I'm trying to get NTLM authentication working with Dovecot to authenticate Postfix SMTP clients.

I can authenticate postfix smtp clients using the plain text login mechanism through winbind. However, using the NTLM mechanism gives me an error in my maillog that says: "dovecot: auth: winbind(?,10.20.2.0): user not authenticated: NT_STATUS_UNSUCCESSFUL".

At this point, I'm rather stuck. It appears PAM and winbind work for authenticating with AD because it works with the plain text mechanism, but I'm missing something with the NTLM authentication method.

Any suggestions as to what I've got wrong, or other logging I can turn up / examine that might shed some light on this?

When I use the LOGIN mechanism I see this in the mail logging and the message is relayed:

Jun 21 13:12:58 SBSMTPNV05 postfix/smtpd[1501]: connect from nvit01b.mydomain.com[10.20.2.**0] Jun 21 13:12:58 SBSMTPNV05 dovecot: auth: Debug: auth client connected (pid=1501) Jun 21 13:12:58 SBSMTPNV05 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=**smtp#011nologin#011lip=10.20.**4 .12#011rip=10.20.2.0#011resp=**AG[...snip...]g== Jun 21 13:12:58 SBSMTPNV05 dovecot: auth: Debug: pam(myusername,10.20.2.0): lookup service=dovecot Jun 21 13:12:58 SBSMTPNV05 dovecot: auth: Debug: pam(myusername,10.20.2.0): #1/1 style=1 msg=Password: Jun 21 13:12:58 SBSMTPNV05 dovecot: auth: Debug: client out: OK#0111#011user=myusername Jun 21 13:12:58 SBSMTPNV05 postfix/smtpd[1501]: 54EAF8059B: client= nvit01b.mydomain.com[**10.20.2.0], sasl_method=PLAIN, sasl_username=myusername Jun 21 13:12:58 SBSMTPNV05 postfix/cleanup[1504]: 54EAF8059B: message-id=< 51C4B3C8.30008@**domain1.com 51C4B3C8.30008@domain1.com> Jun 21 13:12:58 SBSMTPNV05 postfix/qmgr[1499]: 54EAF8059B: from=< someone@domain1.com>, size=2700, nrcpt=1 (queue active) Jun 21 13:12:58 SBSMTPNV05 postfix/smtpd[1501]: disconnect from nvit01b.mydomain.com[10.20.2.**0] Jun 21 13:12:59 SBSMTPNV05 postfix/smtp[1505]: 54EAF8059B: to=< someone@gmail.com>, relay=gmail-smtp-in.l.google.**comhttp://gmail-smtp-in.l.google.com/[74.125.25.27]:25, delay=1.2, delays=0.23/0.04/0.16/0.72, dsn=2.0.0, status=sent (250 2.0.0 OK 1371845579 wf5si3786287pab.138 - gsmtp) Jun 21 13:12:59 SBSMTPNV05 postfix/qmgr[1499]: 54EAF8059B: removed

I also see this in the secure log:

Jun 21 13:12:58 SBSMTPNV05 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=myusername rhost=10.20.2.0 user=myusername Jun 21 13:12:58 SBSMTPNV05 auth: pam_winbind(dovecot:auth): getting password (0x00000010) Jun 21 13:12:58 SBSMTPNV05 auth: pam_winbind(dovecot:auth): pam_get_item returned a password Jun 21 13:12:58 SBSMTPNV05 auth: pam_winbind(dovecot:auth): user 'myusername' granted access Jun 21 13:12:58 SBSMTPNV05 auth: pam_winbind(dovecot:account): user 'myusername' granted access

However, when I switch the mechanism to NTLM in the Thurnderbird MUA I see this:

Jun 21 13:15:46 SBSMTPNV05 postfix/smtpd[1506]: connect from nvit01b.mydomain.com[10.20.2.**0] Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/**libauthdb_ldap.so Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/**libdriver_sqlite.so Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/**libmech_gssapi.so Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: auth client connected (pid=1506) Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: client in: AUTH#0111#011NTLM#011service=**smtp#011nologin#011lip=10.20.**4. 12#011rip=10.20.2.0#011resp=**TlRMT[...snip...]A= Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: client out: CONT#0111#011TlRMT[[...snip...**]A Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: client in: CONT#0111#011TlRMT[...snip...]**A= Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: winbind(?,10.20.2.0): user not authenticated: NT_STATUS_UNSUCCESSFUL Jun 21 13:15:48 SBSMTPNV05 postfix/smtpd[1506]: warning: nvit01b.mydomain.com[10.20.2.**0]: SASL NTLM authentication failed: TlRMT[...snip...]A Jun 21 13:15:48 SBSMTPNV05 dovecot: auth: Debug: client out: FAIL#0111 Jun 21 13:15:49 SBSMTPNV05 postfix/smtpd[1506]: disconnect from nvit01b.mydomain.com[10.20.2.**0]

with nothing in the secure log and I don't see anything show up in the winbind logs either.

I've reviewed these pages as reference, and I'm not sure what I'm missing: http://wiki2.dovecot.org/**HowTo/ActiveDirectoryNtlmhttp://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm http://wiki2.dovecot.org/**Authentication/Mechanisms/NTLMhttp://wiki2.dovecot.org/Authentication/Mechanisms/NTLM http://www.dovecot.org/list/**dovecot/2008-December/035630.**htmlhttp://www.dovecot.org/list/dovecot/2008-December/035630.html http://www.dovecot.org/list/**dovecot/2010-February/046763.**htmlhttp://www.dovecot.org/list/dovecot/2010-February/046763.html http://blog.al-shami.net/2008/**05/freebsd-postfix-dovecot-** and-active-directory/http://blog.al-shami.net/2008/05/freebsd-postfix-dovecot-and-active-director... http://wiki2.dovecot.org/**HowTo/PostfixAndDovecotSASLhttp://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL

Here's some of my relevant configuration as I understand it:

I've joined the computer to the AD domain. The wbinfo tests work fine: # wbinfo -t checking the trust secret for domain MYDOMAIN via RPC calls succeeded

# doveconf -n # 2.0.9: /etc/dovecot/dovecot.conf # OS: Linux 2.6.32-358.11.1.el6.x86_64 x86_64 CentOS release 6.4 (Final) auth_debug_passwords = yes auth_mechanisms = plain ntlm login auth_use_winbind = yes auth_username_format = %Lu listen = * mbox_write_locks = fcntl passdb { driver = pam } service auth { unix_listener /var/spool/postfix/private/**auth { group = postfix mode = 0666 user = postfix } } ssl_cert = dovecot.pem ssl_key =

////////////////////