Dovecot+Samba AD - authentication failure
Hi,
I have set up samba4 as AD and am hoping to have dovecot authenticate users against it. I am facing challenges though and I am unable to figure it out. I could do with a third eye to help me spot what is wrong.
root@adc0:/etc# doveadm auth test -x service=imap odhiambo@newideatest.local
Password:
passdb: odhiambo@newideatest.local auth failed
extra fields:
  temp
Warning: auth-client: conn unix:/var/run/dovecot/auth-client: Auth connection closed with 1 pending requests (max 0 secs, pid=10537, EOF)
Fatal: Couldn't connect to auth socket
A test against IMAP gives the following debug information:
Nov 22 14:31:01 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Nov 22 14:31:01 auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/lib20_auth_var_expand_crypt.so
Nov 22 14:31:01 auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_mysql.so
Nov 22 14:31:01 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Nov 22 14:31:01 auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
Nov 22 14:31:01 auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Nov 22 14:31:01 auth: Debug: auth client connected (pid=10979)
Nov 22 14:31:08 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=uPLvabC0RIh/AAAB lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=34884 resp=<hidden>
Nov 22 14:31:08 auth: Debug: ldap(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>): Performing passdb lookup
Nov 22 14:31:08 auth: Debug: ldap(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>): bind search: base=cn=Users,dc=NEWIDEATEST,dc=LOCAL filter=(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=odhiambo@newideatest.local ))
Nov 22 14:31:08 auth: Debug: ldap(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>): no fields returned by the server   <====================
Nov 22 14:31:08 auth: Debug: ldap(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>): Finished passdb lookup
Nov 22 14:31:08 auth: Debug: auth(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>): Auth request finished
Nov 22 14:31:10 auth: Debug: client passdb out: FAIL 1 user=odhiambo@newideatest.local
info.log:
Nov 22 14:31:08 auth: Info: ldap(odhiambo@newideatest.local ,127.0.0.1,<uPLvabC0RIh/AAAB>): unknown user (given password: XXXXXXX)
Nov 22 14:31:15 imap-login: Info: Aborted login (auth failed, 1 attempts in 7 secs): user=<odhiambo@newideatest.local>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<uPLvabC0RIh/AAAB>
Here is my doveconf -n:
https://paste.ubuntu.com/p/SPmrxZxHPx/
My dovecot-ldap.conf.ext:
uris = ldap://localhost/
dn = "dovecot@newideatest.local"
dnpass = "XXXXXXXX"
sasl_bind = no
tls = no
ldap_version = 3
deref = never
scope = subtree
base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
auth_bind = yes
user_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(mail=%u)(sAMAccountName=%u)(otherMailbox=%u)))
user_attrs = sAMAccountName=user,userPassword=password,=mail=maildir:/home/%n/Maildir/
pass_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=%u))
pass_attrs = sAMAccountName=user,userPassword=password
The user exists in the database:
root@adc0:/var/log/dovecot# samba-tool user show odhiambo
ldb_wrap open of secrets.ldb
dn: CN=Odhiambo Washington,CN=Users,DC=newideatest,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Odhiambo Washington
sn: Washington
givenName: Odhiambo
instanceType: 4
whenCreated: 20201120101420.0Z
displayName: Odhiambo Washington
uSNCreated: 4086
name: Odhiambo Washington
objectGUID: e6969596-8b28-41af-b5d8-cea63cc97f98
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-701866827-3355127779-3787685610-1106
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: odhiambo
sAMAccountType: 805306368
userPrincipalName: odhiambo@newideatest.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=newideatest,DC=local
mail: odhiambo@newideatest.local
loginShell: /bin/bash
userAccountControl: 512
pwdLastSet: 132505181852397220
whenChanged: 20201122112945.0Z
uSNChanged: 4104
distinguishedName: CN=Odhiambo Washington,CN=Users,DC=newideatest,DC=local
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", grep ^[^#] :-)
On Sun, 22 Nov 2020 at 15:08, Odhiambo Washington <odhiambo@gmail.com> wrote:
For the record, this is what I finally came up with that worked - dovecot-ldap.conf.ext:
##### BEGIN
uris = ldap://localhost/
dn = "dovecot@newideatest.local"
dnpass = "verystupid"
sasl_bind = no
tls = no
ldap_version = 3
deref = never
scope = subtree
base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
auth_bind = yes

#user_filter = (mail=%u)
#pass_filter = (mail=%u)
#pass_attrs = mail=%u,= userPassword=password

user_filter = (&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter = (&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs = userPassword=password
user_attrs = =home=/var/spool/virtual/%Ld/%Ln/Maildir/,=mail=maildir:/var/spool/virtual/%Ld/%Ln/Maildir/
default_pass_scheme = CRYPT
##### END
Also to add:
- If you use the commented out filters, the authentication is very fast
- If you use the uncommented ones, it's a bit slow.
Choose your poison, as YMMV.
Adios.
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", grep ^[^#] :-)
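Why the first pass_filter found nothing while the final one works can be checked without a Samba server. The following is an added example, not code from the thread or from Dovecot: it models Dovecot's %-variable expansion (with RFC 4515 escaping of the inserted value) and evaluates the resulting LDAP filter against an in-memory copy of the AD entry from the samba-tool output above. The original filter compares sAMAccountName, which is `odhiambo`, against %u, which expands to the full login `odhiambo@newideatest.local`, so no entry matches; `(mail=%u)` or `(sAMAccountName=%n)` does. The function names (expand, parse, evaluate, passdb_lookup) and the second, disabled account entry are constructed for the example.

```python
"""Dovecot LDAP passdb filter expansion, modelled offline.

Added example, not code from the thread or from Dovecot: it expands the
%-variables Dovecot substitutes into user_filter / pass_filter, then evaluates
the resulting LDAP filter against an in-memory copy of the AD entry from the
thread's samba-tool output. Only the filter syntax the thread uses is
supported: &, |, !, equality, and the AD bitwise-AND rule 1.2.840.113556.1.4.803.
"""
import re

BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND

# Attributes copied from the samba-tool output in the thread, plus a constructed
# disabled account (userAccountControl 514 = 512 | 2) to exercise the UAC check.
AD_ENTRIES = [
    {
        "dn": "CN=Odhiambo Washington,CN=Users,DC=newideatest,DC=local",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["odhiambo"],
        "userPrincipalName": ["odhiambo@newideatest.local"],
        "mail": ["odhiambo@newideatest.local"],
        "userAccountControl": ["512"],
    },
    {
        "dn": "CN=Disabled Tester,CN=Users,DC=newideatest,DC=local",   # constructed
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["disabled"],
        "mail": ["disabled@newideatest.local"],
        "userAccountControl": ["514"],
    },
]

# The two pass_filter values posted in the thread.
ORIGINAL_PASS_FILTER = "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=%u))"
WORKING_PASS_FILTER = "(&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

def ldap_escape(value):
    """RFC 4515 escaping of a value inserted into a filter (Dovecot does this for %u etc.)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def ldap_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def expand(template, login):
    """Substitute the Dovecot variables used in the thread: %u %n %d and their %L lowercase forms."""
    user, _, domain = login.partition("@")
    values = {"u": login, "n": user, "d": domain,
              "Lu": login.lower(), "Ln": user.lower(), "Ld": domain.lower()}
    return re.sub(r"%(Lu|Ln|Ld|u|n|d)",
                  lambda m: ldap_escape(values[m.group(1)]), template)

def parse(filt, pos=0):
    """Recursive-descent parse of one parenthesised filter; returns (node, next_pos)."""
    if filt[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if filt[pos] in "&|!":
        op, pos, children = filt[pos], pos + 1, []
        while filt[pos] == "(":
            child, pos = parse(filt, pos)
            children.append(child)
        if filt[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return (op, children), pos + 1
    end = filt.index(")", pos)            # safe: ')' inside values is escaped as \29
    attr, value = filt[pos:end].split("=", 1)
    return ("=", attr, value), end + 1

def evaluate(node, entry):
    """Evaluate a parsed filter against one entry (dict of attr -> list of strings)."""
    op = node[0]
    if op == "&":
        return all(evaluate(c, entry) for c in node[1])
    if op == "|":
        return any(evaluate(c, entry) for c in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    _, attr, value = node
    if attr.endswith(":"):                 # extensible match: attr:rule:=value
        attr, _, rule = attr[:-1].partition(":")
        if rule != BIT_AND_RULE:
            raise ValueError("unsupported matching rule " + rule)
        mask = int(value)
        return any(int(v) & mask == mask for v in entry.get(attr, []))
    wanted = ldap_unescape(value).lower()  # AD string syntaxes match case-insensitively
    return any(v.lower() == wanted for v in entry.get(attr, []))

def passdb_lookup(filter_template, login, entries=AD_ENTRIES):
    """Emulate the passdb search: DN of the single matching entry, or None (no or ambiguous match)."""
    filt = expand(filter_template, login)
    tree, end = parse(filt)
    if end != len(filt):
        raise ValueError("trailing data after filter")
    hits = [e["dn"] for e in entries if evaluate(tree, e)]
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    login = "odhiambo@newideatest.local"
    for name, template in (("original", ORIGINAL_PASS_FILTER),
                           ("working", WORKING_PASS_FILTER),
                           ("sAMAccountName=%n", ORIGINAL_PASS_FILTER.replace("%u", "%n"))):
        print("%-18s %s -> %s" % (name, expand(template, login), passdb_lookup(template, login)))
```

The model compares exact strings, so a login carrying a trailing space, as the expanded filter value in the debug log above does (`sAMAccountName=odhiambo@newideatest.local )`), fails to match even with `(mail=%u)`; the escaping step is also what keeps a login containing `*`, `(` or `)` from changing the structure of the filter.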
On 24/11/2020 13:20 Odhiambo Washington <odhiambo@gmail.com> wrote:
For the record, this is what I finally came up with that worked - dovecot-ldap.conf.ext:
##### BEGIN
uris = ldap://localhost/
dn = "dovecot@newideatest.local"
dnpass = "verystupid"
sasl_bind = no
tls = no
ldap_version = 3
deref = never
scope = subtree
base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
auth_bind = yes
You probably would want to set this to 'no'; it causes dovecot to rebind after authentication. This is not required when you can return the password from LDAP; it is only required when you have to do a lookup first and then authenticate as the user to verify the password.
Regards,
Aki
On Tue, 24 Nov 2020 at 14:51, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
On 24/11/2020 13:20 Odhiambo Washington <odhiambo@gmail.com> wrote:
For the record, this is what I finally came up with that worked - dovecot-ldap.conf.ext:
##### BEGIN
uris = ldap://localhost/
dn = "dovecot@newideatest.local"
dnpass = "verystupid"
sasl_bind = no
tls = no
ldap_version = 3
deref = never
scope = subtree
base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
auth_bind = yes
You probably would want to set this to 'no'; it causes dovecot to rebind after authentication. This is not required when you can return the password from LDAP; it is only required when you have to do a lookup first and then authenticate as the user to verify the password.
Hello Aki,
Thanks for looking at this.
In my case, when I change to "auth_bind = no", then this happens:
root@adc0:/etc/dovecot# telnet 0 143
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.
1 login odhiambo@newideatest.local XXXXXXX
1 NO [AUTHENTICATIONFAILED] Authentication failed.
1 logout
Auth succeeds though when I have it set to "yes".
My conf.d/auth-ldap.conf.ext contains:
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
  driver = static
  args = uid=Debian-exim gid=Debian-exim home=/var/spool/virtual/%Ld/%Ln
}
How can I return the password from LDAP? I'd be happy to know what I need to do so that I can use your suggestion. This LDAP stuff is still quite some "greek" to me.
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", grep ^[^#] :-)
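The distinction Aki draws between the two passdb modes, and the result reported above (auth_bind = no fails, auth_bind = yes works), can be made concrete with a small model. This is an added example, not code from the thread or from Dovecot: MockDirectory, AD_LIKE, OPENLDAP_LIKE, auth_bind_yes() and auth_bind_no() are constructed names, and the service and user passwords are made up. Samba AD, like Windows AD, does not return the account's password hash over LDAP, so with auth_bind = no there is nothing for Dovecot to compare and only the bind-as-user path can succeed against it; the OpenLDAP-like directory, which does publish a hashed userPassword, shows the other path working.

```python
"""The two password-verification paths of a Dovecot LDAP passdb, modelled offline.

Added example, not code from the thread or from Dovecot. MockDirectory is a
constructed stand-in for an LDAP server: AD_LIKE never returns a password
attribute (as Samba AD / Windows AD do not expose the hash over LDAP), while
OPENLDAP_LIKE does. auth_bind_yes() and auth_bind_no() follow the two
strategies described in the thread.
"""
import base64
import hashlib
import hmac

SERVICE_DN = "dovecot@newideatest.local"   # the dn from the thread's dovecot-ldap.conf.ext
SERVICE_PW = "service-secret"              # constructed
USER_DN = "CN=Odhiambo Washington,CN=Users,DC=newideatest,DC=local"
USER_LOGIN = "odhiambo@newideatest.local"
USER_PW = "correct-horse"                  # constructed

def sha256_scheme(password):
    """Dovecot's {SHA256} password scheme: base64 of the raw SHA-256 digest."""
    digest = hashlib.sha256(password.encode()).digest()
    return "{SHA256}" + base64.b64encode(digest).decode()

def verify(stored, password):
    """Constant-time check of a stored {SCHEME}value against a supplied password.
    Only {SHA256} and {PLAIN} are modelled (the thread's default_pass_scheme is CRYPT)."""
    if stored.startswith("{SHA256}"):
        return hmac.compare_digest(stored.encode(), sha256_scheme(password).encode())
    if stored.startswith("{PLAIN}"):
        stored = stored[len("{PLAIN}"):]
    return hmac.compare_digest(stored.encode(), password.encode())

class MockDirectory:
    """Minimal LDAP stand-in: simple bind plus a single-attribute equality search."""
    def __init__(self, entries, passwords):
        self.entries = entries        # dn -> {attribute: [values]}; what a search can return
        self.passwords = passwords    # dn -> password; consulted only by bind()

    def bind(self, dn, password):
        # An empty password would be an unauthenticated bind in real LDAP, so reject it outright.
        return bool(password) and self.passwords.get(dn) == password

    def search(self, attr, value, want_attrs):
        """Return [(dn, {attr: values})] for entries where `attr` equals `value` (case-insensitive)."""
        hits = []
        for dn, entry in self.entries.items():
            if value.lower() in [v.lower() for v in entry.get(attr, [])]:
                hits.append((dn, {a: entry[a] for a in want_attrs if a in entry}))
        return hits

# No password attribute at all: a search cannot retrieve the hash, only bind() knows it.
AD_LIKE = MockDirectory(
    entries={USER_DN: {"mail": [USER_LOGIN], "sAMAccountName": ["odhiambo"]}},
    passwords={SERVICE_DN: SERVICE_PW, USER_DN: USER_PW},
)
# Constructed contrast: a directory that publishes a hashed userPassword.
OPENLDAP_LIKE = MockDirectory(
    entries={USER_DN: {"mail": [USER_LOGIN], "userPassword": [sha256_scheme(USER_PW)]}},
    passwords={SERVICE_DN: SERVICE_PW, USER_DN: USER_PW},
)

def auth_bind_yes(directory, login, password):
    """auth_bind = yes: find the user's DN as the service account, then bind as that DN."""
    if not directory.bind(SERVICE_DN, SERVICE_PW):
        return "service bind failed"
    hits = directory.search("mail", login, [])           # the thread's pass_filter idea, (mail=%u)
    if len(hits) != 1:
        return "unknown user"
    user_dn = hits[0][0]
    return "ok" if directory.bind(user_dn, password) else "auth failed"

def auth_bind_no(directory, login, password, pass_attr="userPassword"):
    """auth_bind = no: read the attribute named by pass_attrs and compare it locally."""
    if not directory.bind(SERVICE_DN, SERVICE_PW):
        return "service bind failed"
    hits = directory.search("mail", login, [pass_attr])
    if len(hits) != 1:
        return "unknown user"
    values = hits[0][1].get(pass_attr)
    if not values:
        return "no password attribute returned"
    return "ok" if verify(values[0], password) else "auth failed"

if __name__ == "__main__":
    for name, directory in (("AD-like", AD_LIKE), ("OpenLDAP-like", OPENLDAP_LIKE)):
        print(name, "auth_bind=yes:", auth_bind_yes(directory, USER_LOGIN, USER_PW),
              "| auth_bind=no:", auth_bind_no(directory, USER_LOGIN, USER_PW))
```

Running it prints both paths against both directories: the AD-like one only passes through auth_bind_yes(), the OpenLDAP-like one passes through either. The model reduces the thread's `(mail=%u)` filter to a single equality search and does not cover the full filter syntax.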