.33 rip=10.211.55.29 lport=143 rport=44651
Nov 27 00:13:07 auth: Debug: client passdb out: CONT 1
Nov 27 00:13:07 auth: Debug: client in: CONT 1 AHRlc3QudXNlcgBUaGlzSXNBUGFzczEyMw== (previous base64 data may contain sensitive data)
Nov 27 00:13:07 auth: Debug: client passdb out: OK 1 user=test.user
Nov 27 00:13:07 auth: Debug: master in: REQUEST 1233256449 6224 1 587c0fc0406dbbdac1ccf4bb6267ff59 session_pid=6225 request_auth_token
Nov 27 00:13:07 auth: Debug: ldap(test.user,10.211.55.29,<gn7dttIIawAK0zcd>): user search: base=cn=users,dc=ad,dc=automaton,dc=uk scope=subtree filter=(&(name=test.user)(objectClass=person)) fields=homeDirectory,uidNumber,gidNumber
Nov 27 00:13:07 auth: Debug: master userdb out: FAIL 1233256449
Nov 27 00:13:07 auth: Debug: auth client connected (pid=6226)
Nov 27 00:13:07 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=Ic3dttIIbAAK0zcd lip=10.211.55.33 rip=10.211.55.29 lport=143 rport=44652
Nov 27 00:13:07 auth: Debug: client passdb out: CONT 1
Nov 27 00:13:07 auth: Debug: client in: CONT 1 AHRlc3QudXNlckBhZC5hdXRvbWF0b24udWsAVGhpc0lzQVBhc3MxMjM= (previous base64 data may contain sensitive data)
Nov 27 00:13:09 auth: Debug: client passdb out: FAIL 1 user=test.user at ad.automaton.uk
Nov 27 00:13:09 auth: Debug: client in: AUTH 2 PLAIN service=imap secured session=Ic3dttIIbAAK0zcd lip=10.211.55.33 rip=10.211.55.29 lport=143 rport=44652 resp=AHRlc3QudXNlckBhZC5hdXRvbWF0b24udWsAVGhpc0lzQVBhc3MxMjM= (previous base64 data may contain sensitive data)
Nov 27 00:13:15 auth: Debug: client passdb out: FAIL 2 user=test.user at ad.automaton.uk

$ ldapsearch -x -H ldap://dc1.ad.automaton.uk -D CN=test.user,CN=users,DC=ad,DC=automaton,DC=uk -W - -b CN=test.user,CN=users,DC=ad,DC=automaton,DC=uk
# extended LDIF
#
# LDAPv3
# base <CN=test.user,CN=users,DC=ad,DC=automaton,DC=uk> with scope subtree
# filter: (objectclass=*)
# requesting: -
#

# test.user, Users, ad.automaton.uk
dn: CN=test.user,CN=Users,DC=ad,DC=automaton,DC=uk

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

And the password on AD for test.user is 100% ThisIsAPass123.

On November 26, 2014 at 12:16:34 AM, Steffen Kaiser (skdovecot at smail.inf.fh-brs.de) wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wed, 26 Nov 2014, Aaron Jenkins wrote:
>
>> I've attempted the user Mail with the same password with the same result (binding as my own user was a last-ditch attempt).
>
> OK, what about the:
>
>> As I understand auth_bind_userdn, you do not need
>> dn/dnpass anyway, because auth_bind_userdn prevents searching for the
>> user's DN
>
> Did you remove the dn/dnpass settings?
>
> What about the:
>
>> I wonder if the log shows the error from this setting or from the user's
>> login attempt. Could you try another user?
>
> If you login with another user (not aaron.jenkins) to IMAP, which username is listed in the logs then?
>
>> aaron at aaron-Parallels-Virtual-Platform:/etc/sssd$ ldapsearch -x -H ldap://dc1.ad.automaton.uk -D CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk -W - -b CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: -
>> #
>>
>> # aaron.jenkins, Users, ad.automaton.uk
>> dn: CN=aaron.jenkins,CN=Users,DC=ad,DC=automaton,DC=uk
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>>
>> Same with the user Mail
>>
>>
>>
>> On November 25, 2014 at 2:18:26 AM, Steffen Kaiser (skdovecot at smail.inf.fh-brs.de) wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On Tue, 25 Nov 2014, Aaron Jenkins wrote:
>>
>>> I'm having issues getting Dovecot to work with AD on 2012 R2 in a test environment.
>>> …
>>> Nov 19 09:22:23 auth: Debug: auth client connected (pid=10345)
>>> Nov 19 09:22:23 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29 lport=993 rport=56395
>>> Nov 19 09:22:23 auth: Debug: client passdb out: CONT 1
>>> Nov 19 09:22:23 auth: Debug: client in: CONT 1 (previous base64 data may contain sensitive data)
>>> Nov 19 09:22:29 auth: Debug: client passdb out: FAIL 1 user=aaron.jenkins temp
>>
>> Your conf:
>> auth_bind = yes
>> dn = aaron.jenkins
>> dnpass = dummypass1
>> auth_bind_userdn = CN=%u,CN=users,DC=ad,DC=automaton,DC=uk
>>
>> Can you really succeed a simple auth with the dn aaron.jenkins ? This
>> ought to be a full DN. As I understand auth_bind_userdn, you do not need
>> dn/dnpass anyway, because auth_bind_userdn prevents searching for the
>> user's DN, in which case Dovecot requires a connection before any user
>> bind takes place.
>>
>> I wonder if the log shows the error from this setting or from the user's
>> login attempt. Could you try another user?
>>
>> Can you auth from command line via
>>
>> ldapsearch -x -H ldap://dc1.ad.automaton.uk -D \
>> CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk -W \
>> - -b CN=aaron.jenkins,CN=users,DC=ad,DC=automaton,DC=uk
>>
>> - --
>> Steffen Kaiser
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.11 (GNU/Linux)
>>
>> iQEVAwUBVHRYQ3z1H7kL/d9rAQLlKgf9GB2o0/T84E9KykVU/IkoCuLQLfaNeTzg
>> tI26Puwl1+tHXY+WkJs8uHTsKWaI5Qyh0Fv/6bR3ZSB5QhEkAQSE87WKfSJCe6FX
>> i1261C5oLSqA8mWYoyPnkeHuHDFKp9YULnfqgBbLzz/7Y63i0dDgaql5stELZSwa
>> XCzUwrEWdxdzgt8h7mnfG6fHn4xxfLeKCiA5e62afjXux4eCGclcytXOpIgl8z7u
>> bULhGmxqyYDvjkGXCex/LYtKx+S6zSIMg/8Ior6SrPBy+IK0qUtwPoOssCY4cycd
>> 4ZRVdvxjmjbHrzQdV/ZJn+jLqSI016l/lzASP7SUptHb8CjwxZxeCw=
>> =6Zsw
>> -----END PGP SIGNATURE-----
>> ---------------Output of GPG------------------
>> Decryption of block failed
>> gpg: Signature made Tue 25 Nov 2014 11:21:55 AM CET using RSA key ID 0BFDDF6B
>> gpg: BAD signature from "Steffen Kaiser <skdovecot at smail.inf.fh-brs.de>"
>>
>
> - --
> Steffen Kaiser
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
>
> iQEVAwUBVHWNNXz1H7kL/d9rAQLnnAf7B2u8IlAG8ayWgsGSOF6JQCYE071r8fvd
> 3QS5d8kLw59wDocUaRgDDZKflk3AJkpQVb4SNsrTKaESHk9W6vpG9U9LMoQH9Kcg
> w2R9nr/m5AH7GKx/aZSYpuJYCHZ9uMIv2lMorgUQb8iZdFcSdTa3p/aiDQf/yvjv
> yEB4W/tXugLZXsP43sEUjjM4yqaYRDM0D1d9GtohaxuZS+VxuZBEPRLD5Wlkh8cj
> 4NMrvdgPsAAu3jnhpkOkfRnx6mQ6wyPdd7tU0U8QRFtJcae24c7l8jlK785oEREM
> wCPRfp+HejnQWUzZ2XRjevv58LWa2teQ+U36zutN5Aj2/VTo+U7H+g=
> =P2I4
> -----END PGP SIGNATURE-----
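Two mechanisms run through this thread: the SASL PLAIN blobs that Dovecot's auth debug log warns "may contain sensitive data", and the `auth_bind_userdn` template whose `%u` is expanded into the bind DN. The script below is an added example, not code from the thread or from the Dovecot project: it decodes the PLAIN initial response as defined in RFC 4616 (authzid, authcid and password separated by NUL bytes), expands Dovecot's `%u` (full login name), `%n` (user part) and `%d` (domain part) into the DN template from the thread, and redacts the base64 blobs so a debug log can be shared without leaking passwords. The two log lines are copied from the page; the helper names are the example's own.

```python
import base64
import re

# Constructed sample input: the two "client in: CONT" lines quoted in the
# thread, with the SASL PLAIN blobs as the IMAP client sent them.
SAMPLE_LOG = [
    "Nov 27 00:13:07 auth: Debug: client in: CONT 1 AHRlc3QudXNlcgBUaGlzSXNBUGFzczEyMw== "
    "(previous base64 data may contain sensitive data)",
    "Nov 27 00:13:07 auth: Debug: client in: CONT 1 "
    "AHRlc3QudXNlckBhZC5hdXRvbWF0b24udWsAVGhpc0lzQVBhc3MxMjM= "
    "(previous base64 data may contain sensitive data)",
]

# The auth_bind_userdn value from Steffen's quote of the configuration.
BIND_DN_TEMPLATE = "CN=%u,CN=users,DC=ad,DC=automaton,DC=uk"

# Matches the base64 payload after "CONT <id> " or "resp=" in auth debug lines.
_SASL_BLOB_RE = re.compile(r"(client in: CONT \d+ |resp=)([A-Za-z0-9+/=]+)")


def parse_sasl_plain(b64_blob):
    """Decode a SASL PLAIN message (RFC 4616): authzid NUL authcid NUL passwd."""
    raw = base64.b64decode(b64_blob)
    fields = raw.split(b"\x00")
    if len(fields) != 3:
        raise ValueError("SASL PLAIN must carry exactly three NUL-separated fields")
    authzid, authcid, password = (f.decode("utf-8") for f in fields)
    return {"authzid": authzid, "authcid": authcid, "password": password}


def split_user(username):
    """Split a login name into Dovecot's %n (user) and %d (domain) parts."""
    if "@" in username:
        user, domain = username.split("@", 1)
    else:
        user, domain = username, ""
    return user, domain


def expand_dovecot_vars(template, username):
    """Expand %u, %n and %d in an auth_bind_userdn-style template."""
    user, domain = split_user(username)
    return (template.replace("%u", username)
                    .replace("%n", user)
                    .replace("%d", domain))


def bind_dns_from_log(lines, template=BIND_DN_TEMPLATE):
    """For each CONT line, decode the login name and the bind DN it yields.

    Returns a list of (authcid, expanded_dn) tuples so the two username forms
    seen in the thread (with and without the @domain suffix) can be compared.
    """
    results = []
    for line in lines:
        match = _SASL_BLOB_RE.search(line)
        if not match:
            continue
        creds = parse_sasl_plain(match.group(2))
        results.append((creds["authcid"], expand_dovecot_vars(template, creds["authcid"])))
    return results


def redact_sasl_blobs(line):
    """Replace the base64 SASL payload in a debug line with a placeholder."""
    return _SASL_BLOB_RE.sub(r"\1<redacted>", line)


if __name__ == "__main__":
    for name, dn in bind_dns_from_log(SAMPLE_LOG):
        print(f"{name:28} -> {dn}")
    for line in SAMPLE_LOG:
        print(redact_sasl_blobs(line))
```

Run against the two quoted lines, the first blob decodes to the login name `test.user` and the second to `test.user@ad.automaton.uk`; with a `%u` template those expand to two different CNs, which is the kind of difference worth checking whenever a passdb accepts one spelling of a username and rejects another. Redacting the blobs before pasting a debug log to a list is cheap and avoids publishing a working password, as happened in this thread.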