Solved

get dovecot working with samba4/LDAP

Posted on 2015-01-09
Last Modified: 2015-01-13
I have a slackware64 14.1 Linux host configured as a Domain Controller/Active Directory. I am using dovecot 2.2.15 as the IMAP mail server. This currently works fine using PLAIN TEXT password from Outlook clients.

Now, I want Domain Outlook clients to connect via AD Authentication. I've followed the instructions in http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds and https://help.ubuntu.com/community/DovecotLDAP, but probably not correctly.

My /usr/local/etc/dovecot/conf.d/auth-ldap.conf.ext has settings:
passdb {
  driver = ldap
}

userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

and /etc/dovecot/dovecot-ldap.conf.ext has:
uris = ldap://localhost

auth_bind = yes

base = dc=mail, dc=hprs, dc=local

scope = subtree

user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid

user_filter = (&(objectClass=posixAccount)(uid=%u))

pass_attrs = uid=user,userPassword=password

pass_filter = (&(objectClass=posixAccount)(uid=%u))

doveconf -n output is:
$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
disable_plaintext_auth = no
first_valid_gid = 200
first_valid_uid = 1100
last_valid_gid = 200
listen = 192.168.0.2
mail_location = maildir:~/Maildir
namespace inbox {
  inbox = yes
  location =
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = imap
ssl = no
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}

I've checked the "Log on using Secure Password Authentication" checkbox in the Outlook client. When I try to send/receive from Outlook I get in /var/log/maillog:
Jan  9 16:18:59 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.0.100, lip=192.168.0.2, session=<m3t+tD4M3gDAqABk>
Jan  9 16:18:59 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.0.100, lip=192.168.0.2, session=<X5Z+tD4M3wDAqABk>

What do I have wrong?
Question by:jmarkfoley
 
LVL 61

Expert Comment

by:gheist
ID: 40541857
You need SPNEGO or GSSAPI authentication to use AD authentication. Otherwise it will be domain password only.
 
LVL 76

Expert Comment

by:arnold
ID: 40541988
Change the Outlook account setting to use secure password and see what the log shows following the login attempt.

Configure the secure IMAP option.
You would use openssl to set up a local CA.
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40541996
gheist:
You need SPNEGO or GSSAPI authentication to use AD authentication
I'll research that. In all the searching I've done on this topic no one has mentioned that.

Arnold:
Configure the secure IMAP option
So, configure ssl, right? I'll give that a shot too.

Are these alternative solutions or do I need to do both (SPNEGO/GSSAPI and SSL)?

What about ntlm authentication?

I'll research suggestions and post back.
 
LVL 76

Expert Comment

by:arnold
ID: 40542055
There is an issue with secure password authentication in your setup, mainly because you have the data stored in Samba4's included LDAP; how is the password stored there?
I realized after posting that while I read the first portion of your question, I skimmed the latter half, which, when I looked again, addressed the suggestion of trying secure auth. The issue is that your current auth option in Dovecot does not include secure auth, such that when Outlook indicates secure password auth, Dovecot does not respond, as it does not have that option.

The exchange of username and password between your Outlook client and Dovecot is in plain text, whether the connection is open or over SSL.

The exchange of that information between Dovecot (currently over PAM) and the local LDAP directory service could be exposed or encrypted.

I do not believe there is ever Outlook authenticating using AD.

With Exchange, the data is transmitted from Outlook to Exchange, which then queries the AD.

I believe Exchange supports secure password, given IIS has the auth setting, i.e. the secure password uses the same method as used to store the password in AD.

Look at the Samba4/LDAP settings for how the password is stored, and whether the secure password option in Dovecot can be enabled without having to configure it to use direct LDAP queries (dovecot-ldap.conf).
 
LVL 76

Expert Comment

by:arnold
ID: 40542060
See if the discussion of using NTLM (Windows integrated authentication) can be added:
http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM
 
LVL 76

Expert Comment

by:arnold
ID: 40542110
Yes.
If you secure the communication between the Outlook client and Dovecot (ssl = yes), which means having a signed certificate on the Dovecot side and having the signing CA's public certificate trusted by the system where Outlook is running, the login information between Outlook and Dovecot, while still in plain text, will be exchanged within the confines of an encrypted channel not observable on the LAN.

In your case, Dovecot is on the same system as the Samba4/LDAP; to observe the data exchange between these two will require the "user" to be present on the system and .........

GSSAPI was one of the options during compile --with-gssapi
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40542326
Arnold:
I do not believe there is ever Outlook authenticating using AD.

Well, that is the crux of the matter. The idea is for Outlook to *not* have to pass a password to dovecot. Or if it does, Outlook is able to retrieve the current AD password.

Domain users must change their passwords every so often, but with Outlook/Exchange, they don't have to also go into Outlook and change their email password.

Somehow in the Outlook/Exchange handshake, the system knows the user has logged on as a domain user.

How would Exchange know this unless the Outlook client sent Exchange some such indicator? I just don't know enough about the whole mechanism.

The point of Active Directory (whether Samba4 or Microsoft) is to permit user logins and access in the domain without making the user enter ID/PW everywhere.

If I have to supply a PW with Outlook, then what I had originally (PLAIN) is as good as I'm going to get (possibly adding SSL or whatnot for security). In this case I'll have to create an email PW for users which doesn't need to be changed and doesn't depend on their AD password.

If the AD password must be hard-configured in Outlook's setup, then it really doesn't matter that I use the AD password and that I teach dovecot where the AD passwords are stored. In this case the user must change the Outlook password each time he changes his domain login password - not acceptable.

Is that how you think it works? Outlook must have a hard-configured password, period?
 
LVL 76

Expert Comment

by:arnold
ID: 40542331
Reviewing how Outlook/Exchange authenticate could help.
Not sure (have not looked at it), but the only way for Outlook to authenticate would be if both were using something like NTLM authentication, i.e. Windows integrated.

Or a Kerberos key .........

The NTLM link I posted earlier deals with Dovecot connecting to the DC ... while using NTLM.
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40542342
Here's one link implying dovecot/AD/Samba4 should work: http://dev.nethserver.org/projects/nethserver/wiki/Samba4. However, it doesn't mention Outlook specifically other than in the section under OpenChange -- and there it sounds a bit negative.

So, I may be barking up the wrong tree. If Outlook cannot authenticate without being hard-configured with a password (other than when connecting via Exchange), then I need to stop the madness. It's not a big deal to add domain users to /etc/passwd and give everyone a unique, permanent mail password.
 
LVL 76

Expert Comment

by:arnold
ID: 40542347
The other auth option is using certificates as a means to authenticate users.

I do not have a system in either configuration to validate this.

http://wiki2.dovecot.org/SSL/DovecotConfiguration
includes a portion on issuing client/user certificates.

In an AD DC where an enterprise CA exists, autoenrollment for user certificates includes one that might be what is used.

IMHO, as you are working on finishing up the Dovecot config for SSL,

it will leave the exploration of whether Outlook/Exchange ever needs a user to provide a password, versus once on initial connection or when the password changed.........
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40542353
the ntlm link I posted earlier deals with Dovecot connecting to dc ... While using NTLM.

Yes, I tried that. Here is my dovecot.conf:
> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
first_valid_gid = 200
first_valid_uid = 1100
last_valid_gid = 200
mail_location = maildir:~/Maildir
namespace inbox {
  inbox = yes
  location =
  prefix =
}
passdb {
  driver = static
}
protocols = imap
ssl = no
userdb {
  driver = static
}

Here is the resulting /etc/log/maillog output
Jan 10 15:54:56 mail dovecot: auth: Error: GENSEC backend 'gssapi_spnego' registered
Jan 10 15:54:56 mail dovecot: auth: Error: GENSEC backend 'gssapi_krb5' registered
Jan 10 15:54:56 mail dovecot: auth: Error: GENSEC backend 'gssapi_krb5_sasl' registered
Jan 10 15:54:56 mail dovecot: auth: Error: GENSEC backend 'sasl-DIGEST-MD5' registered
Jan 10 15:54:56 mail dovecot: auth: Error: GENSEC backend 'schannel' registered
Jan 10 15:54:56 mail dovecot: auth: Error: GENSEC backend 'spnego' registered
Jan 10 15:54:56 mail dovecot: auth: Error: GENSEC backend 'ntlmssp' registered
Jan 10 15:54:56 mail dovecot: auth: Error: GENSEC backend 'krb5' registered
Jan 10 15:54:56 mail dovecot: auth: Error: GENSEC backend 'fake_gssapi_krb5' registered
Jan 10 15:54:56 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088207
Jan 10 15:54:56 mail dovecot: auth: Error: Got user=[mark] domain=[] workstation=[HPLAPTOP] len1=24 len2=250
Jan 10 15:54:56 mail dovecot: auth: Error: GENSEC login failed: NT_STATUS_LOGON_FAILURE

Maybe I need that gssapi or spnego setup that gheist mentioned?
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40542357
The other auth option is using certificates as a means to authenticate users.

OK, I'm going to work on that now ...
 
LVL 76

Expert Comment

by:arnold
ID: 40542377
The error failing auth dealt with a non-AD based account (mark). Is the system from which you tried a Samba/AD workstation, and did you log in using the Samba/AD account?

Look at the last three lines of the Dovecot log.
 
LVL 61

Assisted Solution

by:gheist
gheist earned 50 total points
ID: 40542501
Is wbinfo -t successful? Maybe winbind is not a domain member or not running?
 
LVL 76

Expert Comment

by:arnold
ID: 40542590
Gheist,

This is a followup to an earlier question.

OS Slackware 14.1
Samba4/LDAP as AD/DC setup
MTA sendmail
LDA procmail
Dovecot

Confirmed Samba4/LDAP.
Sendmail as MTA delivers emails to the user.
Dovecot authenticates clients using clear text.

Info provided; not sure it is used with auto discovery/configuration for Outlook using DNS and a webserver.


The goal of the asker is to have Outlook clients auto discover/configure the user accounts without any need for users to provide/type a password, i.e. have the Outlook/Dovecot behavior function as though it was Outlook/Exchange.
 
LVL 61

Expert Comment

by:gheist
ID: 40542815
I understand. Since winbind is used in the authentication chain but authentication fails, the most likely problem is 1) absence of winbind or 2) protocol incompatibility between AD and winbind.
Either way, wbinfo output will tell which is at fault...
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40543710
Arnold:
The error failing auth dealt with a non-AD based account (mark). Is the system from which you tried part of the samba/ad workstation and you logged in using the Samba/ad account?
The account 'mark' is an AD Account. The workstation from which user 'mark' is trying to connect via Outlook [LAPTOP] is a member of the domain.
$ samba-tool user list
ldb_wrap open of secrets.ldb
Administrator
mark
dns-mail
JohnDoe
krbtgt
Guest

gheist:
is wbinfo -t successful? Maybe winbind is not domain member & running?

Output of wbinfo:
$ wbinfo -t
checking the trust secret for domain HPRS via RPC calls succeeded

 
LVL 76

Expert Comment

by:arnold
ID: 40543730
Could you double check whether you logged into the domain joined system using the domain account versus a local account.

Create or use the Johndoe account and see if it works for that account.
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40543786
Create or use the Johndoe account and see if it works for that account.
Do you mean using ldap? Not sure why the results would be different? What are you suspecting is going on?
Could you double check whether you logged into the domain joined system using the domain account versus a local account.
Yes, I'm sure:
(attached screenshot: domain.jpg)
 
LVL 61

Expert Comment

by:gheist
ID: 40543823
Domain is joined and winbindd is running, maintaining the machine account. No need to re-join.
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40544278
Interesting ... when I run `wbinfo -I mark` I get:

HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/false

I've manually set this domain user's home and Maildir to /domainusers/mark/Maildir. Perhaps I should change it to /home/HPRS/mark/Maildir? If so, how do I create owner, group and permissions on the folders /home/HPRS/mark?

So, what's next? I've followed the instruction in http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm. It looks simple, only 5 config directives:
auth_use_winbind = yes

auth_winbind_helper_path = /usr/bin/ntlm_auth
protocols = imap imaps pop3 pop3s
mechanisms = plain ntlm login
userdb static {
   args= uid=501 gid=501 home=/home/vmail/%1Ln/%Ln
   mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln
   allow_all_users=yes
}

I've got:
dovecot.conf
------------------
protocols = imap
dict {
}
!include conf.d/*.conf
!include_try local.conf

10-auth.conf
------------------
disable_plaintext_auth = no
auth_use_winbind = yes
auth_winbind_helper_path = /usr/bin/ntlm_auth
auth_mechanisms = plain ntlm login
!include auth-static.conf.ext

auth-static-conf.ext
----------------------------
userdb {
  driver = static
}

At least one place I'm sure I'm messing up is in the userdb. For one thing, "userdb static {}" is invalid syntax. It has to be "userdb { driver = static }". Also, the allow_all_users parameter is illegal. Is this wiki doc too old?

Other than that, I'm a bit lost as to the args,etc. Examples throughout the wiki aren't consistent. Why uid=501, gid=501? Is that required? An example? whose uid/gid it is supposed to be?

Where are the parameter %1Ln, %Ln, %d, %u, etc. described? I can gather %u is the user name (or is it the uid?), but it would really help if these were defined somewhere.

Is the "args ... home=..." defining where the domain users' home directory should be? Should I use my /domainusers/<username> folder or should everything be pointed to that /home/HPRS/<username> revealed by the `wbinfo -I <username>` command?

Likewise in the mail= parameter ... should that point to /domainusers/mark/Maildir, /home/HPRS/mark/Maildir, or do I need a /home/vmail/.... folder?

My doveconf -n currently is:
$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
disable_plaintext_auth = no
first_valid_gid = 200
first_valid_uid = 1100
last_valid_gid = 200
mail_location = maildir:~/Maildir
namespace inbox {
  inbox = yes
  location =
  prefix =
}
protocols = imap
userdb {
  driver = static
}

(Are valid_gid/uid parameters meaningful with ntlm?)

Perhaps if I gain an understanding of these few settings I'll have it nailed.
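The %-variables asked about above, and what a static userdb does or does not supply, can be worked through in code. What follows is an added example written for this thread, not Dovecot's own code and not the wiki's: a small Python model of the documented expansion of %u, %n, %d and %h (with the L/U and width modifiers, so %1Ln is the first character of the lowercased user part), of a static userdb args line such as the wiki's `uid=501 gid=501 home=/home/vmail/%1Ln/%Ln`, and of the two checks Dovecot makes before it opens a mailbox. The names DovecotUser, expand, static_userdb, check_user and mail_root are mine.

```python
"""Model of the Dovecot userdb/variable behaviour discussed in this thread.
Added example; not Dovecot code. Covers only %u %n %d %h and the L, U and
width modifiers documented at wiki2.dovecot.org/Variables."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DovecotUser:
    """What a userdb lookup knows about a login. Fields no userdb supplied
    stay None, which is exactly what 'userdb { driver = static }' with no
    args line produces."""
    user: str                    # %u: name as authenticated, e.g. "mark@hprs"
    home: Optional[str] = None   # %h
    uid: Optional[int] = None
    gid: Optional[int] = None

    @property
    def name(self) -> str:       # %n: part before the '@'
        return self.user.split("@", 1)[0]

    @property
    def domain(self) -> str:     # %d: part after the '@', empty when absent
        return self.user.split("@", 1)[1] if "@" in self.user else ""


# %[modifiers]variable: modifiers are a width (1 = first character) and/or
# L (lowercase) / U (uppercase). "%%" is a literal percent sign.
_TOKEN = re.compile(r"%([0-9LU]*)([undh%])")


def expand(template: str, u: DovecotUser) -> str:
    """Expand the %-variables in template for user u."""
    def repl(m) -> str:
        mods, var = m.group(1), m.group(2)
        if var == "%":
            return "%"
        value = {"u": u.user, "n": u.name, "d": u.domain, "h": u.home or ""}[var]
        if "L" in mods:
            value = value.lower()
        if "U" in mods:
            value = value.upper()
        width = "".join(ch for ch in mods if ch.isdigit())
        return value[: int(width)] if width else value
    return _TOKEN.sub(repl, template)


def static_userdb(args: str, login: str) -> DovecotUser:
    """Model 'userdb { driver = static  args = ... }': every key=value in
    args is expanded for the login; keys that are absent stay unset."""
    u = DovecotUser(login)
    for kv in args.split():
        key, _, val = kv.partition("=")
        val = expand(val, u)
        if key == "uid":
            u.uid = int(val)
        elif key == "gid":
            u.gid = int(val)
        elif key == "home":
            u.home = val
    return u


def _root_of(mail_location: str) -> str:
    """'maildir:~/Maildir' or 'maildir:/path:INBOX=...' -> the path part."""
    return mail_location.partition(":")[2].split(":")[0]


def check_user(mail_location: str, u: DovecotUser,
               mail_uid: Optional[str] = None) -> List[str]:
    """The two complaints Dovecot logs before opening a mailbox when the
    userdb is incomplete: no uid to drop privileges to (the global mail_uid
    setting is the fallback), and a '~' mail root with no home to expand."""
    problems = []
    if u.uid is None and mail_uid is None:
        problems.append("User is missing UID (see mail_uid setting)")
    root = _root_of(mail_location)
    if root.startswith("~") and not u.home:
        problems.append("Home directory not set for user. "
                        "Can't expand ~/ for mail root dir in: " + root)
    return problems


def mail_root(mail_location: str, u: DovecotUser) -> str:
    """Resolve the mail root directory for u; assumes check_user passed."""
    root = _root_of(mail_location)
    if root.startswith("~"):
        if not u.home:
            raise ValueError("Home directory not set for user")
        root = u.home + root[1:]
    return expand(root, u)


if __name__ == "__main__":
    wiki = static_userdb("uid=501 gid=501 home=/home/vmail/%1Ln/%Ln", "Mark@HPRS")
    print(wiki, check_user("maildir:~/Maildir", wiki), mail_root("maildir:~/Maildir", wiki))
    bare = static_userdb("", "mark@hprs")          # static driver, no args
    print(check_user("maildir:~/Maildir", bare))   # both complaints
    print(check_user("maildir:~/Maildir", bare, mail_uid="dovecot"))  # home only
```

Running it shows why `userdb { driver = static }` with no args, as in the doveconf -n output above, leaves both uid and home unset: the static driver returns only what its args line names, and mail_uid/mail_gid are the fallback for uid/gid only, not for home.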
 
LVL 76

Expert Comment

by:arnold
ID: 40544437
You should not be statically setting the user within Dovecot, let it get the info from ldap.

Note that your Dovecot uid restriction of 1100 (doveconf -n) is the lowest, while the static uid you assigned to the mark account is 501.
 
LVL 61

Expert Comment

by:gheist
ID: 40544706
You need dovecot to generate maildir names instead of trying home directories.
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40544946
Arnold:
You should not be statically setting the user within Dovecot, let it get the info from ldap.
Where am I doing that?
Note your Dovecot uid restriction is 1100 (Dovecot -n) is the lowest while the static uid you assigned to the mark account is 501.
Again, not sure where you're seeing that. Are you looking at the args parameter in the "userdb static {}" setting? That's not my configuration, that's the example given in Dovecot's http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm link. I've got no idea why they are setting a hard-coded uid/gid and have no idea what I should put in my "userdb {}" setting. Currently it's "userdb { driver = static }". See line 19 in my previous message where I list the contents of my auth-static-conf.ext.

gheist:
You need dovecot to generate maildir names instead of trying home directories.
How? Example? Note that `wbinfo -I mark` shows
HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/false

with /home/HPRS/mark as the home directory. Something is auto-generating this pseudo-passwd entry. It is not in my /etc/passwd file and I don't believe I've hard-configured that anywhere.

Also note ls -l on the redirected folders:
$ ls -l /redirectedFolders/Users/mark/
drwxrwx---+ 6 3000026 users 4096 2014-10-09 00:04 My\ Documents/

Shows the same uid of 3000026. These redirected folders were created by the AD, so I think that must be where the pseudo-passwd info is coming from and the AD must somehow think the home directories are in /home/HPRS. This is all very mysterious to me and I can find very little out there explaining what's going on.

So, how do I let "dovecot to generate maildir names "?
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40544997
Here's a bizarrely interesting fact. When I did have the dovecot/Outlook working with PLAIN password lookup and "passdb { driver = shadow }", the Maildir files were auto-created in the /domainusers/mark folder with that 3000026 uid and 100 gid as shown by the wbinfo command, not with the uid of 1100, gid 200 I hand-configured the user with. So, clearly the AD told dovecot what to create these files/folders as.
> ls -ln /domainusers/mark/Maildir/
total 28
drwx------ 2 3000026 100 4096 2015-01-09 02:26 cur/
-rw------- 1 3000026 100   78 2015-01-09 02:26 dovecot-uidlist
-rw------- 1 3000026 100    8 2015-01-09 02:26 dovecot-uidvalidity
-r--r--r-- 1 3000026 100    0 2015-01-09 02:26 dovecot-uidvalidity.54af82a4
-rw------- 1 3000026 100  384 2015-01-09 02:26 dovecot.index.cache
-rw------- 1 3000026 100  556 2015-01-09 02:31 dovecot.index.log
drwx------ 2 3000026 100 4096 2015-01-09 16:15 new/
drwx------ 2 3000026 100 4096 2015-01-09 16:15 tmp/

 
LVL 1

Author Comment

by:jmarkfoley
ID: 40545029
OK, next test. I removed the first/last_valid_uid/gid settings from 10-mail.conf. I created the folder /home/HPRS/mark and changed the uid/gid on that folder to 3000026 100. I moved the Maildir, etc. files from /domainusers/mark to /home/HPRS/mark. My current doveconf -n:
> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_mechanisms = ntlm plain login
auth_use_winbind = yes
disable_plaintext_auth = no
mail_location = maildir:~/Maildir
namespace inbox {
  inbox = yes
  location =
  prefix =
}
protocols = imap
userdb {
  driver = static
}

I then fired up dovecot. /var/log/maillog entries:
Jan 12 13:32:46 mail dovecot: imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY
Jan 12 13:32:46 mail dovecot: master: Error: service(imap-login): command startup failed, throttling for 2 secs
Jan 12 13:32:48 mail dovecot: imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY
Jan 12 13:32:48 mail dovecot: master: Error: service(imap-login): command startup failed, throttling for 4 secs
Jan 12 13:32:52 mail dovecot: imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY
Jan 12 13:32:52 mail dovecot: master: Error: service(imap-login): command startup failed, throttling for 8 secs

I'm confused as to why it is moaning about ssl_key. I'm not referencing 10-ssl.conf. Do I need to?

Are we making progress?
 
LVL 76

Expert Comment

by:arnold
ID: 40545045
Your static entry for mark is using UID=501. Oops, I read your comment dealing with the static reference, and then the static userdb for vpopmail ........


Within your Samba4/LDAP, when you add the user, it should be matched to

You have /home/username/Maildir
while the delivery is occurring in /domainusers/mark/Maildir.

The home dir set in LDAP should be the same as the one to which it will be delivered.

But this is neither here nor there; note the NT failed login: the domain is not reflected. You could configure winbind to auto/presume the user is in the HPRS realm/domain.

winbind use default domain = true

if not set already. This way, when it sees mark it will presume it is mark@hprs or HPRS\mark.

See if that makes a difference for NTLM auth.
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40545051
Sorry to be flooding you with messages ... next test: I decided to include 10-ssl.conf which has:
ssl = yes
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem

I removed the "login" method from auth_mechanisms (since it apparently requires a passdb). Fired up dovecot again. /var/log/messages:
Jan 12 13:46:14 mail dovecot: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.100, lip=192.168.0.2, session=<tv6663gMZQDAqABk>
Jan 12 13:46:16 mail dovecot: auth: Fatal: No passdbs specified in configuration file. PLAIN mechanism needs one
Jan 12 13:46:16 mail dovecot: master: Error: service(auth): command startup failed, throttling for 4 secs
Jan 12 13:46:16 mail dovecot: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 2 secs): user=<>, rip=192.168.0.100, lip=192.168.0.2, session=<cKPZ63gMZgDAqABk>

I'm out of ideas. I'll await your respective sagacities.
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40545060
Arnold:
The home dir set in LDAP should be the same as the one to which it will be delivered.
You can see from the message I posted just ahead of yours that I did just that.
winbind use default domain = true
Where would I set this?

Is this still the thing to try in light of my recent tests?
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40545070
I next removed the 'plain' mechanism since it apparently also wants a passdb. Ran dovecot again. /var/log/messages:
Jan 12 13:54:38 mail dovecot: master: Dovecot v2.2.15 starting up for imap (core dumps disabled)
Jan 12 13:54:54 mail dovecot: auth: Error: GENSEC backend 'gssapi_spnego' registered
Jan 12 13:54:54 mail dovecot: auth: Error: GENSEC backend 'gssapi_krb5' registered
Jan 12 13:54:54 mail dovecot: auth: Error: GENSEC backend 'gssapi_krb5_sasl' registered
Jan 12 13:54:54 mail dovecot: auth: Error: GENSEC backend 'sasl-DIGEST-MD5' registered
Jan 12 13:54:54 mail dovecot: auth: Error: GENSEC backend 'schannel' registered
Jan 12 13:54:54 mail dovecot: auth: Error: GENSEC backend 'spnego' registered
Jan 12 13:54:54 mail dovecot: auth: Error: GENSEC backend 'ntlmssp' registered
Jan 12 13:54:54 mail dovecot: auth: Error: GENSEC backend 'krb5' registered
Jan 12 13:54:54 mail dovecot: auth: Error: GENSEC backend 'fake_gssapi_krb5' registered
Jan 12 13:54:54 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088207
Jan 12 13:54:54 mail dovecot: auth: Error: Got user=[mark] domain=[] workstation=[HPLAPTOP] len1=24 len2=250
Jan 12 13:54:54 mail dovecot: auth: Error: GENSEC login failed: NT_STATUS_LOGON_FAILURE

So, back to the errors I posted in 40542353. Now perhaps I need that "winbind use default domain = true". Where does that go?

I'll stop now and wait patiently for feedback.
 
LVL 61

Expert Comment

by:gheist
ID: 40545080
"winbind use default domain" can be looked up on Google; that points you to smb.conf.
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40545265
OK, I put "winbind use default domain " in /etc/samba/smb.conf and restarted samba. I then ran dovecot and got in /etc/logs/maillog:
Jan 12 15:09:11 mail dovecot: auth: Error: GENSEC backend 'gssapi_spnego' registered
Jan 12 15:09:11 mail dovecot: auth: Error: GENSEC backend 'gssapi_krb5' registered
Jan 12 15:09:11 mail dovecot: auth: Error: GENSEC backend 'gssapi_krb5_sasl' registered
Jan 12 15:09:11 mail dovecot: auth: Error: GENSEC backend 'sasl-DIGEST-MD5' registered
Jan 12 15:09:11 mail dovecot: auth: Error: GENSEC backend 'schannel' registered
Jan 12 15:09:11 mail dovecot: auth: Error: GENSEC backend 'spnego' registered
Jan 12 15:09:11 mail dovecot: auth: Error: GENSEC backend 'ntlmssp' registered
Jan 12 15:09:11 mail dovecot: auth: Error: GENSEC backend 'krb5' registered
Jan 12 15:09:11 mail dovecot: auth: Error: GENSEC backend 'fake_gssapi_krb5' registered
Jan 12 15:09:11 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088207
Jan 12 15:09:11 mail dovecot: auth: Error: Got user=[mark] domain=[] workstation=[HPLAPTOP] len1=24 len2=250
Jan 12 15:09:11 mail dovecot: auth: Error: GENSEC login failed: NT_STATUS_LOGON_FAILURE
Jan 12 15:09:16 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088207
Jan 12 15:09:16 mail dovecot: auth: Error: Got user=[mark] domain=[] workstation=[HPLAPTOP] len1=24 len2=250
Jan 12 15:09:16 mail dovecot: auth: Error: GENSEC login failed: NT_STATUS_LOGON_FAILURE

Which looks pretty much the same as before. This time, however, Outlook gave me a login dialog asking for password and domain (maybe it did so before but I didn't notice), so I filled those in and got (/etc/log/maillog):
glacon_9Jan 12 15:09:54 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088207
Jan 12 15:09:54 mail dovecot: auth: Error: Got user=[mark] domain=[hprs.local] workstation=[HPLAPTOP] len1=24 len2=250
Jan 12 15:09:54 mail dovecot: auth: Error: NTLMSSP Sign/Seal - Initialising with flags:
Jan 12 15:09:54 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088205
Jan 12 15:09:54 mail dovecot: imap-login: Login: user=<mark@hprs>, method=NTLM, rip=192.168.0.100, lip=192.168.0.2, mpid=28349, session=<jT55FHoMzgDAqABk>
Jan 12 15:09:54 mail dovecot: imap(mark@hprs): Error: user mark@hprs: Couldn't drop privileges: User is missing UID (see mail_uid setting)
Jan 12 15:09:54 mail dovecot: imap(mark@hprs): Error: Internal error occurred. Refer to server log for more information.
Jan 12 15:09:54 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088207
Jan 12 15:09:54 mail dovecot: auth: Error: Got user=[mark] domain=[HPRS] workstation=[HPLAPTOP] len1=24 len2=250
Jan 12 15:09:54 mail dovecot: auth: Error: NTLMSSP Sign/Seal - Initialising with flags:
Jan 12 15:09:54 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088205
Jan 12 15:09:54 mail dovecot: imap-login: Login: user=<mark@hprs>, method=NTLM, rip=192.168.0.100, lip=192.168.0.2, mpid=28351, session=<1JT1FnoM0ADAqABk>
Jan 12 15:09:54 mail dovecot: imap(mark@hprs): Error: user mark@hprs: Couldn't drop privileges: User is missing UID (see mail_uid setting)
Jan 12 15:09:54 mail dovecot: imap(mark@hprs): Error: Internal error occurred. Refer to server log for more information.
Jan 12 15:09:54 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088207
Jan 12 15:09:54 mail dovecot: auth: Error: Got user=[mark] domain=[HPRS] workstation=[HPLAPTOP] len1=24 len2=250
Jan 12 15:09:54 mail dovecot: auth: Error: NTLMSSP Sign/Seal - Initialising with flags:
Jan 12 15:09:54 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088205
Jan 12 15:09:54 mail dovecot: imap-login: Login: user=<mark@hprs>, method=NTLM, rip=192.168.0.100, lip=192.168.0.2, mpid=28353, session=<uxH2FnoM0QDAqABk>
Jan 12 15:09:54 mail dovecot: imap(mark@hprs): Error: user mark@hprs: Couldn't drop privileges: User is missing UID (see mail_uid setting)
Jan 12 15:09:54 mail dovecot: imap(mark@hprs): Error: Internal error occurred. Refer to server log for more information.

Interestingly, the password is shown at the beginning of line 1. Notice in line 2 the domain name is now present. Nevertheless, I've got an error "Couldn't drop privileges: User is missing UID (see mail_uid setting)" which has me stumped.

Not sure the "winbind use default domain" helped much. Hard to grasp why this is so hard to configure!
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40545312
More testing. Based on the error message I added mail_gid and mail_uid (dovecot = 151.151), first_valid_uid = 150. Then when I started dovecot I got the same GENSEC messages as in the first listing in my previous message (which I won't repeat). Then I filled in the password and domain in the Outlook dialog and got:
Jan 12 15:35:05 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088207
Jan 12 15:35:05 mail dovecot: auth: Error: Got user=[mark] domain=[hprs.local] workstation=[HPLAPTOP] len1=24 len2=250
Jan 12 15:35:05 mail dovecot: auth: Error: NTLMSSP Sign/Seal - Initialising with flags:
Jan 12 15:35:05 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088205
Jan 12 15:35:05 mail dovecot: imap-login: Login: user=<mark@hprs>, method=NTLM, rip=192.168.0.100, lip=192.168.0.2, mpid=1296, session=<twCdb3oM6gDAqABk>
Jan 12 15:35:05 mail dovecot: imap(mark@hprs): Error: user mark@hprs: Initialization failed: Initializing mail storage from mail_location setting failed: Home directory not set for user. Can't expand ~/ for mail root dir in: ~/Maildir
Jan 12 15:35:05 mail dovecot: imap(mark@hprs): Error: Invalid user settings. Refer to server log for more information.
Jan 12 15:35:05 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088207
Jan 12 15:35:05 mail dovecot: auth: Error: Got user=[mark] domain=[HPRS] workstation=[HPLAPTOP] len1=24 len2=250
Jan 12 15:35:05 mail dovecot: auth: Error: NTLMSSP Sign/Seal - Initialising with flags:
Jan 12 15:35:05 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088205
Jan 12 15:35:05 mail dovecot: imap-login: Login: user=<mark@hprs>, method=NTLM, rip=192.168.0.100, lip=192.168.0.2, mpid=1298, session=<AUsEcXoM7ADAqABk>
Jan 12 15:35:05 mail dovecot: imap(mark@hprs): Error: user mark@hprs: Initialization failed: Initializing mail storage from mail_location setting failed: Home directory not set for user. Can't expand ~/ for mail root dir in: ~/Maildir
Jan 12 15:35:05 mail dovecot: imap(mark@hprs): Error: Invalid user settings. Refer to server log for more information.
Jan 12 15:35:05 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088207
Jan 12 15:35:05 mail dovecot: auth: Error: Got user=[mark] domain=[HPRS] workstation=[HPLAPTOP] len1=24 len2=250
Jan 12 15:35:05 mail dovecot: auth: Error: NTLMSSP Sign/Seal - Initialising with flags:
Jan 12 15:35:05 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088205
Jan 12 15:35:05 mail dovecot: imap-login: Login: user=<mark@hprs>, method=NTLM, rip=192.168.0.100, lip=192.168.0.2, mpid=1300, session=<f70EcXoM7QDAqABk>
Jan 12 15:35:05 mail dovecot: imap(mark@hprs): Error: user mark@hprs: Initialization failed: Initializing mail storage from mail_location setting failed: Home directory not set for user. Can't expand ~/ for mail root dir in: ~/Maildir
Jan 12 15:35:05 mail dovecot: imap(mark@hprs): Error: Invalid user settings. Refer to server log for more information.

So, I'm getting "Home directory not set for user", but I think it is. My doveconf -n is:
> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_mechanisms = ntlm
auth_use_winbind = yes
first_valid_uid = 150
mail_gid = dovecot
mail_location = maildir:~/Maildir
mail_uid = dovecot
protocols = imap
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  driver = static
}

which does show the mail_location, but I suppose not the HOME directory. But `wbinfo -I mark` gives the home directory and it is also configured in /etc/passwd. Hmmm ... maybe I need a different userdb?

Author Comment

by:jmarkfoley
ID: 40545328
Changed my userdb to "userdb { driver = passwd }". Got error:
Jan 12 15:52:43 mail dovecot: imap: Error: Authenticated user not found from userdb, auth lookup id=351141889 (client-pid=4730 client-id=1)

Yet the user is in /etc/passwd.

Ok, I'm out of ideas.

Final doveconf -n:
> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_mechanisms = ntlm
auth_use_winbind = yes
first_valid_uid = 150
mail_gid = dovecot
mail_location = maildir:~/Maildir
mail_uid = dovecot
protocols = imap
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  driver = passwd
}

Expert Comment

by:gheist
ID: 40545397
User must be logged in to the domain. In particular, mark is logged in locally to hplaptop.

Expert Comment

by:arnold
ID: 40545447
Try changing the auth order, ntlm plain and allow plain login.

Actually in your 3:36 pm post it worked, but failed because of the home dir interpretation.

Jan 12 15:35:05 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088207
Jan 12 15:35:05 mail dovecot: auth: Error: Got user=[mark] domain=[hprs.local] workstation=[HPLAPTOP] len1=24 len2=250
Jan 12 15:35:05 mail dovecot: auth: Error: NTLMSSP Sign/Seal - Initialising with flags:
Jan 12 15:35:05 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088205
Jan 12 15:35:05 mail dovecot: imap-login: Login: user=<mark@hprs>, method=NTLM, rip=192.168.0.100, lip=192.168.0.2, mpid=1296, session=<twCdb3oM6gDAqABk>
Jan 12 15:35:05 mail dovecot: imap(mark@hprs): Error: user mark@hprs: Initialization failed: Initializing mail storage from mail_location setting failed: Home directory not set for user. Can't expand ~/ for mail root dir in: ~/Maildir
Jan 12 15:35:05 mail dovecot: imap(mark@hprs): Error: Invalid user settings. Refer to server log for more information.
Jan 12 15:35:05 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088207

This is the log from the following post: http://www.experts-exchange.com/OS/Linux/Q_28593992.html#a40545312

Your LDAP response told us /home/mark

try in dovecot.conf to make it more verbose and debug

auth_verbose = yes
auth_verbose_passwords = plain
debug_log_path = /var/log/Dovecot/dovecot_debug.log

I think the ~/Maildir for mark is /home/hprs/mark, which does not exist, or is /domainusers a shortcut (symbolic link) to /home/hprs or vice versa?

Update the home dir in Samba4/ldap to /domainusers/mark and see if that makes a difference,
or you can do ln -s /domainusers /home/hprs (the hprs renamed to hprs.orig)

and see if that works.

Author Comment

by:jmarkfoley
ID: 40545584
geist:
User must be logged in to the domain. In particular, mark is logged in locally to hplaptop.
Don't follow you. HPLAPTOP is a WIN7 Domain computer from which Outlook is being run. These messages are all a result of Outlook trying to connect. mark is not logged in locally if by "locally" you mean logged into the Linux DC/AD.

Arnold:
Your LDAP response told us /home/mark
I'm not seeing this anywhere.

Arnold:
I think the ~/Maildir for mark is /home/hprs/mark, which does not exist, or is /domainusers a shortcut (symbolic link) to /home/hprs or vice versa?
Yes, /home/HPRS/mark does exist, but /home/hprs/mark does not.
$ ls -lr /home
drwxr-xr-x 3 root   root  4096 2015-01-12 13:20 HPRS/

I got the uppercase version from `wbinfo -I mark`:
$ wbinfo -I mark
HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/false

Try changing the auth order, ntlm plain and allow plain login.
Can't do that. plain and login require a passdb and I don't have a passdb. See http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm: "Dovecot employs winbind internally, so we don’t need to specify any password database"

Update the home dir in Samba4/ldap  ...
Not using auth-ldap.conf.ext - using ntlm. Exclusive?

I've added the debug log info and made the /home/hprs/ folder name lowercase. /var/log/maillog has more stuff:
Jan 12 17:39:13 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088207
Jan 12 17:39:13 mail dovecot: auth: Error: Got user=[mark] domain=[HPRS] workstation=[HPLAPTOP] len1=24 len2=250
Jan 12 17:39:13 mail dovecot: auth: Error: NTLMSSP Sign/Seal - Initialising with flags:
Jan 12 17:39:13 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088205
Jan 12 17:39:13 mail dovecot: auth-worker(29805): Panic: file auth-request.c: line 2151 (get_log_prefix): assertion failed: (auth_request->passdb != NULL)
Jan 12 17:39:13 mail dovecot: auth-worker(29805): Error: Raw backtrace: /usr/local/lib/dovecot/libdovecot.so.0(+0x70cb0) [0x7f47bd2bccb0] -> /usr/local/lib/dovecot/libdovecot.so.0(+0x70d8e) [0x7f47bd2bcd8e] -> /usr/local/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7f47bd2706f5] -> dovecot/auth() [0x41133a] -> dovecot/auth(auth_request_log_unknown_user+0x6b) [0x4132db] -> dovecot/auth() [0x42617d] -> dovecot/auth() [0x418e0d] -> /usr/local/lib/dovecot/libdovecot.so.0(io_loop_call_io+0x4c) [0x7f47bd2ce20c] -> /usr/local/lib/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xbb) [0x7f47bd2cf14b] -> /usr/local/lib/dovecot/libdovecot.so.0(io_loop_handler_run+0x9) [0x7f47bd2ce279] -> /usr/local/lib/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f47bd2ce2f8] -> /usr/local/lib/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f47bd275953] -> dovecot/auth(main+0x2db) [0x40c6fb] -> /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f47bc611d85] -> dovecot/auth() [0x40c925]
Jan 12 17:39:13 mail dovecot: auth: Error: auth worker: Aborted USER request for mark@hprs: Worker process died unexpectedly
Jan 12 17:39:13 mail dovecot: auth-worker(29805): Fatal: master: service(auth-worker): child 29805 killed with signal 6 (core dumps disabled)
Jan 12 17:39:13 mail dovecot: imap: Error: Internal auth failure (client-pid=29806 client-id=1)
Jan 12 17:39:13 mail dovecot: imap-login: Internal login failure (pid=29806 id=1) (internal failure, 1 successful auths): user=<mark@hprs>, method=NTLM, rip=192.168.0.100, lip=192.168.0.2, mpid=29807, session=<ms/wLHwMMwDAqABk>

/var/log/Dovecot/dovecot_debug.log was created but is empty. Probably extra stuff went into /var/log/maillog.

Should I really have to fill in password and domain on an AD authentication?

Expert Comment

by:arnold
ID: 40545656
Look at the initial log in the comment http:#a40545312

The first five lines indicate the NTLM login was successful, but an issue with resolving the mail_location home is the cause of failure.

Is there a Maildir in /home/HPRS/mark?
Why the split?

The wbinfo -I mark?
Sendmail is storing the emails in /domainusers/mark/Maildir

Why the different set/location?

Author Comment

by:jmarkfoley
ID: 40545737
Arnold:
The first five lines indicate the NTLM login was successful, but an issue with resolving the mail_location home is the cause of failure.
Yes, exactly. The question is why it can't find home.
Is there a Maildir in /home/HPRS/mark?
yes:
$ ls -ln /home/hprs/mark/
total 4
drwx------ 5 3000026 100 4096 2015-01-09 02:31 Maildir/

Note that "hprs" is currently lowercase because I've been experimenting.
The wbinfo -I mark?
$ wbinfo -i mark
HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/false

Note that this output is the reason I tried "HPRS" uppercase.
Sendmail is storing the emails in /domainusers/mark/Maildir
No, it's not. I did have it that way in the previous question, but I've changed this based on the output from wbinfo. I want everything to point to the same place.

Expert Comment

by:arnold
ID: 40545766
Does the Maildir in /home/HPRS/mark have new, cur and tmp subfolders? Based on 5, it seems there are.

Is mark the account that exists in both passwd and samba4/ldap?

Either that, or Dovecot can not determine the meaning of ~/Maildir

Let me see if I can find a way to have the homedir output in the debug to see whether .............

Expert Comment

by:arnold
ID: 40545770
Have not found the item I am looking for, but here are the logging settings/options.

http://wiki2.dovecot.org/Logging

Expert Comment

by:arnold
ID: 40545781
Re-looked at the original message; the issue reported says Dovecot could not interpret the meaning of ~/

Look within /etc/samba/smb.conf do you set homedir here?

Also revert your dovecot configuration settings back to the Jan 12 15:09:54 ones,
as that setting worked for auth, leaving resolving the path to where the Maildir is for Dovecot.

Expert Comment

by:arnold
ID: 40545797
Try mail_location = maildir:/domainusers/%u/Maildir

Let's see if NTLM works again, what %u will be set to if it does not work.

I still think uniformity with sendmail/procmail, Dovecot and samba to have them pointing to the same start point

Author Comment

by:jmarkfoley
ID: 40545818
Does the Maildir in /home/HPRS/mark have new, cur and tmp subfolders? Based on 5, it seems there are.
No, they are unchanged (by me) since we succeeded in the plain text/shadow lookup a few days ago. I've merely moved the folders from /domainusers/mark/Maildir to /home/hprs/mark/Maildir. However, to verify smtp and sendmail, I've just sent another message from the outside:
$ ls -l /home/hprs/mark/Maildir/new
total 8
-rw------- 1 mark users  675 2015-01-09 16:15 1420838136.11843_0.mail
-rw------- 1 mark users 1873 2015-01-12 20:17 1421111872.18221_0.mail

Is mark the account that exists in both passwd and samba4/ldap?
Yes:
$ grep mark /etc/passwd
mark:x:3000026:100:Mark Foley:/home/hprs/mark:/bin/bash

$ samba-tool user list
ldb_wrap open of secrets.ldb
Administrator
mark   <--
dns-mail
JohnDoe
krbtgt
Guest

Re-looked at the original message; the issue reported says Dovecot could not interpret the meaning of ~/

 Look within /etc/samba/smb.conf do you set homedir here?
No. Here is my smb.conf
[global]
        workgroup = HPRS
        realm = hprs.local
        netbios name = MAIL
        interfaces = lo, eth1
        bind interfaces only = Yes
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

    winbind use default domain = yes

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

   log level = 3 passdb:5 auth:10 winbind:2
   max log size = 5000

[netlogon]
        path = /var/lib/samba/sysvol/hprs.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[Users]
    path = /redirectedFolders/Users
    comment = user folders for redirection
    read only = No

Also revert your dovecot configuration settings back to the Jan 12 15:09:54 ones,
as that setting worked for auth, leaving resolving the path to where the Maildir is for Dovecot.
OK, we can try going back to that, but first I'll try your next suggestion posted while I was writing this.

Author Comment

by:jmarkfoley
ID: 40545828
Try mail_location = maildir:/domainusers/%u/Maildir
No, no, /domainusers is *GONE*. I now point everything, including sendmail, /etc/passwd, etc. to /home/hprs/<user>/Maildir. I've set:
mail_location = maildir:/home/hprs/%u/Maildir

I still think uniformity with sendmail/procmail, Dovecot and samba to have them pointing to the same start point
Yes, they are uniform. Really. I know, it's tough to keep track with all these messages!

Here's the log with the new mail_location. First, initial start of Outlook before entering PW and domain:
Jan 12 20:37:02 mail dovecot: auth: Error: GENSEC backend 'gssapi_spnego' registered
Jan 12 20:37:02 mail dovecot: auth: Error: GENSEC backend 'gssapi_krb5' registered
Jan 12 20:37:02 mail dovecot: auth: Error: GENSEC backend 'gssapi_krb5_sasl' registered
Jan 12 20:37:02 mail dovecot: auth: Error: GENSEC backend 'sasl-DIGEST-MD5' registered
Jan 12 20:37:02 mail dovecot: auth: Error: GENSEC backend 'schannel' registered
Jan 12 20:37:02 mail dovecot: auth: Error: GENSEC backend 'spnego' registered
Jan 12 20:37:02 mail dovecot: auth: Error: GENSEC backend 'ntlmssp' registered
Jan 12 20:37:02 mail dovecot: auth: Error: GENSEC backend 'krb5' registered
Jan 12 20:37:02 mail dovecot: auth: Error: GENSEC backend 'fake_gssapi_krb5' registered
Jan 12 20:37:02 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088207
Jan 12 20:37:02 mail dovecot: auth: Error: Got user=[mark] domain=[] workstation=[HPLAPTOP] len1=24 len2=250
Jan 12 20:37:02 mail dovecot: auth: Error: GENSEC login failed: NT_STATUS_LOGON_FAILURE
Jan 12 20:37:02 mail dovecot: auth: ntlm(?,192.168.0.100,<Tt/qqH4MiADAqABk>): user not authenticated: NT_STATUS_LOGON_FAILURE
Jan 12 20:37:07 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088207
Jan 12 20:37:07 mail dovecot: auth: Error: Got user=[mark] domain=[] workstation=[HPLAPTOP] len1=24 len2=250
Jan 12 20:37:07 mail dovecot: auth: Error: GENSEC login failed: NT_STATUS_LOGON_FAILURE
Jan 12 20:37:07 mail dovecot: auth: ntlm(?,192.168.0.100,<fo/6qH4MiQDAqABk>): user not authenticated: NT_STATUS_LOGON_FAILURE

Now, extra verbosity after entering PW and domain into Outlook dialog:
Jan 12 20:37:31 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088207
Jan 12 20:37:31 mail dovecot: auth: Error: Got user=[mark] domain=[hprs.local] workstation=[HPLAPTOP] len1=24 len2=250
Jan 12 20:37:31 mail dovecot: auth: Error: NTLMSSP Sign/Seal - Initialising with flags:
Jan 12 20:37:31 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088205
Jan 12 20:37:31 mail dovecot: auth-worker(25929): Panic: file auth-request.c: line 2151 (get_log_prefix): assertion failed: (auth_request->passdb != NULL)
Jan 12 20:37:31 mail dovecot: auth-worker(25929): Error: Raw backtrace: /usr/local/lib/dovecot/libdovecot.so.0(+0x70cb0) [0x7f96699e9cb0] -> /usr/local/lib/dovecot/libdovecot.so.0(+0x70d8e) [0x7f96699e9d8e] -> /usr/local/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7f966999d6f5] -> dovecot/auth() [0x41133a] -> dovecot/auth(auth_request_log_unknown_user+0x6b) [0x4132db] -> dovecot/auth() [0x42617d] -> dovecot/auth() [0x418e0d] -> /usr/local/lib/dovecot/libdovecot.so.0(io_loop_call_io+0x4c) [0x7f96699fb20c] -> /usr/local/lib/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xbb) [0x7f96699fc14b] -> /usr/local/lib/dovecot/libdovecot.so.0(io_loop_handler_run+0x9) [0x7f96699fb279] -> /usr/local/lib/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f96699fb2f8] -> /usr/local/lib/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f96699a2953] -> dovecot/auth(main+0x2db) [0x40c6fb] -> /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f9668d3ed85] -> dovecot/auth() [0x40c925]
Jan 12 20:37:31 mail dovecot: auth: Error: auth worker: Aborted USER request for mark@hprs: Worker process died unexpectedly
Jan 12 20:37:31 mail dovecot: imap: Error: Internal auth failure (client-pid=25927 client-id=2)
Jan 12 20:37:31 mail dovecot: imap-login: Internal login failure (pid=25927 id=2) (internal failure, 1 successful auths): user=<mark@hprs>, method=NTLM, rip=192.168.0.100, lip=192.168.0.2, mpid=25928, session=<fo/6qH4MiQDAqABk>
Jan 12 20:37:31 mail dovecot: auth-worker(25929): Fatal: master: service(auth-worker): child 25929 killed with signal 6 (core dumps disabled)
Jan 12 20:37:31 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088207
Jan 12 20:37:31 mail dovecot: auth: Error: Got user=[mark] domain=[HPRS] workstation=[HPLAPTOP] len1=24 len2=250
Jan 12 20:37:31 mail dovecot: auth: Error: NTLMSSP Sign/Seal - Initialising with flags:
Jan 12 20:37:31 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088205
Jan 12 20:37:31 mail dovecot: auth-worker(25930): Panic: file auth-request.c: line 2151 (get_log_prefix): assertion failed: (auth_request->passdb != NULL)
Jan 12 20:37:31 mail dovecot: auth-worker(25930): Error: Raw backtrace: /usr/local/lib/dovecot/libdovecot.so.0(+0x70cb0) [0x7ff8d1956cb0] -> /usr/local/lib/dovecot/libdovecot.so.0(+0x70d8e) [0x7ff8d1956d8e] -> /usr/local/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7ff8d190a6f5] -> dovecot/auth() [0x41133a] -> dovecot/auth(auth_request_log_unknown_user+0x6b) [0x4132db] -> dovecot/auth() [0x42617d] -> dovecot/auth() [0x418e0d] -> /usr/local/lib/dovecot/libdovecot.so.0(io_loop_call_io+0x4c) [0x7ff8d196820c] -> /usr/local/lib/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xbb) [0x7ff8d196914b] -> /usr/local/lib/dovecot/libdovecot.so.0(io_loop_handler_run+0x9) [0x7ff8d1968279] -> /usr/local/lib/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7ff8d19682f8] -> /usr/local/lib/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7ff8d190f953] -> dovecot/auth(main+0x2db) [0x40c6fb] -> /lib64/libc.so.6(__libc_start_main+0xf5) [0x7ff8d0cabd85] -> dovecot/auth() [0x40c925]
Jan 12 20:37:31 mail dovecot: auth: Error: auth worker: Aborted USER request for mark@hprs: Worker process died unexpectedly
Jan 12 20:37:31 mail dovecot: imap: Error: Internal auth failure (client-pid=25931 client-id=1)
Jan 12 20:37:31 mail dovecot: imap-login: Internal login failure (pid=25931 id=1) (internal failure, 1 successful auths): user=<mark@hprs>, method=NTLM, rip=192.168.0.100, lip=192.168.0.2, mpid=25932, session=<ISWaqn4MigDAqABk>
Jan 12 20:37:31 mail dovecot: auth-worker(25930): Fatal: master: service(auth-worker): child 25930 killed with signal 6 (core dumps disabled)
Jan 12 20:37:31 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088207
Jan 12 20:37:31 mail dovecot: auth: Error: Got user=[mark] domain=[HPRS] workstation=[HPLAPTOP] len1=24 len2=250
Jan 12 20:37:31 mail dovecot: auth: Error: NTLMSSP Sign/Seal - Initialising with flags:
Jan 12 20:37:31 mail dovecot: auth: Error: Got NTLMSSP neg_flags=0xa2088205
Jan 12 20:37:31 mail dovecot: auth-worker(25933): Panic: file auth-request.c: line 2151 (get_log_prefix): assertion failed: (auth_request->passdb != NULL)
Jan 12 20:37:31 mail dovecot: auth-worker(25933): Error: Raw backtrace: /usr/local/lib/dovecot/libdovecot.so.0(+0x70cb0) [0x7ff5ed922cb0] -> /usr/local/lib/dovecot/libdovecot.so.0(+0x70d8e) [0x7ff5ed922d8e] -> /usr/local/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7ff5ed8d66f5] -> dovecot/auth() [0x41133a] -> dovecot/auth(auth_request_log_unknown_user+0x6b) [0x4132db] -> dovecot/auth() [0x42617d] -> dovecot/auth() [0x418e0d] -> /usr/local/lib/dovecot/libdovecot.so.0(io_loop_call_io+0x4c) [0x7ff5ed93420c] -> /usr/local/lib/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xbb) [0x7ff5ed93514b] -> /usr/local/lib/dovecot/libdovecot.so.0(io_loop_handler_run+0x9) [0x7ff5ed934279] -> /usr/local/lib/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7ff5ed9342f8] -> /usr/local/lib/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7ff5ed8db953] -> dovecot/auth(main+0x2db) [0x40c6fb] -> /lib64/libc.so.6(__libc_start_main+0xf5) [0x7ff5ecc77d85] -> dovecot/auth() [0x40c925]
Jan 12 20:37:31 mail dovecot: auth: Error: auth worker: Aborted USER request for mark@hprs: Worker process died unexpectedly
Jan 12 20:37:31 mail dovecot: imap: Error: Internal auth failure (client-pid=25934 client-id=1)
Jan 12 20:37:31 mail dovecot: auth-worker(25933): Fatal: master: service(auth-worker): child 25933 killed with signal 6 (core dumps disabled)
Jan 12 20:37:31 mail dovecot: imap-login: Internal login failure (pid=25934 id=1) (internal failure, 1 successful auths): user=<mark@hprs>, method=NTLM, rip=192.168.0.100, lip=192.168.0.2, mpid=25935, session=<fWGaqn4MiwDAqABk>

Sheesh, there's only 16 lines +/- to doveconf, you'd think the proverbial Shakespearian monkey-typist would have by-chance happened upon the right combination by now!

Line 5 mentions panicking about passdb, of which I have none. A clue?

Expert Comment

by:arnold
ID: 40545879
Auth setting, NTLM, plain
Plain text allow
Outlook should be set to use NTLM.
No point testing with username/password as we know it works.
The other issue deals with your use of a username that exists in two places. Passwd and samba/ldap.


Not sure what your current Dovecot.conf is but it is not matching to the one that existed jan 12 15:09:54.
If need be return the userdb reference.

Presumably you have /home/HPRS pointed to by /home/HPRS or vice versa.
Hopefully, we can get to that stage.

Making one change/adjustment at a time.

Referring to the logs both messages/syslog and any other of the logging recommendations as well as the debug log.
Combining data from all these sources may/should lead to a resolution.

Expert Comment

by:arnold
ID: 40545885
Try using %H/Maildir after you get the same error as received on Jan 12 15:09:54. %H is supposed to be set as the homedir by samba matching.

Failed to interpret ~/ or it gets a deny error on access to /home/HPRS/%u/Maildir
I.e. %u comes back as HPRS\mark .......

Author Comment

by:jmarkfoley
ID: 40545982
Not sure what your current Dovecot.conf is but it is not matching to the one that existed jan 12 15:09:54.
Actually, they are basically the same. The 1st listing is the same -- that's the initial connection attempt, before Outlook displays the login prompt. The difference in the more recent output, after entering login information, is the extra debugging turned on.

Here's what I'm going to do. I've been doing some more reading on Outlook and I think the first thing to do is upgrade my Outlook to a newer version. The version installed has web comments about modifying registry settings for ntlm and other scary stuff. So, I'll upgrade that tomorrow and resume. That would simultaneously suck and be sweet if this is all about Outlook versions.

I'll be back ...

Expert Comment

by:arnold
ID: 40545996
The Jan 12 15:09:54 log reflects an NTLM authentication that was successful, but the failure occurred in Dovecot not being able to interpret the Maildir location ~/

Account setup using, exchange type.

I would advise against upgrading unless you have two systems. In the date I keep repeating, you were nearly there I think, but the flurry of activity was too fast to notice the different notice pointing to ..........

The upgrade starts the process anew for working with the new client .........

Author Comment

by:jmarkfoley
ID: 40546012
Actually, I got it working ... sort of. I noticed the error:
Jan 13 00:36:42 mail dovecot: imap(mark@hprs): Error: user mark@hprs: Initialization failed: Initializing mail storage from mail_location setting failed: mkdir(/home/hprs/mark@hprs/Maildir) failed: Permission denied (euid=151(dovecot) egid=100(users) missing +w perm: /home/hprs, dir owned by 0:0 mode=0755)

It was looking for /home/hprs/mark@hprs/Maildir. So, I made the following config changes:
mail_location = maildir:/home/hprs/%n/Maildir
userdb {
  args = gid=151 home=/home/hprs/%n
  driver = static
}

basically replacing the %u with %n (username only). Then I got the errors:
Jan 13 00:40:44 mail dovecot: imap(mark@hprs): Error: stat(/home/hprs/mark/Maildir/tmp) failed: Permission denied (euid=151(dovecot) egid=100(users) missing +x perm: /home/hprs/mark/Maildir, dir owned by 3000026:100 mode=0700)
Jan 13 00:40:44 mail dovecot: imap(mark@hprs): Error: opendir(/home/hprs/mark/Maildir) failed: Permission denied (euid=151(dovecot) egid=100(users) missing +r perm: /home/hprs/mark/Maildir, dir owned by 3000026:100 mode=0755)

So, the dovecot process uid 151 did not have permission to list or read files in this folder and presumably could not write either. So I changed group ownership of all /home/hprs/* files to 151 and set group +rw on all files and group +s on all folders.

I was then able to get mail. I haven't quite figured out why I didn't have these permission problems the other day with plain/login mechanism. I'll sleep on it.

Still problems though ...

For one thing, I still have to log on with an Outlook dialog each time I start Outlook. In fact, I have to enter the login dialog twice. Perhaps that will get fixed with an Outlook upgrade?

For another, the mail ends up in "Inbox in mail.hprs.local", not in plain 'ole "Inbox" like it did the other day, and like it does on the regular Outlook/Exchange mail boxes. (see attached image) You will notice the new message (Subject *should be* "test to /home/hprs/mail/Maildir"), which I sent a few hours ago.

BUT ... maybe it is now a matter of tweaking? We'll see if the updated Outlook makes any difference. If not, I'm getting to the point that I might try some other method (LDAP or SSL), or revert back to PLAIN / login like the other day and tell the users "too bad, you have a separate mail login!"
outlookmbox.jpg
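
The %u versus %n expansion and the permission errors in this post, as an added example (not code from the thread or from Dovecot): it expands a mail_location template the way Dovecot's %u, %n, %d, %h and ~ variables resolve for a login like mark@hprs, and reports which permission bit a process running as the dovecot euid/egid lacks on a directory with a given owner and mode. The wbinfo line, the euid/egid and the directory modes are the values quoted in this thread; the access check models only the owner / primary-group / other bits (no supplementary groups), which is an assumption.

```python
"""Expand Dovecot mail_location variables and explain a permission denial.

Added example, not code from the thread or from Dovecot. Values below are
the ones quoted in the thread; the access check ignores supplementary
groups, which is a simplification.
"""
import os

# Constructed copy of the passwd-style line `wbinfo -i mark` printed above.
WBINFO_LINE = "HPRS\\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/false"

# uid/gid the Dovecot imap process ran as in the logged errors.
DOVECOT_EUID = 151
DOVECOT_EGID = 100


def parse_passwd_line(line):
    """Split a passwd(5)-format line (as wbinfo -i prints it) into a dict."""
    name, _pw, uid, gid, gecos, home, shell = line.rstrip("\n").split(":", 6)
    return {"name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def expand_mail_location(template, login, home=None):
    """Expand %u (full login), %n (user part), %d (domain part), %h and a
    leading ~ (home) in a value such as 'maildir:~/Maildir'.

    Returns (driver, path). Raises ValueError when the template needs a
    home directory and none is known: the 'Home directory not set for
    user. Can't expand ~/' failure from the thread's logs.
    """
    user, _, domain = login.partition("@")
    driver, _, path = template.partition(":")
    if ("%h" in path or path.startswith("~")) and not home:
        raise ValueError("Home directory not set for user. "
                         "Can't expand ~/ for mail root dir in: " + path)
    for var, value in (("%u", login), ("%n", user), ("%d", domain),
                       ("%h", home or "")):
        path = path.replace(var, value)
    if path.startswith("~"):
        path = home + path[1:]
    return driver, path


def missing_perm(mode, owner_uid, owner_gid, euid, egid, want):
    """Return the first wanted bit ('r', 'w', 'x') that a process with
    euid/egid lacks on an object with this permission mode and owner, or
    None if all wanted bits are granted. euid 0 is unrestricted."""
    if euid == 0:
        return None
    if euid == owner_uid:
        shift = 6          # owner triplet
    elif egid == owner_gid:
        shift = 3          # group triplet (primary gid only: assumption)
    else:
        shift = 0          # other triplet
    bits = {"r": 4, "w": 2, "x": 1}
    for perm in want:
        if not (mode >> shift) & bits[perm]:
            return perm
    return None


def describe_denial(path, mode, owner_uid, owner_gid, euid, egid, want):
    """Format a denial like Dovecot's log lines above, or None if allowed."""
    perm = missing_perm(mode, owner_uid, owner_gid, euid, egid, want)
    if perm is None:
        return None
    return ("Permission denied (euid=%d egid=%d missing +%s perm: %s, "
            "dir owned by %d:%d mode=0%o)"
            % (euid, egid, perm, path, owner_uid, owner_gid, mode))


def check_real_dir(path, euid, egid, want):
    """Same check against a directory present on this host (uses os.stat)."""
    st = os.stat(path)
    return describe_denial(path, st.st_mode & 0o777, st.st_uid, st.st_gid,
                           euid, egid, want)


if __name__ == "__main__":
    acct = parse_passwd_line(WBINFO_LINE)
    # %u keeps the domain part, which is why Dovecot tried to create
    # /home/hprs/mark@hprs/Maildir; %n drops it.
    for tmpl in ("maildir:/home/hprs/%u/Maildir",
                 "maildir:/home/hprs/%n/Maildir", "maildir:~/Maildir"):
        print(tmpl, "->", expand_mail_location(tmpl, "mark@hprs", acct["home"]))
    # mkdir under a root-owned 0755 /home/hprs needs +w on it as 151:100.
    print(describe_denial("/home/hprs", 0o755, 0, 0,
                          DOVECOT_EUID, DOVECOT_EGID, "wx"))
    # stat() inside a 0700 Maildir owned by 3000026:100 needs +x as 151:100.
    print(describe_denial("/home/hprs/mark/Maildir", 0o700, acct["uid"],
                          acct["gid"], DOVECOT_EUID, DOVECOT_EGID, "x"))
```

Run it with the path and uid/gid from a denial message to see which triplet of the mode bits the Dovecot process is falling into before changing ownership or modes.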

Accepted Solution

by:
arnold earned 450 total points
ID: 40546035
The issue with permission when dir stat deals with Dovecot not getting the UID/gid set based on the wbinfo -i mark parameters.

The use of userdb and static might be what causes it.
Another option is to remove the reference to gid=151 to see what the impact is, if any.

Does commenting out the userdb entirely after the prior attempt make any difference?

http://wiki2.dovecot.org/UserDatabase

Author Comment

by:jmarkfoley
ID: 40548210
The use of userdb and static might be what causes it.
Another option is to remove the reference to gid=151 to see what the impact is, if any.
OK, I'm taking your suggestions to heart. I've now installed Outlook 2007 on the domain workstation. I've removed the folders /domainusers and /home/hprs from the domain controller and removed mark from /etc/passwd. There is now no userdb, no static db's, no preconfigured mail folders. no mail for mark.

I think it's time for a fresh start, so I've created a new question: http://www.experts-exchange.com/OS/Linux/Q_28596234.html

I'll close this one and we can continue dealing with this ntlm method.

Author Closing Comment

by:jmarkfoley
ID: 40548214
Thanks for sticking with this. Even though geist has dropped off I'm giving him a few points for his excellent and revealing suggestion with wbinfo.

Expert Comment

by:arnold
ID: 40548216
Dovecot can not create directories beyond one level.

You should have /home/HPRS and a symbolic link for /home/hprs pointing to  HPRS.

I'll follow to the next question to see where your fresh start begins.