I'm trying to get NTLM authentication working with Dovecot to authenticate Postfix SMTP clients.
I can authenticate postfix smtp clients using the plain text login mechanism through winbind. However, using the NTLM mechanism gives me an error in my maillog that says: "dovecot: auth: winbind(?,10.20.2.0): user not authenticated: NT_STATUS_UNSUCCESSFUL".
At this point, I'm rather stuck. It appears PAM and winbind work for authenticating with AD because it works with the plain text mechanism, but I'm missing something with the NTLM authentication method.
Any suggestions as to what I've got wrong, or other logging I can turn up / examine that might shed some light on this?
When I use the LOGIN mechanism I see this in the mail logging and the message is relayed:
Jun 21 13:12:58 SBSMTPNV05 postfix/smtpd[1501]: connect from nvit01b.mydomain.com[10.20.2.**0] Jun 21 13:12:58 SBSMTPNV05 dovecot: auth: Debug: auth client connected (pid=1501) Jun 21 13:12:58 SBSMTPNV05 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=**smtp#011nologin#011lip=10.20.**4 .12#011rip=10.20.2.0#011resp=**AG[...snip...]g== Jun 21 13:12:58 SBSMTPNV05 dovecot: auth: Debug: pam(myusername,10.20.2.0): lookup service=dovecot Jun 21 13:12:58 SBSMTPNV05 dovecot: auth: Debug: pam(myusername,10.20.2.0): #1/1 style=1 msg=Password: Jun 21 13:12:58 SBSMTPNV05 dovecot: auth: Debug: client out: OK#0111#011user=myusername Jun 21 13:12:58 SBSMTPNV05 postfix/smtpd[1501]: 54EAF8059B: client= nvit01b.mydomain.com[**10.20.2.0], sasl_method=PLAIN, sasl_username=myusername Jun 21 13:12:58 SBSMTPNV05 postfix/cleanup[1504]: 54EAF8059B: message-id=< 51C4B3C8.30008@**domain1.com 51C4B3C8.30008@domain1.com> Jun 21 13:12:58 SBSMTPNV05 postfix/qmgr[1499]: 54EAF8059B: from=< someone@domain1.com>, size=2700, nrcpt=1 (queue active) Jun 21 13:12:58 SBSMTPNV05 postfix/smtpd[1501]: disconnect from nvit01b.mydomain.com[10.20.2.**0] Jun 21 13:12:59 SBSMTPNV05 postfix/smtp[1505]: 54EAF8059B: to=< someone@gmail.com>, relay=gmail-smtp-in.l.google.**comhttp://gmail-smtp-in.l.google.com/[74.125.25.27]:25, delay=1.2, delays=0.23/0.04/0.16/0.72, dsn=2.0.0, status=sent (250 2.0.0 OK 1371845579 wf5si3786287pab.138 - gsmtp) Jun 21 13:12:59 SBSMTPNV05 postfix/qmgr[1499]: 54EAF8059B: removed
I also see this in the secure log:
Jun 21 13:12:58 SBSMTPNV05 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=myusername rhost=10.20.2.0 user=myusername Jun 21 13:12:58 SBSMTPNV05 auth: pam_winbind(dovecot:auth): getting password (0x00000010) Jun 21 13:12:58 SBSMTPNV05 auth: pam_winbind(dovecot:auth): pam_get_item returned a password Jun 21 13:12:58 SBSMTPNV05 auth: pam_winbind(dovecot:auth): user 'myusername' granted access Jun 21 13:12:58 SBSMTPNV05 auth: pam_winbind(dovecot:account): user 'myusername' granted access
However, when I switch the mechanism to NTLM in the Thurnderbird MUA I see this:
Jun 21 13:15:46 SBSMTPNV05 postfix/smtpd[1506]: connect from nvit01b.mydomain.com[10.20.2.**0] Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/**libauthdb_ldap.so Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/**libdriver_sqlite.so Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/**libmech_gssapi.so Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: auth client connected (pid=1506) Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: client in: AUTH#0111#011NTLM#011service=**smtp#011nologin#011lip=10.20.**4. 12#011rip=10.20.2.0#011resp=**TlRMT[...snip...]A= Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: client out: CONT#0111#011TlRMT[[...snip...**]A Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: client in: CONT#0111#011TlRMT[...snip...]**A= Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: winbind(?,10.20.2.0): user not authenticated: NT_STATUS_UNSUCCESSFUL Jun 21 13:15:48 SBSMTPNV05 postfix/smtpd[1506]: warning: nvit01b.mydomain.com[10.20.2.**0]: SASL NTLM authentication failed: TlRMT[...snip...]A Jun 21 13:15:48 SBSMTPNV05 dovecot: auth: Debug: client out: FAIL#0111 Jun 21 13:15:49 SBSMTPNV05 postfix/smtpd[1506]: disconnect from nvit01b.mydomain.com[10.20.2.**0]
with nothing in the secure log and I don't see anything show up in the winbind logs either.
