[Dovecot] Samba4 Active Directory and Doveadm
When executing:

doveadm search -A mailbox INBOX from SOMEBODY

I am getting:

doveadm(root): Error: user root: Invalid settings in userdb: userdb returned 0 as uid
doveadm(root): Error: User lookup failed: Invalid user settings. Refer to server log for more information.
doveadm(bin): Error: user bin: Couldn't drop privileges: Mail access for users with UID 1 not permitted (see first_valid_uid in config file).
doveadm(bin): Error: User init failed
doveadm: Error: Failed to iterate through some users
hosts = FQDN
base = dc=example,dc=com
ldap_version = 3
user_attrs = =homeDirectory=/home/vmail/%d/%n, =mail=maildir:/home/vmail/%d/%n, uid=vmail, gid=vmail
user_filter = (&(objectClass=person)(|(mail=%u)(sAMAccountName=%u)(userPrincipalName=%u)))
# For using doveadm -A:
iterate_attrs = uid=samaccountname
iterate_filter = (objectClass=person)
I can receive email and login just fine. The problem is when doing doveadm stuff. I do not know ldap (learning as I go). I need to set the uid/gid to vmail (500 in this case if vmail can't be used).
Any help would be greatly appreciated. I do not have sfu or rfc2xxx enabled as this requires changing things with Samba 4 that I would rather avoid at the moment.
Thank you for any help, Trever
"Virtue does not always demand a heavy sacrifice -- only the willingness to make it when necessary." -- Frederick Dunn
On Mon, 2010-10-11 at 11:13 -0600, Trever L. Adams wrote:
> user_attrs = =homeDirectory=/home/vmail/%d/%n,
This can be alternatively done by putting to dovecot.conf:
mail_home = /home/vmail/%d/%n
> =mail=maildir:/home/vmail/%d/%n,
Don't put this here, rather just do it like everyone else:
mail_location = maildir:~/
But then again, you should also read http://wiki2.dovecot.org/VirtualUsers/Home
> uid=vmail, gid=vmail
This isn't right. You probably wanted =uid=vmail, =gid=vmail. But this is again done easier by setting:
mail_uid = vmail
mail_gid = vmail
So all in all, your user_attrs could probably just be empty and you should probably remove userdb ldap completely from your config to avoid unnecessary userdb lookups.
On 10/14/2010 11:07 AM, Timo Sirainen wrote:
> This can be alternatively done by putting to dovecot.conf:
> mail_home = /home/vmail/%d/%n
I actually have that as well.
> Don't put this here, rather just do it like everyone else:
> mail_location = maildir:~/
> But then again, you should also read http://wiki2.dovecot.org/VirtualUsers/Home
I have this as well, or similar. I do not have a homedirectory set that seems to work at the moment, so I have it as a full path.
Thank you for the VirtualUsers/Home. This will help. I spent a lot of time reading various documentation and somehow missed this.
Is there some global option like mail_location for homedirectory? That is one I am not finding with google or with grep in the configuration.
> This isn't right. You probably wanted =uid=vmail, =gid=vmail. But this is again done easier by setting:
> mail_uid = vmail
> mail_gid = vmail
> So all in all, your user_attrs could probably just be empty and you should probably remove userdb ldap completely from your config to avoid unnecessary userdb lookups.
I have done this as well. The problem with removing all of this is I use Dovecot's deliver (LDA). It needs a way of finding which users do and do not exist. Is there a better way to do this?
I may be able to turn this off. I do use postfix and I believe it is already looking up the users. I seem to remember there was an option to turn this off in Dovecot (the looking up of the user for LDA).
The only problem that is there is this: I need doveadm expunge -A. This is where I am having the problem. I guess this doesn't use the user_ stuff. It uses the iterate_attrs right?
vmail and root are NOT in the AD LDAP.
This is what I get when I run doveadm search -A mailbox INBOX from VALID_FROM
Oct 15 05:48:06 TeaSet dovecot: auth: Error: auth worker: Aborted request: Worker process died unexpectedly
Oct 15 05:48:06 TeaSet dovecot: auth: Debug: master in: USER#0112#011root#011service=doveadm
Oct 15 05:48:06 TeaSet dovecot: auth: Debug: passwd(root): lookup
Oct 15 05:48:06 TeaSet dovecot: auth: Debug: master out: USER#0112#011root#011system_groups_user=root#011uid=0#011gid=0#011home=/root
Oct 15 05:48:06 TeaSet dovecot: auth: Debug: master in: USER#0113#011bin#011service=doveadm
Oct 15 05:48:06 TeaSet dovecot: auth: Debug: passwd(bin): lookup
Oct 15 05:48:06 TeaSet dovecot: auth: Debug: master out: USER#0113#011bin#011system_groups_user=bin#011uid=1#011gid=1#011home=/bin
Oct 15 05:48:06 TeaSet dovecot: master: Error: service(auth-worker): child 16375 killed with signal 11 (core dumps disabled)
Oct 15 05:48:06 TeaSet dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Oct 15 05:48:06 TeaSet dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Oct 15 05:48:06 TeaSet dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Oct 15 05:48:06 TeaSet dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: master in: LIST#0111
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: ldap: iterate: base=dc=example,dc=com scope=subtree filter=(objectClass=person) fields=
Oct 15 05:48:50 TeaSet dovecot: auth: Error: auth worker: Aborted request: Worker process died unexpectedly
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: master in: USER#0112#011root#011service=doveadm
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: passwd(root): lookup
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: master out: USER#0112#011root#011system_groups_user=root#011uid=0#011gid=0#011home=/root
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: master in: USER#0113#011bin#011service=doveadm
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: passwd(bin): lookup
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: master out: USER#0113#011bin#011system_groups_user=bin#011uid=1#011gid=1#011home=/bin
Oct 15 05:48:50 TeaSet dovecot: master: Error: service(auth-worker): child 16398 killed with signal 11 (core dumps disabled)
Thank you for your help, Trever
"The strength of the Constitution lies entirely in the determination of each citizen to defend it. Only if every single citizen feels duty bound to do his share in this defense are the constitutional rights secure." -- Albert Einstein
On Fri, 2010-10-15 at 06:14 -0600, Trever L. Adams wrote:
>> mail_home = /home/vmail/%d/%n
> I actually have that as well.
..
> Is there some global option like mail_location for homedirectory? That is one I am not finding with google or with grep in the configuration.
That's exactly what the mail_home is. I don't know why it wouldn't work for you.
>> So all in all, your user_attrs could probably just be empty and you should probably remove userdb ldap completely from your config to avoid unnecessary userdb lookups.
> I have done this as well. The problem with removing all of this is I use Dovecot's deliver (LDA). It needs a way of finding which users do and do not exist. Is there a better way to do this?
Assuming you're not using auth_bind=yes with ldap, LDA can check the user's existence by doing a passdb lookup instead.
> The only problem that is there is this: I need doveadm expunge -A. This is where I am having the problem. I guess this doesn't use the user_ stuff. It uses the iterate_attrs right?
Right.
> Oct 15 05:48:06 TeaSet dovecot: master: Error: service(auth-worker): child 16375 killed with signal 11 (core dumps disabled)
Can you get a gdb backtrace? First enable core dumps with "ulimit -c unlimited" and once you have core file see http://dovecot.org/bugreport.html
Also:
> iterate_attrs = uid=samaccountname
this should be:
iterate_attrs = samaccountname=user
On 10/15/2010 06:22 AM, Timo Sirainen wrote:
> On Fri, 2010-10-15 at 06:14 -0600, Trever L. Adams wrote:
>> Is there some global option like mail_location for homedirectory? That is one I am not finding with google or with grep in the configuration.
> That's exactly what the mail_home is. I don't know why it wouldn't work for you.
My apologies, I misread it as mail_location. I have fixed this. Thank you.
mail_home = /home/vmail/%d/%n
mail_location = maildir:~/Maildir
>> I have done this as well. The problem with removing all of this is I use Dovecot's deliver (LDA). It needs a way of finding which users do and do not exist. Is there a better way to do this?
> Assuming you're not using auth_bind=yes with ldap, LDA can check the user's existence by doing a passdb lookup instead.
Fantastic. I am not. Postfix is validating user existence. I read somewhere I can turn off Dovecot LDA validation, but now I am unable to find the page.
>> The only problem that is there is this: I need doveadm expunge -A. This is where I am having the problem. I guess this doesn't use the user_ stuff. It uses the iterate_attrs right?
> Right.
>> Oct 15 05:48:06 TeaSet dovecot: master: Error: service(auth-worker): child 16375 killed with signal 11 (core dumps disabled)
> Can you get a gdb backtrace? First enable core dumps with "ulimit -c unlimited" and once you have core file see http://dovecot.org/bugreport.html
I am not sure this is necessary. The problem seems to be in this:
dovecot: auth: Debug: ldap(?): result: sAMAccountName(?unknown?)=
I get that for all fields in the AD. It looks like I am going to have to do a bind of some kind. I am having a heck of a time doing this. As I said, I am learning ldap as I am doing this. Samba4 (it seems) and Windows AD servers themselves do SASL authentication, but I am having a hard time getting this to work.
If you wouldn't mind helping there:
dn = CN=SMTP-SERVICE-PRINCIPAL-USER,CN=Users,DC=example,DC=org
dnpass = correct password
sasl_bind = yes
sasl_mech = gssapi
sasl_realm = EXAMPLE.ORG
So, the user is the same as is in the AD for the service principal smtp/host. So, it already has a ticket. The rest of the ldap file is pretty much the same as before (with the modifications we have been talking about).
With that I get:
auth: Error: LDAP: binding failed (dn CN=SMTP-SERVICE-PRINCIPAL-USER,CN=Users,DC=example,DC=org): Local error, SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Cannot determine realm for numeric host address)
I am thinking I should add gss-spnego to the mech, but haven't done so.
> Also:
>> iterate_attrs = uid=samaccountname
> this should be:
> iterate_attrs = samaccountname=user
Yes, that is working MUCH better. Still the problem with empty fields mentioned above is the killer.
Thank you, Trever
On Fri, 2010-10-15 at 07:17 -0600, Trever L. Adams wrote:
> Fantastic. I am not. Postfix is validating user existence. I read somewhere I can turn off Dovecot LDA validation, but now I am unable to find the page.
http://wiki2.dovecot.org/UserDatabase/Static / allow_all_users
>>> Oct 15 05:48:06 TeaSet dovecot: master: Error: service(auth-worker): child 16375 killed with signal 11 (core dumps disabled)
>> Can you get a gdb backtrace? First enable core dumps with "ulimit -c unlimited" and once you have core file see http://dovecot.org/bugreport.html
> I am not sure this is necessary.
A crash is a bug in any case that I'd like to fix. A good backtrace would make it easier for me to do that.
> The problem seems to be in this:
> dovecot: auth: Debug: ldap(?): result: sAMAccountName(?unknown?)=
> I get that for all fields in the AD. It looks like I am going to have to do a bind of some kind.
You mean the "?unknown?" part? I think the problem here is that I hadn't thought that LDAP attributes are case-insensitive. You should have used sAMAccountName, not samaccountname in the iterate_attrs. But I suppose I'll need to fix this myself too.
> auth: Error: LDAP: binding failed (dn CN=SMTP-SERVICE-PRINCIPAL-USER,CN=Users,DC=example,DC=org): Local error, SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Cannot determine realm for numeric host address)
No idea.
> I am thinking I should add gss-spnego to the mech, but haven't done so.
No, anything outside dovecot-ldap.conf doesn't affect LDAP. OpenLDAP uses Cyrus SASL for doing the GSSAPI stuff, so you should try to look into that.
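The three dovecot-ldap.conf mistakes that Timo has pointed out so far in this thread (a user_attrs entry such as uid=vmail, which copies an LDAP attribute named uid into a Dovecot field named vmail instead of setting uid to a literal; an iterate_attrs written as user=ldapAttr instead of ldapAttr=user; and an attribute spelled samaccountname where the directory returns sAMAccountName, which this Dovecot matched case-sensitively) can all be caught before restarting the server. The checker below is an added example written for this page, not code from the thread or from Dovecot. It assumes the user_attrs grammar as Timo describes it above (ldapAttr=field to copy an attribute, =field=value for a literal or template), a hand-picked list of Dovecot userdb field names, and the canonical spelling of a few Active Directory attributes; the two configuration texts inside it are constructed from the fragment posted at the top of the thread and from the corrections discussed since.

```python
import re

# Dovecot userdb fields user_attrs / iterate_attrs may fill (hand-picked subset,
# an assumption of this example).  The field is "home", not "homeDirectory".
DOVECOT_USERDB_FIELDS = {"user", "home", "mail", "uid", "gid", "domain",
                         "system_groups_user", "quota_rule"}

# Canonical spelling of the AD attributes the thread touches.  LDAP matches
# names case-insensitively, but the Dovecot in the thread compared the returned
# name with the configured one case-sensitively ("sAMAccountName(?unknown?)=").
AD_ATTRIBUTE_CASE = {"samaccountname": "sAMAccountName",
                     "userprincipalname": "userPrincipalName",
                     "homedirectory": "homeDirectory",
                     "uidnumber": "uidNumber", "gidnumber": "gidNumber"}

_SETTING = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")

def _entries(value):
    return [e.strip() for e in value.split(",") if e.strip()]

def _case_problem(entry, ldap_attr):
    canonical = AD_ATTRIBUTE_CASE.get(ldap_attr.lower())
    if canonical and canonical != ldap_attr:
        return f"{entry!r}: the directory returns {canonical!r}, which will not match {ldap_attr!r}"
    return None

def lint_user_attrs(value):
    """'ldapAttr=field' copies an LDAP attribute into a Dovecot field;
    '=field=value' sets a field to a literal or %-template."""
    problems = []
    for entry in _entries(value):
        if entry.startswith("="):
            field, sep, _ = entry[1:].partition("=")
            if not sep or not field:
                problems.append(f"{entry!r}: a literal entry is written =field=value")
            elif field not in DOVECOT_USERDB_FIELDS:
                problems.append(f"{entry!r}: {field!r} is not a Dovecot userdb field "
                                "(the home field is 'home'; mail_home sets it globally)")
            continue
        ldap_attr, sep, field = entry.partition("=")
        if not sep:
            field = ldap_attr  # bare 'attr' means attr=attr
        if field not in DOVECOT_USERDB_FIELDS:
            problems.append(f"{entry!r}: copies LDAP attribute {ldap_attr!r} into unknown "
                            f"field {field!r}; for the constant write ={ldap_attr}={field}")
        case = _case_problem(entry, ldap_attr)
        if case:
            problems.append(case)
    return problems

def lint_iterate_attrs(value):
    """doveadm -A needs iterate_attrs to fill 'user': ldapAttr=user."""
    problems, fields = [], []
    for entry in _entries(value):
        ldap_attr, sep, field = entry.partition("=")
        if not sep:
            field = ldap_attr
        fields.append(field)
        if field not in DOVECOT_USERDB_FIELDS:
            problems.append(f"{entry!r}: should read ldapAttr=user, e.g. sAMAccountName=user")
        case = _case_problem(entry, ldap_attr)
        if case:
            problems.append(case)
    if "user" not in fields:
        problems.append("iterate_attrs: nothing fills 'user', so doveadm -A has no names to iterate")
    return problems

def parse_settings(text):
    """Minimal key = value reader: comment lines skipped, last value wins."""
    settings = {}
    for line in text.splitlines():
        m = _SETTING.match(line)
        if m and not line.lstrip().startswith("#"):
            settings[m.group(1)] = m.group(2)
    return settings

def lint_ldap_conf(text):
    s = parse_settings(text)
    problems = lint_user_attrs(s.get("user_attrs", ""))
    if "iterate_attrs" in s:
        problems += lint_iterate_attrs(s["iterate_attrs"])
    return problems

# Constructed from the fragment posted at the top of the thread.
THREAD_CONFIG = """\
user_attrs = =homeDirectory=/home/vmail/%d/%n, =mail=maildir:/home/vmail/%d/%n, uid=vmail, gid=vmail
user_filter = (&(objectClass=person)(|(mail=%u)(sAMAccountName=%u)(userPrincipalName=%u)))
# For using doveadm -A:
iterate_attrs = uid=samaccountname
"""

# The same fragment with the thread's corrections: home, mail location, uid and
# gid move to mail_home / mail_location / mail_uid / mail_gid in dovecot.conf.
FIXED_CONFIG = """\
user_attrs =
user_filter = (&(objectClass=person)(|(mail=%u)(sAMAccountName=%u)(userPrincipalName=%u)))
iterate_attrs = sAMAccountName=user
"""
```

Running lint_ldap_conf(THREAD_CONFIG) reports the homeDirectory, uid=vmail, gid=vmail and iterate_attrs entries; the corrected fragment reports nothing. A mapping such as uidNumber=uid, gidNumber=gid (the rfc2307/SFU attributes Trever mentions not having enabled) also passes, since it copies real attributes into real Dovecot fields with the case the directory uses.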
On 10/15/2010 07:46 AM, Timo Sirainen wrote:
> On Fri, 2010-10-15 at 07:17 -0600, Trever L. Adams wrote:
>> Fantastic. I am not. Postfix is validating user existence. I read somewhere I can turn off Dovecot LDA validation, but now I am unable to find the page.
> http://wiki2.dovecot.org/UserDatabase/Static / allow_all_users
>>>> Oct 15 05:48:06 TeaSet dovecot: master: Error: service(auth-worker): child 16375 killed with signal 11 (core dumps disabled)
>>> Can you get a gdb backtrace? First enable core dumps with "ulimit -c unlimited" and once you have core file see http://dovecot.org/bugreport.html
>> I am not sure this is necessary.
> A crash is a bug in any case that I'd like to fix. A good backtrace would make it easier for me to do that.
Alright, I will try to get that to you by Monday. I have to finish my messing with things until after business hours.
>> The problem seems to be in this:
>> dovecot: auth: Debug: ldap(?): result: sAMAccountName(?unknown?)=
>> I get that for all fields in the AD. It looks like I am going to have to do a bind of some kind.
> You mean the "?unknown?" part? I think the problem here is that I hadn't thought that LDAP attributes are case-insensitive. You should have used sAMAccountName, not samaccountname in the iterate_attrs. But I suppose I'll need to fix this myself too.
That was the problem. It seems to have fixed the ldap problem. Below is the auth log.

TeaSet dovecot: auth: Debug: ldap: iterate: base=dc=snowyriver,dc=sapphiresunday,dc=org scope=subtree filter=(objectClass=person) fields=sAMAccountName
dovecot: auth: Debug: ldap(?): result: sAMAccountName(user)=SOME_USER1
dovecot: auth: Debug: ldap(?): result: sAMAccountName(user)=SOME_USER2
dovecot: auth: Debug: ldap(?): result: sAMAccountName(user)=...
dovecot: auth: Debug: master in: USER#0112#011root#011service=doveadm
dovecot: auth: Debug: passwd(root): lookup
dovecot: auth: Debug: master out: USER#0112#011root#011system_groups_user=root#011uid=0#011gid=0#011home=/root
dovecot: auth: Debug: master in: USER#0113#011bin#011service=doveadm
dovecot: auth: Debug: passwd(bin): lookup
dovecot: auth: Debug: master out: USER#0113#011bin#011system_groups_user=bin#011uid=1#011gid=1#011home=/bin

However, the problem is still there. I can't erase the root account. How do I use doveadm? I need the expunge command working. The below is why I wondered if the mail_uid and mail_gid were not being honored.

# doveadm search -A mailbox INBOX from VALID_FROM
doveadm(root): Error: user root: Invalid settings in userdb: userdb returned 0 as uid
doveadm(root): Error: User lookup failed: Invalid user settings. Refer to server log for more information.
doveadm(bin): Error: user bin: Couldn't drop privileges: Mail access for users with UID 1 not permitted (see first_valid_uid in config file).
doveadm(bin): Error: User init failed
doveadm: Error: Failed to iterate through some users
If I can fix this, I only have two problems left.
If I have an auth_default_realm the plain/login users (smart phones and the like) cannot connect (via pam_krb5 kerberos method).
Second, using dovecot auth with postfix, kerberos logins do not work. The plain/login do.
I have been trying to figure out the FAIL code. I haven't been able to. I have the ticket in the right place, it has the right formats (imap one works from the same file). It has the right password.

dovecot: auth: Debug: auth client connected (pid=9022)
dovecot: auth: Debug: client in: AUTH#01111#011GSSAPI#011service=smtp#011nologin#011lip=10.0.1.13#011rip=IP_ADDR#011secured#011resp=<hidden>
dovecot: auth: Debug: gssapi(?,IP_ADDR): Obtaining credentials for smtp@FQDN
dovecot: auth: gssapi(?,IP_ADDR): While processing incoming data: Unspecified GSS failure. Minor code may provide more information
dovecot: auth: gssapi(?,IP_ADDR): While processing incoming data: Invalid message type
postfix/smtpd[9022]: warning: CLIENT_FQDN[IP_ADDR]: SASL GSSAPI authentication failed:
dovecot: auth: Debug: client out: FAIL#01111
postfix/smtpd[9022]: disconnect from CLIENT_FQDN[IP_ADDR]
postfix/smtpd[9022]: connect from CLIENT_FQDN[IP_ADDR]
postfix/smtpd[9022]: warning: CLIENT_FQDN[IP_ADDR]: request longer than 2048: AUTH GSSAPI AUTH_DATA
dovecot: auth: Debug: client in: AUTH#01112#011GSSAPI#011service=smtp#011nologin#011lip=10.0.1.13#011rip=IP_ADDR#011secured#011resp=<hidden>
dovecot: auth: Debug: gssapi(?,IP_ADDR): Obtaining credentials for smtp@FQDN
dovecot: auth: gssapi(?,IP_ADDR): While processing incoming data: Unspecified GSS failure. Minor code may provide more information
dovecot: auth: gssapi(?,IP_ADDR): While processing incoming data: Invalid message type
postfix/smtpd[9022]: warning: CLIENT_FQDN[IP_ADDR]: SASL GSSAPI authentication failed:
dovecot: auth: Debug: client out: FAIL#01112
I cannot find the fail codes. What does 01112 mean?
Thank you, Trever
"Seize the day, put no trust in the morrow!" -- Quintus Horatius Flaccus (Horace)
On Fri, 2010-10-15 at 08:20 -0600, Trever L. Adams wrote:
> dovecot: auth: Debug: ldap(?): result: sAMAccountName(user)=SOME_USER1
> dovecot: auth: Debug: ldap(?): result: sAMAccountName(user)=SOME_USER2
> dovecot: auth: Debug: ldap(?): result: sAMAccountName(user)=...
These are the iterate results.
> dovecot: auth: Debug: master in: USER#0112#011root#011service=doveadm
> dovecot: auth: Debug: passwd(root): lookup
Here it shows it's doing a passwd lookup for user root and
> dovecot: auth: Debug: passwd(bin): lookup
for bin. So is the problem simply that you haven't removed userdb passwd from your config file, and it's now using both ldap and passwd?
> If I have an auth_default_realm the plain/login users (smart phones and the like) cannot connect (via pam_krb5 kerberos method).
Huh? I thought you were using LDAP. And again, logs would show what's happening.
> Second, using dovecot auth with postfix, kerberos logins do not work.
I don't really know about the GSSAPI stuff. Try asking about it in another thread with subject mentioning it, maybe someone else notices it then.
> dovecot: auth: Debug: client out: FAIL#01112
> I cannot find the fail codes. What does 01112 mean?
It's not a failure code. It's just a "tag" that is increased for every lookup.
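Timo's reading of the log above is that the passwd userdb is still configured next to userdb ldap, so the iteration behind doveadm -A also yields the system accounts, and the passwd lookups for root and bin return uid 0 and uid 1, which doveadm refuses (the "userdb returned 0 as uid" and "UID 1 not permitted (see first_valid_uid ...)" errors Trever posted). The script below is an added example written for this page, not code from the thread or from Dovecot: it replays that diagnosis over auth debug log lines, pairing each "master in" USER request with its "master out" reply and with the userdb driver whose debug line appears in between, and applying the same uid checks doveadm applied (uid 0 is refused outright; anything below first_valid_uid, 500 by default in Dovecot 2.0, is refused as well). The sample log is constructed and modelled on Trever's; the users alice and bob and the ldap "user search" lines are invented for illustration. The "#011" in these lines is how Dovecot prints the auth protocol's tab separator.

```python
import re

# Constructed sample modelled on the auth debug log posted in the thread: root
# and bin answered by the passwd userdb as in the thread; alice and bob, and the
# ldap "user search" lines, are invented to show what a clean reply looks like.
SAMPLE_LOG = """\
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: master in: LIST#0111
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: ldap: iterate: base=dc=example,dc=com scope=subtree filter=(objectClass=person) fields=sAMAccountName
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: ldap(?): result: sAMAccountName(user)=alice
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: ldap(?): result: sAMAccountName(user)=bob
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: master in: USER#0112#011root#011service=doveadm
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: passwd(root): lookup
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: master out: USER#0112#011root#011system_groups_user=root#011uid=0#011gid=0#011home=/root
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: master in: USER#0113#011bin#011service=doveadm
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: passwd(bin): lookup
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: master out: USER#0113#011bin#011system_groups_user=bin#011uid=1#011gid=1#011home=/bin
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: master in: USER#0114#011alice#011service=doveadm
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: ldap(alice): user search: base=dc=example,dc=com scope=subtree filter=(&(objectClass=person)(sAMAccountName=alice)) fields=
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: master out: USER#0114#011alice#011home=/home/vmail/example.com/alice
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: master in: USER#0115#011bob#011service=doveadm
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: ldap(bob): user search: base=dc=example,dc=com scope=subtree filter=(&(objectClass=person)(sAMAccountName=bob)) fields=uidNumber,gidNumber
Oct 15 05:48:50 TeaSet dovecot: auth: Debug: master out: USER#0115#011bob#011uid=500#011gid=500#011home=/home/vmail/example.com/bob
"""

MASTER_LINE = re.compile(r"auth: Debug: master (in|out): (.*)$")
USERDB_LINE = re.compile(r"auth: Debug: (\w+)\(([^),]*)[^)]*\): ")

def parse_master_payload(payload):
    """Split 'USER#0112#011root#011uid=0' into (cmd, tag, user, fields).
    Dovecot prints the auth protocol's tab separators as '#011'."""
    parts = payload.split("#011")
    cmd = parts[0]
    tag = parts[1] if len(parts) > 1 else None
    user = parts[2] if len(parts) > 2 else None
    fields = dict(kv.partition("=")[::2] for kv in parts[3:])
    return cmd, tag, user, fields

def judge_uid(fields, first_valid_uid, last_valid_uid):
    """The checks doveadm applied to the replies in the thread."""
    if "uid" not in fields:
        return False, "no uid in reply; mail_uid/mail_gid in dovecot.conf must supply it"
    uid = int(fields["uid"])
    if uid == 0:
        return True, "rejected: userdb returned 0 as uid"
    if uid < first_valid_uid:
        return True, f"rejected: uid {uid} below first_valid_uid={first_valid_uid}"
    if last_valid_uid and uid > last_valid_uid:
        return True, f"rejected: uid {uid} above last_valid_uid={last_valid_uid}"
    return False, "ok"

def audit_userdb_replies(log_text, first_valid_uid=500, last_valid_uid=0):
    """Pair each 'master in' USER request with its 'master out' reply and with
    the userdb driver whose debug line appeared in between.  Defaults are
    Dovecot 2.0's first_valid_uid=500 and last_valid_uid=0 (no upper limit)."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = MASTER_LINE.search(line)
        if m:
            direction, payload = m.groups()
            cmd, tag, user, fields = parse_master_payload(payload)
            if cmd != "USER":
                continue  # LIST (iteration) and other commands are not lookups
            if direction == "in":
                pending[tag] = {"user": user, "driver": None}
                continue
            req = pending.pop(tag, {"user": user, "driver": None})
            rejected, verdict = judge_uid(fields, first_valid_uid, last_valid_uid)
            findings.append({"tag": tag, "user": user, "driver": req["driver"],
                             "uid": fields.get("uid"), "gid": fields.get("gid"),
                             "rejected": rejected, "verdict": verdict})
            continue
        m = USERDB_LINE.search(line)
        if m:  # e.g. "passwd(root): lookup" or "ldap(alice): user search: ..."
            driver, user = m.groups()
            for req in pending.values():
                if req["user"] == user and req["driver"] is None:
                    req["driver"] = driver
    return findings

def drivers_answering(findings):
    return {f["driver"] for f in findings if f["driver"]}

def rejected_users(findings):
    return [f["user"] for f in findings if f["rejected"]]

if __name__ == "__main__":
    report = audit_userdb_replies(SAMPLE_LOG)
    for f in report:
        print(f"{f['user']:<6} via {str(f['driver']):<7} uid={str(f['uid']):<5} {f['verdict']}")
    if len(drivers_answering(report)) > 1:
        print("more than one userdb answered; remove the one doveadm -A should not see")
```

On the sample, root and bin come back via passwd and are rejected, alice comes back via ldap with no uid (so mail_uid and mail_gid from dovecot.conf would apply) and bob via ldap with uid 500 and passes; the two drivers in the summary are the tell-tale sign Timo asks about. Lowering first_valid_uid to 1 would let bin through but not root, which is why the fix is to drop the passwd userdb rather than to loosen the limit.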
participants (2): Timo Sirainen, Trever L. Adams