I've posted questions on this before, but now I really, really need a solution.
Using Dovecot 2.2.33.2
We've been using Dovecot as IMAP server for several years on a Linux host which is also the Active Directory / Domain Controller. We have both Thunderbird and Outlook clients. The Thunderbird clients authenticate w/o problem with AD credentials using Kerberos/GSSAPI.
I've never been able to get the Outlook clients to authenticate using domain credentials, so I've also hard-coded user and password into /etc/passwd and let the Dovecot authenticate via PLAIN LOGIN. Now, however, I am mandated to switch all users to Outlook, so I need an AD credential solution.
I found https://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm and followed those instructions. The first problem I ran into was in Step 3 where it said to put the following line in the config:
auth_ntlm_use_winbind = yes
This gave me an error when I restarted Dovecot:
Restarting Dovecotdoveconf: Fatal: Error in configuration file /usr/local/etc/dovecot/conf.d/10-auth.conf line 84: Unknown setting: auth_ntlm_use_winbind
googling this error indicated that this was a version 1.x directive and 2.x used only auth_use_winbind. I removed the auth_ntlm_use_winbind and Dovecot restart. If this is true, the wiki should be updated since it purports to be a version 2.x wiki. I followed the rest of the instructions on that wiki and my modified config is:
$ doveconf -n # 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf # OS: Linux 4.4.157 x86_64 Slackware 14.2 auth_debug = yes auth_debug_passwords = yes auth_gssapi_hostname = $ALL auth_krb5_keytab = /etc/dovecot/dovecot.keytab auth_mechanisms = plain login gssapi ntlm auth_use_winbind = yes auth_username_format = %n auth_verbose = yes auth_verbose_passwords = plain disable_plaintext_auth = no info_log_path = /var/log/dovecot_info mail_location = maildir:~/Maildir passdb { driver = shadow } protocols = imap ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt ssl_key = # hidden, use -P to show it userdb { driver = passwd } verbose_ssl = yes
New additions to my pre-ntlm conf is only the 'ntlm' added the the auth_mechanism and:
auth_winbind_helper_path = /usr/bin/ntlm_auth
which interestingly doesn't show into the 'doveconf -n' output, above. Is it a default?
I then attempted to connect from Outlook and got the error:
auth: Info: ntlm(?,192.168.0.58,<qd9nulmB4sLAqAA6>): ntlm_auth reports broken helper: NT_STATUS_UNSUCCESSFUL
After more searching I came across this post, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263 which, in summary, said that ntlm_auth had to run as root. So, I added the following to my dovecot config per that post's suggestion:
service auth { user = root }
After restarting and trying again to connect from Outlook I got the message:
auth: Info: ntlm(?,192.168.0.58,<SCINjFqBKcXAqAA6>): user not authenticated: NT_STATUS_NO_MEMORY
At this point I've been unable to find a solution to this error. I've listed the entire dovecot log output for this last attempt to connect from Outlook below.
Has anyone in the Universe successfully connected from Outlook using active domain credentials? If so, what's the secret? What am I not doing correctly?
Thanks for any and all help! --Mark
dovecot log:
Feb 07 23:39:40 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth Feb 07 23:39:40 auth: Debug: Module loaded: /usr/local/lib/dovecot/auth/lib20_auth_var_expand_crypt.so Feb 07 23:39:40 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat Feb 07 23:39:40 auth: Debug: auth client connected (pid=16357) Feb 07 23:39:40 auth: Debug: client in: AUTH 1 NTLM service=imap session=SCINjFqBKcXAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=50473 Feb 07 23:39:40 auth: Debug: client passdb out: CONT 1 Feb 07 23:39:40 auth: Debug: client in: CONT 1 TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw== (previous base64 data may contain sensitive data) Feb 07 23:39:40 auth: Debug: client passdb out: CONT 1 TlRMTVNTUAACAAAACAAIADgAAAAFgomifTyOI3AwfogAAAAAAAAAAGIAYgBAAAAABgEAAAAAAA9IAFAAUgBTAAIACABIAFAAUgBTAAEACABNAEEASQBMAAQAFABoAHAAcgBzAC4AbABvAGMAYQBsAAMAHgBtAGEAaQBsAC4AaABwAHIAcwAuAGwAbwBjAGEAbAAHAAgAVIrLTWi/1AEAAAAA Feb 07 23:39:40 auth: Debug: client in: CONT 1 TlRMTVNTUAADAAAAGAAYAGwAAAD8APwAhAAAAAAAAABYAAAACAAIAFgAAAAMAAwAYAAAAAAAAACAAQAABYKIogYBsR0AAAAPEulY2h+wL/nnNAXbmMSVx20AYQByAGsAQwBPAE0ATQBPAE4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA5+rNhVU1odt5650z/pNVpQEBAAAAAAAAVIrLTWi/1AFg5+W08PtmxQAAAAACAAgASABQAFIAUwABAAgATQBBAEkATAAEABQAaABwAHIAcwAuAGwAbwBjAGEAbAADAB4AbQBhAGkAbAAuAGgAcAByAHMALgBsAG8AYwBhAGwABwAIAFSKy01ov9QBBgAEAAIAAAAIADAAMAAAAAAAAAABAAAAACAAAOity40ZG1J9BpqGn4TwBjP02UByQ6D/OUD6DrRDhg+3CgAQAAAAAAAAAAAAAAAAAAAAAAAJABIAaQBtAGEAcAAvAG0AYQBpAGwAAAAAAAAAAAAAAAAA (previous base64 data may contain sensitive data) Feb 07 23:39:40 auth: Info: ntlm(?,192.168.0.58,<SCINjFqBKcXAqAA6>): user not authenticated: NT_STATUS_NO_MEMORY Feb 07 23:39:42 auth: Debug: client passdb out: FAIL 1