I've reviewed these pages as reference, and I'm not sure what I'm missing: http://wiki2.dovecot.org/**HowTo/ActiveDirectoryNtlmhttp://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm http://wiki2.dovecot.org/**Authentication/Mechanisms/NTLMhttp://wiki2.dovecot.org/Authentication/Mechanisms/NTLM http://www.dovecot.org/list/**dovecot/2008-December/035630.**htmlhttp://www.dovecot.org/list/dovecot/2008-December/035630.html http://www.dovecot.org/list/**dovecot/2010-February/046763.**htmlhttp://www.dovecot.org/list/dovecot/2010-February/046763.html http://blog.al-shami.net/2008/**05/freebsd-postfix-dovecot-** and-active-directory/http://blog.al-shami.net/2008/05/freebsd-postfix-dovecot-and-active-director... http://wiki2.dovecot.org/**HowTo/PostfixAndDovecotSASLhttp://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL
Here's some of my relevant configuration as I understand it:
I've joined the computer to the AD domain. The wbinfo tests work fine: # wbinfo -t checking the trust secret for domain MYDOMAIN via RPC calls succeeded
# doveconf -n
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-358.11.1.el6.x86_64 x86_64 CentOS release 6.4 (Final)
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_username_format = %Lu
listen = *
mbox_write_locks = fcntl
passdb {
driver = pam
}
service auth {
unix_listener /var/spool/postfix/private/**auth {
group = postfix
mode = 0666
user = postfix
}
}
ssl_cert = dovecot.pem
ssl_key =
//////////////////// # postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 7
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
line_length_limit = 6144
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = srvsbsmtp05.mydomain.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/**README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/**samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_sasl_authenticated,**reje
ct_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
unknown_local_recipient_**reject_code = 550 ///////////////////// # cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log [libdefaults]
default_realm = MYDOMAIN.COM http://mydomain.com/
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true [domain_realm]
.mydomain.com = MYDOMAIN.COM http://mydomain.com/
mydomain.com = MYDOMAIN.COM http://mydomain.com/ //////////////////// 3 host/sbsmtpnv05.mydomain.com@**MYDOMAIN.COMsbsmtpnv05.mydomain.com@MYDOMAIN.COM
(des-cbc-crc)
3 host/sbsmtpnv05.mydomain.com@**MYDOMAIN.COMsbsmtpnv05.mydomain.com@MYDOMAIN.COM
(des-cbc-md5)
3 host/sbsmtpnv05.mydomain.com@**MYDOMAIN.COMsbsmtpnv05.mydomain.com@MYDOMAIN.COM
(arcfour-hmac)
3 host/sbsmtpnv05.mydomain.com@**MYDOMAIN.COMsbsmtpnv05.mydomain.com@MYDOMAIN.COM
(aes128-cts-hmac-sha1-96)
3 host/sbsmtpnv05.mydomain.com@**MYDOMAIN.COMsbsmtpnv05.mydomain.com@MYDOMAIN.COM
(aes256-cts-hmac-sha1-96)
3 host/sbsmtpnv05@MYDOMAIN.COM (des-cbc-crc)
3 host/sbsmtpnv05@MYDOMAIN.COM (des-cbc-md5)
3 host/sbsmtpnv05@MYDOMAIN.COM (arcfour-hmac)
3 host/sbsmtpnv05@MYDOMAIN.COM (aes128-cts-hmac-sha1-96)
3 host/sbsmtpnv05@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
3 SBSMTPNV05$@MYDOMAIN.COM http://mydomain.com/ (des-cbc-crc)
3 SBSMTPNV05$@MYDOMAIN.COM http://mydomain.com/ (des-cbc-md5)
3 SBSMTPNV05$@MYDOMAIN.COM http://mydomain.com/ (arcfour-hmac)
3 SBSMTPNV05$@MYDOMAIN.COM http://mydomain.com/
(aes128-cts-hmac-sha1-96)
3 SBSMTPNV05$@MYDOMAIN.COM http://mydomain.com/
(aes256-cts-hmac-sha1-96)
5 smtp/sbsmtpnv05.mydomain.com@**MYDOMAIN.COMsbsmtpnv05.mydomain.com@MYDOMAIN.COM
(des-cbc-crc)
5 smtp/sbsmtpnv05.mydomain.com@**MYDOMAIN.COMsbsmtpnv05.mydomain.com@MYDOMAIN.COM
(des-cbc-md5)
5 smtp/sbsmtpnv05.mydomain.com@**MYDOMAIN.COMsbsmtpnv05.mydomain.com@MYDOMAIN.COM
(arcfour-hmac)
5 smtp/sbsmtpnv05.mydomain.com@**MYDOMAIN.COMsbsmtpnv05.mydomain.com@MYDOMAIN.COM
(aes128-cts-hmac-sha1-96)
5 smtp/sbsmtpnv05.mydomain.com@**MYDOMAIN.COMsbsmtpnv05.mydomain.com@MYDOMAIN.COM
(aes256-cts-hmac-sha1-96) //////////////////// Samba config:
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM http://mydomain.com/
server string = Samba Server Version %v
security = ADS
kerberos method = system keytab
log file = /var/log/samba/log.%m
max log size = 50
printcap name = /dev/null
domain master = No
template shell = /bin/bash
winbind separator = +
winbind use default domain = Yes
idmap config * : range = 10000-50000
idmap config * : backend = tdb
printing = bsd
cups options = raw
print command = lpr -r -P'%p' %s
lpq command = lpq -P'%p'
lprm command = lprm -P'%p' %jsystem keytab:
# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------**------------------------------**