[Dovecot] NTLM authentication mechanism with Postfix
I'm working on getting authentication for Postfix smtpd clients working with Dovecot. I've got both plain text and GSSAPI mechanisms working. Winbind also works for shell access and the command line tests work fine.
If I can get NTLM authentication working I can use Postfix as a drop-in replacement for a MS MTA I want to get rid of.
I'm hoping the community might be able to offer some insight into what I'm missing to get NTLM authentication working with Dovecot and Postfix. Something related to winbind I suspect.
When I use the NTLM mechanism I get this in my maillog file. Nothing seems to show up in the winbind files for this.
---- log file from NTLM mechanism used ----
Jun 26 17:02:53 SBSMTPNV05 postfix/smtpd[2221]: connect from nvit01b.mydomain.com[10.20.2.0]
Jun 26 17:02:53 SBSMTPNV05 dovecot: auth: Debug: client in: AUTH#0112#011NTLM#011service=smtp#011nologin#011lip=10.20.4.12#011rip=10.20.2.0#011resp=TlRM...A=
Jun 26 17:02:53 SBSMTPNV05 dovecot: auth: Debug: client out: CONT#0112#011TlRM....A
Jun 26 17:02:53 SBSMTPNV05 dovecot: auth: Debug: client in: CONT#0112#011TlRM....Q=
Jun 26 17:02:53 SBSMTPNV05 dovecot: auth: winbind(?,10.20.2.0): user not authenticated: NT_STATUS_UNSUCCESSFUL
Jun 26 17:02:55 SBSMTPNV05 postfix/smtpd[2221]: warning: nvit01b.mydomain.com[10.20.2.0]: SASL NTLM authentication failed: TlRM....A
Jun 26 17:02:55 SBSMTPNV05 dovecot: auth: Debug: client out: FAIL#0112
Jun 26 17:02:59 SBSMTPNV05 postfix/smtpd[2221]: disconnect from nvit01b.mydomain.com[10.20.2.0]
---- log file from GSSAPI mechanism used -----
Jun 26 17:02:08 SBSMTPNV05 postfix/smtpd[2221]: connect from nvit01b.mydomain.com[10.20.2.0]
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: auth client connected (pid=2221)
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=smtp#011nologin#011lip=10.20.4.12#011rip=10.20.2.0#011resp=YIIN....
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: ....g==
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: gssapi(?,10.20.2.0): Obtaining credentials for smtp@
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: gssapi(myusername@MYDOMAIN.COM,10.20.2.0): security context state completed.
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: client out: CONT#0111#011YIGVB....E=
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: client in: CONT#0111#011
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: gssapi(myusername@MYDOMAIN.COM,10.20.2.0): Negotiated security layer
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: client out: CONT#0111#011BQQF/w....M=
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: client in: CONT#0111#011BQQE/w....u
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: client out: OK#0111#011user=myusername
Jun 26 17:02:08 SBSMTPNV05 postfix/smtpd[2221]: AE80A80592: client=nvit01b.mydomain.com[10.20.2.0], sasl_method=GSSAPI, sasl_username=myusername
Jun 26 17:02:08 SBSMTPNV05 postfix/cleanup[2219]: AE80A80592: message-id=51CB8100.1010103@example.com
Jun 26 17:02:08 SBSMTPNV05 postfix/qmgr[1999]: AE80A80592: from=matthew@example.com, size=2178, nrcpt=1 (queue active)
Jun 26 17:02:08 SBSMTPNV05 postfix/smtpd[2221]: disconnect from nvit01b.mydomain.com[10.20.2.0]
Jun 26 17:02:09 SBSMTPNV05 postfix/smtp[2220]: AE80A80592: to=utegrad@gmail.com, relay=gmail-smtp-in.l.google.com[74.125.129.27]:25, delay=0.93, delays=0.09/0/0.15/0.69, dsn=2.0.0, status=sent (250 2.0.0 OK 1372291329 y9si419401pay.83 - gsmtp)
Jun 26 17:02:09 SBSMTPNV05 postfix/qmgr[1999]: AE80A80592: removed
---- log file from plain text mechanism -----
Jun 26 17:01:08 SBSMTPNV05 postfix/smtpd[2209]: connect from nvit01b.mydomain.com[10.20.2.0]
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: auth client connected (pid=2209)
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=10.20.4.12#011rip=10.20.2.0#011secured#011resp=AG1sYXJzZW4ASWRvbnR3YW50Mg==
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: pam(myusername,10.20.2.0): lookup service=dovecot
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: pam(myusername,10.20.2.0): #1/1 style=1 msg=Password:
Jun 26 17:01:09 SBSMTPNV05 dovecot: auth: Debug: client out: OK#0111#011user=myusername
Jun 26 17:01:09 SBSMTPNV05 postfix/smtpd[2209]: 82C3780592: client=nvit01b.mydomain.com[10.20.2.0], sasl_method=PLAIN, sasl_username=myusername
Jun 26 17:01:09 SBSMTPNV05 postfix/cleanup[2219]: 82C3780592: message-id=51CB80C4.6020107@example.com
Jun 26 17:01:09 SBSMTPNV05 postfix/qmgr[1999]: 82C3780592: from=matthew@example.com, size=2728, nrcpt=1 (queue active)
Jun 26 17:01:09 SBSMTPNV05 postfix/smtpd[2209]: disconnect from nvit01b.mydomain.com[10.20.2.0]
Jun 26 17:01:10 SBSMTPNV05 postfix/smtp[2220]: 82C3780592: to=utegrad@gmail.com, relay=gmail-smtp-in.l.google.com[74.125.129.27]:25, delay=1.3, delays=0.05/0.04/0.46/0.74, dsn=2.0.0, status=sent (250 2.0.0 OK 1372291270 sb1si125565pbb.232 - gsmtp)
Jun 26 17:01:10 SBSMTPNV05 postfix/qmgr[1999]: 82C3780592: removed
Here's some of the supporting configuration information:
---- postconf -n -----------
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 1
debug_peer_list =
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
line_length_limit = 6144
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = srvsbsmtp05.mydomain.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_type = dovecot
unknown_local_recipient_reject_code = 550
---- doveconf -n ----
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-358.11.1.el6.x86_64 x86_64 CentOS release 6.4 (Final)
auth_debug_passwords = yes
auth_mechanisms = plain gssapi ntlm login
auth_use_winbind = yes
listen = *
mbox_write_locks = fcntl
passdb {
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
ssl_cert =
---- Samba configuration ----
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
server string = Samba Server Version %v
security = ADS
kerberos method = system keytab
log file = /var/log/samba/log.%m
max log size = 50
printcap name = /dev/null
domain master = No
template shell = /bin/bash
winbind separator = +
winbind use default domain = Yes
idmap config * : range = 10000-50000
idmap config * : backend = tdb
printing = bsd
cups options = raw
print command = lpr -r -P'%p' %s
lpq command = lpq -P'%p'
lprm command = lprm -P'%p' %j
Matthew Larsen
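
Added example, not part of the original post and not Dovecot or Postfix code: with auth debugging enabled, the `client in`/`client out` lines carry the SASL payload (`resp=` and `CONT` data) as base64, which is an encoding and not protection. This Python sketch masks those payloads before a log is shared and summarises each exchange by mechanism and result; the function names, the `#011` tab-escape handling and the sample lines are assumptions constructed for illustration.

```python
import re

# In syslog output the tab between Dovecot auth protocol fields shows up as "#011".
AUTH_RE = re.compile(r"(dovecot: auth: Debug: client (?:in|out): )(\S+)")

def redact_line(line):
    """Mask SASL payloads (resp= values and CONT data) in one auth debug line."""
    m = AUTH_RE.search(line)
    if not m:
        return line
    fields = m.group(2).split("#011")
    for i, f in enumerate(fields):
        if f.startswith("resp="):
            fields[i] = "resp=<redacted %d chars>" % (len(f) - 5)
        elif fields[0] == "CONT" and i == 2 and f:
            fields[i] = "<redacted %d chars>" % len(f)
    return line[:m.start(2)] + "#011".join(fields) + line[m.end(2):]

def summarize(lines):
    """Return [(mechanism, remote ip, result)] for each completed AUTH exchange."""
    open_reqs, done = {}, []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        fields = m.group(2).split("#011")
        cmd, req_id = fields[0], (fields[1] if len(fields) > 1 else None)
        if cmd == "AUTH" and len(fields) > 2:
            kv = dict(f.split("=", 1) for f in fields[3:] if "=" in f)
            open_reqs[req_id] = (fields[2], kv.get("rip", "?"))
        elif cmd in ("OK", "FAIL") and req_id in open_reqs:
            done.append(open_reqs.pop(req_id) + (cmd,))
    return done

# Constructed sample lines in the format shown above; payloads are dummy values.
P = "Jun 26 17:02:53 mx dovecot: auth: Debug: client "
SAMPLE = [
    P + "in: AUTH#0112#011NTLM#011service=smtp#011rip=192.0.2.20#011resp=QUJDRA==",
    P + "out: CONT#0112#011RUZHSA==",
    P + "in: CONT#0112#011SUpLTA==",
    P + "out: FAIL#0112",
    P + "in: AUTH#0111#011PLAIN#011service=smtp#011rip=192.0.2.20#011resp=TU5PUA==",
    P + "out: OK#0111#011user=alice",
]

if __name__ == "__main__":
    print("\n".join(redact_line(l) for l in SAMPLE))
    print(summarize(SAMPLE))
```
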