[Dovecot] Dovecot NTLM Authentication
I'm working on getting authentication for Postfix smtpd clients working with Dovecot. I've got both plain text and GSSAPI mechanisms working. Winbind also works for shell access and the command line tests work fine.
If I can get NTLM authentication working I can use Postfix as a drop-in replacement for a MS MTA I want to get rid of.
I'm hoping the community might be able to offer some insight into what I'm missing to get NTLM authentication working with Dovecot and Postfix. Something related to winbind I suspect.
When I use the NTLM mechanism I get this " auth: Debug: client out: FAIL#0112" message in my maillog file. Nothing seems to show up in the winbind files for this.
---- log file from NTLM mechanism used ----
Jun 26 17:02:53 SBSMTPNV05 postfix/smtpd[2221]: connect from nvit01b.mydomain.com[10.20.2.0]
Jun 26 17:02:53 SBSMTPNV05 dovecot: auth: Debug: client in: AUTH#0112#011NTLM#011service=smtp#011nologin#011lip=10.20.4.12#011rip=10.20.2.0#011resp=TlRM...A=
Jun 26 17:02:53 SBSMTPNV05 dovecot: auth: Debug: client out: CONT#0112#011TlRM....A
Jun 26 17:02:53 SBSMTPNV05 dovecot: auth: Debug: client in: CONT#0112#011TlRM....Q=
Jun 26 17:02:53 SBSMTPNV05 dovecot: auth: winbind(?,10.20.2.0): user not authenticated: NT_STATUS_UNSUCCESSFUL
Jun 26 17:02:55 SBSMTPNV05 postfix/smtpd[2221]: warning: nvit01b.mydomain.com[10.20.2.0]: SASL NTLM authentication failed: TlRM....A
Jun 26 17:02:55 SBSMTPNV05 dovecot: auth: Debug: client out: FAIL#0112
Jun 26 17:02:59 SBSMTPNV05 postfix/smtpd[2221]: disconnect from nvit01b.mydomain.com[10.20.2.0]
---- log file from GSSAPI mechanism used -----
Jun 26 17:02:08 SBSMTPNV05 postfix/smtpd[2221]: connect from nvit01b.mydomain.com[10.20.2.0]
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: auth client connected (pid=2221)
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=smtp#011nologin#011lip=10.20.4.12#011rip=10.20.2.0#011resp=YIIN....
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: ....g==
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: gssapi(?,10.20.2.0): Obtaining credentials for smtp@
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: gssapi(myusername@MYDOMAIN.COM,10.20.2.0): security context state completed.
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: client out: CONT#0111#011YIGVB....E=
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: client in: CONT#0111#011
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: gssapi(myusername@MYDOMAIN.COM,10.20.2.0): Negotiated security layer
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: client out: CONT#0111#011BQQF/w....M=
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: client in: CONT#0111#011BQQE/w....u
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: client out: OK#0111#011user=myusername
Jun 26 17:02:08 SBSMTPNV05 postfix/smtpd[2221]: AE80A80592: client=nvit01b.mydomain.com[10.20.2.0], sasl_method=GSSAPI, sasl_username=myusername
Jun 26 17:02:08 SBSMTPNV05 postfix/cleanup[2219]: AE80A80592: message-id=51CB8100.1010103@example.com
Jun 26 17:02:08 SBSMTPNV05 postfix/qmgr[1999]: AE80A80592: from=matthew@example.com, size=2178, nrcpt=1 (queue active)
Jun 26 17:02:08 SBSMTPNV05 postfix/smtpd[2221]: disconnect from nvit01b.mydomain.com[10.20.2.0]
Jun 26 17:02:09 SBSMTPNV05 postfix/smtp[2220]: AE80A80592: to=utegrad@gmail.com, relay=gmail-smtp-in.l.google.com[74.125.129.27]:25, delay=0.93, delays=0.09/0/0.15/0.69, dsn=2.0.0, status=sent (250 2.0.0 OK 1372291329 y9si419401pay.83 - gsmtp)
Jun 26 17:02:09 SBSMTPNV05 postfix/qmgr[1999]: AE80A80592: removed
---- log file from plain text mechanism -----
Jun 26 17:01:08 SBSMTPNV05 postfix/smtpd[2209]: connect from nvit01b.mydomain.com[10.20.2.0]
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: auth client connected (pid=2209)
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=10.20.4.12#011rip=10.20.2.0#011secured#011resp=AG1sYXJzZW4ASWRvbnR3YW50Mg==
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: pam(myusername,10.20.2.0): lookup service=dovecot
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: pam(myusername,10.20.2.0): #1/1 style=1 msg=Password:
Jun 26 17:01:09 SBSMTPNV05 dovecot: auth: Debug: client out: OK#0111#011user=myusername
Jun 26 17:01:09 SBSMTPNV05 postfix/smtpd[2209]: 82C3780592: client=nvit01b.mydomain.com[10.20.2.0], sasl_method=PLAIN, sasl_username=myusername
Jun 26 17:01:09 SBSMTPNV05 postfix/cleanup[2219]: 82C3780592: message-id=51CB80C4.6020107@example.com
Jun 26 17:01:09 SBSMTPNV05 postfix/qmgr[1999]: 82C3780592: from=matthew@example.com, size=2728, nrcpt=1 (queue active)
Jun 26 17:01:09 SBSMTPNV05 postfix/smtpd[2209]: disconnect from nvit01b.mydomain.com[10.20.2.0]
Jun 26 17:01:10 SBSMTPNV05 postfix/smtp[2220]: 82C3780592: to=utegrad@gmail.com, relay=gmail-smtp-in.l.google.com[74.125.129.27]:25, delay=1.3, delays=0.05/0.04/0.46/0.74, dsn=2.0.0, status=sent (250 2.0.0 OK 1372291270 sb1si125565pbb.232 - gsmtp)
Jun 26 17:01:10 SBSMTPNV05 postfix/qmgr[1999]: 82C3780592: removed
Here's some of the supporting configuration information:
---- postconf -n -----------
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 1
debug_peer_list =
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
line_length_limit = 6144
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = srvsbsmtp05.mydomain.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_type = dovecot
unknown_local_recipient_reject_code = 550
---- doveconf -n ----
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-358.11.1.el6.x86_64 x86_64 CentOS release 6.4 (Final)
auth_debug_passwords = yes
auth_mechanisms = plain gssapi ntlm login
auth_use_winbind = yes
listen = *
mbox_write_locks = fcntl
passdb {
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
ssl_cert =
---- Samba configuration ----
[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.COM
    server string = Samba Server Version %v
    security = ADS
    kerberos method = system keytab
    log file = /var/log/samba/log.%m
    max log size = 50
    printcap name = /dev/null
    domain master = No
    template shell = /bin/bash
    winbind separator = +
    winbind use default domain = Yes
    idmap config * : range = 10000-50000
    idmap config * : backend = tdb
    printing = bsd
    cups options = raw
    print command = lpr -r -P'%p' %s
    lpq command = lpq -P'%p'
    lprm command = lprm -P'%p' %j
On 27.6.2013, at 19.50, Matthew Larsen matthew@utegrads.com wrote:
> Jun 26 17:02:53 SBSMTPNV05 dovecot: auth: winbind(?,10.20.2.0): user not authenticated: NT_STATUS_UNSUCCESSFUL
This is all Dovecot knows about. I can't help you further, since I know just about nothing of NTLM, Winbind or GSSAPI. Since nobody else has answered to your 5 mails to the exact same question, I doubt anyone else knows much either. Stop sending new mails asking the same thing over and over again.
On 27.6.2013, at 20.53, Timo Sirainen tss@iki.fi wrote:
> On 27.6.2013, at 19.50, Matthew Larsen matthew@utegrads.com wrote:
>> Jun 26 17:02:53 SBSMTPNV05 dovecot: auth: winbind(?,10.20.2.0): user not authenticated: NT_STATUS_UNSUCCESSFUL
> This is all Dovecot knows about. I can't help you further, since I know just about nothing of NTLM, Winbind or GSSAPI. Since nobody else has answered to your 5 mails to the exact same question, I doubt anyone else knows much either. Stop sending new mails asking the same thing over and over again.
Oh, and forgot to say: Try asking in Samba lists, they should know how to debug Winbind.
On 6/27/2013 10:53 AM, Timo Sirainen wrote:
> This is all Dovecot knows about. I can't help you further, since I know just about nothing of NTLM, Winbind or GSSAPI. Since nobody else has answered to your 5 mails to the exact same question, I doubt anyone else knows much either. Stop sending new mails asking the same thing over and over again.
My apologies. I didn't mean to be annoying. I didn't see the mailing list message from my other messages come through to my mailbox so I thought something was wrong with my subscription. I should have checked the archive first.
Thank you for the response. I'll dig into the Winbind stuff some more with that documentation and community.
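
A way to read the "client in" / "client out" debug lines shown in this thread, added here as an example (it is not part of any poster's message and not Dovecot code): syslog writes the auth protocol's TAB separators as #011, so "FAIL#0112" is FAIL for request id 2. The sample lines, host name and payloads are constructed, and trace() and redact() are hypothetical helper names; redact() blanks the SASL payloads so such a log can be shared without credential material.

```python
import re

# Syslog escaping writes control characters as #ooo (octal); #011 is TAB.
CTRL = re.compile(r"#(0[0-3][0-7])")
LINE = re.compile(r"auth: Debug: client (in|out): (.*)$")

# Constructed sample modelled on the thread's maillog excerpts (hypothetical
# host name, shortened placeholder payloads, throwaway PLAIN credential).
SAMPLE = """\
Jun 26 17:01:08 mx dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011rip=10.20.2.0#011secured#011resp=AHVzZXIAcGFzcw==
Jun 26 17:01:09 mx dovecot: auth: Debug: client out: OK#0111#011user=user
Jun 26 17:02:53 mx dovecot: auth: Debug: client in: AUTH#0112#011NTLM#011service=smtp#011nologin#011rip=10.20.2.0#011resp=TlRMTVNTUAAB
Jun 26 17:02:53 mx dovecot: auth: Debug: client out: CONT#0112#011TlRMTVNTUAAC
Jun 26 17:02:53 mx dovecot: auth: Debug: client in: CONT#0112#011TlRMTVNTUAAD
Jun 26 17:02:53 mx dovecot: auth: winbind(?,10.20.2.0): user not authenticated: NT_STATUS_UNSUCCESSFUL
Jun 26 17:02:55 mx dovecot: auth: Debug: client out: FAIL#0112
"""

def redact(raw):
    """Blank SASL payloads (initial response and continuation data) in one line."""
    raw = re.sub(r"(resp=)[^#\s]+", r"\1<redacted>", raw)
    return re.sub(r"(CONT#011\d+#011)\S+", r"\1<redacted>", raw)

def trace(log_text):
    """Return (exchanges, scrubbed_lines) for Dovecot auth debug output."""
    pending, done, scrubbed = {}, [], []
    for raw in log_text.splitlines():
        scrubbed.append(redact(raw))
        m = LINE.search(raw)
        if not m:
            continue
        direction, payload = m.groups()
        fields = CTRL.sub(lambda c: chr(int(c.group(1), 8)), payload).split("\t")
        if len(fields) < 2:
            continue
        cmd, req_id = fields[0], fields[1]
        if cmd == "AUTH" and len(fields) > 2:
            # Ids are only unique per auth-client connection; a new AUTH replaces a stale entry.
            pending[req_id] = {"id": req_id, "mech": fields[2], "challenges": 0}
        elif cmd == "CONT" and direction == "out" and req_id in pending:
            pending[req_id]["challenges"] += 1  # server challenge sent to the client
        elif cmd in ("OK", "FAIL") and req_id in pending:
            done.append({**pending.pop(req_id), "outcome": cmd})
    return done, scrubbed

if __name__ == "__main__":
    exchanges, clean = trace(SAMPLE)
    for ex in exchanges:
        print(ex)
    print("\n".join(clean))
```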