[Dovecot] Getting NTLM authentication for Postfix SMTP clients to work

Matthew Larsen utegrad at gmail.com
Sat Jun 22 02:11:11 EEST 2013


I'm trying to get NTLM authentication working with Dovecot to authenticate
Postfix SMTP clients.

I can authenticate postfix smtp clients using the plain text login
mechanism through winbind.  However, using the NTLM mechanism gives me an
error in my maillog that says:
     "dovecot: auth: winbind(?,10.20.2.0): user not authenticated:
NT_STATUS_UNSUCCESSFUL".

At this point, I'm rather stuck.  It appears PAM and winbind work for
authenticating with AD because it works with the plain text mechanism, but
I'm missing something with the NTLM authentication method.

Any suggestions as to what I've got wrong, or other logging I can turn up /
examine that might shed some light on this?

When I use the LOGIN mechanism I see this in the mail logging and the
message is relayed:

Jun 21 13:12:58 SBSMTPNV05 postfix/smtpd[1501]: connect from nvit01b.mydomain.com[10.20.2.0]
Jun 21 13:12:58 SBSMTPNV05 dovecot: auth: Debug: auth client connected (pid=1501)
Jun 21 13:12:58 SBSMTPNV05 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=10.20.4.12#011rip=10.20.2.0#011resp=AG[...snip...]g==
Jun 21 13:12:58 SBSMTPNV05 dovecot: auth: Debug: pam(myusername,10.20.2.0): lookup service=dovecot
Jun 21 13:12:58 SBSMTPNV05 dovecot: auth: Debug: pam(myusername,10.20.2.0): #1/1 style=1 msg=Password:
Jun 21 13:12:58 SBSMTPNV05 dovecot: auth: Debug: client out: OK#0111#011user=myusername
Jun 21 13:12:58 SBSMTPNV05 postfix/smtpd[1501]: 54EAF8059B: client=nvit01b.mydomain.com[10.20.2.0], sasl_method=PLAIN, sasl_username=myusername
Jun 21 13:12:58 SBSMTPNV05 postfix/cleanup[1504]: 54EAF8059B: message-id=<51C4B3C8.30008@domain1.com>
Jun 21 13:12:58 SBSMTPNV05 postfix/qmgr[1499]: 54EAF8059B: from=<someone@domain1.com>, size=2700, nrcpt=1 (queue active)
Jun 21 13:12:58 SBSMTPNV05 postfix/smtpd[1501]: disconnect from nvit01b.mydomain.com[10.20.2.0]
Jun 21 13:12:59 SBSMTPNV05 postfix/smtp[1505]: 54EAF8059B: to=<someone@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.25.27]:25, delay=1.2, delays=0.23/0.04/0.16/0.72, dsn=2.0.0, status=sent (250 2.0.0 OK 1371845579 wf5si3786287pab.138 - gsmtp)
Jun 21 13:12:59 SBSMTPNV05 postfix/qmgr[1499]: 54EAF8059B: removed

I also see this in the secure log:

Jun 21 13:12:58 SBSMTPNV05 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=myusername rhost=10.20.2.0  user=myusername
Jun 21 13:12:58 SBSMTPNV05 auth: pam_winbind(dovecot:auth): getting password (0x00000010)
Jun 21 13:12:58 SBSMTPNV05 auth: pam_winbind(dovecot:auth): pam_get_item returned a password
Jun 21 13:12:58 SBSMTPNV05 auth: pam_winbind(dovecot:auth): user 'myusername' granted access
Jun 21 13:12:58 SBSMTPNV05 auth: pam_winbind(dovecot:account): user 'myusername' granted access

However, when I switch the mechanism to NTLM in the Thunderbird MUA I see this:

Jun 21 13:15:46 SBSMTPNV05 postfix/smtpd[1506]: connect from nvit01b.mydomain.com[10.20.2.0]
Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: auth client connected (pid=1506)
Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: client in: AUTH#0111#011NTLM#011service=smtp#011nologin#011lip=10.20.4.12#011rip=10.20.2.0#011resp=TlRMT[...snip...]A=
Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: client out: CONT#0111#011TlRMT[...snip...]A
Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: Debug: client in: CONT#0111#011TlRMT[...snip...]A=
Jun 21 13:15:46 SBSMTPNV05 dovecot: auth: winbind(?,10.20.2.0): user not authenticated: NT_STATUS_UNSUCCESSFUL
Jun 21 13:15:48 SBSMTPNV05 postfix/smtpd[1506]: warning: nvit01b.mydomain.com[10.20.2.0]: SASL NTLM authentication failed: TlRMT[...snip...]A
Jun 21 13:15:48 SBSMTPNV05 dovecot: auth: Debug: client out: FAIL#0111
Jun 21 13:15:49 SBSMTPNV05 postfix/smtpd[1506]: disconnect from nvit01b.mydomain.com[10.20.2.0]

with nothing in the secure log, and I don't see anything show up in the
winbind logs either.

I've reviewed these pages as reference, and I'm not sure what I'm missing:
http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM
http://www.dovecot.org/list/dovecot/2008-December/035630.html
http://www.dovecot.org/list/dovecot/2010-February/046763.html
http://blog.al-shami.net/2008/05/freebsd-postfix-dovecot-and-active-directory/
http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL


Here's some of my relevant configuration as I understand it:

I've joined the computer to the AD domain.  The wbinfo tests work fine:
# wbinfo -t
checking the trust secret for domain MYDOMAIN via RPC calls succeeded


# doveconf -n
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-358.11.1.el6.x86_64 x86_64 CentOS release 6.4 (Final)
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_username_format = %Lu
listen = *
mbox_write_locks = fcntl
passdb {
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}

////////////////////

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 7
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
line_length_limit = 6144
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = srvsbsmtp05.mydomain.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
unknown_local_recipient_reject_code = 550

/////////////////////

# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM

////////////////////

system keytab:
# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/sbsmtpnv05.mydomain.com@MYDOMAIN.COM (des-cbc-crc)
   3 host/sbsmtpnv05.mydomain.com@MYDOMAIN.COM (des-cbc-md5)
   3 host/sbsmtpnv05.mydomain.com@MYDOMAIN.COM (arcfour-hmac)
   3 host/sbsmtpnv05.mydomain.com@MYDOMAIN.COM (aes128-cts-hmac-sha1-96)
   3 host/sbsmtpnv05.mydomain.com@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
   3 host/sbsmtpnv05@MYDOMAIN.COM (des-cbc-crc)
   3 host/sbsmtpnv05@MYDOMAIN.COM (des-cbc-md5)
   3 host/sbsmtpnv05@MYDOMAIN.COM (arcfour-hmac)
   3 host/sbsmtpnv05@MYDOMAIN.COM (aes128-cts-hmac-sha1-96)
   3 host/sbsmtpnv05@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
   3 SBSMTPNV05$@MYDOMAIN.COM (des-cbc-crc)
   3 SBSMTPNV05$@MYDOMAIN.COM (des-cbc-md5)
   3 SBSMTPNV05$@MYDOMAIN.COM (arcfour-hmac)
   3 SBSMTPNV05$@MYDOMAIN.COM (aes128-cts-hmac-sha1-96)
   3 SBSMTPNV05$@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
   5 smtp/sbsmtpnv05.mydomain.com@MYDOMAIN.COM (des-cbc-crc)
   5 smtp/sbsmtpnv05.mydomain.com@MYDOMAIN.COM (des-cbc-md5)
   5 smtp/sbsmtpnv05.mydomain.com@MYDOMAIN.COM (arcfour-hmac)
   5 smtp/sbsmtpnv05.mydomain.com@MYDOMAIN.COM (aes128-cts-hmac-sha1-96)
   5 smtp/sbsmtpnv05.mydomain.com@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)

////////////////////

Samba config:
[global]
        workgroup = MYDOMAIN
        realm = MYDOMAIN.COM
        server string = Samba Server Version %v
        security = ADS
        kerberos method = system keytab
        log file = /var/log/samba/log.%m
        max log size = 50
        printcap name = /dev/null
        domain master = No
        template shell = /bin/bash
        winbind separator = +
        winbind use default domain = Yes
        idmap config * : range = 10000-50000
        idmap config * : backend = tdb
        printing = bsd
        cups options = raw
        print command = lpr -r -P'%p' %s
        lpq command = lpq -P'%p'
        lprm command = lprm -P'%p' %j

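As an added diagnostic (not part of the original post, and not Dovecot's or Samba's own code), the script below exercises the two winbind paths from the shell, independently of Dovecot: the plaintext check that pam_winbind performs for LOGIN/PLAIN, and the challenge/response check that the ntlm_auth helper performs for NTLM when auth_use_winbind is set. It assumes Samba's wbinfo and ntlm_auth are installed, the "+" winbind separator from the smb.conf above, a Dovecot auth process running as the user dovecot, and WB_DOMAIN, WB_USER and WB_PASS as environment variables chosen for this example.

```shell
#!/bin/sh
# Added diagnostic, not from the post or from Dovecot/Samba: exercise the two
# winbind paths outside Dovecot. LOGIN/PLAIN goes through pam_winbind
# (plaintext), NTLM goes through the ntlm_auth helper (challenge/response),
# which is why a helper failure leaves nothing in the PAM "secure" log.
# Assumptions: wbinfo/ntlm_auth installed, winbind separator '+' as in the
# posted smb.conf, and the Dovecot auth process running as user 'dovecot'.

# Classify `wbinfo -a` output: ok | plaintext | chalresp | both (the failing path).
classify_wbinfo() {
    plain=ok; chal=ok
    printf '%s\n' "$1" | grep -q '^plaintext password authentication succeeded' || plain=fail
    printf '%s\n' "$1" | grep -q '^challenge/response password authentication succeeded' || chal=fail
    case "$plain/$chal" in
        ok/ok)   echo ok ;;
        fail/ok) echo plaintext ;;
        ok/fail) echo chalresp ;;
        *)       echo both ;;
    esac
}

# First NT_STATUS_* code found in wbinfo/ntlm_auth output (empty if none).
nt_status() {
    printf '%s\n' "$1" | sed -n 's/.*\(NT_STATUS_[A-Z0-9_]*\).*/\1/p' | head -n 1
}

# Build the DOMAIN<sep>user%password form that wbinfo -a expects.
wb_cred() { printf '%s%s%s%%%s' "$1" "$4" "$2" "$3"; }  # args: domain user pass sep

run_checks() {
    : "${WB_DOMAIN:=MYDOMAIN}" "${WB_USER:?set WB_USER}" "${WB_PASS:?set WB_PASS}"
    export WB_DOMAIN WB_USER WB_PASS
    out=$(wbinfo -a "$(wb_cred "$WB_DOMAIN" "$WB_USER" "$WB_PASS" '+')" 2>&1)
    case "$(classify_wbinfo "$out")" in
        ok)        echo "winbind: plaintext and challenge/response both OK" ;;
        plaintext) echo "winbind: plaintext FAILED ($(nt_status "$out"))" ;;
        chalresp)  echo "winbind: challenge/response FAILED ($(nt_status "$out")); this is the path NTLM uses" ;;
        both)      echo "winbind: both paths FAILED ($(nt_status "$out"))" ;;
    esac
    # Same challenge/response check through the helper Dovecot execs, as its auth user.
    if su -s /bin/sh dovecot -c 'ntlm_auth --domain="$WB_DOMAIN" --username="$WB_USER" --password="$WB_PASS"' >/dev/null 2>&1; then
        echo "ntlm_auth as dovecot: OK"
    else
        echo "ntlm_auth as dovecot: FAILED (check that user dovecot can reach winbindd's privileged pipe directory)"
    fi
}

case "${1:-}" in run) run_checks ;; esac
```

Run it as root with WB_USER=... WB_PASS=... sh ntlm-check.sh run; the password is passed on wbinfo's command line, so it is visible in the process list while the check runs.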
