From: Kaya Saman
To: freebsd-questions
Date: Fri, 22 Jun 2012 09:44:27 +0100
Subject: Could someone help me with Dovecot AD integration PAM setup?

Hi,

I'm trying to authenticate Dovecot to Active Directory using the SAMBA/Winbind method, and so far everything in my setup seems to be working apart from the Dovecot authentication, which I believe I have traced to PAM.

I can log in using an AD account using: wbinfo -K

# wbinfo -K
Enter 's password:
plaintext kerberos password authentication for [] succeeded (requesting cctype: FILE)

This is the current Dovecot config:

# cat dovecot.conf
# v1.1:
#auth_ntlm_use_winbind = yes
# v1.2+:
auth_use_winbind = yes
auth_winbind_helper_path = /usr/local/bin/ntlm_auth

protocols = imap

# It's nice to have separate log files for Dovecot. You could do this
# by changing syslog configuration also, but this is easier.
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log

# Disable SSL for now.
ssl = no
disable_plaintext_auth = no

# We're using Maildir format
#mail_location = maildir:~/Maildir
mail_location = mbox:/mail:INBOX=/mail/%u

# If you're using POP3, you'll need this:
#pop3_uidl_format = %g

# Authentication configuration:
auth_verbose = yes
auth_debug = yes
auth_username_format = %n
auth_mechanisms = plain ntlm login

userdb {
  driver = static
  args = uid=501 gid=501 home=/mail/%u
  driver = static
}

passdb {
  driver = pam
}

Here is a "test" login attempt:

# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=NTLM AUTH=LOGIN] Dovecot ready.
a login
a NO [AUTHENTICATIONFAILED] Authentication failed.
b logout
* BYE Logging out
b OK Logout completed.

- of course the proper credentials were put in.....

Here are the details of pam.d/imap:

# cat imap
#
# $FreeBSD: src/etc/pam.d/imap,v 1.7.10.1.6.1 2010/12/21 17:09:25 kensmith Exp $
#
# PAM configuration for the "imap" service
#

# auth
auth sufficient pam_winbind.so no_warn try_first_pass debug
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
#account required pam_nologin.so
account required pam_unix.so
#account required pam_winbind.so

I also attempted a change in pam.d/system:

# cat system
#
# $FreeBSD: src/etc/pam.d/system,v 1.1.32.1.6.1 2010/12/21 17:09:25 kensmith Exp $
#
# System-wide defaults
#

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok

# account
account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so

# session
#session optional pam_ssh.so
session required pam_lastlog.so no_fail

# password
password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass

Which don't let me log in to the Dovecot service :-(

The dovecot.log file shows this:

Jun 20 11:30:40 master: Warning: Killed with signal 15 (by pid=4149 uid=0 code=kill)
Jun 20 11:30:48 auth: Fatal: No passdbs specified in configuration file. LOGIN mechanism needs one
Jun 20 11:30:48 master: Error: service(auth): command startup failed, throttling for 2 secs
Jun 20 11:30:59 master: Warning: Killed with signal 15 (by pid=4182 uid=0 code=kill)
Jun 20 11:31:13 auth: Fatal: No passdbs specified in configuration file. LOGIN mechanism needs one
Jun 20 11:31:13 master: Error: service(auth): command startup failed, throttling for 2 secs
Jun 20 11:32:38 master: Warning: Killed with signal 15 (by pid=4245 uid=0 code=kill)
Jun 20 11:32:58 imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=4265, EOF)
Jun 20 11:32:58 auth: Fatal: master: service(auth): child 4266 killed with signal 11 (core not dumped - set service auth { drop_priv_before_exec=yes })
Jun 20 11:46:21 master: Warning: Killed with signal 15 (by pid=4318 uid=0 code=kill)
Jun 20 11:46:42 auth-worker(4340): Error: pam(,127.0.0.1): pam_authenticate() failed: authentication error (/etc/pam.d/dovecot missing?)
Jun 20 11:46:55 auth: Error: Got NTLMSSP neg_flags=0xa2088207
Jun 20 11:46:55 auth: Error: Got user=[] domain=[] workstation=[WKS-42] len1=24 len2=270
Jun 20 11:46:55 auth: Error: Login for user []\[]@[WKS-42] failed due to [Reading winbind reply failed!]
Jun 20 11:49:47 master: Warning: Killed with signal 15 (by pid=4400 uid=0 code=kill)
Jun 20 11:49:53 auth: Fatal: passdb imap: Missing host parameter
Jun 20 11:49:53 master: Error: service(auth): command startup failed, throttling for 2 secs
Jun 20 11:50:10 master: Warning: Killed with signal 15 (by pid=4439 uid=0 code=kill)
Jun 20 11:50:22 auth-worker(4461): Error: pam(,127.0.0.1): pam_authenticate() failed: authentication error (/etc/pam.d/dovecot missing?)
Jun 20 11:51:19 master: Warning: Killed with signal 15 (by pid=4479 uid=0 code=kill)
Jun 20 11:52:14 master: Warning: Killed with signal 15 (by pid=4647 uid=0 code=kill)
Jun 20 12:26:12 master: Warning: Killed with signal 15 (by pid=1349 uid=0 code=kill)
Jun 20 12:26:32 auth-worker(1371): Error: pam(,127.0.0.1): pam_authenticate() failed: authentication error (/etc/pam.d/dovecot missing?)
Jun 20 12:40:20 master: Warning: Killed with signal 15 (by pid=1436 uid=0 code=kill)
Jun 20 12:40:39 auth-worker(1458): Error: pam(,127.0.0.1): pam_authenticate() failed: authentication error (/etc/pam.d/dovecot missing?)
Jun 20 13:06:03 master: Warning: Killed with signal 15 (by pid=1653 uid=0 code=kill)
Jun 20 13:07:37 auth-worker(1222): Error: pam(,127.0.0.1): pam_authenticate() failed: authentication error (/etc/pam.d/dovecot missing?)
Jun 20 15:05:11 master: Warning: Killed with signal 15 (by pid=91263 uid=0 code=kill)
Jun 22 10:02:03 master: Warning: Killed with signal 15 (by pid=38998 uid=0 code=kill)
Jun 22 10:04:08 auth-worker(1229): Error: pam(,127.0.0.1): pam_authenticate() failed: authentication error (/etc/pam.d/dovecot missing?)
Jun 22 10:10:47 master: Warning: Killed with signal 15 (by pid=1394 uid=0 code=kill)
Jun 22 10:12:36 auth-worker(1218): Error: pam(,127.0.0.1): pam_authenticate() failed: authentication error (/etc/pam.d/dovecot missing?)
Jun 22 10:20:57 auth-worker(1232): Error: pam(,127.0.0.1): pam_authenticate() failed: authentication error (/etc/pam.d/dovecot missing?)

Can anybody help me with this?

Regards,

Kaya
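
Added example, not part of the original message and not Dovecot's own code: a Python check of which PAM policy file each `passdb { driver = pam }` block resolves to, following the `/etc/pam.d/dovecot missing?` hint in the log above. It relies on Dovecot's documented behaviour that the PAM service name is `dovecot` unless `args` names one (`%s` expands to the protocol); the function names, the file listing and the search directory are constructed for illustration.

```python
import re

DEFAULT_SERVICE = "dovecot"  # service name Dovecot uses when args names none


def pam_services(conf_text):
    """Return the PAM service name(s) used by each pam passdb block."""
    # Strip comments so commented-out settings are ignored.
    text = "\n".join(ln.split("#", 1)[0].strip() for ln in conf_text.splitlines())
    m = re.search(r"^protocols\s*=\s*(.+)$", text, re.M)
    protocols = m.group(1).split() if m else []
    services = []
    for block in re.findall(r"passdb\s*\{(.*?)\}", text, re.S):
        settings = {}
        for ln in block.splitlines():
            if "=" in ln:
                key, value = ln.split("=", 1)
                settings[key.strip()] = value.strip()
        if settings.get("driver") != "pam":
            continue
        # key=value tokens are options (session=yes, cache_key=...);
        # a bare token is the service name.
        bare = [t for t in settings.get("args", "").split() if "=" not in t]
        name = bare[-1] if bare else DEFAULT_SERVICE
        services += protocols if name == "%s" else [name]
    return services


def policy_files(conf_text, existing_files, pam_dirs=("/etc/pam.d",)):
    """Map each service to the first policy file found for it, or None."""
    found = {}
    for svc in pam_services(conf_text):
        hits = [f"{d}/{svc}" for d in pam_dirs if f"{d}/{svc}" in existing_files]
        found[svc] = hits[0] if hits else None
    return found


# The relevant settings from the dovecot.conf in the post.
POSTED_CONF = """
protocols = imap
passdb {
  driver = pam
}
"""
# Constructed listing: the two policy files the post shows being edited.
EXISTING = {"/etc/pam.d/imap", "/etc/pam.d/system"}

if __name__ == "__main__":
    print(policy_files(POSTED_CONF, EXISTING))
    with_args = POSTED_CONF.replace("driver = pam", "driver = pam\n  args = imap")
    print(policy_files(with_args, EXISTING))
```

Pass every directory the local PAM implementation searches as `pam_dirs`; only `/etc/pam.d`, the one the log message names, is assumed here.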