[Dovecot] No NTLM with PAM after upgrade
After updating from Dovecot 1.0.7 (included with CentOS 5) to 2.1.1, NTLM authentication will not work. Attempts to authenticate against Samba version 4.0.4-GIT-20cb7de also fail with 'auth: Info: winbind(?,192.168.2.100): user not authenticated: NT_STATUS_UNSUCCESSFUL', despite the fact that the same user can sign on to the Samba domain and access files.
What I'm really trying to understand here, though, is why version 1.0.7 would do NTLM with PAM just fine, but the later versions I've tried will not. After failing to get later versions to work, I decided to see if I could at least get them to do NTLM by authenticating against a Samba domain, but that won't work either.
1.0.7 did NTLM just fine authenticating against a system user account with PAM, as demonstrated by the following excerpt from the log:

dovecot: Feb 06 12:46:59 Info: imap-login: Login: user=<pquesinb>, method=NTLM, rip=192.168.2.100, lip=192.168.2.102
dovecot: Feb 06 12:46:59 Info: imap-login: Login: user=<pquesinb>, method=NTLM, rip=192.168.2.100, lip=192.168.2.102
dovecot: Feb 06 12:47:42 Info: IMAP(pquesinb): Disconnected: Logged out
dovecot: Feb 06 12:47:42 Info: IMAP(pquesinb): Disconnected: Logged out
dovecot: Feb 06 12:48:03 Info: imap-login: Login: user=<pquesinb>, method=NTLM, rip=192.168.2.100, lip=192.168.2.102
dovecot: Feb 06 12:48:03 Info: imap-login: Login: user=<pquesinb>, method=NTLM, rip=192.168.2.100, lip=192.168.2.102
dovecot: Feb 06 12:48:44 Info: IMAP(pquesinb): Disconnected: Logged out
dovecot: Feb 06 12:48:44 Info: IMAP(pquesinb): Disconnected: Logged out

Authentication settings for 1.0.7 were as follows (excerpt from -n output, see below for full output):

auth default:
  mechanisms: ntlm plain
  passdb:
    driver: passwd-file
    args: /etc/dovecot.users
  passdb:
    driver: pam
    args: cache_key=%u dovecot
  userdb:
    driver: passwd

Since 1.0.7 was such an old version, I first tried updating to 1.2.17 and lost the ability to do NTLM authentication with the same settings:

Feb 06 16:09:32 dovecot: Info: Dovecot v1.2.17 starting up (core dumps disabled)
Feb 06 16:09:46 auth(default): Info: password(pquesinb,192.168.2.100): Requested NTLM scheme, but we have a NULL password
Feb 06 16:09:53 auth(default): Info: password(pquesinb,192.168.2.100): Requested NTLM scheme, but we have a NULL password
Feb 06 16:10:05 imap-login: Info: Disconnected (auth failed, 2 attempts): user=<pquesinb>, method=NTLM, rip=192.168.2.100, lip=192.168.2.102
Feb 06 16:11:54 auth(default): Info: password(pquesinb,192.168.2.100): Requested NTLM scheme, but we have a NULL password
Feb 06 16:12:04 auth(default): Info: password(pquesinb,192.168.2.100): Requested NTLM scheme, but we have a NULL password
Feb 06 16:12:16 imap-login: Info: Disconnected (auth failed, 2 attempts): user=<pquesinb>, method=NTLM, rip=192.168.2.100, lip=192.168.2.102
Next I decided to try 2.x and since I had installed 1.2.17 from source, I thought it would be wise to install from an RPM which had been "blessed" for CentOS 5, so 2.1.1 was installed from the RPMs linked to on the Dovecot download site: http://dl.atrpms.net/all/dovecot-2.1.1-2_132.el5.x86_64.rpm
Still no NTLM authentication with 2.x using PAM, so I decided to try authenticating against the Samba 4 domain using Samba's winbind daemon and ntlm_auth helper. That still doesn't work, however, as seen in the following log excerpt, but plaintext login, which is also enabled, works:

