[Dovecot] Samba4 Active Directory and Doveadm

Trever L. Adams trever.adams at gmail.com
Fri Oct 15 17:20:01 EEST 2010


 On 10/15/2010 07:46 AM, Timo Sirainen wrote:
> On Fri, 2010-10-15 at 07:17 -0600, Trever L. Adams wrote:
>
>> Fantastic. I am not. Postfix is validating user existence. I read
>> somewhere I can turn off Dovecot LDA validation, but now I am unable to
>> find the page.
> http://wiki2.dovecot.org/UserDatabase/Static / allow_all_users
>
>>>>> Oct 15 05:48:06 TeaSet dovecot: master: Error: service(auth-worker): child 16375 killed with signal 11 (core dumps disabled)
>>> Can you get a gdb backtrace? First enable core dumps with "ulimit -c
>>> unlimited" and once you have core file see
>>> http://dovecot.org/bugreport.html
>> I am not sure this is necessary. 
> A crash is a bug in any case that I'd like to fix. A good backtrace
> would make it easier for me to do that.
Alright, I will try to get that to you by Monday. I have to finish my
messing with things until after business hours.
>> The problem seems to be in this
>> dovecot: auth: Debug: ldap(?): result: sAMAccountName(?unknown?)=
>>
>> I get that for all fields in the AD. It looks like I am going to have to
>> do a bind of some kind. 
> You mean the "?unknown?" part? I think the problem here is that I hadn't
> thought that LDAP attributes are case-insensitive. You should have used
> sAMAccountName, not samaccountname in the iterate_attrs. But I suppose
> I'll need to fix this myself too.
That was the problem. It seems to have fixed the ldap problem. Below is
the auth log.

TeaSet dovecot: auth: Debug: ldap: iterate:
base=dc=snowyriver,dc=sapphiresunday,dc=org scope=subtree
filter=(objectClass=person) fields=sAMAccountName
 dovecot: auth: Debug: ldap(?): result: sAMAccountName(user)=SOME_USER1
 dovecot: auth: Debug: ldap(?): result: sAMAccountName(user)=SOME_USER2
 dovecot: auth: Debug: ldap(?): result: sAMAccountName(user)=...
dovecot: auth: Debug: master in: USER#0112#011root#011service=doveadm
 dovecot: auth: Debug: passwd(root): lookup
 dovecot: auth: Debug: master out:
USER#0112#011root#011system_groups_user=root#011uid=0#011gid=0#011home=/root
 dovecot: auth: Debug: master in: USER#0113#011bin#011service=doveadm
 dovecot: auth: Debug: passwd(bin): lookup
 dovecot: auth: Debug: master out:
USER#0113#011bin#011system_groups_user=bin#011uid=1#011gid=1#011home=/bin

However, the problem is still there. I can't erase the root account. How
do I use doveadm? I need the expunge command working. The below is why I
wondered if the mail_uid and mail_gid were not being honored.

#doveadm search -A mailbox INBOX from VALID_FROM
doveadm(root): Error: user root: Invalid settings in userdb: userdb
returned 0 as uid
doveadm(root): Error: User lookup failed: Invalid user settings. Refer
to server log for more information.
doveadm(bin): Error: user bin: Couldn't drop privileges: Mail access for
users with UID 1 not permitted (see first_valid_uid in config file).
doveadm(bin): Error: User init failed
doveadm: Error: Failed to iterate through some users

If I can fix this, I only have two problems left.

If I have an auth_default_realm the plain/login users (smart phones and
the like) cannot connect (via pam_krb5 kerberos method).

Second, using dovecot auth with postfix, kerberos logins do not work.
The plain/login do.

I have been trying to figure out the FAIL code. I haven't been able to.
I have the ticket in the right place, it has the right formats (imap one
works from the same file). It has the right password.
dovecot: auth: Debug: auth client connected (pid=9022)
dovecot: auth: Debug: client in:
AUTH#01111#011GSSAPI#011service=smtp#011nologin#011lip=10.0.1.13#011rip=IP_ADDR#011secured#011resp=<hidden>
dovecot: auth: Debug: gssapi(?,IP_ADDR): Obtaining credentials for smtp at FQDN
dovecot: auth: gssapi(?,IP_ADDR): While processing incoming data:
Unspecified GSS failure.  Minor code may provide more information
dovecot: auth: gssapi(?,IP_ADDR): While processing incoming data:
Invalid message type
postfix/smtpd[9022]: warning: CLIENT_FQDN[IP_ADDR]: SASL GSSAPI
authentication failed:
dovecot: auth: Debug: client out: FAIL#01111
postfix/smtpd[9022]: disconnect from CLIENT_FQDN[IP_ADDR]
postfix/smtpd[9022]: connect from CLIENT_FQDN[IP_ADDR]
postfix/smtpd[9022]: warning: CLIENT_FQDN[IP_ADDR]: request longer than
2048: AUTH GSSAPI AUTH_DATA
dovecot: auth: Debug: client in:
AUTH#01112#011GSSAPI#011service=smtp#011nologin#011lip=10.0.1.13#011rip=IP_ADDR#011secured#011resp=<hidden>
dovecot: auth: Debug: gssapi(?,IP_ADDR): Obtaining credentials for smtp at FQDN
dovecot: auth: gssapi(?,IP_ADDR): While processing incoming data:
Unspecified GSS failure.  Minor code may provide more information
dovecot: auth: gssapi(?,IP_ADDR): While processing incoming data:
Invalid message type
postfix/smtpd[9022]: warning: CLIENT_FQDN[IP_ADDR]: SASL GSSAPI
authentication failed:
dovecot: auth: Debug: client out: FAIL#01112

I cannot find the fail codes. What does 01112 mean?

Thank you,
Trever
-- 
"Seize the day, put no trust in the morrow!" -- Quintus Horatius Flaccus
(Horace)
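
Added example, not part of the original message: in the debug lines above, `#011` is syslog's octal escape for a TAB, the field separator of Dovecot's auth protocol, so `FAIL#01112` reads as FAIL, TAB, request id 12, answering `AUTH#01112`. The sketch below decodes such lines and pairs each request with its reply; the function names are hypothetical and the sample is the post's own log lines with the e-mail wrapping undone.

```python
import re

# Lines copied from the post above with the e-mail's line wrapping undone.
SAMPLE_LOG = """\
dovecot: auth: Debug: client in: AUTH#01111#011GSSAPI#011service=smtp#011nologin#011lip=10.0.1.13#011rip=IP_ADDR#011secured#011resp=<hidden>
dovecot: auth: Debug: client out: FAIL#01111
dovecot: auth: Debug: client in: AUTH#01112#011GSSAPI#011service=smtp#011nologin#011lip=10.0.1.13#011rip=IP_ADDR#011secured#011resp=<hidden>
dovecot: auth: Debug: client out: FAIL#01112
dovecot: auth: Debug: master in: USER#0112#011root#011service=doveadm
dovecot: auth: Debug: master out: USER#0112#011root#011system_groups_user=root#011uid=0#011gid=0#011home=/root
"""

OCTAL_ESCAPE = re.compile(r"#([0-7]{3})")  # syslog control-character escape
AUTH_LINE = re.compile(r"auth: Debug: (client|master) (in|out): (.+)$")

def unescape_syslog(text):
    """Turn #ooo octal escapes back into the original character (#011 -> TAB)."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)

def parse_auth_line(line):
    """Parse one auth debug line into a dict, or return None if it is not one."""
    m = AUTH_LINE.search(line)
    if not m:
        return None
    peer, direction, payload = m.groups()
    fields = unescape_syslog(payload).split("\t")
    if len(fields) < 2:
        return None  # every request and reply carries an id as its second field
    args = fields[2:]
    return {
        "peer": peer, "direction": direction,
        "command": fields[0], "id": fields[1],
        "positional": [a for a in args if "=" not in a],
        "params": dict(a.split("=", 1) for a in args if "=" in a),
    }

def pair_by_id(log):
    """Match each request ('in') with the reply ('out') for the same peer and id."""
    pending, pairs = {}, []
    for line in log.splitlines():
        msg = parse_auth_line(line)
        if msg is None:
            continue
        key = (msg["peer"], msg["id"])
        if msg["direction"] == "in":
            pending[key] = msg
        elif key in pending:
            pairs.append((pending.pop(key), msg))
    return pairs

if __name__ == "__main__":
    for req, rep in pair_by_id(SAMPLE_LOG):
        print(req["peer"], req["id"], req["command"], req["positional"][:1], "->", rep["command"], rep["params"])
```

A literal `#` followed by three octal digits inside a field value would be decoded as well, so treat the output as a reading aid for debug logs rather than an exact protocol decoder.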
