Date:      Wed, 23 May 2012 13:33:52 +0100
From:      Kaya Saman <kayasaman@gmail.com>
To:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Integrating FreeBSD with MS Active Directory in order to be able to Authenticate Dovecot IMAP server
Message-ID:  <CAPj0R5Kuv7K6vSZUx0FupRei9UGP6k9__PvhSLZGssLMp4FO5A@mail.gmail.com>

Hi,

I'm attempting to authenticate Dovecot to Active Directory, however,
I'm failing quite badly.


So far I have gone through the FreeBSD handbook on Kerberos authentication:

http://www.freebsd.org/doc/handbook/kerberos5.html


Additionally I have been through the Dovecot config:

http://wiki2.dovecot.org/Authentication/Mechanisms/Winbind

http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm


I am running FreeBSD 8.2 x64 RELEASE edition with the Dovecot2 port
installed, SAMBA 3.6, and the Heimdal version of Kerberos.


I pulled the krb5.conf and smb.conf files from one of our production
Linux boxes......

This is my dovecot.conf file:

# v1.1:
#auth_ntlm_use_winbind = yes
# v1.2+:
auth_use_winbind = yes

auth_winbind_helper_path = /usr/local/bin/ntlm_auth

protocols = imap

# It's nice to have separate log files for Dovecot. You could do this
# by changing syslog configuration also, but this is easier.
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log

# Disable SSL for now.
ssl = no
disable_plaintext_auth = no

# We're using Maildir format
#mail_location = maildir:~/Maildir
mail_location = mbox:/mail:INBOX=/mail/%u

# If you're using POP3, you'll need this:
#pop3_uidl_format = %g

# Authentication configuration:
auth_verbose = yes
auth_username_format = %n
#auth_mechanisms = plain
auth_mechanisms = plain ntlm login
#passdb {
#  driver = passwd-file
#  args = /usr/local/etc/dovecot/passwd
#}
#userdb {
#  driver = static
#  args = uid=root gid=root home=/root/
#  driver = static
#  args = uid=500 gid=500 home=/ZPOOL_1/%u
#}

#userdb static {
#   args= uid=501 gid=501 home=/mail/%1Ln/%Ln
#   mail=maildir:/mail/%d/%1Ln/%Ln:INBOX=/mail/%d/%1Ln/%Ln
#   allow_all_users=yes
#}

passdb {
  driver          = static
}

userdb {
  driver          = static
  args            = uid=501 gid=501 home=/mail/%1Ln/%Ln
}


This is the krb5.conf file:



[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.COM = {
  kdc = <IP>:88
  kdc = <IP>:88
  admin_server = <IP>:749
  kdc = DC.DOMAIN.COM
 }

[domain_realm]
 domain.com = DOMAIN.COM
 .domain.com = DOMAIN.COM
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }



This is the smb.conf file:


[global]
#--authconfig--start-line--

# Generated by authconfig on 2011/04/11 15:41:02
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = DOMAIN
   password server = DC.DOMAIN.COM
   realm = DOMAIN.COM
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = false
   winbind separator = +

#--authconfig--end-line--

   preferred master = no
   server string = FreeBSD IMAP Server
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   printcap name = cups
   printing = cups
   unix extensions = no
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind nested groups = Yes
   winbind cache time = 5


Running the command klist does give output; however, I am totally
stuck as to why the Dovecot authentication isn't working....


This is the output from the dovecot.log:

May 20 13:16:32 auth: Error: could not obtain winbind domain name!
May 20 13:16:32 auth: Error: could not obtain winbind netbios name!
May 20 13:16:32 auth: Error: could not obtain winbind domain name!
May 20 13:16:42 auth: Fatal: master: service(auth): child 15253 killed
with signal 11 (core not dumped - set service auth {
drop_priv_before_exec=yes })
May 20 13:16:42 imap-login: Warning: Auth connection closed with 1
pending requests (max 8 secs, pid=15254, EOF)
May 20 13:16:51 auth: Error: Ignoring unknown parameter "use kerberos keytab"
May 20 13:16:51 auth: Error: could not obtain winbind domain name!
May 20 13:16:51 auth: Error: could not obtain winbind netbios name!
May 20 13:16:51 auth: Error: could not obtain winbind domain name!
May 20 13:17:08 auth: Fatal: master: service(auth): child 15256 killed
with signal 11 (core not dumped - set service auth {
drop_priv_before_exec=yes })
May 20 13:17:08 imap-login: Warning: Auth connection closed with 1
pending requests (max 15 secs, pid=15257, EOF)
May 23 12:18:31 imap-login: Warning: Auth connection closed with 1
pending requests (max 0 secs, pid=25437, EOF)
May 23 12:18:31 auth: Fatal: master: service(auth): child 25439 killed
with signal 11 (core not dumped - set service auth {
drop_priv_before_exec=yes })
May 23 12:19:00 imap-login: Warning: Auth connection closed with 1
pending requests (max 0 secs, pid=25437, EOF)
May 23 12:19:00 auth: Fatal: master: service(auth): child 25440 killed
with signal 11 (core not dumped - set service auth {
drop_priv_before_exec=yes })
May 23 12:37:16 master: Warning: Killed with signal 15 (by pid=25630
uid=0 code=kill)
May 23 13:37:41 imap-login: Warning: Auth connection closed with 1
pending requests (max 0 secs, pid=1231, EOF)
May 23 13:37:41 auth: Fatal: master: service(auth): child 1232 killed
with signal 11 (core not dumped - set service auth {
drop_priv_before_exec=yes })
May 23 13:38:12 imap-login: Warning: Auth connection closed with 1
pending requests (max 0 secs, pid=1231, EOF)
May 23 13:38:12 auth: Fatal: master: service(auth): child 1233 killed
with signal 11 (core not dumped - set service auth {
drop_priv_before_exec=yes })
May 23 13:40:37 master: Warning: Killed with signal 15 (by pid=1384
uid=0 code=kill)
May 23 13:42:47 imap-login: Warning: Auth connection closed with 1
pending requests (max 0 secs, pid=1208, EOF)
May 23 13:42:47 auth: Fatal: master: service(auth): child 1209 killed
with signal 11 (core not dumped - set service auth {
drop_priv_before_exec=yes })



Can anybody help me figure this out?


Regards,


Kaya
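As an added example (not part of Kaya's post, and not Dovecot's or Samba's own code): a small Python triage script for the log and config shown above. It rejoins log entries that the mail client wrapped onto several lines, summarises the failure pattern the log records (winbind lookups failing before any login, the auth child being killed with signal 11, imap-login dropping its pending requests, an unknown parameter being ignored), and lints the posted dovecot.conf for the combination of `ssl = no`, `disable_plaintext_auth = no` and plain/login mechanisms, which sends AD passwords over the wire in clear text. The names `SAMPLE_LOG`, `SAMPLE_CONF`, `join_wrapped`, `triage`, `log_findings` and `lint_conf` are my own; the sample data is copied from the post and labelled as constructed in the code.

```python
"""Added triage helper, not part of the original post, Dovecot or Samba.
Rejoins wrapped log entries, summarises the failure pattern in the posted
dovecot.log (winbind lookups failing, auth child dying with signal 11,
imap-login dropping requests) and lints the posted dovecot.conf for
settings that send AD passwords over the wire in clear text."""
import re

# Constructed sample: entries copied from the post, wrapped as the archive shows them.
SAMPLE_LOG = """\
May 20 13:16:32 auth: Error: could not obtain winbind domain name!
May 20 13:16:32 auth: Error: could not obtain winbind netbios name!
May 20 13:16:42 auth: Fatal: master: service(auth): child 15253 killed
with signal 11 (core not dumped - set service auth {
drop_priv_before_exec=yes })
May 20 13:16:42 imap-login: Warning: Auth connection closed with 1
pending requests (max 8 secs, pid=15254, EOF)
May 20 13:16:51 auth: Error: Ignoring unknown parameter "use kerberos keytab"
May 23 12:37:16 master: Warning: Killed with signal 15 (by pid=25630
uid=0 code=kill)
"""

# Constructed sample: the settings from the posted dovecot.conf that matter here.
SAMPLE_CONF = """\
ssl = no
disable_plaintext_auth = no
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
"""

TS = r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d"
ENTRY_RE = re.compile(rf"^{TS} (?P<proc>[\w-]+): (?P<level>\w+): (?P<msg>.*)$")
CRASH_RE = re.compile(r"service\((?P<svc>\w+)\): child (?P<pid>\d+) killed with signal (?P<sig>\d+)")
DROPPED_RE = re.compile(r"Auth connection closed with (\d+) pending requests")
UNKNOWN_RE = re.compile(r'Ignoring unknown parameter "([^"]+)"')


def join_wrapped(text):
    """Lines that do not start with a timestamp continue the previous entry
    (mail clients wrap long log lines, as in the post)."""
    entries = []
    for line in text.splitlines():
        if re.match(TS, line) or not entries:
            entries.append(line.rstrip())
        else:
            entries[-1] += " " + line.strip()
    return entries


def triage(text):
    """Summarise one Dovecot log excerpt as counts and crash records."""
    s = {"winbind_errors": 0, "unknown_params": [], "crashes": [],
         "dropped_requests": 0, "unparsed": 0}
    for entry in join_wrapped(text):
        m = ENTRY_RE.match(entry)
        if m is None:
            s["unparsed"] += 1
            continue
        msg = m.group("msg")
        s["winbind_errors"] += int("could not obtain winbind" in msg)
        if u := UNKNOWN_RE.search(msg):
            s["unknown_params"].append(u.group(1))
        if c := CRASH_RE.search(msg):
            s["crashes"].append((c["svc"], int(c["pid"]), int(c["sig"])))
        if d := DROPPED_RE.search(msg):
            s["dropped_requests"] += int(d.group(1))
    return s


def log_findings(summary):
    """The points a reviewer of this log would raise, root cause first."""
    out = []
    if summary["winbind_errors"]:
        out.append("winbind lookups fail before any login: confirm winbindd is "
                   "running and the host is joined before debugging Dovecot")
    if any(svc == "auth" and sig == 11 for svc, _, sig in summary["crashes"]):
        out.append("the auth service segfaults, so logins are dropped rather than "
                   "rejected; enable core dumps as the log line suggests")
    for p in summary["unknown_params"]:
        out.append(f'parameter "{p}" is unknown and ignored, so it has no effect')
    return out


def lint_conf(text):
    """Flag dovecot.conf settings that let credentials cross the wire unencrypted."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            conf[key] = val
    mechs = set(conf.get("auth_mechanisms", "").split())
    if (conf.get("ssl") == "no" and conf.get("disable_plaintext_auth") == "no"
            and mechs & {"plain", "login"}):
        return ["plain/login accepted without TLS: AD passwords travel in clear "
                "text; set ssl = required or disable_plaintext_auth = yes"]
    return []


if __name__ == "__main__":
    for line in log_findings(triage(SAMPLE_LOG)) + lint_conf(SAMPLE_CONF):
        print("-", line)
```

Run as-is it prints the three log findings and the one config finding; point `triage()` at a real `/var/log/dovecot.log` to get the same summary for a live box. The order of `log_findings` is deliberate: the winbind errors appear before the first crash in the posted log, so they are the first thing to rule out, and the segfault is treated as a separate availability problem because it drops every pending login rather than rejecting it.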


