<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, 22 Nov 2020 at 15:08, Odhiambo Washington <<a href="mailto:odhiambo@gmail.com">odhiambo@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Hi,</div><div><br></div><div dir="ltr">I have set up samba4 as AD and am hoping to have dovecot authenticate users against it. I am facing challenges though and I am unable to figure it out.</div><div dir="ltr">I could do with a third eye to help me spot what is wrong.</div><div dir="ltr"><br><div><br></div><div><div>root@adc0:/etc# doveadm auth test -x service=imap odhiambo@newideatest.local</div><div>Password:</div><div>passdb: odhiambo@newideatest.local auth failed</div><div>extra fields:</div><div>  temp</div><div>Warning: auth-client: conn unix:/var/run/dovecot/auth-client: Auth connection closed with 1 pending requests (max 0 secs, pid=10537, EOF)</div><div>Fatal: Couldn't connect to auth socket</div><div><br></div><div>A test against IMAP gives the following debug information:</div><div><div>Nov 22 14:31:01 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth</div><div>Nov 22 14:31:01 auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/lib20_auth_var_expand_crypt.so</div><div>Nov 22 14:31:01 auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_mysql.so</div><div>Nov 22 14:31:01 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth</div><div>Nov 22 14:31:01 auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libauthdb_ldap.so</div><div>Nov 22 14:31:01 auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat</div><div>Nov 22 14:31:01 auth: Debug: auth client connected (pid=10979)</div><div>Nov 22 14:31:08 
auth: Debug: client in: AUTH    1       PLAIN   service=imap    secured session=uPLvabC0RIh/AAAB        lip=127.0.0.1   rip=127.0.0.1   lport=143       rport=34884     resp=<hidden></div><div>Nov 22 14:31:08 auth: Debug: ldap(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>): Performing passdb lookup</div><div>Nov 22 14:31:08 auth: Debug: ldap(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>): bind search: base=cn=Users,dc=NEWIDEATEST,dc=LOCAL filter=(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=odhiambo@newideatest.local))</div><div>Nov 22 14:31:08 auth: Debug: ldap(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>): no fields returned by the server <b>< ====================</b></div><div>Nov 22 14:31:08 auth: Debug: ldap(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>): Finished passdb lookup</div><div>Nov 22 14:31:08 auth: Debug: auth(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>): Auth request finished</div><div>Nov 22 14:31:10 auth: Debug: client passdb out: FAIL    1       user=odhiambo@newideatest.local</div></div><div><br></div><div>info.log:</div><div><br></div><div><div>Nov 22 14:31:08 auth: Info: ldap(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>):<b> unknown user</b> (given password: XXXXXXX)</div><div>Nov 22 14:31:15 imap-login: Info: Aborted login (auth failed, 1 attempts in 7 secs): user=<odhiambo@newideatest.local>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<uPLvabC0RIh/AAAB></div></div><div><br></div><div><br></div><div>Here is my doveconf -n: </div><div><br></div><div><a href="https://paste.ubuntu.com/p/SPmrxZxHPx/" target="_blank">https://paste.ubuntu.com/p/SPmrxZxHPx/</a></div><div><br></div><div>My dovecot-ldap.conf.ext:</div><div><br></div><div><div>uris         = ldap://localhost/</div><div>dn           = "dovecot@newideatest.local"</div><div>dnpass       = "XXXXXXXX"</div><div>sasl_bind    = no</div><div>tls          = 
no</div><div>ldap_version = 3</div><div>deref        = never</div><div>scope        = subtree</div><div>base         = cn=Users,dc=NEWIDEATEST,dc=LOCAL</div><div>auth_bind    = yes</div><div>user_filter  = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(mail=%u)(sAMAccountName=%u)(otherMailbox=%u)))</div><div>user_attrs   = sAMAccountName=user,userPassword=password,=mail=maildir:/home/%n/Maildir/</div><div>pass_filter  = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=%u))</div><div>pass_attrs   = sAMAccountName=user,userPassword=password</div></div><div><br></div><div>The user exists in the database:</div><div><br></div><div><div><b>root@adc0:/var/log/dovecot# samba-tool user show odhiambo</b></div><div>ldb_wrap open of secrets.ldb</div><div>dn: CN=Odhiambo Washington,CN=Users,DC=newideatest,DC=local</div><div>objectClass: top</div><div>objectClass: person</div><div>objectClass: organizationalPerson</div><div>objectClass: user</div><div>cn: Odhiambo Washington</div><div>sn: Washington</div><div>givenName: Odhiambo</div><div>instanceType: 4</div><div>whenCreated: 20201120101420.0Z</div><div>displayName: Odhiambo Washington</div><div>uSNCreated: 4086</div><div>name: Odhiambo Washington</div><div>objectGUID: e6969596-8b28-41af-b5d8-cea63cc97f98</div><div>badPwdCount: 0</div><div>codePage: 0</div><div>countryCode: 0</div><div>badPasswordTime: 0</div><div>lastLogoff: 0</div><div>lastLogon: 0</div><div>primaryGroupID: 513</div><div>objectSid: S-1-5-21-701866827-3355127779-3787685610-1106</div><div>accountExpires: 9223372036854775807</div><div>logonCount: 0</div><div>sAMAccountName: odhiambo</div><div>sAMAccountType: 805306368</div><div>userPrincipalName: odhiambo@newideatest.local</div><div>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=newideatest,DC=local</div><div>mail: odhiambo@newideatest.local</div><div>loginShell: /bin/bash</div><div>userAccountControl: 512</div><div>pwdLastSet: 
132505181852397220</div><div>whenChanged: 20201122112945.0Z</div><div>uSNChanged: 4104</div><div>distinguishedName: CN=Odhiambo Washington,CN=Users,DC=newideatest,DC=local</div></div></div></div></div></div></div></div></div></div></blockquote><div><br></div><div></div></div><div><br></div>For the record, this is what I finally came up with that worked - dovecot-ldap.conf.ext:</div><div dir="ltr"><br><div>##### BEGIN</div><div><div>uris             = ldap://localhost/</div><div>dn               = "dovecot@newideatest.local"</div><div>dnpass           = "verystupid"</div><div>sasl_bind        = no</div><div>tls              = no</div><div>ldap_version     = 3</div><div>deref            = never</div><div>scope            = subtree</div><div>base             = cn=Users,dc=NEWIDEATEST,dc=LOCAL</div><div>auth_bind        = yes</div><div><br></div><div>#user_filter      = (mail=%u)<br></div><div>#pass_filter      = (mail=%u)</div><div>#pass_attrs       = mail=%u,= userPassword=password</div><div><br></div><div>user_filter       = (&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))<br></div><div>pass_filter       = (&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))</div><div>pass_attrs        = userPassword=password</div><div></div><div>user_attrs        = =home=/var/spool/virtual/%Ld/%Ln/Maildir/,=mail=maildir:/var/spool/virtual/%Ld/%Ln/Maildir/</div><div><br></div><div>default_pass_scheme = CRYPT<br></div><div>##### END</div><div><br></div><div>Also to add:</div><div>1. If you use the commented out filters, the authentication is very fast</div><div>2. 
If you use the uncommented ones, it's a bit slow.</div><div><br></div><div>Choose your poison, as YMMV.</div><div><br></div><div>Adios.</div><div><div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>Best regards,<br>Odhiambo WASHINGTON,<br>Nairobi,KE<br>+254 7 3200 0004/+254 7 2274 3223<br>"<span style="font-size:12.8px">Oh, the cruft.</span><span style="font-size:12.8px">", </span><span style="font-size:12.8px">grep ^[^#] :-)</span></div></div></div></div></div></div></div></div></div></div></div>
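<div>Added example (editor's note, not code from the thread, Dovecot or Samba): an offline model of the passdb lookup in the thread above, run against the user entry that <code>samba-tool user show odhiambo</code> printed. It shows why the first <code>pass_filter</code> returned no entry for the login <code>odhiambo@newideatest.local</code> (it compares the full login against <code>sAMAccountName</code>, which holds only <code>odhiambo</code>; Dovecot's <code>%n</code> would have given the local part), why the working filter on <code>mail=%u</code> matches, and what the <code>userAccountControl:1.2.840.113556.1.4.803:=2</code> clause does: the OID is the Active Directory bitwise-AND matching rule and bit 0x2 is ACCOUNTDISABLE, so the negated clause drops disabled accounts (the posted value 512 is NORMAL_ACCOUNT with that bit clear). The filter evaluator is a deliberately small model (exact and presence matches only, case-insensitive as AD treats these attributes); the RFC 4515 escaping is applied explicitly so the effect of an unescaped login is visible, whereas Dovecot escapes its %-variables itself. The entry, the disabled copy and the hostile login are constructed for the example.</div>

```python
"""Offline model of the Dovecot passdb filter lookups discussed in the thread.
Added example, not Dovecot or Samba code."""
import re

# Active Directory userAccountControl bits (documented values).
ACCOUNTDISABLE = 0x2      # set on a disabled account
NORMAL_ACCOUNT = 0x200    # 512, the value of the posted entry
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND

# The entry from `samba-tool user show odhiambo`, reduced to the attributes
# the filters touch (constructed from the thread's output).
POSTED_ENTRY = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": ["odhiambo"],
    "userPrincipalName": ["odhiambo@newideatest.local"],
    "mail": ["odhiambo@newideatest.local"],
    "userAccountControl": [str(NORMAL_ACCOUNT)],
}
ORIGINAL_PASS_FILTER = ("(&(objectClass=user)(!(userAccountControl:"
                        "1.2.840.113556.1.4.803:=2))(sAMAccountName=%u))")
WORKING_PASS_FILTER = ("(&(mail=%u)(objectClass=person)(!(userAccountControl:"
                       "1.2.840.113556.1.4.803:=2)))")
LOGIN = "odhiambo@newideatest.local"


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping of an assertion value: * ( ) \\ and NUL become \\xx."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def expand(template: str, login: str, escape: bool = True) -> str:
    """Substitute the Dovecot variables used in the thread:
    %u = full login, %n = local part, %d = domain."""
    local, _, domain = login.partition("@")
    values = {"%u": login, "%n": local, "%d": domain}
    return re.sub(r"%[und]",
                  lambda m: ldap_escape(values[m.group(0)]) if escape
                  else values[m.group(0)], template)


def _parse(s: str, i: int):
    """Recursive-descent parse of a filter starting at s[i] == '('."""
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1          # skip the closing ')'
    j = s.index(")", i)                   # escaped values carry no raw ')'
    attr, _, value = s[i:j].partition("=")
    return ("item", attr, value), j + 1


def _unescape(v: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def _eval(node, entry: dict) -> bool:
    if node[0] == "&":
        return all(_eval(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_eval(k, entry) for k in node[1])
    if node[0] == "!":
        return not _eval(node[1][0], entry)
    _, attr, value = node
    if ":" in attr:                       # extensible match attr:rule:=value
        name, rule, _ = attr.split(":")
        if rule != BIT_AND_RULE:
            raise ValueError("unsupported matching rule " + rule)
        mask = int(value)                 # bitwise AND: every bit in mask set
        return any(int(v) & mask == mask for v in entry.get(name, []))
    want = _unescape(value)
    if want == "*":                       # presence filter
        return bool(entry.get(attr))
    return any(v.lower() == want.lower() for v in entry.get(attr, []))


def matches(filter_template: str, login: str, entry: dict,
            escape: bool = True) -> bool:
    """True if the expanded filter would select `entry` (one passdb lookup)."""
    node, _ = _parse(expand(filter_template, login, escape), 0)
    return _eval(node, entry)


def disabled_copy(entry: dict) -> dict:
    """Same account with ACCOUNTDISABLE set, e.g. after `samba-tool user disable`."""
    e = dict(entry)
    e["userAccountControl"] = [str(int(entry["userAccountControl"][0]) | ACCOUNTDISABLE)]
    return e


if __name__ == "__main__":
    print("original filter, %u   :", matches(ORIGINAL_PASS_FILTER, LOGIN, POSTED_ENTRY))
    print("original filter, %n   :", matches(ORIGINAL_PASS_FILTER.replace("%u", "%n"), LOGIN, POSTED_ENTRY))
    print("working filter        :", matches(WORKING_PASS_FILTER, LOGIN, POSTED_ENTRY))
    print("working, disabled acct:", matches(WORKING_PASS_FILTER, LOGIN, disabled_copy(POSTED_ENTRY)))
    hostile = "*)(objectClass=*"          # constructed login, escaped vs raw
    print("hostile login, escaped:", matches(WORKING_PASS_FILTER, hostile, POSTED_ENTRY))
    print("hostile login, raw    :", matches(WORKING_PASS_FILTER, hostile, POSTED_ENTRY, escape=False))
```

<div>The first two lines of output reproduce the thread's "no fields returned by the server" and show that the original filter would have matched with <code>%n</code> in place of <code>%u</code>; the disabled copy shows the bit test doing its job. The last pair is the reason the escaping step matters: fed raw, the constructed login turns <code>(mail=%u)</code> into a presence filter and the lookup selects the account anyway. With <code>auth_bind = yes</code> a selected DN still has to bind with the supplied password, so in this configuration an unescaped filter would change which DN is bound, not skip the password check.</div>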