[Dovecot] No NTLM with PAM after upgrade

Phil Quesinberry philq at qsystemsengineering.com
Fri Mar 1 22:30:37 EET 2013


After updating from Dovecot 1.07 (included with CentOS 5) to 2.11, NTLM
authentication will not work.  Attempts to authenticate against Samba
version 4.0.4-GIT-20cb7de also fail with 'auth: Info:
winbind(?,192.168.2.100): user not authenticated: NT_STATUS_UNSUCCESSFUL',
despite the fact that the same user can sign on to the Samba domain and
access files.

What I'm really trying to understand here though is why version 1.07 would
do NTLM with PAM just fine, but later versions I've tried will not.  After
failing to get later versions to work, I decided to see if I could at least
get them to do NTLM by authenticating against a Samba domain but that won't
work either.

1.07 did NTLM just fine authenticating against a system user account with
PAM, as demonstrated by the following excerpt from the log:
dovecot: Feb 06 12:46:59 Info: imap-login: Login: user=<pquesinb>, method=NTLM, rip=192.168.2.100, lip=192.168.2.102
dovecot: Feb 06 12:46:59 Info: imap-login: Login: user=<pquesinb>, method=NTLM, rip=192.168.2.100, lip=192.168.2.102
dovecot: Feb 06 12:47:42 Info: IMAP(pquesinb): Disconnected: Logged out
dovecot: Feb 06 12:47:42 Info: IMAP(pquesinb): Disconnected: Logged out
dovecot: Feb 06 12:48:03 Info: imap-login: Login: user=<pquesinb>, method=NTLM, rip=192.168.2.100, lip=192.168.2.102
dovecot: Feb 06 12:48:03 Info: imap-login: Login: user=<pquesinb>, method=NTLM, rip=192.168.2.100, lip=192.168.2.102
dovecot: Feb 06 12:48:44 Info: IMAP(pquesinb): Disconnected: Logged out
dovecot: Feb 06 12:48:44 Info: IMAP(pquesinb): Disconnected: Logged out

Authentication settings for 1.07 were as follows (excerpt from -n output,
see below for full output):
auth default:
  mechanisms: ntlm plain
  passdb:
    driver: passwd-file
    args: /etc/dovecot.users
  passdb:
    driver: pam
    args: cache_key=%u dovecot
  userdb:
    driver: passwd


Since 1.07 was such an old version, I first tried updating to 1.2.17 and
lost the ability to do NTLM authentication with the same settings:
Feb 06 16:09:32 dovecot: Info: Dovecot v1.2.17 starting up (core dumps disabled)
Feb 06 16:09:46 auth(default): Info: password(pquesinb,192.168.2.100): Requested NTLM scheme, but we have a NULL password
Feb 06 16:09:53 auth(default): Info: password(pquesinb,192.168.2.100): Requested NTLM scheme, but we have a NULL password
Feb 06 16:10:05 imap-login: Info: Disconnected (auth failed, 2 attempts): user=<pquesinb>, method=NTLM, rip=192.168.2.100, lip=192.168.2.102
Feb 06 16:11:54 auth(default): Info: password(pquesinb,192.168.2.100): Requested NTLM scheme, but we have a NULL password
Feb 06 16:12:04 auth(default): Info: password(pquesinb,192.168.2.100): Requested NTLM scheme, but we have a NULL password
Feb 06 16:12:16 imap-login: Info: Disconnected (auth failed, 2 attempts): user=<pquesinb>, method=NTLM, rip=192.168.2.100, lip=192.168.2.102


Next I decided to try 2.x and since I had installed 1.2.17 from source, I
thought it would be wise to install from an RPM which had been "blessed" for
CentOS 5, so 2.1.1 was installed from the RPMs linked to on the Dovecot
download site:
http://dl.atrpms.net/all/dovecot-2.1.1-2_132.el5.x86_64.rpm

Still no NTLM authentication with 2.x using PAM, so I decided to try
authenticating against the Samba 4 domain using Samba's winbind daemon and
ntlm_auth helper.  That still doesn't work, however, as seen in the following
log excerpt, but plaintext login, which is also enabled, works:
Feb 28 23:29:13 auth: Debug: auth client connected (pid=18518)
Feb 28 23:29:13 auth: Debug: client in: AUTH    1       NTLM    service=imap    lip=192.168.2.102       rip=192.168.2.100       lport=143       rport=4531
Feb 28 23:29:15 auth: Debug: client out: FAIL   1
Feb 28 23:29:15 auth: Debug: client in: AUTH    2       PLAIN   service=imap    lip=192.168.2.102       rip=192.168.2.100       lport=143       rport=4530      resp=AHBxdWVzaW5iAFN0ZXdCMHkv
Feb 28 23:29:17 auth: Debug: client out: CONT   1
Feb 28 23:29:17 auth: Debug: client in: CONT    1       TlRMTVxxxxxxxAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
Feb 28 23:29:17 auth: Error: could not obtain winbind netbios name!
Feb 28 23:29:17 auth: Error: could not obtain winbind domain name!
Feb 28 23:29:17 auth: Debug: client out: CONT   1       TlRMTVNTUAACAAAAGAAYADgAAAAFxxxxxxxxxSsAAAAAAAAAAIoAigBQAAAABgEAAAAAAA9IAEUAUgBTAEMASABMxxxxxxxxxxUATgACABgASABFAFIAUwBDAEgATABBAFUAUgBFAE4AAQAOAFMARQBSAFYARQBSADEABAAgAGgAZQByAHMAYwBoAGwAYQB1AHIAZQBuAC4AYwBvAG0AAwAwAFMAZQByAHYAZQByADEALgBoAGUAcgBzAGMAaABsAGEAdQByAGUAbgAuAGMAbwBtAAAAAAA=
Feb 28 23:29:17 auth: Debug: client in: CONT    1       TlRMTVNTUAADAAAAGAAYAGoAAAC6ALoAggAAAAAAAABIAAAAEAAQAEgAAAASABIAWAAAAAAAAAAxxxxxxxxKIogUBKAoAAAAPcABxAHUAZQBzAGkAbgBiAFEAUwBFAC0AVwxxxxxxxx+cYeYzU98pxsa17QyN6VD8kE2RibAjNedd/ooN2y4/uSr/ZQYxxxxxxxxxU1Fs4BjelQ/JBNkYkAAAAAAgAYAEgARQBSAFMAQwBIAEwAQQBVAFIARQBOAAEADgBTAEUAUgBWAEUAUgAxAAQAIABoAGUAcgBzAGMAaABsAGEAdQBxxxxxxxxxxbwBtAAMAMABTAGUAcgB2AGUAcgAxAC4AaABlAHIAcwBjAGxxxxxxxxxxxxlAG4ALgBjAG8AbQAAAAAAAAAAAA==
Feb 28 23:29:17 auth: Info: winbind(?,192.168.2.100): user not authenticated: NT_STATUS_UNSUCCESSFUL
Feb 28 23:29:19 auth: Debug: cache(pquesinb,192.168.2.100): miss
Feb 28 23:29:19 auth-worker(18524): Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Feb 28 23:29:19 auth: Debug: client out: FAIL   1
Feb 28 23:29:19 auth: Debug: client in: AUTH    2       PLAIN   service=imap    lip=192.168.2.102       rip=192.168.2.100       lport=143       rport=4531      resp=AHBxdWVzaW5iAFN0ZXdCMHkv
Feb 28 23:29:19 auth-worker(18524): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
Feb 28 23:29:19 auth-worker(18524): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_pgsql.so
Feb 28 23:29:19 auth-worker(18524): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Feb 28 23:29:19 auth-worker(18524): Debug: pam(pquesinb,192.168.2.100): lookup service=dovecot
Feb 28 23:29:19 auth-worker(18524): Debug: pam(pquesinb,192.168.2.100): #1/1 style=1 msg=Password:
Feb 28 23:29:19 auth: Debug: client out: OK     2       user=pquesinb
Feb 28 23:29:19 auth: Debug: master in: REQUEST 751435777       18513   2       db445872b80e33772b5f0d35d50af3d1
Feb 28 23:29:19 auth: Debug: userdb-cache(pquesinb,192.168.2.100): miss
Feb 28 23:29:19 auth: Debug: passwd(pquesinb,192.168.2.100): lookup
Feb 28 23:29:19 auth: Debug: master out: USER   751435777       pquesinb        system_groups_user=pquesinb     uid=507 gid=508 home=/home/pquesinb
Feb 28 23:29:19 imap-login: Info: Login: user=<pquesinb>, method=PLAIN, rip=192.168.2.100, lip=192.168.2.102, mpid=18526
Feb 28 23:29:27 auth: Debug: cache(pquesinb,192.168.2.100): hit: {SHA1}+2ZUmdHOxxxxxxxxxxxxOLinOC0=     user=pquesinb   user=pquesinb
Feb 28 23:29:27 auth: Debug: client out: OK     2       user=pquesinb
Feb 28 23:29:27 auth: Debug: master in: REQUEST 3169320961      18518   2       6bd7b4fd283994029394360a2f5b4048
Feb 28 23:29:27 auth: Debug: userdb-cache(pquesinb,192.168.2.100): hit: pquesinb        system_groups_user=pquesinb     uid=507 gid=508 home=/home/pquesinb
Feb 28 23:29:27 auth: Debug: master out: USER   3169320961      pquesinb        system_groups_user=pquesinb     uid=507 gid=508 home=/home/pquesinb
Feb 28 23:29:27 imap-login: Info: Login: user=<pquesinb>, method=PLAIN, rip=192.168.2.100, lip=192.168.2.102, mpid=18531
Feb 28 23:30:00 imap(pquesinb): Info: Disconnected: Logged out in=861 out=31433
Feb 28 23:30:00 imap(pquesinb): Info: Disconnected: Logged out in=120 out=739

 
Here is the -n output for both 2.11 and 1.07; login/mail executables and
plugins are present within the configured paths for both versions:

Config output for 2.11:
[root@Server1 log]# dovecot -n
# 2.1.1: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-348.1.1.el5.centos.plusxen x86_64 CentOS release 5.9 (Final)
auth_cache_size = 16 M
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = ntlm plain
auth_use_winbind = yes
auth_verbose = yes
disable_plaintext_auth = no
info_log_path = /var/log/dovecot.log
listen = *
log_path = /var/log/dovecot.log
mail_location = maildir:~/Maildir
maildir_very_dirty_syncs = yes
passdb {
  args = cache_key=%u dovecot
  driver = pam
}
passdb {
  driver = shadow
}
protocols = imap pop3
service auth {
  executable = /usr/libexec/dovecot/auth
  user = root
}
service imap-login {
  client_limit = 256
  executable = /usr/libexec/dovecot/imap-login
  process_limit = 128
  user = dovecot
  vsz_limit = 64 M
}
service imap {
  executable = /usr/libexec/dovecot/imap
  process_limit = 64
}
service pop3-login {
  client_limit = 256
  process_limit = 128
  user = dovecot
  vsz_limit = 64 M
}
service pop3 {
  process_limit = 64
}
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}
verbose_proctitle = yes
protocol imap {
  imap_client_workarounds =
  mail_plugin_dir = /usr/local/lib/dovecot/imap
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}
protocol lda {
  mail_plugin_dir = /usr/local/lib/dovecot/lda
}



Here is the config output from the 1.07 version, which worked:

[root@Server1 init.d]# dovecot107 -n
# 1.0.7: /etc/dovecot.conf
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
mail_location: maildir:~/Maildir
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
auth default:
  mechanisms: ntlm plain
  passdb:
    driver: passwd-file
    args: /etc/dovecot.users
  passdb:
    driver: pam
    args: cache_key=%u dovecot
  userdb:
    driver: passwd


I'm fairly new to Dovecot, so if someone out there could at least point me
in the right direction in order to help me better understand why things
aren't working with the newer versions I would really appreciate it.

Many thanks,

Phil Quesinberry
Q Systems Engineering, Inc.
Embedded Systems Hardware/Software Development and VoIP Business Telephone
Hosting
Improve your business telephone services and save money
(410) 969-8002
http://www.qsystemsengineering.com
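Added example for readers of this thread (not part of Phil's post, and not Dovecot code): a small triage script for auth_debug logs of the kind quoted above. It pairs each "client in: AUTH <id> <mechanism>" line with its "client out: OK|FAIL <id>" verdict so that the per-mechanism picture (NTLM failing, PLAIN succeeding) falls out directly; it reads the NTLMSSP message type out of the base64 CONT payloads (the TlRMTVNTUAAC and TlRMTVNTUAAD prefixes in the excerpt are the type 2 challenge and type 3 authenticate messages, since the payload starts with the 8-byte "NTLMSSP\0" signature followed by a little-endian message type); it maps the failure strings seen in the thread to what they mean, in particular "Requested NTLM scheme, but we have a NULL password", which Dovecot logs when the passdb cannot hand back a password for a challenge-response mechanism (NTLM needs the plaintext or NT-hashed password from the passdb, and a PAM passdb can only answer yes or no to a plaintext password); and it masks the resp= field of PLAIN requests, which with auth_debug_passwords = yes is simply the base64 of NUL, user, NUL, password, so such a log is a credential until redacted. All log lines, the user "alice", the password and the NTLM blobs are constructed for the example.

```python
"""Triage helpers for Dovecot auth_debug log excerpts (added example, not Dovecot code)."""
import base64
import re
import struct
from collections import Counter, defaultdict

# SASL PLAIN carries base64(NUL + authzid + NUL + authcid + NUL + password), so with
# auth_debug_passwords=yes the resp= field in the log is the password. Made-up credentials.
PLAIN_RESP = base64.b64encode(b"\x00alice\x00secret").decode()


def build_ntlmssp(msg_type, body=b"\x00" * 24):
    """Constructed minimal NTLMSSP message: 8-byte signature, little-endian type, zeroed body."""
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", msg_type) + body).decode()


# Constructed lines in the style of Dovecot 2.x (and one 1.2.x) auth_debug output.
SAMPLE_LOG = f"""\
Feb 28 23:29:13 auth: Debug: client in: AUTH\t1\tNTLM\tservice=imap\tlip=192.168.2.102\trip=192.168.2.100
Feb 28 23:29:17 auth: Debug: client out: CONT\t1
Feb 28 23:29:17 auth: Debug: client in: CONT\t1\t{build_ntlmssp(1)}
Feb 28 23:29:17 auth: Error: could not obtain winbind netbios name!
Feb 28 23:29:17 auth: Debug: client out: CONT\t1\t{build_ntlmssp(2)}
Feb 28 23:29:17 auth: Debug: client in: CONT\t1\t{build_ntlmssp(3)}
Feb 28 23:29:17 auth: Info: winbind(?,192.168.2.100): user not authenticated: NT_STATUS_UNSUCCESSFUL
Feb 28 23:29:19 auth: Debug: client out: FAIL\t1
Feb 28 23:29:19 auth: Debug: client in: AUTH\t2\tPLAIN\tservice=imap\tlip=192.168.2.102\trip=192.168.2.100\tresp={PLAIN_RESP}
Feb 28 23:29:19 auth: Debug: client out: OK\t2\tuser=alice
Feb 06 16:09:46 auth(default): Info: password(alice,192.168.2.100): Requested NTLM scheme, but we have a NULL password
"""

AUTH_IN = re.compile(r"client in: AUTH\s+(\d+)\s+(\S+)")
VERDICT = re.compile(r"client out: (OK|FAIL)\s+(\d+)")
CONT_BLOB = re.compile(r"client (?:in|out): CONT\s+\d+\s+(\S+)")
RESP_FIELD = re.compile(r"(resp=)\S+")

# Failure strings quoted in the thread and what each one tells the operator.
KNOWN_CAUSES = (
    ("Requested NTLM scheme, but we have a NULL password",
     "passdb returned no password: NTLM is challenge-response and needs the plaintext or "
     "NT-hashed password from the passdb; a PAM passdb can only verify a plaintext one"),
    ("could not obtain winbind",
     "the ntlm_auth helper did not return the NetBIOS/domain name, which usually means "
     "it cannot talk to winbindd"),
    ("NT_STATUS_UNSUCCESSFUL",
     "winbind rejected the NTLM exchange; the helper and domain membership need checking"),
)


def ntlmssp_message_type(b64blob):
    """Return the NTLMSSP message type (1 negotiate, 2 challenge, 3 authenticate) of a
    base64 CONT payload, or None if it is not a well-formed NTLMSSP message
    (e.g. a redacted blob or a non-NTLM mechanism)."""
    try:
        raw = base64.b64decode(b64blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack_from("<I", raw, 8)[0]


def correlate_auth(lines):
    """Pair each AUTH request id with its mechanism and final OK/FAIL verdict.
    Ids are small and reused per client connection, so a new AUTH with the same id
    starts a new record."""
    pending, results = {}, []
    for line in lines:
        m = AUTH_IN.search(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = VERDICT.search(line)
        if m and m.group(2) in pending:
            results.append((m.group(2), pending.pop(m.group(2)), m.group(1)))
    return results


def outcome_by_mechanism(lines):
    """{"NTLM": {"FAIL": 1}, "PLAIN": {"OK": 1}} for the sample above."""
    counts = defaultdict(Counter)
    for _, mech, verdict in correlate_auth(lines):
        counts[mech][verdict] += 1
    return {mech: dict(c) for mech, c in counts.items()}


def ntlm_exchange_types(lines):
    """NTLMSSP message types carried in CONT payloads, in log order."""
    types = []
    for line in lines:
        m = CONT_BLOB.search(line)
        if m and (t := ntlmssp_message_type(m.group(1))) is not None:
            types.append(t)
    return types


def explain_failures(lines):
    """(line, explanation) for every line matching a known NTLM failure string."""
    return [(line, why) for line in lines
            for needle, why in KNOWN_CAUSES if needle in line]


def redact_plain_responses(line):
    """Mask the resp= payload so the log can be shared without leaking the password."""
    return RESP_FIELD.sub(r"\1<redacted>", line)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(outcome_by_mechanism(lines), ntlm_exchange_types(lines))
    for line, why in explain_failures(lines):
        print(redact_plain_responses(line), "->", why)
```

Run against a real log, redact first and share only the redacted copy; the per-mechanism table plus the explanation list is usually enough to tell a passdb-capability problem (no password available for NTLM) from a winbind/ntlm_auth plumbing problem.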
 

