[Dovecot] Active Directory and Dovecot NTLM Authentication problem
Hello everyone...
I have a problem when I use NTLM authentication with Dovecot. The authentication is only done in PLAIN TEXT.
The scenario is:
Debian Squeeze 6.0.6
Dovecot 2.1.7
Samba 3.5.6. Samba is correctly configured in the domain.
The error (extract from syslog):
Apr 2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: Login for user []\[test2]@[SIRP00000733] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly.]
Apr 2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: [2013/04/02 09:47:41.832579, 0] utils/ntlm_auth.c:888(manage_squid_ntlmssp_request)
Apr 2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: NTLMSSP BH: NT_STATUS_ACCESS_DENIED
Apr 2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: winbind: ntlm_auth exited with exit code 0
Dovecot configuration: (dovecot -n)
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-686 i686 Debian 6.0.6 ext3
auth_mechanisms = plain login ntlm
auth_use_winbind = yes
disable_plaintext_auth = no
mail_location = maildir:/mailboxes/Administrativos/%Lu
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
driver = pam
}
protocols = " imap pop3"
ssl_cert =
ssl_key =
userdb {
args = uid=16343 gid=16343 home=/mailboxes/Administrativos/%Lu
driver = static
}
protocol imap {
imap_client_workarounds = delay-newmail
mail_plugins =
}
protocol pop3 {
mail_plugins =
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
pop3_uidl_format = %08Xu%08Xv
}
Pam configuration: /etc/pam.d/dovecot
auth sufficient pam_krb5.so
account sufficient pam_krb5.so
/etc/krb5.conf
[libdefaults]
default_realm = SIDOR.NET
clockskew = 300
[realms]
SIDOR.NET = {
kdc = sirprddc1.sidor.net
kdc = sirprddc2.sidor.net
kdc = sirprddc3.sidor.net
admin_server = sirprddc1.sidor.net
default_domain = sidor.net
}
[domain_realm]
.sidor.net = SIDOR.NET
sidor.net = SIDOR.NET
[login]
krb4_convert = true
krb4_get_tickets = false
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
try_first_pass = true
}
/etc/samba/smb.conf
#======================= Global Settings =======================
[global]
## Browsing/Identification ###
security = ADS
workgroup = sidorve
realm = SIDOR.NET
winbind use default domain = yes
server string = %h
wins support = no
wins server = 10.50.30.51
dns proxy = no
#### Debugging/Accounting ####
syslog = 0
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
encrypt passwords = yes
############ Misc ############
domain master = no
local master = no
prefered master = no
winbind separator = \\
idmap uid = 10000-29000
idmap gid = 10000-29000
template shell = /bin/bash
template homedir = /home/%D/%U
winbind enum groups = yes
winbind enum users = yes
winbind refresh tickets = yes
auth methods = winbind
The logs
Syslog:
Apr 2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: [2013/04/02 09:47:41.832426, 0] utils/ntlm_auth.c:598(winbind_pw_check)
Apr 2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: Login for user []\[test2]@[SIRP00000733] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly.]
Apr 2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: [2013/04/02 09:47:41.832579, 0] utils/ntlm_auth.c:888(manage_squid_ntlmssp_request)
Apr 2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: NTLMSSP BH: NT_STATUS_ACCESS_DENIED
Apr 2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: winbind: ntlm_auth exited with exit code 0
Apr 2 09:47:42 sirprdsvcmsg02 lrmd: [1598]: debug: rsc:Administr_fs:16: monitor
Apr 2 09:47:47 sirprdsvcmsg02 dovecot: imap-login: Login: user=<test2>, method=PLAIN, rip=10.50.2.150, lip=10.50.30.90, mpid=23706, session=
Auth.log:
Apr 2 09:52:35 sirprdsvcmsg02 auth: pam_krb5(dovecot:auth): user test2 authenticated as test2@SIDOR.NET
I hope someone can help me.
Thanks in advance,
Best Regards,
Luis
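Added example, not part of Luis's post or of Dovecot or Samba: a POSIX shell diagnostic for the authorization error in the log above. With auth_use_winbind = yes, Dovecot's auth process (which runs as the user set in service auth { user = ... }, dovecot by default) spawns ntlm_auth, and ntlm_auth has to traverse the winbindd_privileged directory to reach winbindd's privileged pipe; on Debian that directory is normally root:winbindd_priv with mode 0750, so the usual fix is to add the auth user to the winbindd_priv group. The function names, the sample modes and the group lists below are assumptions, not values taken from the post. The imap-login line also shows that after NTLM failed the client fell back to method=PLAIN, which disable_plaintext_auth = no permits, so the winbind failure did not lock the user out but did bypass the mechanism the setup was meant to use.

```shell
#!/bin/sh
# Added example (not from the original post): diagnose the
# "winbind client not authorized to use winbindd_pam_auth_crap" error.
# With auth_use_winbind = yes, Dovecot's auth process runs ntlm_auth as the
# service auth user (default: dovecot).  ntlm_auth must traverse the
# winbindd_privileged directory to reach the privileged pipe; on Debian that
# directory is normally root:winbindd_priv mode 0750.  Function names and the
# sample values in the comments are assumptions, not values from the post.

# winbind_priv_access MODE OWNER GROUP USER [GROUP...]
# Given the directory's octal MODE, OWNER and GROUP, decide whether USER,
# who belongs to the listed groups, may traverse it.  Prints the verdict and
# returns 0 when access is allowed, 1 when it is denied.
winbind_priv_access() {
    mode=$1 owner=$2 dgroup=$3 user=$4
    shift 4
    perm=${mode#"${mode%???}"}      # last three octal digits; drops a leading setgid/sticky digit
    o=${perm%??}                    # owner digit
    t=${perm%?}; g=${t#?}           # group digit
    w=${perm#??}                    # other digit
    if [ "$user" = "$owner" ]; then
        bit=$o; class=owner
    else
        bit=$w; class=other
        for grp in "$@"; do
            if [ "$grp" = "$dgroup" ]; then
                bit=$g; class=group
                break
            fi
        done
    fi
    # Traversal needs only the execute bit of the class that applies;
    # the pipe inside is world read/write, so the directory is the gate.
    if [ $((bit & 1)) -eq 1 ]; then
        echo "ok: $user may traverse (matched as $class, mode $perm)"
        return 0
    fi
    echo "denied: $user cannot traverse (matched as $class, mode $perm); add $user to group $dgroup or correct the directory mode"
    return 1
}

# check_live DIR USER: inspect a real directory with GNU stat and id, as you
# would on the mail server itself (e.g. /var/run/samba/winbindd_privileged dovecot).
check_live() {
    dir=$1 who=$2
    [ -d "$dir" ] || { echo "skip: $dir is not present on this host"; return 0; }
    set -- $(stat -c '%a %U %G' "$dir")
    winbind_priv_access "$1" "$2" "$3" "$who" $(id -Gn "$who")
}

# Only touch the live system when a directory and user are given on the
# command line; with no arguments the script just defines the functions.
if [ "$#" -eq 2 ]; then
    check_live "$1" "$2"
fi
```

On the mail server, run it as sh winbind_priv_check.sh /var/run/samba/winbindd_privileged dovecot (substituting whatever user service auth runs as); a "denied" verdict with the group named winbindd_priv points at the group membership fix, while a "denied" for the owner or group class with no execute bit points at the directory mode instead.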