Re: Dovecot+Samba AD - authentication failure - SOLVED

2020-11-24 Thread Odhiambo Washington
On Sun, 22 Nov 2020 at 15:08, Odhiambo Washington 
wrote:

> Hi,
>
> I have setup samba4 as AD and hoping to have dovecot authenticate users
> against it. I am facing challenges though and I am unable to figure it out.
> I could do with a third eye to help me spot what is wrong.
>
>
> root@adc0:/etc# doveadm auth test -x service=imap odhiambo@newideatest.local
> Password:
> passdb: odhiambo@newideatest.local auth failed
> extra fields:
>   temp
> Warning: auth-client: conn unix:/var/run/dovecot/auth-client: Auth
> connection closed with 1 pending requests (max 0 secs, pid=10537, EOF)
> Fatal: Couldn't connect to auth socket
>
> A test against IMAP gives the following debug information:
> Nov 22 14:31:01 auth: Debug: Loading modules from directory:
> /usr/lib/dovecot/modules/auth
> Nov 22 14:31:01 auth: Debug: Module loaded:
> /usr/lib/dovecot/modules/auth/lib20_auth_var_expand_crypt.so
> Nov 22 14:31:01 auth: Debug: Module loaded:
> /usr/lib/dovecot/modules/auth/libdriver_mysql.so
> Nov 22 14:31:01 auth: Debug: Loading modules from directory:
> /usr/lib/dovecot/modules/auth
> Nov 22 14:31:01 auth: Debug: Module loaded:
> /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
> Nov 22 14:31:01 auth: Debug: Read auth token secret from
> /var/run/dovecot/auth-token-secret.dat
> Nov 22 14:31:01 auth: Debug: auth client connected (pid=10979)
> Nov 22 14:31:08 auth: Debug: client in: AUTH1   PLAIN
>  service=imapsecured session=uPLvabC0RIh/AAABlip=127.0.0.1
>  rip=127.0.0.1   lport=143   rport=34884 resp=
> Nov 22 14:31:08 auth: Debug: 
> ldap(odhiambo@newideatest.local,127.0.0.1,):
> Performing passdb lookup
> Nov 22 14:31:08 auth: Debug: 
> ldap(odhiambo@newideatest.local,127.0.0.1,):
> bind search: base=cn=Users,dc=NEWIDEATEST,dc=LOCAL
> filter=(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=odhiambo@newideatest.local))
> Nov 22 14:31:08 auth: Debug: 
> ldap(odhiambo@newideatest.local,127.0.0.1,):
> no fields returned by the server
> Nov 22 14:31:08 auth: Debug: 
> ldap(odhiambo@newideatest.local,127.0.0.1,):
> Finished passdb lookup
> Nov 22 14:31:08 auth: Debug: 
> auth(odhiambo@newideatest.local,127.0.0.1,):
> Auth request finished
> Nov 22 14:31:10 auth: Debug: client passdb out: FAIL1
>  user=odhiambo@newideatest.local
>
> info.log:
>
> Nov 22 14:31:08 auth: Info: ldap(odhiambo@newideatest.local,127.0.0.1,): unknown user (given password: XXX)
> Nov 22 14:31:15 imap-login: Info: Aborted login (auth failed, 1 attempts
> in 7 secs): user=, method=PLAIN,
> rip=127.0.0.1, lip=127.0.0.1, secured, session=
>
>
> Here is my doveconf -n:
>
> https://paste.ubuntu.com/p/SPmrxZxHPx/
>
> My dovecot-ldap.conf.ext:
>
> uris = ldap://localhost/
> dn   = "dovecot@newideatest.local"
> dnpass   = ""
> sasl_bind= no
> tls  = no
> ldap_version = 3
> deref= never
> scope= subtree
> base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
> auth_bind= yes
> user_filter  = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(mail=%u)(sAMAccountName=%u)(otherMailbox=%u)))
> user_attrs   = sAMAccountName=user,userPassword=password,=mail=maildir:/home/%n/Maildir/
> pass_filter  = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=%u))
> pass_attrs   = sAMAccountName=user,userPassword=password
>
> The user exists in the database:
>
> root@adc0:/var/log/dovecot# samba-tool user show odhiambo
> ldb_wrap open of secrets.ldb
> dn: CN=Odhiambo Washington,CN=Users,DC=newideatest,DC=local
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Odhiambo Washington
> sn: Washington
> givenName: Odhiambo
> instanceType: 4
> whenCreated: 20201120101420.0Z
> displayName: Odhiambo Washington
> uSNCreated: 4086
> name: Odhiambo Washington
> objectGUID: e6969596-8b28-41af-b5d8-cea63cc97f98
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-701866827-3355127779-3787685610-1106
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: odhiambo
> sAMAccountType: 805306368
> userPrincipalName: odhiambo@newideatest.local
> objectCategory:
> CN=Person,CN=Schema,CN=Configuration,DC=newideatest,DC=local
> mail: odhiambo@newideatest.local
> loginShell: /bin/bash
> userAccountControl: 512
> pwdLastSet: 132505181852397220
> whenChanged: 20201122112945.0Z
> uSNChanged: 4104
> distinguishedName: CN=Odhiambo Washington,CN=Users,DC=newideatest,DC=local
>


For the record, this is what I finally came up with that worked -
dovecot-ldap.conf.ext:

# BEGIN
uris = ldap://localhost/
dn   = "dovecot@newideatest.local"
dnpass   = "verystupid"
sasl_bind= no
tls  = no
ldap_version = 3
deref= never
scope= subtree
base 

Error: Mailbox INBOX: Sync failed

2020-11-24 Thread Jos Chrispijn

Just saw in my logfile this line appeared:

imap(xx)<56614>: Error: Mailbox INBOX: Sync failed for mbox: Expunged message reappeared to mailbox (UID 174550 < 174552, seq=11, idx_msgs=9)


Looks like messages' UIDs are mixed up?
I thought that if Dovecot sees broken X-UID headers for "new" messages, 
they're silently fixed?


Can you tell how I can correct this error/warning? Thanks!

BR, Jos



Re: Dovecot+Samba AD - authentication failure - SOLVED

2020-11-24 Thread Aki Tuomi


> On 24/11/2020 13:20 Odhiambo Washington  wrote:
> 
> On Sun, 22 Nov 2020 at 15:08, Odhiambo Washington  wrote:
> > Hi,
> > 
> > I have setup samba4 as AD and hoping to have dovecot authenticate users 
> > against it. I am facing challenges though and I am unable to figure it out.
> > I could do with a third eye to help me spot what is wrong.
> > 
> > 
> > 
> > root@adc0:/etc# doveadm auth test -x service=imap odhiambo@newideatest.local
> > Password:
> > passdb: odhiambo@newideatest.local auth failed
> > extra fields:
> > 
> > info.log:
> > 
> > Nov 22 14:31:08 auth: Info: > > 
> > 
> > Here is my doveconf -n:
> > 
> > https://paste.ubuntu.com/p/SPmrxZxHPx/
> > 
> > My dovecot-ldap.conf.ext:
> > 
> > uris = ldap://localhost/
> > dn = "dovecot@newideatest.local"
> > dnpass = ""
> > sasl_bind = no
> > tls = no
> > ldap_version = 3
> > deref = never
> > scope = subtree
> > base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
> > auth_bind = yes
> > user_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(mail=%u)(sAMAccountName=%u)(otherMailbox=%u)))
> > user_attrs = sAMAccountName=user,userPassword=password,=mail=maildir:/home/%n/Maildir/
> > pass_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=%u))
> > pass_attrs = sAMAccountName=user,userPassword=password
> > 
> > The user exists in the database:
> > 
> 
> 
> For the record, this is what I finally came up with that worked - 
> dovecot-ldap.conf.ext:
> 
> 
> # BEGIN
> uris = ldap://localhost/
> dn = "dovecot@newideatest.local"
> dnpass = "verystupid"
> sasl_bind = no
> tls = no
> ldap_version = 3
> deref = never
> scope = subtree
> base = cn=Users,dc=NEWIDEATEST,dc=LOCAL
> auth_bind = yes

You probably would want to set this to 'no', it causes dovecot to rebind after 
authentication. This is not required when you can return password from LDAP, it 
is only required when you have to do first a lookup and then authenticate as 
the user to verify password.

> 
> #user_filter = (mail=%u)
> #pass_filter = (mail=%u)
> #pass_attrs = mail=%u,= userPassword=password
> 
> user_filter = (&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
> pass_filter = (&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
> pass_attrs = userPassword=password
> 
> user_attrs = =home=/var/spool/virtual/%Ld/%Ln/Maildir/,=mail=maildir:/var/spool/virtual/%Ld/%Ln/Maildir/
> 
> default_pass_scheme = CRYPT
> # END
> 
> Also to add:
> 1. If you use the commented out filters, the authentication is very fast
> 2. If you use the uncommented ones, it's a bit slow.
> 
> Choose your poison, as YMMV.
> 
> Adios.
> 
> 
> 
> -- 
> 
> Best regards,
> Odhiambo WASHINGTON,

Regards,

Aki
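
As an added illustration (not code from the thread, from Dovecot or from Samba): the original `pass_filter` found no entry because it compared `sAMAccountName` against `%u`, which Dovecot expands to the full login `odhiambo@newideatest.local`, while the account's `sAMAccountName` is just `odhiambo`; the working filter compares `mail` instead. The script below expands the Dovecot variables the thread uses (`%u`, `%n`, `%d` and their lowercase `%L` forms), evaluates the filter subset the thread uses (`&`, `|`, `!`, equality and the Active Directory bit-AND matching rule `1.2.840.113556.1.4.803` that excludes disabled accounts) against the `samba-tool user show` entry reduced to a dict, and also runs a constructed disabled copy of the account (`userAccountControl` 514) to show that the `!(...:=2)` clause does its job. Going slightly beyond the thread, it shows that `(sAMAccountName=%n)` would also match, since `%n` is the login without its domain. Case-insensitive string comparison is an assumption of this toy evaluator, and no LDAP server is contacted.

```python
"""Added example (not from the thread, Dovecot or Samba): expand Dovecot filter
variables and evaluate the resulting LDAP filter against the AD entry shown by
samba-tool, to see why the original pass_filter found nothing."""

# User entry from the thread's `samba-tool user show odhiambo` output, reduced
# to the attributes the filters reference. userAccountControl 512 is
# NORMAL_ACCOUNT; bit value 2 (ACCOUNTDISABLE) is clear.
ENTRY = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": ["odhiambo"],
    "userPrincipalName": ["odhiambo@newideatest.local"],
    "mail": ["odhiambo@newideatest.local"],
    "userAccountControl": ["512"],
}
# Constructed variant: the same account with the ACCOUNTDISABLE bit set (512 | 2).
DISABLED_ENTRY = dict(ENTRY, userAccountControl=["514"])

LOGIN = "odhiambo@newideatest.local"     # what `doveadm auth test` was given
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

# Filters from the thread: the failing original and the working replacement.
ORIGINAL_PASS_FILTER = (
    "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
    "(sAMAccountName=%u))")
WORKING_PASS_FILTER = (
    "(&(mail=%u)(objectClass=person)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")


def expand(template, login):
    """Substitute the Dovecot variables used in the thread's filters.

    %u = full login, %n = local part, %d = domain; %L... = lowercased.
    """
    local, _, domain = login.partition("@")
    subst = {"%u": login, "%n": local, "%d": domain,
             "%Lu": login.lower(), "%Ln": local.lower(), "%Ld": domain.lower()}
    for key in sorted(subst, key=len, reverse=True):  # %Ln before %n
        template = template.replace(key, subst[key])
    return template


def parse(s, i=0):
    """Parse the RFC 4515 subset used here; returns (node, index after it)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1          # skip the closing ')'
    if s[i] == "!":
        kid, i = parse(s, i + 1)
        return ("!", [kid]), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr, value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attr -> list of strings)."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    if attr.endswith(":"):                # extensible match: attr:rule:=value
        attr, rule, _ = attr.split(":")
        if rule != BIT_AND_RULE:
            raise ValueError(f"unsupported matching rule {rule}")
        # True when every bit of `value` is set in the stored integer.
        return any(int(v) & int(value) == int(value) for v in entry.get(attr, []))
    # Assumption: AD string attributes compare case-insensitively.
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def lookup(filter_template, login, entry):
    """Expand, parse and evaluate, as a passdb/userdb search would."""
    return matches(parse(expand(filter_template, login))[0], entry)


if __name__ == "__main__":
    for name, flt in [("original", ORIGINAL_PASS_FILTER), ("working", WORKING_PASS_FILTER)]:
        print(f"{name}: {expand(flt, LOGIN)} -> {lookup(flt, LOGIN, ENTRY)}")
    print("working filter on disabled account ->",
          lookup(WORKING_PASS_FILTER, LOGIN, DISABLED_ENTRY))
```

Running it prints the expanded original filter with `sAMAccountName=odhiambo@newideatest.local`, which is why the passdb logged "unknown user" even though the userdb `user_filter` (which also tries `mail=%u`) would have found the account; the disabled-account check is the part of the filter worth keeping whichever attribute you match on.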