From: Kaya Saman
To: freebsd-questions
Date: Wed, 23 May 2012 13:33:52 +0100
Subject: Integrating FreeBSD with MS Active Directory in order to be able to Authenticate Dovecot IMAP server

Hi,

I'm attempting to authenticate Dovecot to Active Directory; however, I'm failing quite badly.

So far I have gone through the FreeBSD handbook on Kerberos authentication:

http://www.freebsd.org/doc/handbook/kerberos5.html

Additionally I have been through the Dovecot config:

http://wiki2.dovecot.org/Authentication/Mechanisms/Winbind
http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm

I am running FreeBSD 8.2 x64 RELEASE edition with the Dovecot2 port installed, SAMBA 3.6, and the Heimdal version of Kerberos. I pulled the krb5.conf and smb.conf files from one of our production Linux boxes...

This is my dovecot.conf file:

# v1.1:
#auth_ntlm_use_winbind = yes
# v1.2+:
auth_use_winbind = yes
auth_winbind_helper_path = /usr/local/bin/ntlm_auth

protocols = imap

# It's nice to have separate log files for Dovecot. You could do this
# by changing syslog configuration also, but this is easier.
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log

# Disable SSL for now.
ssl = no
disable_plaintext_auth = no

# We're using Maildir format
#mail_location = maildir:~/Maildir
mail_location = mbox:/mail:INBOX=/mail/%u

# If you're using POP3, you'll need this:
#pop3_uidl_format = %g

# Authentication configuration:
auth_verbose = yes
auth_username_format = %n
#auth_mechanisms = plain
auth_mechanisms = plain ntlm login

#passdb {
#  driver = passwd-file
#  args = /usr/local/etc/dovecot/passwd
#}

#userdb {
#  driver = static
#  args = uid=root gid=root home=/root/
#  driver = static
#  args = uid=500 gid=500 home=/ZPOOL_1/%u
#}

#userdb static {
#  args= uid=501 gid=501 home=/mail/%1Ln/%Ln
#  mail=maildir:/mail/%d/%1Ln/%Ln:INBOX=/mail/%d/%1Ln/%Ln
#  allow_all_users=yes
#}

passdb {
  driver = static
}

userdb {
  driver = static
  args = uid=501 gid=501 home=/mail/%1Ln/%Ln
}

This is the krb5.conf file:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.COM = {
  kdc = :88
  kdc = :88
  admin_server = :749
  kdc = DC.DOMAIN.COM
 }

[domain_realm]
 domain.com = DOMAIN.COM
 .domain.com = DOMAIN.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

This is the smb.conf file:

[global]
#--authconfig--start-line--

# Generated by authconfig on 2011/04/11 15:41:02

# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = DOMAIN
password server = DC.DOMAIN.COM
realm = DOMAIN.COM
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind separator = +

#--authconfig--end-line--

preferred master = no
server string = FreeBSD IMAP Server
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
unix extensions = no
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind cache time = 5

Running the command klist does give an output; however, I am totally stuck as to why the Dovecot authentication isn't working...

This is the output from the dovecot.log:

May 20 13:16:32 auth: Error: could not obtain winbind domain name!
May 20 13:16:32 auth: Error: could not obtain winbind netbios name!
May 20 13:16:32 auth: Error: could not obtain winbind domain name!
May 20 13:16:42 auth: Fatal: master: service(auth): child 15253 killed with signal 11 (core not dumped - set service auth { drop_priv_before_exec=yes })
May 20 13:16:42 imap-login: Warning: Auth connection closed with 1 pending requests (max 8 secs, pid=15254, EOF)
May 20 13:16:51 auth: Error: Ignoring unknown parameter "use kerberos keytab"
May 20 13:16:51 auth: Error: could not obtain winbind domain name!
May 20 13:16:51 auth: Error: could not obtain winbind netbios name!
May 20 13:16:51 auth: Error: could not obtain winbind domain name!
May 20 13:17:08 auth: Fatal: master: service(auth): child 15256 killed with signal 11 (core not dumped - set service auth { drop_priv_before_exec=yes })
May 20 13:17:08 imap-login: Warning: Auth connection closed with 1 pending requests (max 15 secs, pid=15257, EOF)
May 23 12:18:31 imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=25437, EOF)
May 23 12:18:31 auth: Fatal: master: service(auth): child 25439 killed with signal 11 (core not dumped - set service auth { drop_priv_before_exec=yes })
May 23 12:19:00 imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=25437, EOF)
May 23 12:19:00 auth: Fatal: master: service(auth): child 25440 killed with signal 11 (core not dumped - set service auth { drop_priv_before_exec=yes })
May 23 12:37:16 master: Warning: Killed with signal 15 (by pid=25630 uid=0 code=kill)
May 23 13:37:41 imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=1231, EOF)
May 23 13:37:41 auth: Fatal: master: service(auth): child 1232 killed with signal 11 (core not dumped - set service auth { drop_priv_before_exec=yes })
May 23 13:38:12 imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=1231, EOF)
May 23 13:38:12 auth: Fatal: master: service(auth): child 1233 killed with signal 11 (core not dumped - set service auth { drop_priv_before_exec=yes })
May 23 13:40:37 master: Warning: Killed with signal 15 (by pid=1384 uid=0 code=kill)
May 23 13:42:47 imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=1208, EOF)
May 23 13:42:47 auth: Fatal: master: service(auth): child 1209 killed with signal 11 (core not dumped - set service auth { drop_priv_before_exec=yes })

Can anybody help me figure this out?

Regards,

Kaya
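Added example for this thread; the script below is not code from the original post, nor from the Dovecot or Samba projects. Two points about the posted configuration drive it. First, "could not obtain winbind domain name!" and "could not obtain winbind netbios name!" are messages printed by Samba's ntlm_auth when it cannot reach winbindd; Dovecot only relays them with its "auth: Error:" prefix, so the thing to establish before touching dovecot.conf is whether winbindd is running, whether the host is actually joined, and whether the user running Dovecot's auth process can reach winbindd's privileged pipe (the NTLMSSP helper mode needs it). Second, auth_use_winbind routes only the NTLM and GSS-SPNEGO mechanisms through ntlm_auth; with auth_mechanisms = plain ntlm login, PLAIN and LOGIN are answered by the passdb (here passdb { driver = static }) and never consult AD, and with ssl = no plus disable_plaintext_auth = no those passwords also cross the network in the clear. The script walks the chain in order when run with --live, and its offline parts (a classifier for ntlm_auth's messages and a reader for smb.conf values) run without winbindd present. Assumed paths: /usr/local/bin/ntlm_auth (taken from the posted dovecot.conf) and /var/db/samba/winbindd_privileged for the privileged pipe directory (FreeBSD samba36 port default; confirm with smbd -b | grep WINBINDD_PRIVILEGED_SOCKET_DIR).

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from
# Dovecot/Samba. Pre-flight checks for the Dovecot -> ntlm_auth -> winbindd
# -> AD chain, plus an offline classifier for the lines ntlm_auth prints.
#
# Assumptions (adjust if they do not hold on your host):
#   - ntlm_auth is /usr/local/bin/ntlm_auth, as in the posted dovecot.conf
#   - winbindd's privileged pipe directory is /var/db/samba/winbindd_privileged
#     (FreeBSD samba36 port default; confirm with
#      smbd -b | grep WINBINDD_PRIVILEGED_SOCKET_DIR)
NTLM_AUTH=${NTLM_AUTH:-/usr/local/bin/ntlm_auth}
PRIV_DIR=${PRIV_DIR:-/var/db/samba/winbindd_privileged}

# classify_ntlm_output LINE: map one line of ntlm_auth output to a diagnosis.
# "could not obtain winbind domain name!" is printed by ntlm_auth itself when
# it cannot talk to winbindd; Dovecot only relays it with an "auth: Error:"
# prefix, so seeing it in dovecot.log points below Dovecot, at winbindd.
classify_ntlm_output() {
    case "$1" in
        *"could not obtain winbind"*)  echo winbindd-unreachable ;;
        *NT_STATUS_OK*)                echo ok ;;
        *NT_STATUS_LOGON_FAILURE*)     echo bad-credentials ;;
        *NT_STATUS_NO_LOGON_SERVERS*)  echo no-dc-reachable ;;
        *NT_STATUS_*)                  echo other-nt-status ;;
        *)                             echo unknown ;;
    esac
}

# smbconf_get FILE KEY: value of KEY in smb.conf's [global] section, ignoring
# comments, case and whitespace around '='; last occurrence wins, as in Samba.
# Returns 1 if the key is absent. Samba does not reject unknown keys (the
# posted log shows it merely "Ignoring unknown parameter"), so a misspelled
# key silently falls back to its default; this lets you see what is really set.
smbconf_get() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ {
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
            sec = tolower(sec)
            next
        }
        sec == "global" && index($0, "=") {
            k = tolower(substr($0, 1, index($0, "=") - 1))
            v = substr($0, index($0, "=") + 1)
            sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) { print val; exit 0 } exit 1 }' "$1"
}

# check_smbconf_ads FILE: the three settings an AD member needs before
# "net ads join" and winbindd can work at all. Prints each problem, returns 1.
check_smbconf_ads() {
    rc=0
    sec=$(smbconf_get "$1" security) || sec=""
    case "$(printf '%s' "$sec" | tr 'A-Z' 'a-z')" in
        ads) ;;
        *)   echo "smb.conf: security must be ads (is '$sec')"; rc=1 ;;
    esac
    smbconf_get "$1" realm >/dev/null     || { echo "smb.conf: realm is not set"; rc=1; }
    smbconf_get "$1" workgroup >/dev/null || { echo "smb.conf: workgroup is not set"; rc=1; }
    return $rc
}

# privpipe_accessible DIR: the squid-2.5-ntlmssp helper mode Dovecot spawns
# needs winbindd's privileged pipe, so DIR must be searchable by the user that
# runs Dovecot's auth process (dovecot, unless service auth { user = } changes
# it). Run this check as that user: su -m dovecot -c 'sh thisfile.sh --privpipe'
privpipe_accessible() {
    [ -d "$1" ] && [ -x "$1" ]
}

# live_checks USER: walk the chain on the real host, stopping at the first
# broken link. wbinfo -p pings winbindd; wbinfo -t verifies the machine
# account secret against the DC (fails if the host was never joined);
# ntlm_auth --username=USER does a plaintext check through winbindd, and with
# --password omitted ntlm_auth prompts for it, keeping it out of ps output.
live_checks() {
    wbinfo -p >/dev/null 2>&1 || { echo "FAIL: winbindd not answering (wbinfo -p)"; return 1; }
    wbinfo -t >/dev/null 2>&1 || { echo "FAIL: machine account check (wbinfo -t): not joined or wrong secret"; return 1; }
    echo "winbind own domain: $(wbinfo --own-domain)"
    privpipe_accessible "$PRIV_DIR" || { echo "FAIL: $PRIV_DIR not searchable by $(id -un)"; return 1; }
    out=$("$NTLM_AUTH" --username="$1" 2>&1) || true
    echo "ntlm_auth: $out -> $(classify_ntlm_output "$out")"
}

case "${1:-}" in
    --live)     live_checks "${2:?usage: $0 --live user}" ;;
    --privpipe) privpipe_accessible "$PRIV_DIR" && echo "ok: $PRIV_DIR searchable by $(id -un)" ;;
    --smbconf)  check_smbconf_ads "${2:-/usr/local/etc/smb.conf}" ;;
    *)          ;;   # no argument: only define the functions (for sourcing)
esac
```

Run --smbconf first (it needs no daemons), then --privpipe as the dovecot user, then --live with a plain AD username (winbind use default domain = true in the posted smb.conf means no DOMAIN+ prefix). If --live stops at wbinfo -p or wbinfo -t, Dovecot is not the problem; fix winbindd or the join first.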