iPhone no longer authenticating
I've switched a user to being an active directory user. That user's email client authorizes just fine with dovecot using GSSAPI. However, now his iPhone won't authorize. In the dovecot log file I get:
Dec 01 14:27:28 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=q4n3W0xfggBiZj9s lip=98.102.63.107 rip=98.102.63.108 lport=993 rport=49538 resp=AG1wcmVzcwBEaW5va3JvbndhbGw0NQ== (previous base64 data may contain sensitive data)
Dec 01 14:27:32 auth-worker(5988): Debug: shadow(mpress,98.102.xx.yyy): lookup
Dec 01 14:27:32 auth-worker(5988): Info: shadow(mpress,98.102.xx.yyy): unknown user (given password: *******)
Dec 01 14:27:34 auth: Debug: client passdb out: FAIL 1 user=mpress
Dec 01 14:27:34 imap-login: Info: Aborted login (auth failed, 1 attempts in 6 secs): user=<mpress>, method=PLAIN, rip=98.102.xx.yyy, lip=98.102.63.107, TLS, session=<q4n3W0xfggBiZj9s>
Dec 01 14:27:34 imap-login: Debug: SSL alert: close notify [98.102.xx.yyy]
This same user will authenticate OK from his local domain workstation:
Dec 01 14:28:52 auth: Debug: master userdb out: USER 1948516353 mpress system_groups_user=HPRS\mpress uid=10005 gid=10000 home=/home/HPRS/mpress auth_token=ce3050035718ed0996af698400c4de1be453ec06 auth_user=mpress@HPRS.LOCAL
Dec 01 14:28:52 imap-login: Info: Login: user=<mpress>, method=GSSAPI, rip=192.168.0.54, lip=192.168.0.2, mpid=9755, TLS, session=<6MT1YExftwDAqAA2>
I'm pretty sure the reason has to do with Active Directory authentication locally, but of course his iPhone is not a member of the domain, and he is no longer in /etc/passwd/shadow.
So, what is the best way to get the iPhone to authenticate?
Here's my current config:
doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.88 x86_64 Slackware 14.2
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
  driver = passwd
}
verbose_ssl = yes
Thanks, --Mark
I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via shadow first and, failing that, it does authenticate via GSSAPI.
Smartphones connect to Dovecot via port 143 and SSL. They are not domain members so if the shadow authentication fails, no other methods are tried and no connection is made.
What can I do with my dovecot config to fix this?
doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.88 x86_64 Slackware 14.2
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
  driver = passwd
}
verbose_ssl = yes
Thanks, Mark
On Sat, 2 Dec 2017, Mark Foley wrote:
> I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via
  ^^^^^^^^^^ ????
> shadow first and, failing that, it does authenticate via GSSAPI.
> Smartphones connect to Dovecot via port 143 and SSL. They are not domain members so if the shadow authentication fails, no other methods are tried and no connection is made.
> What can I do with my dovecot config to fix this?
If you are asking about how to auth against AD with plain credentials, see https://wiki2.dovecot.org/AuthDatabase/LDAP
You can add another passdb {}. However, this enables any client to use plain credentials, incl. Thunderbird.
Steffen Kaiser
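The following is an added example of the second passdb suggested above; it is not configuration from either poster. It keeps the existing shadow passdb for local accounts and adds an LDAP passdb that checks a PLAIN/LOGIN password by binding to the Samba4 AD as the user, which is what the non-domain iPhone needs. The realm HPRS.LOCAL is taken from the posted log (auth_user=mpress@HPRS.LOCAL); the DC hostname dc1.hprs.local, the search base and the CA file path are assumptions and must be replaced with the real values.

```conf
# ---- /usr/local/etc/dovecot/dovecot.conf (relevant settings only) ----
# Added example, not the original poster's config. Assumed names:
# dc1.hprs.local (the Samba4 DC), dc=hprs,dc=local, /etc/ssl/certs/hprs-ca.pem.

auth_mechanisms = plain login gssapi
auth_username_format = %n
auth_use_winbind = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab

# Local accounts first. result_failure = continue is the Dovecot default and
# is what makes an "unknown user" result fall through to the next passdb.
passdb {
  driver = shadow
  result_failure = continue
}

# AD accounts: verify the password by binding to the DC as the user.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# Unchanged: winbind already provides the passwd entry (home=/home/HPRS/mpress).
userdb {
  driver = passwd
}

# Plaintext mechanisms now carry AD passwords, so only accept them inside TLS.
# The posted log shows the phone already connecting with TLS on port 993.
disable_plaintext_auth = yes

# Switch these back off once the login works: the posted log line shows the
# base64 SASL PLAIN response, which contains the user's password.
auth_debug_passwords = no
auth_verbose_passwords = no

# ---- /etc/dovecot/dovecot-ldap.conf.ext ----
uris = ldaps://dc1.hprs.local
ldap_version = 3

# Verify the DC certificate; otherwise any host answering for dc1.hprs.local
# receives the user's AD password in the bind.
tls_ca_cert_file = /etc/ssl/certs/hprs-ca.pem
tls_require_cert = demand

# Bind as the user. AD accepts the UPN as the simple-bind name, so no
# search account (dn/dnpass) is needed just to check passwords, and with
# auth_bind_userdn set Dovecot performs no LDAP search at all.
auth_bind = yes
auth_bind_userdn = %n@HPRS.LOCAL
base = dc=hprs,dc=local
```

After reloading, a failed shadow lookup for an AD user should be followed in the log by an ldap passdb entry instead of the immediate "FAIL 1 user=mpress" seen above; a Kerberos client such as Thunderbird still negotiates GSSAPI first, but as noted in the reply, every client can now also log in with a plain AD password, so the TLS-only restriction matters.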