Could someone help me with Dovecot AD integration PAM setup?

2012-06-22 Thread Kaya Saman
Hi,

I'm trying to authenticate Dovecot against Active Directory using the
SAMBA/Winbind method. So far everything in my setup seems to be
working apart from the Dovecot authentication itself, which I believe
I have traced to PAM.

I can log in with an AD account using:

wbinfo -K user

# wbinfo -K user
Enter user's password:
plaintext kerberos password authentication for [user] succeeded
(requesting cctype: FILE)


This is the current Dovecot config:


# cat dovecot.conf
# v1.1:
#auth_ntlm_use_winbind = yes
# v1.2+:
auth_use_winbind = yes

auth_winbind_helper_path = /usr/local/bin/ntlm_auth

protocols = imap

# It's nice to have separate log files for Dovecot. You could do this
# by changing syslog configuration also, but this is easier.
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log

# Disable SSL for now.
ssl = no
disable_plaintext_auth = no

# We're using Maildir format
#mail_location = maildir:~/Maildir
mail_location = mbox:/mail:INBOX=/mail/%u

# If you're using POP3, you'll need this:
#pop3_uidl_format = %g

# Authentication configuration:
auth_verbose = yes
auth_debug = yes
auth_username_format = %n
auth_mechanisms = plain ntlm login
userdb {
  driver = static
  args = uid=501 gid=501 home=/mail/%u
  driver = static
}

passdb {
  driver = pam
}



Here is a test login attempt:


# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE AUTH=PLAIN AUTH=NTLM AUTH=LOGIN] Dovecot ready.
a login user password
a NO [AUTHENTICATIONFAILED] Authentication failed.
b logout
* BYE Logging out
b OK Logout completed.


- of course, the proper credentials were entered.


Here are the details of pam.d/imap:


# cat imap
#
# $FreeBSD: src/etc/pam.d/imap,v 1.7.10.1.6.1 2010/12/21 17:09:25 kensmith Exp $
#
# PAM configuration for the imap service
#

# auth
auth        sufficient    pam_winbind.so       no_warn try_first_pass debug
#auth       sufficient    pam_ssh.so           no_warn try_first_pass
auth        required      pam_unix.so          no_warn try_first_pass

# account
#account    required      pam_nologin.so
account     required      pam_unix.so
#account    required      pam_winbind.so


I also attempted a change in pam.d/system:


# cat system
#
# $FreeBSD: src/etc/pam.d/system,v 1.1.32.1.6.1 2010/12/21 17:09:25 kensmith Exp $
#
# System-wide defaults
#

# auth
auth        sufficient    pam_opie.so          no_warn no_fake_prompts
auth        requisite     pam_opieaccess.so    no_warn allow_local
auth        sufficient    pam_krb5.so          no_warn try_first_pass
#auth       sufficient    pam_ssh.so           no_warn try_first_pass
auth        required      pam_unix.so          no_warn try_first_pass nullok

# account
account     required      pam_krb5.so
account     required      pam_login_access.so
account     required      pam_unix.so

# session
#session    optional      pam_ssh.so
session     required      pam_lastlog.so       no_fail

# password
password    sufficient    pam_krb5.so          no_warn try_first_pass
password    required      pam_unix.so          no_warn try_first_pass



Neither of which lets me log in to the Dovecot service :-(



The dovecot.log file shows this:


Jun 20 11:30:40 master: Warning: Killed with signal 15 (by pid=4149
uid=0 code=kill)
Jun 20 11:30:48 auth: Fatal: No passdbs specified in configuration
file. LOGIN mechanism needs one
Jun 20 11:30:48 master: Error: service(auth): command startup failed,
throttling for 2 secs
Jun 20 11:30:59 master: Warning: Killed with signal 15 (by pid=4182
uid=0 code=kill)
Jun 20 11:31:13 auth: Fatal: No passdbs specified in configuration
file. LOGIN mechanism needs one
Jun 20 11:31:13 master: Error: service(auth): command startup failed,
throttling for 2 secs
Jun 20 11:32:38 master: Warning: Killed with signal 15 (by pid=4245
uid=0 code=kill)
Jun 20 11:32:58 imap-login: Warning: Auth connection closed with 1
pending requests (max 0 secs, pid=4265, EOF)
Jun 20 11:32:58 auth: Fatal: master: service(auth): child 4266 killed
with signal 11 (core not dumped - set service auth {
drop_priv_before_exec=yes })
Jun 20 11:46:21 master: Warning: Killed with signal 15 (by pid=4318
uid=0 code=kill)
Jun 20 11:46:42 auth-worker(4340): Error: pam(user,127.0.0.1):
pam_authenticate() failed: authentication error (/etc/pam.d/dovecot
missing?)
Jun 20 11:46:55 auth: Error: Got NTLMSSP neg_flags=0xa2088207
Jun 20 11:46:55 auth: Error: Got user=[user] domain=[]
workstation=[WKS-42] len1=24 len2=270
Jun 20 11:46:55 auth: Error: Login for user []\[user]@[WKS-42]
failed due to [Reading winbind reply failed!]
Jun 20 11:49:47 master: Warning: Killed with signal 15 (by pid=4400
uid=0 code=kill)
Jun 20 11:49:53 auth: Fatal: passdb imap: Missing host parameter
Jun 20 11:49:53 master: Error: 

Re: Could someone help me with Dovecot AD integration PAM setup?