Feb 28 23:29:13 auth: Debug: auth client connected (pid=18518)
Feb 28 23:29:13 auth: Debug: client in: AUTH 1 NTLM service=imap lip=192.168.2.102 rip=192.168.2.100 lport=143 rport=4531
Feb 28 23:29:15 auth: Debug: client out: FAIL 1
Feb 28 23:29:15 auth: Debug: client in: AUTH 2 PLAIN service=imap lip=192.168.2.102 rip=192.168.2.100 lport=143 rport=4530 resp=AHBxdWVzaW5iAFN0ZXdCMHkv
Feb 28 23:29:17 auth: Debug: client out: CONT 1
Feb 28 23:29:17 auth: Debug: client in: CONT 1 TlRMTVxxxxxxxAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
Feb 28 23:29:17 auth: Error: could not obtain winbind netbios name!
Feb 28 23:29:17 auth: Error: could not obtain winbind domain name!
Feb 28 23:29:17 auth: Debug: client out: CONT 1 TlRMTVNTUAACAAAAGAAYADgAAAAFxxxxxxxxxSsAAAAAAAAAAIoAigBQAAAABgEAAAAAAA9IAEUA
  UgBTAEMASABMxxxxxxxxxxUATgACABgASABFAFIAUwBDAEgATABBAFUAUgBFAE4AAQAOAFMARQBS
  AFYARQBSADEABAAgAGgAZQByAHMAYwBoAGwAYQB1AHIAZQBuAC4AYwBvAG0AAwAwAFMAZQByAHYA
  ZQByADEALgBoAGUAcgBzAGMAaABsAGEAdQByAGUAbgAuAGMAbwBtAAAAAAA=
Feb 28 23:29:17 auth: Debug: client in: CONT 1 TlRMTVNTUAADAAAAGAAYAGoAAAC6ALoAggAAAAAAAABIAAAAEAAQAEgAAAASABIAWAAAAAAAAAAx
  xxxxxxxKIogUBKAoAAAAPcABxAHUAZQBzAGkAbgBiAFEAUwBFAC0AVwxxxxxxxx+cYeYzU98pxsa
  17QyN6VD8kE2RibAjNedd/ooN2y4/uSr/ZQYxxxxxxxxxU1Fs4BjelQ/JBNkYkAAAAAAgAYAEgAR
  QBSAFMAQwBIAEwAQQBVAFIARQBOAAEADgBTAEUAUgBWAEUAUgAxAAQAIABoAGUAcgBzAGMAaABsA
  GEAdQBxxxxxxxxxxbwBtAAMAMABTAGUAcgB2AGUAcgAxAC4AaABlAHIAcwBjAGxxxxxxxxxxxxlA
  G4ALgBjAG8AbQAAAAAAAAAAAA==
Feb 28 23:29:17 auth: Info: winbind(?,192.168.2.100): user not authenticated: NT_STATUS_UNSUCCESSFUL
Feb 28 23:29:19 auth: Debug: cache(pquesinb,192.168.2.100): miss
Feb 28 23:29:19 auth-worker(18524): Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Feb 28 23:29:19 auth: Debug: client out: FAIL 1
Feb 28 23:29:19 auth: Debug: client in: AUTH 2 PLAIN service=imap lip=192.168.2.102 rip=192.168.2.100 lport=143 rport=4531 resp=AHBxdWVzaW5iAFN0ZXdCMHkv
Feb 28 23:29:19 auth-worker(18524): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
Feb 28 23:29:19 auth-worker(18524): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_pgsql.so
Feb 28 23:29:19 auth-worker(18524): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Feb 28 23:29:19 auth-worker(18524): Debug: pam(pquesinb,192.168.2.100): lookup service=dovecot
Feb 28 23:29:19 auth-worker(18524): Debug: pam(pquesinb,192.168.2.100): #1/1 style=1 msg=Password:
Feb 28 23:29:19 auth: Debug: client out: OK 2 user=pquesinb
Feb 28 23:29:19 auth: Debug: master in: REQUEST 751435777 18513 2 db445872b80e33772b5f0d35d50af3d1
Feb 28 23:29:19 auth: Debug: userdb-cache(pquesinb,192.168.2.100): miss
Feb 28 23:29:19 auth: Debug: passwd(pquesinb,192.168.2.100): lookup
Feb 28 23:29:19 auth: Debug: master out: USER 751435777 pquesinb system_groups_user=pquesinb uid=507 gid=508 home=/home/pquesinb
Feb 28 23:29:19 imap-login: Info: Login: user=<pquesinb>, method=PLAIN, rip=192.168.2.100, lip=192.168.2.102, mpid=18526
Feb 28 23:29:27 auth: Debug: cache(pquesinb,192.168.2.100): hit: {SHA1}+2ZUmdHOxxxxxxxxxxxxOLinOC0= user=pquesinb user=pquesinb
Feb 28 23:29:27 auth: Debug: client out: OK 2 user=pquesinb
Feb 28 23:29:27 auth: Debug: master in: REQUEST 3169320961 18518 2 6bd7b4fd283994029394360a2f5b4048
Feb 28 23:29:27 auth: Debug: userdb-cache(pquesinb,192.168.2.100): hit: pquesinb system_groups_user=pquesinb uid=507 gid=508 home=/home/pquesinb
Feb 28 23:29:27 auth: Debug: master out: USER 3169320961 pquesinb system_groups_user=pquesinb uid=507 gid=508 home=/home/pquesinb
Feb 28 23:29:27 imap-login: Info: Login: user=<pquesinb>, method=PLAIN, rip=192.168.2.100, lip=192.168.2.102, mpid=18531
Feb 28 23:30:00 imap(pquesinb): Info: Disconnected: Logged out in=861 out=31433
Feb 28 23:30:00 imap(pquesinb): Info: Disconnected: Logged out in=120 out=739
Here is the -n output for both 2.1.1 and 1.0.7; login/mail executables and plugins are present within the configured paths for both versions:

