Dovecot+Samba AD - authentication failure - SOLVED
Odhiambo Washington
odhiambo at gmail.com
Tue Nov 24 13:20:43 EET 2020
On Sun, 22 Nov 2020 at 15:08, Odhiambo Washington <odhiambo at gmail.com>
wrote:
> Hi,
>
> I have setup samba4 as AD and hoping to have dovecot authenticate users
> against it. I am facing challenges though and I am unable to figure it out.
> I could do with a third eye to help me spot what is wrong.
>
>
> root at adc0:/etc# doveadm auth test -x service=imap
> odhiambo at newideatest.local
> Password:
> passdb: odhiambo at newideatest.local auth failed
> extra fields:
> temp
> Warning: auth-client: conn unix:/var/run/dovecot/auth-client: Auth
> connection closed with 1 pending requests (max 0 secs, pid=10537, EOF)
> Fatal: Couldn't connect to auth socket
>
> A test against IMAP gives the following debug information:
> Nov 22 14:31:01 auth: Debug: Loading modules from directory:
> /usr/lib/dovecot/modules/auth
> Nov 22 14:31:01 auth: Debug: Module loaded:
> /usr/lib/dovecot/modules/auth/lib20_auth_var_expand_crypt.so
> Nov 22 14:31:01 auth: Debug: Module loaded:
> /usr/lib/dovecot/modules/auth/libdriver_mysql.so
> Nov 22 14:31:01 auth: Debug: Loading modules from directory:
> /usr/lib/dovecot/modules/auth
> Nov 22 14:31:01 auth: Debug: Module loaded:
> /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
> Nov 22 14:31:01 auth: Debug: Read auth token secret from
> /var/run/dovecot/auth-token-secret.dat
> Nov 22 14:31:01 auth: Debug: auth client connected (pid=10979)
> Nov 22 14:31:08 auth: Debug: client in: AUTH 1 PLAIN
> service=imap secured session=uPLvabC0RIh/AAAB lip=127.0.0.1
> rip=127.0.0.1 lport=143 rport=34884 resp=<hidden>
> Nov 22 14:31:08 auth: Debug: ldap(odhiambo at newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>):
> Performing passdb lookup
> Nov 22 14:31:08 auth: Debug: ldap(odhiambo at newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>):
> bind search: base=cn=Users,dc=NEWIDEATEST,dc=LOCAL
> filter=(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=odhiambo at newideatest.local
> ))
> Nov 22 14:31:08 auth: Debug: ldap(odhiambo at newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>):
> no fields returned by the server *< ====================*
> Nov 22 14:31:08 auth: Debug: ldap(odhiambo at newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>):
> Finished passdb lookup
> Nov 22 14:31:08 auth: Debug: auth(odhiambo at newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>):
> Auth request finished
> Nov 22 14:31:10 auth: Debug: client passdb out: FAIL 1
> user=odhiambo at newideatest.local
>
> info.log:
>
> Nov 22 14:31:08 auth: Info: ldap(odhiambo at newideatest.local
> ,127.0.0.1,<uPLvabC0RIh/AAAB>):* unknown user* (given password: XXXXXXX)
> Nov 22 14:31:15 imap-login: Info: Aborted login (auth failed, 1 attempts
> in 7 secs): user=<odhiambo at newideatest.local>, method=PLAIN,
> rip=127.0.0.1, lip=127.0.0.1, secured, session=<uPLvabC0RIh/AAAB>
>
>
> Here is my doveconf -n:
>
> https://paste.ubuntu.com/p/SPmrxZxHPx/
>
> My dovecot-ldap.cont.ext:
>
> uris = ldap://localhost/
> dn = "dovecot at newideatest.local"
> dnpass = "XXXXXXXX"
> sasl_bind = no
> tls = no
> ldap_version = 3
> deref = never
> scope = subtree
> base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
> auth_bind = yes
> user_filter =
> (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(mail=%u)(sAMAccountName=%u)(otherMailbox=%u)))
> user_attrs =
> sAMAccountName=user,userPassword=password,=mail=maildir:/home/%n/Maildir/
> pass_filter =
> (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=%u))
> pass_attrs = sAMAccountName=user,userPassword=password
>
> The use exists in the database:
>
> *root at adc0:/var/log/dovecot# samba-tool user show odhiambo*
> ldb_wrap open of secrets.ldb
> dn: CN=Odhiambo Washington,CN=Users,DC=newideatest,DC=local
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Odhiambo Washington
> sn: Washington
> givenName: Odhiambo
> instanceType: 4
> whenCreated: 20201120101420.0Z
> displayName: Odhiambo Washington
> uSNCreated: 4086
> name: Odhiambo Washington
> objectGUID: e6969596-8b28-41af-b5d8-cea63cc97f98
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-701866827-3355127779-3787685610-1106
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: odhiambo
> sAMAccountType: 805306368
> userPrincipalName: odhiambo at newideatest.local
> objectCategory:
> CN=Person,CN=Schema,CN=Configuration,DC=newideatest,DC=local
> mail: odhiambo at newideatest.local
> loginShell: /bin/bash
> userAccountControl: 512
> pwdLastSet: 132505181852397220
> whenChanged: 20201122112945.0Z
> uSNChanged: 4104
> distinguishedName: CN=Odhiambo Washington,CN=Users,DC=newideatest,DC=local
>
For the record, this is what I finally came up with that worked -
dovecot-ldap.conf.ext:
##### BEGIN
uris = ldap://localhost/
dn = "dovecot at newideatest.local"
dnpass = "verystupid"
sasl_bind = no
tls = no
ldap_version = 3
deref = never
scope = subtree
base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
auth_bind = yes
#user_filter = (mail=%u)
#pass_filter = (mail=%u)
#pass_attrs = mail=%u,= userPassword=password
user_filter =
(&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter =
(&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs = userPassword=password
user_attrs =
=home=/var/spool/virtual/%Ld/%Ln/Maildir/,=mail=maildir:/var/spool/virtual/%Ld/%Ln/Maildir/
default_pass_scheme = CRYPT
##### END
Also to add:
1. If you use the commented out filters, the authentication is very fast
2. If you use the uncommented ones, it's a bit slow.
Choose your poison, as YMMV.
Adios.
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20201124/1171222e/attachment.html>
More information about the dovecot
mailing list