Winbind authentication
Hello all! I'm trying to set up a dovecot server so that it authenticates local users via /etc/passwd (I'm on a FreeBSD 13.1) and via winbindd for those that it cannot find locally. The samba suite is alive and well, postfix happily gets mail from domain users and saves it with the correct name and permissions from the windows domain. If I try to authenticate a domain user via wbinfo it works, with dovecot it doesn't. I guess I've forgotten something in the dovecot config... :)

Here is my doveconf -n:

# 2.3.20 (80a5ac675d): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.20 (149edcf2)
# OS: FreeBSD 13.1-RELEASE-p5 powerpc ufs
# Hostname: numeron.mcs.it
auth_cache_size = 30 k
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_username_format = %n
auth_winbind_helper_path = /usr/local/bin/ntlm_auth
default_client_limit = 1128
default_vsz_limit = 712 M
disable_plaintext_auth = no
first_valid_uid = 0
info_log_path = /var/log/dovecot/logfile.info
listen = *
lock_method = flock
log_path = /var/log/dovecot/logfile
login_greeting = Dovecot at Nameron Ready.
mail_location = mbox:/var/spool/dovecot/%u:INBOX=/var/mail/%u
mail_plugins = fts
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
passdb {
  driver = passwd
}
protocols = imap pop3
service replication-notify-fifo {
  name = aggregator
}
service anvil-auth-penalty {
  name = anvil
}
service auth-worker {
  name = auth-worker
}
service auth-client {
  user = root
  name = auth
}
service config {
  name = config
}
service dict-async {
  name = dict-async
}
service dict {
  name = dict
}
service login/proxy-notify {
  name = director
}
service dns-client {
  name = dns-client
}
service doveadm-server {
  name = doveadm
}
service imap-hibernate {
  name = imap-hibernate
}
service imap {
  service_count = 0
  name = imap-login
}
service imap-urlauth {
  name = imap-urlauth-login
}
service imap-urlauth-worker {
  name = imap-urlauth-worker
}
service token-login/imap-urlauth {
  name = imap-urlauth
}
service imap-master {
  name = imap
}
service indexer-worker {
  name = indexer-worker
}
service indexer {
  name = indexer
}
service ipc {
  name = ipc
}
service lmtp {
  name = lmtp
}
service log-errors {
  name = log
}
service sieve {
  name = managesieve-login
}
service login/sieve {
  name = managesieve
}
service old-stats-mail {
  name = old-stats
}
service pop3 {
  process_limit = 255
  service_count = 1
  name = pop3-login
}
service login/pop3 {
  name = pop3
}
service replicator-doveadm {
  name = replicator
}
service login/stats-writer {
  unix_listener {
    group = mail
    mode = 0666
    user = dovecot
    path = stats-reader
  }
  unix_listener {
    group = mail
    mode = 0666
    user = dovecot
    path = stats-writer
  }
  name = stats
}
service submission {
  name = submission-login
}
service login/submission {
  name = submission
}
ssl = no
userdb {
  driver = passwd
}
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_enable_last = yes
  pop3_uidl_format = %08Xu%08Xv
  service replication-notify-fifo {
    name = aggregator
  }
  service anvil-auth-penalty {
    name = anvil
  }
  service auth-worker {
    name = auth-worker
  }
  service auth-client {
    name = auth
  }
  service config {
    name = config
  }
  service dict-async {
    name = dict-async
  }
  service dict {
    name = dict
  }
  service login/proxy-notify {
    name = director
  }
  service dns-client {
    name = dns-client
  }
  service doveadm-server {
    name = doveadm
  }
  service imap-hibernate {
    name = imap-hibernate
  }
  service imap {
    name = imap-login
  }
  service imap-urlauth {
    name = imap-urlauth-login
  }
  service imap-urlauth-worker {
    name = imap-urlauth-worker
  }
  service token-login/imap-urlauth {
    name = imap-urlauth
  }
  service imap-master {
    name = imap
  }
  service indexer-worker {
    name = indexer-worker
  }
  service indexer {
    name = indexer
  }
  service ipc {
    name = ipc
  }
  service lmtp {
    name = lmtp
  }
  service log-errors {
    name = log
  }
  service sieve {
    name = managesieve-login
  }
  service login/sieve {
    name = managesieve
  }
  service old-stats-mail {
    name = old-stats
  }
  service pop3 {
    name = pop3-login
  }
  service login/pop3 {
    name = pop3
  }
  service replicator-doveadm {
    name = replicator
  }
  service login/stats-writer {
    name = stats
  }
  service submission {
    name = submission-login
  }
  service login/submission {
    name = submission
  }
}
protocol lda {
  debug_log_path = /var/log/dovecot/lda-debug.log
  info_log_path = /var/log/dovecot/lda.info
  log_path = /var/log/dovecot/lda.err
  mail_debug = yes
  postmaster_address = l...@m
Re: Winbind authentication
> "Luciano" == Luciano Mannucci writes:

