smtpauth - qmail-ldap with samba4
greetings

I have been trying to get qmail-ldap to work with samba4's Active Directory implementation. It seems that all parts are working with the exception of smtpauth.

WHAT WORKS: When I send a mail to the system, it successfully verifies if a user exists and denies if the user doesn't exist. qmail-ldaplookup -m/-u both run without error and report what I would expect to see. When I set samba4 into a debug mode, I can see the ldb query coming through in the logs. In fairness, those logs do not report success or failure of the lookup, or the values returned, but the fact that things work indicates the ldap communication to samba4 was a success. I also take these successes to mean my ~controls/ldap* files are set up correctly. I can also use ldbsearch to verify my user/pass info is correct.

SMTPAUTH: I have compiled with TLS and enabled SMTPAUTH="TLSREQUIRED". I can verify the encryption is working because when I rename the cert, I get an error in qmail's logs when it is not working (presumably thanks to TLSDEBUG). I gather from what I have read that that is all I need to do. There were mentions in the Life with qmail-ldap that some extra arguments are required in the run script, but I found some mailing list post that says that is not required.

BROKEN: When I try to send an authenticated mail using thunderbird, I see the following in qmail logs:

auth login
authentication failed: authentication failure

However, the samba4 logs continue to indicate a valid search query is being made. When I base64-encode my user/pass and use telnet to test the smtp connection, I get the exact same symptoms as using thunderbird; the samba4 logs indicate a good search string and the qmail logs say authentication failure.

TRIED: I have scoured the mailing lists; there are those who say active directory works out of the box just by modifying qmail-ldap.h, and there are those who say you need to modify qldap.c and/or qmail-ldaplookup.c in order to account for userAccountControl. Over the last days, I have tried any patches/suggestions that could apply to samba4 (as opposed to windows server), but not one of them has solved this problem.

In the interest of not making this a novel nobody wants to read, I will leave out the remaining details on what I have done and which articles I have referenced, but I can make that info available.

If anyone can get me pointed in the right direction, I would truly appreciate it...

--
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca
b...@computerisms.ca
Network, Internet, Server, and Open Source Solutions
Re: smtpauth - qmail-ldap with samba4
Hi, check that your /var/qmail/control/qmail-smtpd.rules have something like:

:allow,SMTPAUTH=""

On Fri, Mar 30, 2012 at 12:10 AM, Bob Miller wrote:
> [...]

--
nbari
Re: smtpauth - qmail-ldap with samba4
Hi Nicolas,

Thank you for your response.

I have tried both SMTPAUTH="" and SMTPAUTH="TLSREQUIRED". In both cases the authentication failed, even though the correct search string appears to have been passed to samba4's ldb. It's as though qmail is able to do a lookup, but isn't able to verify that the password is correct...

On Fri, 2012-03-30 at 01:12 +0100, Nicolas de Bari Embriz Garcia Rojas wrote:
> [...]

--
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca
b...@computerisms.ca
Network, Internet, Server, and Open Source Solutions
Re: smtpauth - qmail-ldap with samba4
Hello Bob,

What is the state of the ldaprebind file in qmail/control/ ?

Best wishes,
Gennady.

Bob Miller wrote on 30.03.2012 04:47:
> [...]
Re: smtpauth - qmail-ldap with samba4
Gennady,

Thank you so much, enabling ldaprebind solved the problem

On Fri, 2012-03-30 at 07:54 +0400, Геннадий Марченко wrote:
> [...]

--
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca
b...@computerisms.ca
Network, Internet, Server, and Open Source Solutions
Re: smtpauth - qmail-ldap with samba4
Hi Bob,

By default qmail-ldap logs in to LDAP with the ldapuser/ldappassword defined in the control/ files, gets the userPassword entry and then compares the passwords. If you enable ldaprebind, qmail-ldap first gets the DN of the SMTP auth user from LDAP/AD with the ldapuser/ldappassword in the control/ files, and then makes another connection to AD/LDAP with the SMTP auth username's DN and password.

By the way, can you please tell us what you did to enable AD support in qmail-ldap? I am trying to integrate all useful patches into qmail-ldap as a tarball. I would like to enable AD support too.

Thanks

Ismail YENIGUL
Team Leader / Takim Lideri
SurGATE Labs
Phone :+90 216-4709423 | Mobile:+90 533 747 36 65
SurGATE: West Coast Labs Premium Anti-Spam Certificated
Twitter: http://www.twitter.com/surgate
Blog: http://www.surgate.com/blog

On 30.03.2012 07:13, Bob Miller wrote:
> [...]
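The two authentication paths Ismail describes, simulated against an in-memory directory so the difference can be seen without a server (added illustration, not qmail-ldap's code; the DNs, account names and passwords are constructed, and the AD-style entries model a directory that does not hand a password hash back to a search):

```python
"""Simulated qmail-ldap SMTP AUTH: password compare (ldaprebind off) vs rebind (on).
Added illustration, not qmail-ldap's code; the directory below is constructed."""
import base64
import hashlib

class LdapError(Exception):
    """Raised on bind failures, like an LDAP invalidCredentials result."""

def sha_hash(password: str) -> str:
    """OpenLDAP-style {SHA} userPassword value."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

# Constructed directory (hypothetical DNs). Only the OpenLDAP-style entry exposes a
# userPassword attribute; the AD-style entries keep their secret in _BIND_SECRETS,
# which models AD not returning a readable password hash to a search.
DIRECTORY = {
    "CN=svc-qmail,CN=Users,DC=example,DC=lan": {"sAMAccountName": "svc-qmail"},
    "CN=Bob Miller,CN=Users,DC=example,DC=lan": {"sAMAccountName": "bob"},
    "uid=alice,ou=People,DC=example,DC=lan": {
        "sAMAccountName": "alice",
        "userPassword": sha_hash("Alice-pw-2"),
    },
}
_BIND_SECRETS = {
    "CN=svc-qmail,CN=Users,DC=example,DC=lan": "svc-secret",
    "CN=Bob Miller,CN=Users,DC=example,DC=lan": "Bob-pw-1",
    "uid=alice,ou=People,DC=example,DC=lan": "Alice-pw-2",
}
SERVICE_DN = "CN=svc-qmail,CN=Users,DC=example,DC=lan"   # control/ldaplogin equivalent

class Connection:
    """Minimal stand-in for an LDAP connection: bind, then search."""

    def __init__(self):
        self.bound_as = None

    def bind(self, dn: str, password: str) -> None:
        # The server checks the credential; the client never sees the stored secret.
        if _BIND_SECRETS.get(dn) != password:
            raise LdapError("invalidCredentials for %s" % dn)
        self.bound_as = dn

    def search(self, attr: str, value: str):
        if self.bound_as is None:
            raise LdapError("search before bind")
        return [(dn, dict(a)) for dn, a in DIRECTORY.items() if a.get(attr) == value]

def _lookup_dn(service_dn, service_pw, uid):
    """Shared first step: bind with the control/ credentials and find the user."""
    conn = Connection()
    conn.bind(service_dn, service_pw)
    hits = conn.search("sAMAccountName", uid)   # LDAP_UID set to sAMAccountName
    return hits[0] if len(hits) == 1 else None

def auth_compare(service_dn, service_pw, uid, password):
    """ldaprebind off: read userPassword via the service bind, compare locally."""
    hit = _lookup_dn(service_dn, service_pw, uid)
    if hit is None:
        return False, "no such user"
    stored = hit[1].get("userPassword")
    if stored is None:
        # The search succeeded (samba4 logs a valid query) but there is nothing
        # to compare against: this is the thread's "authentication failure".
        return False, "authentication failure: userPassword not readable"
    return stored == sha_hash(password), "compared userPassword"

def auth_rebind(service_dn, service_pw, uid, password):
    """ldaprebind on: find the DN, then open a second connection bound as that DN."""
    hit = _lookup_dn(service_dn, service_pw, uid)
    if hit is None:
        return False, "no such user"
    user_dn = hit[0]
    try:
        Connection().bind(user_dn, password)   # the directory verifies the password
    except LdapError as exc:
        return False, str(exc)
    return True, "bound as %s" % user_dn
```

With the rebind path the directory itself checks the credential, so the service account never needs read access to password material.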
Re: smtpauth - qmail-ldap with samba4
Hi Ismail

> By the way, Can you please tell us what you did to enable AD support in
> qmail-ldap? I am trying to integrate all useful patches into qmail-ldap
> as a tarball.
> I would like to enable AD support too.

I got most of my info from the mailing list archives for qmail-ldap. There are several posts with people who say it is possible to query AD just by changing the ldap values in qmail-ldap.h. I can confirm that, because that is what I have working. For example, set "#define LDAP_UID" as sAMAccountName or userPrincipalName depending on how you want your users to log in.

There is a thread where I found a patch to deal with the userAccountControl attribute of AD:

http://marc.info/?l=qmail-ldap&m=117031804500233&w=2

I wasn't able to get these patches working off the bat, but now that I have a working system, I may go back and take another crack at them. In the meantime, I have set LDAP_ISACTIVE to userAccountControl, ISACTIVE_ACTIVE to 66048 and ISACTIVE_BOUNCE to 66050 (the correct values for a normal AD user account with password never expires), which gives me the same results as these patches, except that I can't have some users with passwords that never expire and some that do.

I found another thread:

http://marc.info/?l=qmail-ldap&m=117581086321393&w=2

that describes setting the AD user up with unix attributes by using SFU on a windows server. Didn't fit my situation, but is definitely relevant here.

I hope you find that useful...
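The userAccountControl values Bob configures, decoded and applied to a constructed ldbsearch-style LDIF listing, with a flag-based check beside the exact-value match to show why accounts without "password never expires" fall through (added example, not from the thread or qmail-ldap; the LDIF is constructed, and how qmail-ldap itself treats a value matching neither ISACTIVE_ACTIVE nor ISACTIVE_BOUNCE is an assumption labelled in the code):

```python
"""userAccountControl decoding: exact-value match (as configured in the thread) vs
bitmask check. Added example; the LDIF below is constructed, not real ldbsearch output."""

# Standard AD userAccountControl bit flags (subset).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "PASSWORD_EXPIRED": 0x800000,
}

# Values from the thread: 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
# 66050 = the same with ACCOUNTDISABLE set.
ISACTIVE_ACTIVE = 66048
ISACTIVE_BOUNCE = 66050

LDIF_SAMPLE = """\
# record 1 (constructed sample in ldbsearch/LDIF layout)
dn: CN=Bob Miller,CN=Users,DC=example,DC=lan
sAMAccountName: bob
userAccountControl: 66048

dn: CN=Alice Example,CN=Users,DC=example,DC=lan
sAMAccountName: alice
userAccountControl: 512

dn: CN=Old Account,CN=Users,DC=example,DC=lan
sAMAccountName: old
userAccountControl: 66050
"""

def decode_uac(value: int) -> list:
    """Names of the flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]

def exact_match_state(value: int) -> str:
    """The LDAP_ISACTIVE configuration from the thread: whole-value comparison.
    Anything other than the two configured values is 'unknown' here (assumption;
    how qmail-ldap itself treats such a value is not described in the thread)."""
    if value == ISACTIVE_ACTIVE:
        return "active"
    if value == ISACTIVE_BOUNCE:
        return "bounce"
    return "unknown"

def bitmask_state(value: int) -> str:
    """Flag-based check: the disabled bit decides, whatever the expiry bits say."""
    if value & UAC_FLAGS["ACCOUNTDISABLE"]:
        return "bounce"
    if value & UAC_FLAGS["NORMAL_ACCOUNT"]:
        return "active"
    return "unknown"

def parse_ldif(text: str) -> list:
    """Parse blank-line separated 'attr: value' records; '#' comment lines are skipped."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), value.strip())
    if current:
        entries.append(current)
    return entries

def classify_all(text: str, checker) -> dict:
    """Map each sAMAccountName in the LDIF text to the state the checker assigns."""
    return {e["sAMAccountName"]: checker(int(e["userAccountControl"]))
            for e in parse_ldif(text)}
```

Running both checkers over the sample shows the exact-value configuration leaving a normal, enabled account whose password does expire (512) unclassified, while the bit test treats it as active.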