I'm trying to get NTLM authentication working with Dovecot to authenticate Postfix SMTP clients.
I can authenticate postfix smtp clients using the plain text login mechanism through winbind. However, using the NTLM mechanism gives me an error in my maillog that says: "dovecot: auth: winbind(?,10.20.2.0): user not authenticated: NT_STATUS_UNSUCCESSFUL".
At this point, I'm rather stuck. It appears PAM and winbind work for authenticating with AD because it works with the plain text mechanism, but I'm missing something with the NTLM authentication method.
Any suggestions as to what I've got wrong, or other logging I can turn up / examine that might shed some light on this?
When I use the LOGIN mechanism I see this in the mail logging and the message is relayed:
Jun 21 13:12:58 SBSMTPNV05 postfix/smtpd[1501]: connect from nvit01b.mydomain.com[10.20.2.0]
Jun 21 13:12:58 SBSMTPNV05 dovecot: auth: Debug: auth client connected (pid=1501)
Jun 21 13:12:58 SBSMTPNV05 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=10.20.4.12#011rip=10.20.2.0#011resp=AG[...snip...]g==
Jun 21 13:12:58 SBSMTPNV05 dovecot: auth: Debug: pam(myusername,10.20.2.0): lookup service=dovecot
Jun 21 13:12:58 SBSMTPNV05 dovecot: auth: Debug: pam(myusername,10.20.2.0): #1/1 style=1 msg=Password:
Jun 21 13:12:58 SBSMTPNV05 dovecot: auth: Debug: client out: OK#0111#011user=myusername
Jun 21 13:12:58 SBSMTPNV05 postfix/smtpd[1501]: 54EAF8059B: client=nvit01b.mydomain.com[10.20.2.0], sasl_method=PLAIN, sasl_username=myusername
Jun 21 13:12:58 SBSMTPNV05 postfix/cleanup[1504]: 54EAF8059B: message-id=51C4B3C8.30008@domain1.com
Jun 21 13:12:58 SBSMTPNV05 postfix/qmgr[1499]: 54EAF8059B: from=someone@domain1.com, size=2700, nrcpt=1 (queue active)
Jun 21 13:12:58 SBSMTPNV05 postfix/smtpd[1501]: disconnect from nvit01b.mydomain.com[10.20.2.0]
Jun 21 13:12:59 SBSMTPNV05 postfix/smtp[1505]: 54EAF8059B: to=someone@gmail.com, relay=gmail-smtp-in.l.google.com[74.125.25.27]:25, delay=1.2, delays=0.23/0.04/0.16/0.72, dsn=2.0.0, status=sent (250 2.0.0 OK 1371845579 wf5si3786287pab.138 - gsmtp)
Jun 21 13:12:59 SBSMTPNV05 postfix/qmgr[1499]: 54EAF8059B: removed
I also see this in the secure log:
Jun 21 13:12:58 SBSMTPNV05 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=myusername rhost=10.20.2.0 user=myusername
Jun 21 13:12:58 SBSMTPNV05 auth: pam_winbind(dovecot:auth): getting password (0x00000010)
Jun 21 13:12:58 SBSMTPNV05 auth: pam_winbind(dovecot:auth): pam_get_item returned a password
Jun 21 13:12:58 SBSMTPNV05 auth: pam_winbind(dovecot:auth): user 'myusername' granted access
Jun 21 13:12:58 SBSMTPNV05 auth: pam_winbind(dovecot:account): user 'myusername' granted access
However, when I switch the mechanism to NTLM in the Thunderbird MUA I see this:
Jun 21 13:15:46 SBSMTPNV05 postfix/smtpd[1506]: connect from nvit01b.mydomain.com[10.20.2.0]
Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: auth client connected (pid=1506)
Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: client in: AUTH#0111#011NTLM#011service=smtp#011nologin#011lip=10.20.4.12#011rip=10.20.2.0#011resp=TlRMT[...snip...]A=
Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: client out: CONT#0111#011TlRMT[...snip...]A
Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: client in: CONT#0111#011TlRMT[...snip...]A=
Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: winbind(?,10.20.2.0): user not authenticated: NT_STATUS_UNSUCCESSFUL
Jun 21 13:15:48 SBSMTPNV05 postfix/smtpd[1506]: warning: nvit01b.mydomain.com[10.20.2.0]: SASL NTLM authentication failed: TlRMT[...snip...]A
Jun 21 13:15:48 SBSMTPNV05 dovecot: auth: Debug: client out: FAIL#0111
Jun 21 13:15:49 SBSMTPNV05 postfix/smtpd[1506]: disconnect from nvit01b.mydomain.com[10.20.2.0]
with nothing in the secure log and I don't see anything show up in the winbind logs either.
I've reviewed these pages as reference, and I'm not sure what I'm missing:
http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM
http://www.dovecot.org/list/dovecot/2008-December/035630.html
http://www.dovecot.org/list/dovecot/2010-February/046763.html
http://blog.al-shami.net/2008/05/freebsd-postfix-dovecot-and-active-director...
http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL
Here's some of my relevant configuration as I understand it:
I've joined the computer to the AD domain. The wbinfo tests work fine:
# wbinfo -t
checking the trust secret for domain MYDOMAIN via RPC calls succeeded
# doveconf -n
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-358.11.1.el6.x86_64 x86_64 CentOS release 6.4 (Final)
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_username_format = %Lu
listen = *
mbox_write_locks = fcntl
passdb {
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
ssl_cert =
////////////////////
# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 7
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
line_length_limit = 6144
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = srvsbsmtp05.mydomain.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
unknown_local_recipient_reject_code = 550
/////////////////////
# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM
////////////////////
system keytab:
# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
3 host/sbsmtpnv05.mydomain.com@MYDOMAIN.COM (des-cbc-crc)
3 host/sbsmtpnv05.mydomain.com@MYDOMAIN.COM (des-cbc-md5)
3 host/sbsmtpnv05.mydomain.com@MYDOMAIN.COM (arcfour-hmac)
3 host/sbsmtpnv05.mydomain.com@MYDOMAIN.COM (aes128-cts-hmac-sha1-96)
3 host/sbsmtpnv05.mydomain.com@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
3 host/sbsmtpnv05@MYDOMAIN.COM (des-cbc-crc)
3 host/sbsmtpnv05@MYDOMAIN.COM (des-cbc-md5)
3 host/sbsmtpnv05@MYDOMAIN.COM (arcfour-hmac)
3 host/sbsmtpnv05@MYDOMAIN.COM (aes128-cts-hmac-sha1-96)
3 host/sbsmtpnv05@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
3 SBSMTPNV05$@MYDOMAIN.COM (des-cbc-crc)
3 SBSMTPNV05$@MYDOMAIN.COM (des-cbc-md5)
3 SBSMTPNV05$@MYDOMAIN.COM (arcfour-hmac)
3 SBSMTPNV05$@MYDOMAIN.COM (aes128-cts-hmac-sha1-96)
3 SBSMTPNV05$@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
5 smtp/sbsmtpnv05.mydomain.com@MYDOMAIN.COM (des-cbc-crc)
5 smtp/sbsmtpnv05.mydomain.com@MYDOMAIN.COM (des-cbc-md5)
5 smtp/sbsmtpnv05.mydomain.com@MYDOMAIN.COM (arcfour-hmac)
5 smtp/sbsmtpnv05.mydomain.com@MYDOMAIN.COM (aes128-cts-hmac-sha1-96)
5 smtp/sbsmtpnv05.mydomain.com@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
////////////////////
Samba config:
[global]
 workgroup = MYDOMAIN
 realm = MYDOMAIN.COM
 server string = Samba Server Version %v
 security = ADS
 kerberos method = system keytab
 log file = /var/log/samba/log.%m
 max log size = 50
 printcap name = /dev/null
 domain master = No
 template shell = /bin/bash
 winbind separator = +
 winbind use default domain = Yes
 idmap config * : range = 10000-50000
 idmap config * : backend = tdb
 printing = bsd
 cups options = raw
 print command = lpr -r -P'%p' %s
 lpq command = lpq -P'%p'
 lprm command = lprm -P'%p' %j
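The NTLM failure above is logged as winbind(?,10.20.2.0), so the auth log never says which account the MUA actually presented. The exchange is fully visible in the debug lines, though: the Dovecot auth-client protocol frames (AUTH / CONT / OK / FAIL) are tab-separated, rsyslog has written each tab as #011, and the resp= and CONT payloads are base64 NTLMSSP messages (the TlRMT... prefix is "NTLM" in base64). The following is an added example, not code from the question, from Dovecot or from Samba: a small Python script that un-escapes the #ooo encoding, groups the frames by request id, decodes the NTLMSSP NEGOTIATE / CHALLENGE / AUTHENTICATE messages, and pulls the domain, user and workstation out of the AUTHENTICATE message. The log lines it reads are constructed inline in the shape of the post's lines (the hostname, IPs and user name are reused purely as sample values), and the NTLMSSP payloads are toy messages built by the script itself with zeroed LM/NT responses; the MS-NLMP field offsets used by the parser are the standard ones.

```python
import base64
import re
import struct

SIG = b"NTLMSSP\x00"
UNICODE_FLAG = 0x00000001            # NTLMSSP_NEGOTIATE_UNICODE: string buffers are UTF-16LE
MSG_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
LOG_RE = re.compile(r"dovecot: auth: Debug: client (?:in|out): (.*)$")


def _buf(data: bytes, offset: int) -> bytes:
    """NTLM security-buffer descriptor: (Len, MaxLen, BufferOffset)."""
    return struct.pack("<HHI", len(data), len(data), offset)


def build_negotiate(flags: int = UNICODE_FLAG) -> bytes:
    return SIG + struct.pack("<II", 1, flags) + _buf(b"", 32) + _buf(b"", 32)   # 32-byte header, no payload


def build_challenge(server_challenge: bytes, target: str, flags: int = UNICODE_FLAG) -> bytes:
    t = target.encode("utf-16-le")                       # 48-byte header, TargetName payload follows it
    return (SIG + struct.pack("<I", 2) + _buf(t, 48) + struct.pack("<I", flags)
            + server_challenge + b"\x00" * 8 + _buf(b"", 48 + len(t)) + t)


def build_authenticate(domain: str, user: str, workstation: str, lm_resp: bytes, nt_resp: bytes,
                       flags: int = UNICODE_FLAG) -> bytes:
    bufs = [lm_resp, nt_resp] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    descriptors, payload = b"", b""                      # header order: LM, NT, domain, user, wks, session key
    for b in bufs:
        descriptors += _buf(b, 64 + len(payload))        # payload starts right after the 64-byte header
        payload += b
    return SIG + struct.pack("<I", 3) + descriptors + struct.pack("<I", flags) + payload


def encode_ntlm(msg: bytes) -> str:
    return base64.b64encode(msg).decode("ascii")


def parse_ntlm(b64: str) -> dict:
    """Identify an NTLMSSP message; for AUTHENTICATE also extract domain/user/workstation."""
    raw = base64.b64decode(b64)
    if len(raw) < 12 or not raw.startswith(SIG):
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    info = {"type": msg_type, "name": MSG_NAMES.get(msg_type, "UNKNOWN")}
    if msg_type == 3 and len(raw) >= 64:
        enc = "utf-16-le" if struct.unpack_from("<I", raw, 60)[0] & UNICODE_FLAG else "latin-1"
        for key, off in (("domain", 28), ("user", 36), ("workstation", 44)):
            length, _, start = struct.unpack_from("<HHI", raw, off)
            info[key] = raw[start:start + length].decode(enc)
        info["nt_response_len"] = struct.unpack_from("<H", raw, 20)[0]   # 24 = NTLMv1, larger = NTLMv2 blob
    return info


def unescape_syslog(s: str) -> str:
    """rsyslog writes control characters as #ooo (octal); #011 is the TAB separating protocol fields."""
    return re.sub(r"#([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)


def _kv(items) -> dict:
    return dict(item.partition("=")[::2] for item in items)   # bare flags such as 'nologin' get value ''


def parse_auth_log(lines) -> dict:
    """Group Dovecot auth-client frames (AUTH/CONT/OK/FAIL) by request id and decode NTLM payloads."""
    requests = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        cmd, req_id, *rest = unescape_syslog(m.group(1)).split("\t")
        req = requests.setdefault(req_id, {"mechanism": None, "params": {}, "messages": [], "outcome": None})
        payload = None
        if cmd == "AUTH":                                # AUTH <id> <mech> key[=value]... [resp=<b64>]
            req["mechanism"] = rest[0]
            req["params"].update(_kv(rest[1:]))
            payload = req["params"].pop("resp", None)
        elif cmd == "CONT":                              # CONT <id> <b64>, in either direction
            payload = rest[0] if rest else None
        elif cmd in ("OK", "FAIL"):                      # OK/FAIL <id> [key=value ...]
            req["outcome"] = cmd
            req["params"].update(_kv(rest))
        if payload and req["mechanism"] == "NTLM":
            try:
                req["messages"].append(parse_ntlm(payload))
            except ValueError:                           # e.g. a [...snip...]'d value pasted from a post
                req["messages"].append({"type": None, "name": "UNDECODABLE"})
    return requests


def summarize(requests: dict) -> list:
    out = []
    for req_id, req in requests.items():
        who = next((m["domain"] + "\\" + m["user"] for m in req["messages"] if m.get("user")), "?")
        out.append(f"request {req_id}: mech={req['mechanism']} rip={req['params'].get('rip')} "
                   f"user={who} outcome={req['outcome']}")
    return out


def sample_log() -> list:
    """Constructed log lines in the shape of the post's, carrying toy NTLMSSP payloads built above."""
    neg = encode_ntlm(build_negotiate())
    chal = encode_ntlm(build_challenge(b"\x01\x23\x45\x67\x89\xab\xcd\xef", "MYDOMAIN"))
    auth = encode_ntlm(build_authenticate("MYDOMAIN", "myusername", "NVIT01B", b"\x00" * 24, b"\x11" * 24))
    pre = "Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: "
    return [pre + "Debug: client in: AUTH#0111#011NTLM#011service=smtp#011nologin#011lip=10.20.4.12#011rip=10.20.2.0#011resp=" + neg,
            pre + "Debug: client out: CONT#0111#011" + chal,
            pre + "Debug: client in: CONT#0111#011" + auth,
            pre + "winbind(?,10.20.2.0): user not authenticated: NT_STATUS_UNSUCCESSFUL",
            pre + "Debug: client out: FAIL#0111"]


if __name__ == "__main__":
    print("\n".join(summarize(parse_auth_log(sample_log()))))
```

Two things worth keeping in mind when using this against a real log. With auth_use_winbind = yes Dovecot hands NTLM to Samba's ntlm_auth helper rather than to the passdb, which is why a PLAIN login leaves pam_winbind lines in the secure log while an NTLM attempt leaves none; the helper in turn needs to reach winbindd's privileged pipe, so checking that the user Dovecot's auth process runs as can access it is the first thing to verify. And because auth_debug_passwords = yes writes the full payloads to the log, the AUTHENTICATE message there carries the client's NTLM responses, which are offline-crackable material for that account; such logs should be treated as sensitive and the setting switched back off once debugging is done.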