2012-06-22 Thread Waitman Gobble
On Jun 22, 2012 1:45 AM, Kaya Saman kayasa...@gmail.com wrote:

 Hi,

 I'm trying to authenticate Dovecot to Active Directory using the
 SAMBA/Winbind method and so far my setup seems that everything is
 working apart from the Dovecot authentication which I believe I have
 traced to PAM.

 I can login using an AD account using:

 wbinfo -K user

 # wbinfo -K user
 Enter user's password:
 plaintext kerberos password authentication for [user] succeeded
 (requesting cctype: FILE)


 This is the current Dovecot config:


 # cat dovecot.conf
 # v1.1:
 #auth_ntlm_use_winbind = yes
 # v1.2+:
 auth_use_winbind = yes

 auth_winbind_helper_path = /usr/local/bin/ntlm_auth

 protocols = imap

 # It's nice to have separate log files for Dovecot. You could do this
 # by changing syslog configuration also, but this is easier.
 log_path = /var/log/dovecot.log
 info_log_path = /var/log/dovecot-info.log

 # Disable SSL for now.
 ssl = no
 disable_plaintext_auth = no

 # We're using Maildir format
 #mail_location = maildir:~/Maildir
 mail_location = mbox:/mail:INBOX=/mail/%u

 # If you're using POP3, you'll need this:
 #pop3_uidl_format = %g

 # Authentication configuration:
 auth_verbose = yes
 auth_debug = yes
 auth_username_format = %n
 auth_mechanisms = plain ntlm login
 userdb {
  driver = static
  args = uid=501 gid=501 home=/mail/%u
  driver = static
 }

 passdb {
  driver = pam
 }



 Here is a test login attempt:


 # telnet localhost 143
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
 IDLE AUTH=PLAIN AUTH=NTLM AUTH=LOGIN] Dovecot ready.
 a login user password
 a NO [AUTHENTICATIONFAILED] Authentication failed.
 b logout
 * BYE Logging out
 b OK Logout completed.


 - of course the proper credentials were put in.


 Here is the details of pam.d/imap:


 # cat imap
 #
 # $FreeBSD: src/etc/pam.d/imap,v 1.7.10.1.6.1 2010/12/21 17:09:25
kensmith Exp $
 #
 # PAM configuration for the imap service
 #

 # auth
 authsufficient  pam_winbind.so  no_warn
 try_first_pass debug
 #auth   sufficient  pam_ssh.so  no_warn
try_first_pass
 authrequiredpam_unix.so no_warn
try_first_pass

 # account
 #accountrequiredpam_nologin.so
 account requiredpam_unix.so
 #accountrequiredpam_winbind.so


 I also attempted a change in pam.d/system:


 # cat system
 #
 # $FreeBSD: src/etc/pam.d/system,v 1.1.32.1.6.1 2010/12/21 17:09:25
 kensmith Exp $
 #
 # System-wide defaults
 #

 # auth
 authsufficient  pam_opie.so no_warn
no_fake_prompts
 authrequisite   pam_opieaccess.so   no_warn
allow_local
 authsufficient  pam_krb5.so no_warn
try_first_pass
 #auth   sufficient  pam_ssh.so  no_warn
try_first_pass
 authrequiredpam_unix.so no_warn
 try_first_pass nullok

 # account
 account requiredpam_krb5.so
 account requiredpam_login_access.so
 account requiredpam_unix.so

 # session
 #sessionoptionalpam_ssh.so
 session requiredpam_lastlog.so  no_fail

 # password
 passwordsufficient  pam_krb5.so no_warn
try_first_pass
 passwordrequiredpam_unix.so no_warn
try_first_pass



 Which don't let me login to the Dovecot service :-(



 The dovecot.log file shows this:


 Jun 20 11:30:40 master: Warning: Killed with signal 15 (by pid=4149
 uid=0 code=kill)
 Jun 20 11:30:48 auth: Fatal: No passdbs specified in configuration
 file. LOGIN mechanism needs one
 Jun 20 11:30:48 master: Error: service(auth): command startup failed,
 throttling for 2 secs
 Jun 20 11:30:59 master: Warning: Killed with signal 15 (by pid=4182
 uid=0 code=kill)
 Jun 20 11:31:13 auth: Fatal: No passdbs specified in configuration
 file. LOGIN mechanism needs one
 Jun 20 11:31:13 master: Error: service(auth): command startup failed,
 throttling for 2 secs
 Jun 20 11:32:38 master: Warning: Killed with signal 15 (by pid=4245
 uid=0 code=kill)
 Jun 20 11:32:58 imap-login: Warning: Auth connection closed with 1
 pending requests (max 0 secs, pid=4265, EOF)
 Jun 20 11:32:58 auth: Fatal: master: service(auth): child 4266 killed
 with signal 11 (core not dumped - set service auth {
 drop_priv_before_exec=yes })
 Jun 20 11:46:21 master: Warning: Killed with signal 15 (by pid=4318
 uid=0 code=kill)
 Jun 20 11:46:42 auth-worker(4340): Error: pam(user,127.0.0.1):
 pam_authenticate() failed: authentication error (/etc/pam.d/dovecot
 missing?)
 Jun 20 11:46:55 auth: Error: Got NTLMSSP neg_flags=0xa2088207
 Jun 20 11:46:55 auth: Error: Got user=[user] domain=[]
 workstation=[WKS-42] len1=24 len2=270
 Jun 20 11:46:55 auth: Error: Login for user []\[user]@[WKS-42]
 failed due to [Reading winbind reply