smtpauth - qmail-ldap with samba4

2012-03-29 Thread Bob Miller
greetings

I have been trying to get qmail-ldap to work with samba4's Active
Directory implementation.  It seems that all parts are working with the
exception of smtpauth.  

WHAT WORKS: When I send a mail to the system, it successfully verifies
if a user exists and denies if the user doesn't exist.  qmail-ldaplookup
-m/-u both run without error and report what I would expect to see.
When I set samba4 into a debug mode, I can see the ldb query coming
through in the logs.  In fairness, those logs do not report success or
failure of the lookup, or the values returned, but the fact that things
work indicates the ldap communication to samba4 was a success.  I also
take these successes to mean my ~controls/ldap* files are set up
correctly.  I can also use ldbsearch to verify my user/pass info is
correct.

SMTPAUTH: I have compiled with TLS and enabled SMTPAUTH=TLSREQUIRED; I
can verify the encryption is working because when I rename the cert, I
get an error in qmail's logs when it is not working (presumably thanks
to TLSDEBUG).  I gather from what I have read that that is all I need to
do.  There were mentions in the Life with qmail-ldap that some extra
arguments are required in the run script, but I found some mailing list
post that says that is not required.  

BROKEN: When I try to send an authenticated mail using Thunderbird, I see
the following in qmail logs:

auth login
authentication failed: authentication failure

However, the samba4 logs continue to indicate a valid search query is
being made.  When I base64-encode my user/pass and use telnet to test
the smtp connection, I get the exact same symptoms as using Thunderbird;
the samba4 logs indicate a good search string and the qmail logs say
authentication failure.  

TRIED: I have scoured the mailing lists; there are those who say Active
Directory works out of the box just by modifying qmail-ldap.h, and there are
those who say you need to modify qldap.c and/or qmail-ldaplookup.c in
order to account for userAccountControl.  Over the last days, I have
tried any patches/suggestions that could apply to samba4 (as opposed to
Windows Server), but not one of them has solved this problem.

In the interest of not making this a novel nobody wants to read, I will
leave out the remaining details on what I have done and which articles I
have referenced, but I can make that info available.

If anyone can get me pointed in the right direction, I would truly
appreciate it...

-- 
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca
b...@computerisms.ca
Network, Internet, Server,
and Open Source Solutions



Re: smtpauth - qmail-ldap with samba4

2012-03-29 Thread Nicolas de Bari Embriz Garcia Rojas
Hi, check that your /var/qmail/control/qmail-smtpd.rules has something like

:allow,SMTPAUTH=




-- 
 nbari


Re: smtpauth - qmail-ldap with samba4

2012-03-29 Thread Bob Miller
Hi Nicolas,

Thank you for your response.  

I have tried both SMTPAUTH= and SMTPAUTH=TLSREQUIRED.  In both cases
the authentication failed, even though the correct search string appears
to have been passed to samba4's ldb.  It's as though qmail is able to do
a lookup, but isn't able to verify that the password is correct...



-- 
Bob Miller



Re: smtpauth - qmail-ldap with samba4

2012-03-29 Thread Геннадий Марченко

Hello Bob,

What is the state of the ldaprebind file in qmail/control/?

Best wishes,
Gennady.



Re: smtpauth - qmail-ldap with samba4

2012-03-29 Thread Ismail YENIGUL

Hi Bob,

By default, qmail-ldap logs in to LDAP with the ldapuser/ldappassword defined
in the control/ files, gets the userPassword entry, and then compares passwords.
If you enable ldaprebind, qmail-ldap first gets the DN of the SMTP auth user
from LDAP/AD with the ldapuser/ldappassword in the control/ files,
and then makes another connection to AD/LDAP with the SMTP auth username's
DN and password.



By the way, can you please tell us what you did to enable AD support in
qmail-ldap?  I am trying to integrate all useful patches into qmail-ldap
as a tarball.

I would like to enable AD support too.

Thanks


Ismail YENIGUL
Team Leader / Takim Lideri
SurGATE Labs
Phone :+90 216-4709423 | Mobile:+90 533 747 36 65
SurGATE: West Coast Labs Premium Anti-Spam Certificated
Twitter: http://www.twitter.com/surgate
Blog: http://www.surgate.com/blog

On 30.03.2012 07:13, Bob Miller wrote:

Gennady,

Thank you so much, enabling ldaprebind solved the problem.


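
The two modes described in the last reply (compare versus rebind), as an added example that is not part of the thread and is not qmail-ldap's code: a small in-memory Python model showing why a lookup can succeed while password comparison fails, and why a rebind implementation should refuse empty passwords. Assumptions: ModelDirectory, the sample DN, mail address and password are constructed; an AD-style server is assumed to return no password attribute to the lookup account; real userPassword values would normally be hashes rather than plaintext.

```python
import hmac

# Constructed sample entry; the DN, mail address and password are made up.
USERS = {"cn=bob,cn=users,dc=example,dc=test":
         {"mail": "bob@example.test", "password": "s3cret-sample"}}


def same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


class ModelDirectory:
    """In-memory stand-in for an LDAP server (a model, not an LDAP client)."""

    def __init__(self, exposes_password):
        # False models an AD-style server: searches never return password data.
        self.exposes_password = exposes_password

    def search(self, mail):
        """Lookup as the service account: returns (dn, attrs) or None."""
        for dn, entry in USERS.items():
            if entry["mail"] == mail:
                attrs = {"mail": mail}
                if self.exposes_password:
                    attrs["userPassword"] = entry["password"]
                return dn, attrs
        return None

    def simple_bind(self, dn, password):
        """Simple bind as dn; models a server that accepts empty passwords."""
        if password == "":
            return True  # unauthenticated bind (RFC 4513, section 5.1.2)
        entry = USERS.get(dn)
        return entry is not None and same(entry["password"], password)


def auth_compare(directory, mail, password):
    """Default mode: read userPassword via the lookup account, compare locally."""
    found = directory.search(mail)
    stored = found[1].get("userPassword") if found else None
    # AD-style model: the search succeeds but there is nothing to compare.
    return stored is not None and same(stored, password)


def auth_rebind(directory, mail, password):
    """Rebind mode: find the DN, then bind as that DN with the client password."""
    if not password:  # an unauthenticated bind must never count as a login
        return False
    found = directory.search(mail)
    return found is not None and directory.simple_bind(found[0], password)
```
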