[Dovecot] Active Directory and Dovecot NTLM Authentication problem

BINOTTO Luis SIDOR lbinotto at sidor.com
Tue Apr 2 18:11:10 EEST 2013


Hello everyone...

I have a problem when I use NTLM authentication with dovecot. The
authentication is made only in PLAIN TEXT.

The scenario is:

Debian Squeeze 6.0.6

Dovecot 2.1.7

Samba 3.5.6. Samba is correctly configured into the domain.

The error: (extract from syslog)

Apr  2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error:   Login for user []\[test2]@[SIRP00000733] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly.]
Apr  2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: [2013/04/02 09:47:41.832579,  0] utils/ntlm_auth.c:888(manage_squid_ntlmssp_request)
Apr  2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error:   NTLMSSP BH: NT_STATUS_ACCESS_DENIED
Apr  2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: winbind: ntlm_auth exited with exit code 0

Dovecot configuration: (dovecot -n)

# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-686 i686 Debian 6.0.6 ext3
auth_mechanisms = plain login ntlm
auth_use_winbind = yes
disable_plaintext_auth = no
mail_location = maildir:/mailboxes/Administrativos/%Lu
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = " imap pop3"
ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem
userdb {
  args = uid=16343 gid=16343 home=/mailboxes/Administrativos/%Lu
  driver = static
}
protocol imap {
  imap_client_workarounds = delay-newmail
  mail_plugins =
}
protocol pop3 {
  mail_plugins =
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_uidl_format = %08Xu%08Xv
}

PAM configuration: /etc/pam.d/dovecot

auth        sufficient   pam_krb5.so
account     sufficient   pam_krb5.so

/etc/krb5.conf

[libdefaults]
        default_realm = SIDOR.NET
        clockskew =300
 
[realms]
        SIDOR.NET = {
                kdc = sirprddc1.sidor.net
                kdc = sirprddc2.sidor.net
                kdc = sirprddc3.sidor.net
                admin_server = sirprddc1.sidor.net
                default_domain = sidor.net
        }
 
[domain_realm]
        .sidor.net = SIDOR.NET
        sidor.net = SIDOR.NET
 
[login]
        krb4_convert = true
        krb4_get_tickets = false
 
[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
 
[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                retain_after_close = false
                minimum_uid = 0
                try_first_pass = true
        }
 

 

/etc/samba/smb.conf

 
#======================= Global Settings =======================
 
[global]
 
## Browsing/Identification ###
 
   security = ADS
   workgroup = sidorve
   realm = SIDOR.NET
   winbind use default domain = yes
   server string = %h
   wins support = no
   wins server = 10.50.30.51
   dns proxy = no
 
#### Debugging/Accounting ####
 
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
 
####### Authentication #######
 
   encrypt passwords = yes
 
############ Misc ############
 
   domain master = no
   local master = no
   prefered master = no
   winbind separator = \\
   idmap uid = 10000-29000
   idmap gid = 10000-29000
   template shell = /bin/bash
   template homedir = /home/%D/%U
   winbind enum groups = yes
   winbind enum users = yes
   winbind refresh tickets = yes
   auth methods = winbind
 
 

The logs

Syslog
Apr  2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: [2013/04/02 09:47:41.832426,0] utils/ntlm_auth.c:598(winbind_pw_check)
Apr  2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error:   Login for user []\[test2]@[SIRP00000733] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly.]
Apr  2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: [2013/04/02 09:47:41.832579,  0] utils/ntlm_auth.c:888(manage_squid_ntlmssp_request)
Apr  2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error:   NTLMSSP BH: NT_STATUS_ACCESS_DENIED
Apr  2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: winbind: ntlm_auth exited with exit code 0
Apr  2 09:47:42 sirprdsvcmsg02 lrmd: [1598]: debug: rsc:Administr_fs:16: monitor
Apr  2 09:47:47 sirprdsvcmsg02 dovecot: imap-login: Login: user=<test2>, method=PLAIN, rip=10.50.2.150, lip=10.50.30.90, mpid=23706, session=<n/6DZmHZxAAKMgKW>
Apr  2 09:47:47 sirprdsvcmsg02 dovecot: auth: Error: [2013/04/02 09:47:47.408887,  0] utils/ntlm_auth.c:598(winbind_pw_check)
Apr  2 09:47:47 sirprdsvcmsg02 dovecot: auth: Error:   Login for user []\[test2]@[SIRP00000733] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly.]
Apr  2 09:47:47 sirprdsvcmsg02 dovecot: auth: Error: [2013/04/02 09:47:47.409203,  0] utils/ntlm_auth.c:888(manage_squid_ntlmssp_request)
Apr  2 09:47:47 sirprdsvcmsg02 dovecot: auth: Error:   NTLMSSP BH: NT_STATUS_ACCESS_DENIED
Apr  2 09:47:47 sirprdsvcmsg02 dovecot: auth: Error: winbind: ntlm_auth exited with exit code 0
Apr  2 09:47:48 sirprdsvcmsg02 postfix/postfix-script[23819]: the Postfix mail system is running: PID: 2390
Apr  2 09:47:53 sirprdsvcmsg02 dovecot: imap-login: Login: user=<test2>, method=PLAIN, rip=10.50.2.150, lip=10.50.30.90, mpid=23820, session=<iBXZZmHZxQAKMgKW>

Auth.log
Apr  2 09:52:35 sirprdsvcmsg02 auth: pam_krb5(dovecot:auth): user test2 authenticated as test2 at SIDOR.NET

I hope someone could help me.
 
Thanks in advance,
 
Best Regards,
 
Luis
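The syslog lines above show the security-relevant side effect of the winbind error: once ntlm_auth is refused, the client retries with PLAIN and the server accepts it because disable_plaintext_auth = no. The following example is added here and is not part of Luis's post or of Dovecot; it parses log lines modelled on the quoted ones and flags PLAIN logins that closely follow an NTLM failure. It assumes Dovecot marks TLS-protected sessions with a "TLS" field in the login line, and the test9 line is constructed.

```python
import re
from datetime import datetime

# Constructed sample: the syslog lines quoted in the post, wrapped lines rejoined,
# plus one invented TLS-protected login (test9) to show a case that is not flagged.
SAMPLE_LOG = """\
Apr  2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error:   NTLMSSP BH: NT_STATUS_ACCESS_DENIED
Apr  2 09:47:41 sirprdsvcmsg02 dovecot: auth: Error: winbind: ntlm_auth exited with exit code 0
Apr  2 09:47:47 sirprdsvcmsg02 dovecot: imap-login: Login: user=<test2>, method=PLAIN, rip=10.50.2.150, lip=10.50.30.90, mpid=23706, session=<n/6DZmHZxAAKMgKW>
Apr  2 09:47:47 sirprdsvcmsg02 dovecot: auth: Error:   NTLMSSP BH: NT_STATUS_ACCESS_DENIED
Apr  2 09:47:48 sirprdsvcmsg02 postfix/postfix-script[23819]: the Postfix mail system is running: PID: 2390
Apr  2 09:47:53 sirprdsvcmsg02 dovecot: imap-login: Login: user=<test2>, method=PLAIN, rip=10.50.2.150, lip=10.50.30.90, mpid=23820, session=<iBXZZmHZxQAKMgKW>
Apr  2 11:30:00 sirprdsvcmsg02 dovecot: imap-login: Login: user=<test9>, method=PLAIN, rip=10.50.2.177, lip=10.50.30.90, mpid=25555, TLS, session=<constructed001>
"""

TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: (.*)$")
LOGIN_RE = re.compile(r"imap-login: Login: user=<([^>]*)>, method=(\w+), rip=([\d.]+)")
NTLM_FAIL = "NTLMSSP BH: NT_STATUS_ACCESS_DENIED"

def parse_ts(stamp, year=2013):
    # syslog stamps carry no year; the post is from April 2013
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_plain_fallbacks(log, window=30):
    """Return (user, rip, tls, secs) for each PLAIN login within `window` seconds
    after an ntlm_auth ACCESS_DENIED error; the error lines carry no client IP, so
    correlation is by time only. tls is True only if the login line carries the
    ', TLS' marker Dovecot adds for TLS sessions (assumed log format)."""
    last_fail, hits = None, []
    for line in log.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # not a dovecot line (postfix, lrmd, ...)
        ts, rest = parse_ts(m.group(1)), m.group(2)
        if NTLM_FAIL in rest:
            last_fail = ts
            continue
        lm = LOGIN_RE.search(rest)
        if not lm or lm.group(2) != "PLAIN" or last_fail is None:
            continue
        delta = (ts - last_fail).total_seconds()
        if 0 <= delta <= window:
            hits.append((lm.group(1), lm.group(3), ", TLS" in rest, int(delta)))
    return hits

def plaintext_auth_allowed(dovecot_n):
    """True when `dovecot -n` output sets disable_plaintext_auth = no (the post's setting)."""
    m = re.search(r"^disable_plaintext_auth\s*=\s*(\w+)", dovecot_n, re.M)
    return bool(m) and m.group(1).lower() == "no"
```

A flagged login with tls False means the Active Directory password crossed the network in the clear, so fixing the winbindd_privileged permissions should go together with setting disable_plaintext_auth = yes.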

