Hi again everybody !
I'm still stuck with the dovecot ntlm authentication… I configured dovecot to use winbind, and I would like winbind to authenticate against samba (samba, winbind and dovecot are running on the same box).
Here is the log I have (192.168.0.1 is the server box, 192.168.0.254 the client box)
dovecot: May 06 14:52:37 Info: auth(default): new auth connection: pid=25828
dovecot: May 06 14:52:38 Info: auth(default): client in: AUTH 1 NTLM
service=imap secured lip=192.168.0.1 rip=192.168.0.254 lport=143
rport=1084
dovecot: May 06 14:52:38 Info: auth(default): client out: CONT 1
dovecot: May 06 14:52:38 Info: auth(default): client in: CONT 1
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
dovecot: May 06 14:52:38 Info: auth(default): client out: CONT 1
TlRMTVNTUAACAAAADgAOADAAAAAFgomizPYc4ALWKQgAAAAAAAAAAIAAgAA+AAAAQQBMAFYA
TlRMTVNTUAACAAAADgAOADAAAAAFgomizPYc4ALWKQgAAAAAAAAAAIAAgAA+QQBS
AFUATQACAA4AQQBMAFYAQQBSAFUATQABABAASQBOAFQARQBSAE4AQQBMAAQAHgBhAGkAZABlAHIA
ZABvAG4AbgBlAHIALgBjAG8AbQADADAAaQBuAHQAZQByAG4AYQBsAC4AYQBpAGQAZQByAGQAbwBu
AG4AZQByAC4AYwBvAG0AAAAAAA==
dovecot: May 06 14:52:38 Info: auth(default): client in: CONT 1
TlRMTVNTUAADAAAAGAAYAF4AAAAYABgAdgAAAAAAAABIAAAABgAGAEgAAAAQABAATgAAAAAAAACO
AAAABYKIogUBKAoAAAAPZgBmAHMAQQBMAFYAQQBSAFUATQAzABXRN5WNNwAgAAAAAAAAAAAAAAAA
AAAAALm1ePVxjdOF1UPe8A/e1D6H0+jlJYQPUA==
dovecot: May 06 14:52:38 Info: auth(default): winbind(?,192.168.0.254): user not authenticated: NT_STATUS_NO_LOGON_SERVERS
dovecot: May 06 14:52:40 Info: auth(default): client out: FAIL 1
Please help, I really need to set this up and it begins to drive me really crazy
Cédric Laruelle
Have you confirmed winbind is configured and working correctly ?
"user not authenticated: NT_STATUS_NO_LOGON_SERVERS" suggests to me that you haven't got a working winbind setup.
Rob
On Mon, 2009-05-11 at 10:01 +0200, Cédric Laruelle wrote:
Please consider the environment before printing this email.
GAME Group plc, winners of:
2009 Retail Week Awards - Speciality Retailer of the Year 2009 National Sales Awards - Sales Training Programme/Initiative of the Year 2008 Econsultancy Innovation Awards - Innovation in Online Acquisition 2008 MCV Awards - Specialist Retailer of the Year 2007 Golden Joystick Awards - Retailer of the Year 2007 MCV Awards - Specialist Retailer of the Year 2006 Golden Joystick Awards - Retailer of the Year
This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the system manager at:
mailto:postmaster@game.co.uk
The recipient acknowledges that the transmissions made via the Internet can be corrupted and therefore THE GAME GROUP PLC and any of its subsidiaries do not give any warranty as to the quality or accuracy of any information contained in the message or assume any liability for it or for its transmission, reception or storage.
This footnote also confirms that this e-mail message has been swept by anti-virus software for the presence of computer viruses.
http://www.game.co.uk http://www.gamegroup.plc.uk
Registered Number: 1937170 Registered Office: Unity House, Telford Road, Basingstoke, Hampshire. RG21 6YJ Registered in England and Wales.
No, I haven't. The problem is I find nowhere explanations on how to configure winbind to authenticate against samba. All configurations I found were to configure it on AD. In samba docs, I found "Winbind is targeted at organizations that have an existing NT-based domain infrastructure into which they wish to put UNIX workstations or servers", but that's not my case ...
If you have any clues where I could find or ask the info it would be much appreciated.
Best regards,
Cédric Laruelle
-----Original Message-----
From: dovecot-bounces+laruellec=aiderdonner.com@dovecot.org [mailto:dovecot-bounces+laruellec=aiderdonner.com@dovecot.org] On behalf of Rob Coward
Sent: Monday, 11 May 2009 10:20
To: Cédric Laruelle
Cc: dovecot@dovecot.org
Subject: Re: [Dovecot] NTLM configuration
Actually, I found the winbind problem : I was using samba 3.0.28 which is bugged on using winbind on a samba PDC. I upgraded to 3.0.33 and now winbind is working correctly, meaning I can authenticate a user using ntlm_auth --username=xxx and I have "NT_STATUS_OK: Success (0x0)". However, it is still failing when I try to authenticate with dovecot and ntlm. Here is the log I have :
dovecot: May 11 11:40:35 Info: auth(default): client in: AUTH 1 NTLM service=imap secured lip=192.168.0.1 rip=192.168.0.254 lport=143 rport=1210
dovecot: May 11 11:40:35 Info: auth(default): client out: CONT 1
dovecot: May 11 11:40:35 Info: auth(default): client in: CONT 1 TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
dovecot: May 11 11:40:35 Info: auth(default): client out: CONT 1 TlRMTVNTUAACAAAADgAOADAAAAAFgomiYLxtMH3H1LwAAAAAAAAAAIAAgAA+AAAAQQBMAFYAQQBSAFUATQACAA4AQQBMAFYAQQBSAFUATQABABAASQBOAFQARQBSAE4AQQBMAAQAHgBhAGkAZABlAHIAZABvAG4AbgBlAHIALgBjAG8AbQADADAAaQBuAHQAZQByAG4AYQBsAC4AYQBpAGQAZQByAGQAbwBuAG4AZQByAC4AYwBvAG0AAAAAAA==
dovecot: May 11 11:40:35 Info: auth(default): client in: CONT 1 TlRMTVNTUAADAAAAGAAYAF4AAAAYABgAdgAAAAAAAABIAAAABgAGAEgAAAAQABAATgAAAAAAAACOAAAABYKIogUBKAoAAAAPZgBmAHMAQQBMAFYAQQBSAFUATQAzAH7tuJu/R/lTAAAAAAAAAAAAAAAAAAAAAB9dNIf6uB8KWG4KjG7hod/cNrCJsS5DpQ==
dovecot: May 11 11:40:35 Info: auth(default): winbind(?,192.168.0.254): user not authenticated: NT_STATUS_NO_SUCH_USER
dovecot: May 11 11:40:37 Info: auth(default): client out: FAIL 1
It says the user does not exist, but I use the same user as the one in command line with ntlm_auth. Actually, I'm not sure which user is passed in, as it is Outlook that sends the NTLM hash to dovecot. Is there a way to track ? Is it the auth_username_format which is incorrect ?
My parameters are :
auth_ntlm_use_winbind = yes
auth_username_format = %n
auth_winbind_helper_path = /usr/bin/ntlm_auth
Best regards,
Cédric Laruelle
-----Original Message-----
From: dovecot-bounces+laruellec=aiderdonner.com@dovecot.org [mailto:dovecot-bounces+laruellec=aiderdonner.com@dovecot.org] On behalf of Cédric Laruelle
Sent: Monday, 11 May 2009 10:46
To: dovecot@dovecot.org
Subject: Re: [Dovecot] NTLM configuration
On Mon, 2009-05-11 at 11:47 +0200, Cédric Laruelle wrote:
dovecot: May 11 11:40:35 Info: auth(default): winbind(?,192.168.0.254): user not authenticated: NT_STATUS_NO_SUCH_USER .. It says the user does not exist, but I use the same user as the one in command line with ntlm_auth. Actually, I'm not sure which user is passed in, as it is Outlook that send the NTLM hash to dovecot. Is there a way to track ? Is it the auth_username_format which is incorrect ?
I've no idea what the problem is exactly, but the "winbind(?,..)" part shows the username being "?", which means Dovecot doesn't know it. That's because winbind does all the NTLM parsing and Dovecot doesn't know the username until the authentication succeeds. So auth_username_format etc. won't have any effect on winbind authentication.
Maybe you can enable some debug logging in Samba side?
I figured out what the problem was. I had to set up samba with "winbind use default domain = true" and I had a firewall rule blocking winbind to samba discussion (for some reason, the discussion appears to be on the internet network adapter and not on the local network adapter ...).
Thanks again for all the help provided
Best regards,
Cédric Laruelle
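
Added example, not part of the original thread: the last `client in: CONT 1` payload in the auth log is a base64 NTLMSSP Type 3 (AUTHENTICATE) message, so the domain, user and workstation the client sent can be read from it offline even though Dovecot logs the user as "?". The sample message is constructed (zeroed responses, hypothetical names `jdoe` and `CLIENT01`), and the parser assumes the 64-byte header layout with a flags field.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM otherwise


def _field(msg, pos):
    """Return the bytes named by the (len, maxlen, offset) header at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]


def parse_ntlm_authenticate(b64_blob):
    """Return domain, user and workstation from a base64 NTLMSSP Type 3 message."""
    msg = base64.b64decode(b64_blob, validate=True)
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIG:
        raise ValueError("not an NTLMSSP message with a 64-byte header")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError("expected Type 3 (AUTHENTICATE), got type %d" % msg_type)
    (flags,) = struct.unpack_from("<I", msg, 60)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    # Header offsets: LM resp 12, NT resp 20, domain 28, user 36, workstation 44
    return {
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "workstation": _field(msg, 44).decode(enc),
    }


def build_sample(domain, user, workstation, msg_type=3):
    """Constructed message with zeroed 24-byte responses (no real credentials)."""
    names = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    buffers = [b"\x00" * 24, b"\x00" * 24] + names + [b""]  # LM, NT, names, key
    header, body, offset = NTLMSSP_SIG + struct.pack("<I", msg_type), b"", 64
    for buf in buffers:
        header += struct.pack("<HHI", len(buf), len(buf), offset)
        body += buf
        offset += len(buf)
    header += struct.pack("<I", NEGOTIATE_UNICODE)
    return base64.b64encode(header + body).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: bare user name with an empty domain field
    print(parse_ntlm_authenticate(build_sample("", "jdoe", "CLIENT01")))
```

When the domain field comes back empty, the client sent a bare user name, which is the case the `winbind use default domain` setting mentioned in the final message applies to.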
participants (3)
- Cédric Laruelle
- Rob Coward
- Timo Sirainen