On Sun, 22 Nov 2020 at 15:08, Odhiambo Washington <odhia...@gmail.com> wrote:
> Hi,
>
> I have set up samba4 as AD and am hoping to have dovecot authenticate users
> against it. I am facing challenges though and I am unable to figure it out.
> I could do with a third eye to help me spot what is wrong.
>
> root@adc0:/etc# doveadm auth test -x service=imap odhiambo@newideatest.local
> Password:
> passdb: odhiambo@newideatest.local auth failed
> extra fields:
>   temp
> Warning: auth-client: conn unix:/var/run/dovecot/auth-client: Auth connection closed with 1 pending requests (max 0 secs, pid=10537, EOF)
> Fatal: Couldn't connect to auth socket
>
> A test against IMAP gives the following debug information:
>
> Nov 22 14:31:01 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
> Nov 22 14:31:01 auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/lib20_auth_var_expand_crypt.so
> Nov 22 14:31:01 auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_mysql.so
> Nov 22 14:31:01 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
> Nov 22 14:31:01 auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
> Nov 22 14:31:01 auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
> Nov 22 14:31:01 auth: Debug: auth client connected (pid=10979)
> Nov 22 14:31:08 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=uPLvabC0RIh/AAAB lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=34884 resp=<hidden>
> Nov 22 14:31:08 auth: Debug: ldap(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>): Performing passdb lookup
> Nov 22 14:31:08 auth: Debug: ldap(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>): bind search: base=cn=Users,dc=NEWIDEATEST,dc=LOCAL filter=(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=odhiambo@newideatest.local))
> Nov 22 14:31:08 auth: Debug: ldap(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>): no fields returned by the server   *<====================*
> Nov 22 14:31:08 auth: Debug: ldap(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>): Finished passdb lookup
> Nov 22 14:31:08 auth: Debug: auth(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>): Auth request finished
> Nov 22 14:31:10 auth: Debug: client passdb out: FAIL 1 user=odhiambo@newideatest.local
>
> info.log:
>
> Nov 22 14:31:08 auth: Info: ldap(odhiambo@newideatest.local,127.0.0.1,<uPLvabC0RIh/AAAB>): *unknown user* (given password: XXXXXXX)
> Nov 22 14:31:15 imap-login: Info: Aborted login (auth failed, 1 attempts in 7 secs): user=<odhiambo@newideatest.local>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<uPLvabC0RIh/AAAB>
>
> Here is my doveconf -n:
>
> https://paste.ubuntu.com/p/SPmrxZxHPx/
>
> My dovecot-ldap.conf.ext:
>
> uris = ldap://localhost/
> dn = "dovecot@newideatest.local"
> dnpass = "XXXXXXXX"
> sasl_bind = no
> tls = no
> ldap_version = 3
> deref = never
> scope = subtree
> base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
> auth_bind = yes
> user_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(mail=%u)(sAMAccountName=%u)(otherMailbox=%u)))
> user_attrs = sAMAccountName=user,userPassword=password,=mail=maildir:/home/%n/Maildir/
> pass_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=%u))
> pass_attrs = sAMAccountName=user,userPassword=password
>
> The user exists in the database:
>
> *root@adc0:/var/log/dovecot# samba-tool user show odhiambo*
> ldb_wrap open of secrets.ldb
> dn: CN=Odhiambo Washington,CN=Users,DC=newideatest,DC=local
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Odhiambo Washington
> sn: Washington
> givenName: Odhiambo
> instanceType: 4
> whenCreated: 20201120101420.0Z
> displayName: Odhiambo Washington
> uSNCreated: 4086
> name: Odhiambo Washington
> objectGUID: e6969596-8b28-41af-b5d8-cea63cc97f98
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-701866827-3355127779-3787685610-1106
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: odhiambo
> sAMAccountType: 805306368
> userPrincipalName: odhiambo@newideatest.local
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=newideatest,DC=local
> mail: odhiambo@newideatest.local
> loginShell: /bin/bash
> userAccountControl: 512
> pwdLastSet: 132505181852397220
> whenChanged: 20201122112945.0Z
> uSNChanged: 4104
> distinguishedName: CN=Odhiambo Washington,CN=Users,DC=newideatest,DC=local

For the record, this is what I finally came up with that worked - dovecot-ldap.conf.ext:

##### BEGIN
uris = ldap://localhost/
dn = "dovecot@newideatest.local"
dnpass = "verystupid"
sasl_bind = no
tls = no
ldap_version = 3
deref = never
scope = subtree
base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
auth_bind = yes
#user_filter = (mail=%u)
#pass_filter = (mail=%u)
#pass_attrs = mail=%u,= userPassword=password
user_filter = (&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter = (&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs = userPassword=password
user_attrs = =home=/var/spool/virtual/%Ld/%Ln/Maildir/,=mail=maildir:/var/spool/virtual/%Ld/%Ln/Maildir/
default_pass_scheme = CRYPT
##### END

Also to add:

1. If you use the commented out filters, the authentication is very fast
2. If you use the uncommented ones, it's a bit slow.

Choose your poison, as YMMV.

Adios.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
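An added example, not part of the thread above and not Dovecot or Samba code: the Python below evaluates the two passdb filters from this message (the failing one matching sAMAccountName=%u, and the working one matching mail=%u with the objectClass and disabled-account checks) against a few constructed in-memory directory entries, so the reason for the "no fields returned by the server" / "unknown user" result becomes visible: Dovecot substitutes the full login name odhiambo@newideatest.local for %u, while sAMAccountName only holds odhiambo. It also implements the AD bitwise matching rule 1.2.840.113556.1.4.803 used to exclude disabled accounts (ACCOUNTDISABLE is bit 0x2 of userAccountControl) and an RFC 4515 escaper for the value substituted into the filter, which is what any filter-building code must apply to attacker-chosen login names. Entries, function names and the extra disabled-user and group records are constructed for illustration.

```python
# Evaluate Dovecot-style AD passdb filters against constructed sample entries.
# The filter strings mirrored here are the ones from the mailing-list post;
# the entries and helper functions are hypothetical and built for this demo.

# userAccountControl bit marking a disabled AD account (ACCOUNTDISABLE).
ACCOUNTDISABLE = 0x0002

# Constructed sample directory (not real directory data): one enabled user
# modelled on the post, one disabled user, and a mail-enabled group.
SAMPLE_ENTRIES = [
    {
        "dn": "CN=Odhiambo Washington,CN=Users,DC=newideatest,DC=local",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": "odhiambo",
        "mail": "odhiambo@newideatest.local",
        "userAccountControl": 512,
    },
    {
        "dn": "CN=Former Employee,CN=Users,DC=newideatest,DC=local",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": "former",
        "mail": "former@newideatest.local",
        "userAccountControl": 512 | ACCOUNTDISABLE,  # 514: disabled account
    },
    {
        "dn": "CN=Staff,CN=Users,DC=newideatest,DC=local",
        "objectClass": ["top", "group"],
        "sAMAccountName": "staff",
        "mail": "staff@newideatest.local",
        # groups carry no userAccountControl attribute at all
    },
]


def bit_and_match(entry, attr, mask):
    """AD matching rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND):
    true only if the attribute is present and every bit of `mask` is set."""
    value = entry.get(attr)
    return value is not None and (value & mask) == mask


def has_object_class(entry, cls):
    return cls.lower() in (c.lower() for c in entry.get("objectClass", []))


def attr_equals(entry, attr, value):
    """AD string attributes compare case-insensitively."""
    return str(entry.get(attr, "")).lower() == value.lower()


def original_pass_filter(entry, user):
    """(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))
        (sAMAccountName=%u)) -- the filter that failed in the post."""
    return (has_object_class(entry, "user")
            and not bit_and_match(entry, "userAccountControl", ACCOUNTDISABLE)
            and attr_equals(entry, "sAMAccountName", user))


def fixed_pass_filter(entry, user):
    """(&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
       -- the filter that finally worked."""
    return (attr_equals(entry, "mail", user)
            and has_object_class(entry, "person")
            and not bit_and_match(entry, "userAccountControl", ACCOUNTDISABLE))


def lookup(entries, user, filter_fn):
    """Return the DNs a passdb lookup would find (and then bind as, with
    auth_bind = yes) for the given login name."""
    return [e["dn"] for e in entries if filter_fn(e, user)]


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def render_fixed_filter(user):
    """The working pass_filter with %u substituted after escaping."""
    return ("(&(mail=%s)(objectClass=person)"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
            % ldap_filter_escape(user))


if __name__ == "__main__":
    login = "odhiambo@newideatest.local"
    print("original filter:", lookup(SAMPLE_ENTRIES, login, original_pass_filter))
    print("fixed filter:   ", lookup(SAMPLE_ENTRIES, login, fixed_pass_filter))
    print("disabled user:  ", lookup(SAMPLE_ENTRIES, "former@newideatest.local", fixed_pass_filter))
    print(render_fixed_filter("x*)(mail=*"))
```

Running it shows the original filter finding nothing for the full e-mail login (it only matches the bare name odhiambo), the fixed filter returning the user's DN, the disabled account and the group both excluded, and a login name containing filter metacharacters rendered harmlessly escaped.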