[Dovecot] Problem with pam-auth and winbind
Hi, I am trying to use a winbind rule to authenticate users in the Dovecot login procedure.

/etc/nsswitch.conf file:

passwd: files winbind
shadow: files winbind
group: files winbind

The Dovecot configuration is as follows:

log_path: /var/log/dovecot/error.log
info_log_path: /var/log/dovecot/info.log
protocols: imap imaps pop3 pop3s
ssl_cert_file: /etc/pki/tls/certs/dovecot.pem
ssl_key_file: /etc/pki/tls/private/dovecot.pem
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib64/dovecot/imap-login
login_executable(imap): /usr/lib64/dovecot/imap-login
login_executable(pop3): /usr/lib64/dovecot/pop3-login
mail_executable(default): /usr/lib64/dovecot/imap
mail_executable(imap): /usr/lib64/dovecot/imap
mail_executable(pop3): /usr/lib64/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/modules/pop3
auth default:
  mechanisms: plain login
  use_winbind: yes
  passdb:
    driver: pam
    args: dovecot
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix

and the configuration of /etc/pam.d/dovecot is as follows:

#%PAM-1.0
auth required pam_env.so debug
auth sufficient pam_winbind.so
#auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so
#

When I try to log on from my console:

# telnet komp14 110
Trying 10.10.10.38...
Connected to komp.xxx.xxx (10.10.10.38).
Escape character is '^]'.
+OK Dovecot ready.
user tt1
+OK
pass xxxxxxxxx
-ERR Authentication failed.
quit
+OK Logging out
Connection closed by foreign host.

Of course the password is correct, because:

#wbinfo -K tt1
Enter tt1's password:
plaintext kerberos password authentication for [tt1] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

In the log files I can find the entries corresponding to the telnet command to dovecot:

/var/log/auth.log
Mar 14 09:43:22 komp14 dovecot-auth: pam_winbind(dovecot:auth): getting password (0x00000000)
Mar 14 09:43:22 komp14 dovecot-auth: pam_winbind(dovecot:auth): user 'tt1' granted access

/var/log/dovecot/info.log
Mar 14 09:43:29 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<tt1>, method=PLAIN, rip=10.10.10.38, lip=10.10.10.38, secured

I would appreciate any hints.

But in /var/log/dovecot/error.log we have this information:

Mar 14 09:43:29 auth-worker(default): Error: pam(tt1,10.10.10.38): pam_acct_mgmt() failed: Authentication failure

This test was done with winbindd version 3.5.3. When I test it on another machine with winbind version 3.0.24 (the config files are the same), the authentication process is done properly. Any HINTS????

On Fri, 2011-03-18 at 09:46 +0100, pk10@ksiaznica.torun.pl wrote:
> auth default:
>   mechanisms: plain login
>   use_winbind: yes
This use_winbind setting doesn't do anything. It's only used for authentication with NTLM mechanisms.
>   passdb:
>     driver: pam
>     args: dovecot
So Dovecot only knows that it's using PAM.
Setting auth_debug=yes may also show up something useful in logs.
> Mar 14 09:43:22 komp14 dovecot-auth: pam_winbind(dovecot:auth): user 'tt1' granted access
So pam_authenticate() succeeded. This is where it fails if password is incorrect.
> Mar 14 09:43:29 auth-worker(default): Error: pam(tt1,10.10.10.38): pam_acct_mgmt() failed: Authentication failure
But pam_acct_mgmt() doesn't like the user. I have no idea why. I've never used winbind. Maybe you could find some winbind mailing list or something. But the man page of pam_acct_mgmt() may help you make guesses:
The pam_acct_mgmt function is used to determine if the users account is
valid. It checks for authentication token and account expiration and
verifies access restrictions. It is typically called after the user has
been authenticated.
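
Added example, not part of the original thread or of Dovecot: pam_authenticate() runs a service's `auth` rules and pam_acct_mgmt() runs its `account` rules, so this script parses a pam.d service file and lists which management groups it configures. The sample input is the /etc/pam.d/dovecot posted above; the fallback to the `other` service for a group with no rules is Linux-PAM behaviour, assumed here to be the poster's platform, and the function names are this example's own.

```python
import re

# Management group -> libpam call that runs that group's rules.
GROUPS = {
    "auth": "pam_authenticate()",
    "account": "pam_acct_mgmt()",
    "password": "pam_chauthtok()",
    "session": "pam_open_session()",
}

# /etc/pam.d/dovecot as posted in the thread, embedded so this runs offline.
POSTED_DOVECOT_PAM = """\
#%PAM-1.0
auth required pam_env.so debug
auth sufficient pam_winbind.so
#auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so
#
"""

# type, control (plain word or [value=action ...]), module, optional arguments
RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_pam_service(text):
    """Return {group: [(control, module, args)]}; include targets and '@include' are not followed."""
    stacks = {group: [] for group in GROUPS}
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        match = RULE.fullmatch(line)
        if match and match.group(1).lower() in stacks:
            group, control, module, args = match.groups()
            stacks[group.lower()].append((control, module, args))
    return stacks

def unconfigured_groups(text):
    """Groups with no rule in this file; Linux-PAM uses service 'other' for them."""
    return [g for g, rules in parse_pam_service(text).items() if not rules]

def report(text, service="dovecot"):
    """One line per group: the libpam call and which file supplies its rules."""
    lines = []
    for group, rules in parse_pam_service(text).items():
        source = (f"{len(rules)} rule(s) in /etc/pam.d/{service}" if rules
                  else "no rules here, /etc/pam.d/other applies")
        lines.append(f"{GROUPS[group]:<20} {group:<9} {source}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(POSTED_DOVECOT_PAM)))
```

For the posted file only the `auth` group has rules; what happens for `account` then depends on that machine's /etc/pam.d/other.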
participants (2)
- pk10@ksiaznica.torun.pl
- Timo Sirainen