Hi all,

I’m having issues getting Dovecot to work with AD on 2012 R2 in a test 
environment.

Background:

AD is running on dc1.ad.automaton.uk, the domain is ad.automaton.uk. The DNS 
server is running on ad.automaton.uk and the automaton.uk DNS is set up 
correctly in the test environment in that everything resolves to the correct 
IP address and I can authenticate with whichever LDAP clients (ldapsearch, 
ApacheDS, sssd). It refuses to bind on Dovecot for some reason.

aaron@mail:/var/log$ uname -a
Linux mail.ad.automaton.uk 3.16.0-23-generic #31-Ubuntu SMP Tue Oct 21 17:56:17 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
aaron@mail:/var/log$ dovecot --version
2.2.9
aaron@mail:/var/log$ dpkg -l | grep dovecot
ii  dovecot-core      1:2.2.9-1ubuntu5   amd64   secure POP3/IMAP server - core files
ii  dovecot-gssapi    1:2.2.9-1ubuntu5   amd64   secure POP3/IMAP server - GSSAPI support
ii  dovecot-imapd     1:2.2.9-1ubuntu5   amd64   secure POP3/IMAP server - IMAP daemon
ii  dovecot-ldap      1:2.2.9-1ubuntu5   amd64   secure POP3/IMAP server - LDAP support
aaron@mail:/var/log/$ cat dovecot-debug.log
…
Nov 19 09:22:23 auth: Debug: auth client connected (pid=10345)
Nov 19 09:22:23 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29 lport=993 rport=56395
Nov 19 09:22:23 auth: Debug: client passdb out: CONT 1
Nov 19 09:22:23 auth: Debug: client in: CONT 1  (previous base64 data may contain sensitive data)
Nov 19 09:22:29 auth: Debug: client passdb out: FAIL 1 user=aaron.jenkins temp
Nov 19 09:22:29 auth: Debug: client in: AUTH 2 PLAIN service=imap secured session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29 lport=993 rport=56395 resp= (previous base64 data may contain sensitive data)
Nov 19 09:22:39 auth: Debug: client passdb out: FAIL 2 user=aaron.jenkins temp
Nov 19 09:22:40 auth: Debug: client in: AUTH 3 PLAIN service=imap secured session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29 lport=993 rport=56395
Nov 19 09:22:44 auth: Debug: client passdb out: CONT 3
Nov 19 09:22:44 auth: Debug: client in: CONT 3  (previous base64 data may contain sensitive data)
Nov 19 09:22:50 auth: Debug: client passdb out: FAIL 3 user=aaron.jenkins temp
Nov 19 09:22:50 auth: Debug: client in: AUTH 4 PLAIN service=imap secured session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29 lport=993 rport=56395 resp= (previous base64 data may contain sensitive data)
Nov 19 09:22:56 auth: Debug: client passdb out: FAIL 4 user=aaron.jenkins temp

(I’ve removed the base64 as it might contain passwords I actually use; if it’s 
important I’ll re-run it with a different password unredacted.)

Do you guys have any ideas on how to get it working with 2012 R2? I know the 
LDAP is quite funky but I suspect that’s why it doesn’t work. Also, attached is 
my sssd config as it’s working fine in case it might provide any insights.





Attachment: dovecot-ldap.conf.ext
Description: dovecot-ldap.conf.ext

Attachment: sssd.conf
Description: sssd.conf
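
An added example, not part of the original post: a small Python parser for auth debug lines in the format shown above that pairs each `client in: AUTH` request with its `client passdb out:` result. It separates `temp` failures (Dovecot's auth protocol uses this flag for a temporary internal failure, which points at the passdb backend, such as the LDAP bind, rather than at the password) from ordinary failures. The sample lines are constructed from the post's log format, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format of the post's dovecot-debug.log (wrapped lines re-joined).
SAMPLE = """\
Nov 19 09:22:23 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29 lport=993 rport=56395
Nov 19 09:22:23 auth: Debug: client passdb out: CONT 1
Nov 19 09:22:29 auth: Debug: client passdb out: FAIL 1 user=aaron.jenkins temp
Nov 19 09:22:30 auth: Debug: client in: AUTH 2 PLAIN service=imap secured session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29 lport=993 rport=56395
Nov 19 09:22:31 auth: Debug: client passdb out: FAIL 2 user=aaron.jenkins
Nov 19 09:22:40 auth: Debug: client in: AUTH 3 PLAIN service=imap secured session=pkJxdDkISwAK0zcd lip=10.211.55.33 rip=10.211.55.29 lport=993 rport=56395
Nov 19 09:22:41 auth: Debug: client passdb out: OK 3 user=aaron.jenkins
"""

LINE = re.compile(r"auth: Debug: client (in|passdb out): (AUTH|CONT|FAIL|OK) (\d+)\s*(.*)")

def parse_auth_log(text):
    """Return one record per auth request id: mechanism, rip, user, outcome."""
    requests = {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        direction, verb, req_id, rest = m.groups()
        fields = rest.split()
        kv = dict(f.split("=", 1) for f in fields if "=" in f)
        flags = {f for f in fields if "=" not in f}
        rec = requests.setdefault(req_id, {"outcome": "pending"})
        if direction == "in" and verb == "AUTH":
            rec.update(mech=fields[0], rip=kv.get("rip"), secured="secured" in flags)
        elif direction == "passdb out" and verb in ("FAIL", "OK"):
            rec["user"] = kv.get("user")
            if verb == "OK":
                rec["outcome"] = "ok"
            else:
                # "temp" = temporary internal failure: check the passdb backend, not the password
                rec["outcome"] = "temp_fail" if "temp" in flags else "auth_fail"
    return requests

def summarize(requests):
    """Count requests per outcome (ok, auth_fail, temp_fail, pending)."""
    return Counter(r["outcome"] for r in requests.values())

if __name__ == "__main__":
    for rid, rec in parse_auth_log(SAMPLE).items():
        print(rid, rec)
    print(dict(summarize(parse_auth_log(SAMPLE))))
```

A log where every result is `temp_fail`, as in the post, indicates the failure is happening before the credentials are ever judged.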
