[Dovecot] NTLM authentication does not work
Dear Experts, I configured Samba, Kerberos, etc., and can log in to my CentOS using an ADS account, but I am missing something in my Dovecot config.
Winbind seems to work:
[root@aCentOs2 dovecot]# wbinfo -a wAlex%pass
plaintext password authentication succeeded
challenge/response password authentication succeeded
Same is true for ntlm_auth helper:
[root@aCentOs2 dovecot]# /usr/bin/ntlm_auth --username=wAlex --password=pass
NT_STATUS_OK: Success (0x0)
But I couldn't get into Dovecot (with or without auth_use_winbind option):
. login wAlex pass
. NO [ALERT] Unsupported authentication mechanism.
Despite very verbose logging, there are no clues there. Below is my dovecot -n output:
# 2.0.0: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-194.11.1.el5 i686 CentOS release 5.5 (Final)
auth_debug = yes
auth_debug_passwords = yes
auth_master_user_separator = *
auth_mechanisms = ntlm
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
debug_log_path = /var/log/Dovecot/dovecot_debug.log
disable_plaintext_auth = no
info_log_path = /var/log/Dovecot/dovecot_info.log
log_path = /var/log/Dovecot/dovecot.log
mail_location = maildir:~/Maildir
protocols = imap
ssl_cert =
It might be irrelevant, but although the lines "auth_use_winbind = yes" and "auth_winbind_helper_path = /usr/bin/ntlm_auth" are close together in the config file, I cannot see the latter when I run dovecot -n.
I am quite new to Dovecot and will appreciate any help. Thanks, Alex.
On Mon, 2010-08-30 at 12:21 -0500, Alexander Cherniak wrote:
> Winbind seems to work:
> [root@aCentOs2 dovecot]# wbinfo -a wAlex%pass
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
> Same is true for ntlm_auth helper:
> [root@aCentOs2 dovecot]# /usr/bin/ntlm_auth --username=wAlex --password=pass
> NT_STATUS_OK: Success (0x0)
I don't much know of NTLM, but..
> But I couldn't get into Dovecot (with or without auth_use_winbind option):
> . login wAlex pass
> . NO [ALERT] Unsupported authentication mechanism.
> ..
> auth_mechanisms = ntlm
This error happens because you enabled NTLM mechanism, but disabled PLAIN mechanism (LOGIN command uses PLAIN mechanism). If you want both to work, use:
auth_mechanisms = plain ntlm
And note that winbind authentication only works for NTLM mechanism, not for anything else. Maybe you need to figure out some other passdb to use like LDAP or maybe some PAM plugin?..
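A configuration check for the points raised in the reply above, written as an added example that is not part of the original thread or of Dovecot itself. It reads `dovecot -n` style output and reports the LOGIN/PLAIN mismatch, the winbind limitation, and the password-logging and plaintext settings visible in the posted config; the finding codes are hypothetical names and the sample input is constructed from the settings quoted in the thread.

```python
# Added example: audit the auth settings printed by `dovecot -n`.
# SAMPLE_CONF is constructed from the settings quoted in the thread.
SAMPLE_CONF = """\
# 2.0.0: /etc/dovecot/dovecot.conf
auth_debug_passwords = yes
auth_mechanisms = ntlm
auth_use_winbind = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
"""

def parse_conf(text):
    """Collect top-level 'key = value' lines; settings inside { } sections are skipped."""
    conf, depth = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth = max(depth - 1, 0)
        elif depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return (code, explanation) findings; the codes are hypothetical labels."""
    # Dovecot's default for auth_mechanisms is "plain" when the setting is absent.
    mechs = conf.get("auth_mechanisms", "plain").lower().split()
    findings = []
    if "plain" not in mechs:
        findings.append(("LOGIN_REJECTED", "IMAP LOGIN uses PLAIN; add 'plain' to auth_mechanisms"))
    elif conf.get("auth_use_winbind") == "yes":
        findings.append(("WINBIND_NTLM_ONLY", "winbind only serves NTLM; PLAIN needs its own passdb"))
    if "plain" in mechs and conf.get("disable_plaintext_auth") == "no":
        findings.append(("PLAINTEXT_WITHOUT_TLS", "passwords may be sent over unencrypted connections"))
    if conf.get("auth_debug_passwords") == "yes" or conf.get("auth_verbose_passwords", "no") != "no":
        findings.append(("PASSWORDS_IN_LOGS", "turn password logging off once debugging is done"))
    return findings

if __name__ == "__main__":
    for code, why in audit(parse_conf(SAMPLE_CONF)):
        print(f"{code}: {why}")
```

Feed it the real output with `audit(parse_conf(open("dovecot-n.txt").read()))` after saving `dovecot -n` to a file (the file name is an assumption).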
Thank you Timo, I had a bad feeling that IMAP login always goes for PLAIN authentication... What else can I use for debugging? In my case both wbinfo and ntlm_auth do work, but Outlook doesn't. I am new to Dovecot/Linux and running out of ideas. Can somebody recommend a good troubleshooting strategy?
Regards, Alex
-----Original Message-----
From: Timo Sirainen [mailto:tss@iki.fi]
Sent: Tuesday, August 31, 2010 1:55 PM
To: Alexander Cherniak
Cc: dovecot@dovecot.org
Subject: Re: [Dovecot] NTLM authentication does not work
participants (2)
- Alexander Cherniak
- Timo Sirainen