iPhone no longer authenticating
Mark Foley
mfoley at ohprs.org
Fri Dec 1 21:35:14 EET 2017
I've switched a user to being an active directory user. That user's email client authorizes
just fine with dovecot using GSSAPI. However, now his iPhone won't authorize. In the dovecot
log file I get:
Dec 01 14:27:28 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=q4n3W0xfggBiZj9s lip=98.102.63.107 rip=98.102.63.108 lport=993 rport=49538 resp=AG1wcmVzcwBEaW5va3JvbndhbGw0NQ== (previous base64 data may contain sensitive data)
Dec 01 14:27:32 auth-worker(5988): Debug: shadow(mpress,98.102.xx.yyy): lookup
Dec 01 14:27:32 auth-worker(5988): Info: shadow(mpress,98.102.xx.yyy): unknown user (given password: *******)
Dec 01 14:27:34 auth: Debug: client passdb out: FAIL 1 user=mpress
Dec 01 14:27:34 imap-login: Info: Aborted login (auth failed, 1 attempts in 6 secs): user=<mpress>, method=PLAIN, rip=98.102.xx.yyy, lip=98.102.63.107, TLS, session=<q4n3W0xfggBiZj9s>
Dec 01 14:27:34 imap-login: Debug: SSL alert: close notify [98.102.xx.yyy]
This same user will authenticate OK from his local domain workstation:
Dec 01 14:28:52 auth: Debug: master userdb out: USER 1948516353 mpress system_groups_user=HPRS\mpress uid=10005gid=10000 home=/home/HPRS/mpress auth_token=ce3050035718ed0996af698400c4de1be453ec06 auth_user=mpress at HPRS.LOCAL
Dec 01 14:28:52 imap-login: Info: Login: user=<mpress>, method=GSSAPI, rip=192.168.0.54, lip=192.168.0.2, mpid=9755, TLS, session=<6MT1YExftwDAqAA2>
I'm pretty sure the reason has to do with Active Directory authentication locally, but of course
his iPhone is not a member of the domain, and he is no longer in /etc/passwd/shadow.
So, what is the best way to get the iPhone to authenticate?
Here's my current config:
> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.88 x86_64 Slackware 14.2
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2016-08-10/54e789087d419b6e.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
driver = passwd
}
verbose_ssl = yes
Thanks, --Mark
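
An added example, not part of the original post: a small Python triage of dovecot auth log lines in the format shown above. It pairs each login attempt with the passdb driver that rejected it and masks the resp= and "given password" fields that auth_debug_passwords writes to the log, so an excerpt can be shared safely. The sample lines, regexes and function names are constructed for this illustration.

```python
import re

# Constructed sample lines in the format of the log excerpt above (not real data).
SAMPLE = """\
Dec 01 10:00:00 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=AAAA lip=192.0.2.1 rip=198.51.100.7 lport=993 rport=40000 resp=AGFsaWNlAGV4YW1wbGU= (previous base64 data may contain sensitive data)
Dec 01 10:00:01 auth-worker(100): Info: shadow(alice,198.51.100.7): unknown user (given password: example)
Dec 01 10:00:02 imap-login: Info: Aborted login (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS, session=<AAAA>
Dec 01 10:01:00 imap-login: Info: Login: user=<alice>, method=GSSAPI, rip=192.0.2.54, lip=192.0.2.2, mpid=1, TLS, session=<BBBB>
""".splitlines()

RESP = re.compile(r"\bresp=\S+")
GIVEN = re.compile(r"\(given password: [^)]*\)")
# auth-worker verdict: driver(user,ip): reason
PASSDB = re.compile(
    r"auth-worker\(\d+\): Info: (\w+)\(([^,]+),[^)]*\): (.+?)(?: \(given password|$)")
ABORT = re.compile(
    r"imap-login: Info: Aborted login \(auth failed.*?\): user=<([^>]*)>, method=(\w+)")
LOGIN = re.compile(r"imap-login: Info: Login: user=<([^>]*)>, method=(\w+)")


def redact(line):
    """Mask credential material before a log line leaves the server."""
    line = RESP.sub("resp=<redacted>", line)
    return GIVEN.sub("(given password: <redacted>)", line)


def triage(lines):
    """Return one record per login attempt: mechanism, outcome, rejecting passdb."""
    verdicts = {}  # user -> (passdb driver, reason) from the latest auth-worker line
    report = []
    for line in lines:
        if m := PASSDB.search(line):
            verdicts[m.group(2)] = (m.group(1), m.group(3))
        elif m := ABORT.search(line):
            driver, reason = verdicts.pop(m.group(1), (None, None))
            report.append({"user": m.group(1), "method": m.group(2), "ok": False,
                           "passdb": driver, "reason": reason})
        elif m := LOGIN.search(line):
            report.append({"user": m.group(1), "method": m.group(2), "ok": True,
                           "passdb": None, "reason": None})
    return report


if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec)
    for line in SAMPLE:
        print(redact(line))
```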