Config output for 2.1.1:

[root@Server1 log]# dovecot -n
# 2.1.1: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-348.1.1.el5.centos.plusxen x86_64 CentOS release 5.9 (Final)
auth_cache_size = 16 M
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = ntlm plain
auth_use_winbind = yes
auth_verbose = yes
disable_plaintext_auth = no
info_log_path = /var/log/dovecot.log
listen = *
log_path = /var/log/dovecot.log
mail_location = maildir:~/Maildir
maildir_very_dirty_syncs = yes
passdb {
  args = cache_key=%u dovecot
  driver = pam
}
passdb {
  driver = shadow
}
protocols = imap pop3
service auth {
  executable = /usr/libexec/dovecot/auth
  user = root
}
service imap-login {
  client_limit = 256
  executable = /usr/libexec/dovecot/imap-login
  process_limit = 128
  user = dovecot
  vsz_limit = 64 M
}
service imap {
  executable = /usr/libexec/dovecot/imap
  process_limit = 64
}
service pop3-login {
  client_limit = 256
  process_limit = 128
  user = dovecot
  vsz_limit = 64 M
}
service pop3 {
  process_limit = 64
}
ssl_cert =

Here is the config output from the 1.0.7 version, which worked:

[root@Server1 init.d]# dovecot107 -n
# 1.0.7: /etc/dovecot.conf
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
mail_location: maildir:~/Maildir
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
auth default:
  mechanisms: ntlm plain
  passdb:
    driver: passwd-file
    args: /etc/dovecot.users
  passdb:
    driver: pam
    args: cache_key=%u dovecot
  userdb:
    driver: passwd
I'm fairly new to Dovecot, so if someone out there could at least point me in the right direction in order to help me better understand why things aren't working with the newer versions I would really appreciate it.
Many thanks,
Phil Quesinberry
Q Systems Engineering, Inc.
Embedded Systems Hardware/Software Development and VoIP Business Telephone Hosting
Improve your business telephone services and save money
(410) 969-8002
http://www.qsystemsengineering.com