[Dovecot] No NTLM with PAM after upgrade
Phil Quesinberry
philq at qsystemsengineering.com
Fri Mar 1 22:30:37 EET 2013
After updating from Dovecot 1.07 (included with CentOS 5) to 2.11, NTLM
authentication will not work. Attempts to authenticate against Samba
version 4.0.4-GIT-20cb7de also fail with 'auth: Info:
winbind(?,192.168.2.100): user not authenticated: NT_STATUS_UNSUCCESSFUL',
despite the fact that the same user can sign on to the Samba domain and
access files.
What I'm really trying to understand here though is why version 1.07 would
do NTLM with PAM just fine, but later versions I've tried will not. After
failing to get later versions to work, I decided to see if I could at least
get them to do NTLM by authenticating against a Samba domain but that won't
work either.
1.07 did NTLM just fine authenticating against a system user account with
PAM, as demonstrated by the following excerpt from the log:
dovecot: Feb 06 12:46:59 Info: imap-login: Login: user=<pquesinb>, method=NTLM, rip=192.168.2.100, lip=192.168.2.102
dovecot: Feb 06 12:46:59 Info: imap-login: Login: user=<pquesinb>, method=NTLM, rip=192.168.2.100, lip=192.168.2.102
dovecot: Feb 06 12:47:42 Info: IMAP(pquesinb): Disconnected: Logged out
dovecot: Feb 06 12:47:42 Info: IMAP(pquesinb): Disconnected: Logged out
dovecot: Feb 06 12:48:03 Info: imap-login: Login: user=<pquesinb>, method=NTLM, rip=192.168.2.100, lip=192.168.2.102
dovecot: Feb 06 12:48:03 Info: imap-login: Login: user=<pquesinb>, method=NTLM, rip=192.168.2.100, lip=192.168.2.102
dovecot: Feb 06 12:48:44 Info: IMAP(pquesinb): Disconnected: Logged out
dovecot: Feb 06 12:48:44 Info: IMAP(pquesinb): Disconnected: Logged out
Authentication settings for 1.07 were as follows (excerpt from -n output,
see below for full output):
auth default:
  mechanisms: ntlm plain
  passdb:
    driver: passwd-file
    args: /etc/dovecot.users
  passdb:
    driver: pam
    args: cache_key=%u dovecot
  userdb:
    driver: passwd
Since 1.07 was such an old version, I first tried updating to 1.2.17 and
lost the ability to do NTLM authentication with the same settings:
Feb 06 16:09:32 dovecot: Info: Dovecot v1.2.17 starting up (core dumps disabled)
Feb 06 16:09:46 auth(default): Info: password(pquesinb,192.168.2.100): Requested NTLM scheme, but we have a NULL password
Feb 06 16:09:53 auth(default): Info: password(pquesinb,192.168.2.100): Requested NTLM scheme, but we have a NULL password
Feb 06 16:10:05 imap-login: Info: Disconnected (auth failed, 2 attempts): user=<pquesinb>, method=NTLM, rip=192.168.2.100, lip=192.168.2.102
Feb 06 16:11:54 auth(default): Info: password(pquesinb,192.168.2.100): Requested NTLM scheme, but we have a NULL password
Feb 06 16:12:04 auth(default): Info: password(pquesinb,192.168.2.100): Requested NTLM scheme, but we have a NULL password
Feb 06 16:12:16 imap-login: Info: Disconnected (auth failed, 2 attempts): user=<pquesinb>, method=NTLM, rip=192.168.2.100, lip=192.168.2.102
Next I decided to try 2.x and since I had installed 1.2.17 from source, I
thought it would be wise to install from an RPM which had been "blessed" for
CentOS 5, so 2.1.1 was installed from the RPMs linked to on the Dovecot
download site:
http://dl.atrpms.net/all/dovecot-2.1.1-2_132.el5.x86_64.rpm
Still no NTLM authentication with 2.x using PAM, so I decided to try
authenticating against the Samba 4 domain using Samba's winbind daemon and
ntlm_auth helper. That still doesn't work, however, as seen in the following
log excerpt, but plaintext login, which is also enabled, works:
Feb 28 23:29:13 auth: Debug: auth client connected (pid=18518)
Feb 28 23:29:13 auth: Debug: client in: AUTH 1 NTLM service=imap lip=192.168.2.102 rip=192.168.2.100 lport=143 rport=4531
Feb 28 23:29:15 auth: Debug: client out: FAIL 1
Feb 28 23:29:15 auth: Debug: client in: AUTH 2 PLAIN service=imap lip=192.168.2.102 rip=192.168.2.100 lport=143 rport=4530 resp=AHBxdWVzaW5iAFN0ZXdCMHkv
Feb 28 23:29:17 auth: Debug: client out: CONT 1
Feb 28 23:29:17 auth: Debug: client in: CONT 1 TlRMTVxxxxxxxAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
Feb 28 23:29:17 auth: Error: could not obtain winbind netbios name!
Feb 28 23:29:17 auth: Error: could not obtain winbind domain name!
Feb 28 23:29:17 auth: Debug: client out: CONT 1 TlRMTVNTUAACAAAAGAAYADgAAAAFxxxxxxxxxSsAAAAAAAAAAIoAigBQAAAABgEAAAAAAA9IAEUAUgBTAEMASABMxxxxxxxxxxUATgACABgASABFAFIAUwBDAEgATABBAFUAUgBFAE4AAQAOAFMARQBSAFYARQBSADEABAAgAGgAZQByAHMAYwBoAGwAYQB1AHIAZQBuAC4AYwBvAG0AAwAwAFMAZQByAHYAZQByADEALgBoAGUAcgBzAGMAaABsAGEAdQByAGUAbgAuAGMAbwBtAAAAAAA=
Feb 28 23:29:17 auth: Debug: client in: CONT 1 TlRMTVNTUAADAAAAGAAYAGoAAAC6ALoAggAAAAAAAABIAAAAEAAQAEgAAAASABIAWAAAAAAAAAAxxxxxxxxKIogUBKAoAAAAPcABxAHUAZQBzAGkAbgBiAFEAUwBFAC0AVwxxxxxxxx+cYeYzU98pxsa17QyN6VD8kE2RibAjNedd/ooN2y4/uSr/ZQYxxxxxxxxxU1Fs4BjelQ/JBNkYkAAAAAAgAYAEgARQBSAFMAQwBIAEwAQQBVAFIARQBOAAEADgBTAEUAUgBWAEUAUgAxAAQAIABoAGUAcgBzAGMAaABsAGEAdQBxxxxxxxxxxbwBtAAMAMABTAGUAcgB2AGUAcgAxAC4AaABlAHIAcwBjAGxxxxxxxxxxxxlAG4ALgBjAG8AbQAAAAAAAAAAAA==
Feb 28 23:29:17 auth: Info: winbind(?,192.168.2.100): user not authenticated: NT_STATUS_UNSUCCESSFUL
Feb 28 23:29:19 auth: Debug: cache(pquesinb,192.168.2.100): miss
Feb 28 23:29:19 auth-worker(18524): Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Feb 28 23:29:19 auth: Debug: client out: FAIL 1
Feb 28 23:29:19 auth: Debug: client in: AUTH 2 PLAIN service=imap lip=192.168.2.102 rip=192.168.2.100 lport=143 rport=4531 resp=AHBxdWVzaW5iAFN0ZXdCMHkv
Feb 28 23:29:19 auth-worker(18524): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
Feb 28 23:29:19 auth-worker(18524): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_pgsql.so
Feb 28 23:29:19 auth-worker(18524): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Feb 28 23:29:19 auth-worker(18524): Debug: pam(pquesinb,192.168.2.100): lookup service=dovecot
Feb 28 23:29:19 auth-worker(18524): Debug: pam(pquesinb,192.168.2.100): #1/1 style=1 msg=Password:
Feb 28 23:29:19 auth: Debug: client out: OK 2 user=pquesinb
Feb 28 23:29:19 auth: Debug: master in: REQUEST 751435777 18513 2 db445872b80e33772b5f0d35d50af3d1
Feb 28 23:29:19 auth: Debug: userdb-cache(pquesinb,192.168.2.100): miss
Feb 28 23:29:19 auth: Debug: passwd(pquesinb,192.168.2.100): lookup
Feb 28 23:29:19 auth: Debug: master out: USER 751435777 pquesinb system_groups_user=pquesinb uid=507 gid=508 home=/home/pquesinb
Feb 28 23:29:19 imap-login: Info: Login: user=<pquesinb>, method=PLAIN, rip=192.168.2.100, lip=192.168.2.102, mpid=18526
Feb 28 23:29:27 auth: Debug: cache(pquesinb,192.168.2.100): hit: {SHA1}+2ZUmdHOxxxxxxxxxxxxOLinOC0= user=pquesinb user=pquesinb
Feb 28 23:29:27 auth: Debug: client out: OK 2 user=pquesinb
Feb 28 23:29:27 auth: Debug: master in: REQUEST 3169320961 18518 2 6bd7b4fd283994029394360a2f5b4048
Feb 28 23:29:27 auth: Debug: userdb-cache(pquesinb,192.168.2.100): hit: pquesinb system_groups_user=pquesinb uid=507 gid=508 home=/home/pquesinb
Feb 28 23:29:27 auth: Debug: master out: USER 3169320961 pquesinb system_groups_user=pquesinb uid=507 gid=508 home=/home/pquesinb
Feb 28 23:29:27 imap-login: Info: Login: user=<pquesinb>, method=PLAIN, rip=192.168.2.100, lip=192.168.2.102, mpid=18531
Feb 28 23:30:00 imap(pquesinb): Info: Disconnected: Logged out in=861 out=31433
Feb 28 23:30:00 imap(pquesinb): Info: Disconnected: Logged out in=120 out=739
Here is the -n output for both 2.11 and 1.07; login/mail executables and
plugins are present within the configured paths for both versions.
Config output for 2.11:
[root at Server1 log]# dovecot -n
# 2.1.1: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-348.1.1.el5.centos.plusxen x86_64 CentOS release 5.9 (Final)
auth_cache_size = 16 M
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = ntlm plain
auth_use_winbind = yes
auth_verbose = yes
disable_plaintext_auth = no
info_log_path = /var/log/dovecot.log
listen = *
log_path = /var/log/dovecot.log
mail_location = maildir:~/Maildir
maildir_very_dirty_syncs = yes
passdb {
  args = cache_key=%u dovecot
  driver = pam
}
passdb {
  driver = shadow
}
protocols = imap pop3
service auth {
  executable = /usr/libexec/dovecot/auth
  user = root
}
service imap-login {
  client_limit = 256
  executable = /usr/libexec/dovecot/imap-login
  process_limit = 128
  user = dovecot
  vsz_limit = 64 M
}
service imap {
  executable = /usr/libexec/dovecot/imap
  process_limit = 64
}
service pop3-login {
  client_limit = 256
  process_limit = 128
  user = dovecot
  vsz_limit = 64 M
}
service pop3 {
  process_limit = 64
}
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}
verbose_proctitle = yes
protocol imap {
  imap_client_workarounds =
  mail_plugin_dir = /usr/local/lib/dovecot/imap
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}
protocol lda {
  mail_plugin_dir = /usr/local/lib/dovecot/lda
}
Here is the config output from the 1.07 version, which worked:
[root at Server1 init.d]# dovecot107 -n
# 1.0.7: /etc/dovecot.conf
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
mail_location: maildir:~/Maildir
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
auth default:
  mechanisms: ntlm plain
  passdb:
    driver: passwd-file
    args: /etc/dovecot.users
  passdb:
    driver: pam
    args: cache_key=%u dovecot
  userdb:
    driver: passwd
I'm fairly new to Dovecot, so if someone out there could at least point me
in the right direction in order to help me better understand why things
aren't working with the newer versions I would really appreciate it.
Many thanks,
Phil Quesinberry
Q Systems Engineering, Inc.
Embedded Systems Hardware/Software Development and VoIP Business Telephone
Hosting
Improve your business telephone services and save money
(410) 969-8002
http://www.qsystemsengineering.com
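An added example, not part of Phil's post or of Dovecot itself: a small Python script that correlates the "client in: AUTH" and "client out: OK/FAIL" lines Dovecot writes with auth_debug=yes, by request id, tallies the outcome per mechanism, and pulls out the passdb and winbind messages that explain why one mechanism fails while another succeeds. The sample log is constructed from the excerpts above, reduced to one NTLM and one PLAIN attempt. The finding text attached to the "Requested NTLM scheme, but we have a NULL password" message is the example's own reading of that line (a challenge-response mechanism needs a passdb that can return the password or its hash, which PAM cannot), not a statement from the thread.

```python
import re
from collections import defaultdict

# Constructed sample (not the poster's raw log): lines modelled on the auth
# debug excerpts quoted in the post, reduced to one NTLM and one PLAIN attempt.
SAMPLE_LOG = """\
Feb 06 16:09:46 auth(default): Info: password(pquesinb,192.168.2.100): Requested NTLM scheme, but we have a NULL password
Feb 28 23:29:13 auth: Debug: client in: AUTH 1 NTLM service=imap lip=192.168.2.102 rip=192.168.2.100 lport=143 rport=4531
Feb 28 23:29:17 auth: Debug: client out: CONT 1
Feb 28 23:29:17 auth: Debug: client in: CONT 1 TlRMTVNTUAABAAAA
Feb 28 23:29:17 auth: Error: could not obtain winbind netbios name!
Feb 28 23:29:17 auth: Error: could not obtain winbind domain name!
Feb 28 23:29:17 auth: Info: winbind(?,192.168.2.100): user not authenticated: NT_STATUS_UNSUCCESSFUL
Feb 28 23:29:19 auth: Debug: client out: FAIL 1
Feb 28 23:29:19 auth: Debug: client in: AUTH 2 PLAIN service=imap lip=192.168.2.102 rip=192.168.2.100 lport=143 rport=4530 resp=AHBxdWVzaW5iAFN0ZXdCMHkv
Feb 28 23:29:19 auth: Debug: client out: OK 2 user=pquesinb
"""

# Dovecot auth-client protocol lines as they appear with auth_debug=yes.
AUTH_IN = re.compile(r"client in: AUTH (?P<id>\d+) (?P<mech>\S+)(?P<rest>.*)$")
AUTH_OUT = re.compile(r"client out: (?P<verdict>OK|FAIL|CONT) (?P<id>\d+)")
NULL_PASSWORD = re.compile(r"Requested (?P<scheme>\S+) scheme, but we have a NULL password")
WINBIND_FAIL = re.compile(r"winbind\([^)]*\): user not authenticated: (?P<status>NT_STATUS_\w+)")
WINBIND_ERROR = re.compile(r"auth: Error: (?P<msg>could not obtain winbind .*)$")
KV = re.compile(r"(\w+)=(\S+)")


def summarize(log_text):
    """Correlate AUTH requests with their OK/FAIL verdict and collect the
    passdb/winbind messages that explain a failing mechanism."""
    open_attempts = {}          # request id -> attempt still awaiting OK/FAIL
    attempts = []               # every attempt, in the order it was opened
    by_mech = defaultdict(lambda: {"OK": 0, "FAIL": 0, "PENDING": 0})
    findings = []

    for line in log_text.splitlines():
        m = AUTH_IN.search(line)
        if m:
            params = dict(KV.findall(m.group("rest")))
            # resp= carries base64 credentials when auth_debug_passwords=yes;
            # never copy it into a summary.
            params.pop("resp", None)
            attempt = {"id": m.group("id"), "mech": m.group("mech"),
                       "rip": params.get("rip"), "verdict": "PENDING"}
            attempts.append(attempt)
            open_attempts[attempt["id"]] = attempt
            continue
        m = AUTH_OUT.search(line)
        if m:
            if m.group("verdict") != "CONT":   # CONT is a round trip, not a verdict
                attempt = open_attempts.pop(m.group("id"), None)
                if attempt:
                    attempt["verdict"] = m.group("verdict")
            continue
        m = NULL_PASSWORD.search(line)
        if m:
            findings.append(
                f"passdb returned no credential for the {m.group('scheme')} scheme: "
                "a challenge-response mechanism needs a passdb that can hand the "
                "password or its hash to the auth process, which PAM cannot do")
            continue
        m = WINBIND_ERROR.search(line)
        if m:
            findings.append(f"ntlm_auth helper problem: {m.group('msg')}")
            continue
        m = WINBIND_FAIL.search(line)
        if m:
            findings.append(f"winbind rejected the NTLM response: {m.group('status')}")

    for attempt in attempts:
        by_mech[attempt["mech"]][attempt["verdict"]] += 1
    return {"attempts": attempts, "by_mech": dict(by_mech), "findings": findings}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for mech, counts in sorted(report["by_mech"].items()):
        print(f"{mech:6} ok={counts['OK']} fail={counts['FAIL']} pending={counts['PENDING']}")
    for finding in report["findings"]:
        print("-", finding)
```

Run against a real /var/log/dovecot.log, the per-mechanism tally separates "the passdb cannot serve this mechanism" (every NTLM attempt fails while PLAIN from the same client succeeds, as in the post) from "the client is sending bad credentials" (both mechanisms fail). The script deliberately drops the resp= field: with auth_debug_passwords=yes that field is the base64 of the PLAIN credentials, and a log summary should not carry it.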