> I'm trying to set up a dovecot server so that it authenticates local
> users via /etc/passwd (I'm on a Freebsd 13.1) and via winbindd for
> those that it cannot find locally. The samba suite is alive and well,
> postfix happily gets mail from domain users and saves it with
> correct name and permissions from the windows domain. If I try to
> authenticate a domain user via wbinfo it works, with dovecot it
> doesn't. I guess I've forgotten something in the dovecot config... :)

I can't help you with your config, but I would *strongly* recommend that you just make all your users virtual ones, all using the same backend.

Now you don't say if your local user account works or not, but I'd work on getting just the AD part (really, you're using winbind?) first.

Also, have you compared your postfix and dovecot setups? There are good docs out there on how you combine them to use the same authentication backend.

And the info you posted really doesn't help much, since you don't post any log messages from when the authentication fails. That will tell you more, I'm sure.

John
Re: Winbind authentication
On Fri, 10 Mar 2023 14:22:26 -0500 "John Stoffel" wrote:

> Now you don't say if your local user account works or not,
> but I'd work on getting just the AD part (really, you're using
> winbind?) first.

Yes, the local user works.

> Also, have you compared your postfix and dovecot setups? There are
> good docs out there on how you combine them to use the same
> authentication backend.

Well, postfix doesn't need to authenticate users: it accepts all if it comes from mynetworks. I know it is not wise; it is just a test to explore single sign-on with different sources.

> And the info you posted really don't help much, since you don't post
> any log messages from when the authentication fails. That will tell
> you more I'm sure.

Apologies, you are absolutely right. Here they are:

Mar 10 14:59:12 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Mar 10 14:59:12 auth: Debug: Module loaded: /usr/local/lib/dovecot/auth/lib20_auth_var_expand_crypt.so
Mar 10 14:59:12 auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Mar 10 14:59:12 auth: Debug: auth client connected (pid=4221)
Mar 10 14:59:25 auth: Debug: client in: AUTH 1 PLAIN service=pop3 session=yQtBK4z2lOzAqIoP lip=192.168.138.18 rip=192.168.138.15 lport=110 rport=60564 resp=AG1jcwBrYXE5LnBpcA== (previous base64 data may contain sensitive data)
Mar 10 14:59:25 auth: Debug: passwd(mcs,192.168.138.15,): Performing passdb lookup
Mar 10 14:59:25 auth: Debug: passwd(mcs,192.168.138.15,): cache miss
Mar 10 14:59:25 auth-worker(4223): Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Mar 10 14:59:25 auth-worker(4223): Debug: Module loaded: /usr/local/lib/dovecot/auth/lib20_auth_var_expand_crypt.so
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): Server accepted connection (fd=13)
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): Sending version handshake
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: Handling PASSV request
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: passwd(mcs,192.168.138.15,): Performing passdb lookup
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: passwd(mcs,192.168.138.15,): lookup
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: passwd(mcs,192.168.138.15,): Finished passdb lookup
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: Finished
Mar 10 14:59:25 auth: Debug: passwd(mcs,192.168.138.15,): Finished passdb lookup
Mar 10 14:59:25 auth: Debug: auth(mcs,192.168.138.15,): Auth request finished
Mar 10 14:59:25 auth: Debug: client passdb out: OK 1 user=mcs
Mar 10 14:59:25 auth: Debug: master in: REQUEST 980549633 4221 1 19c7b19fec4f0dee8512545a1ae27501 session_pid=4224
Mar 10 14:59:25 auth: Debug: passwd(mcs,192.168.138.15,): Performing userdb lookup
Mar 10 14:59:25 auth: Debug: passwd(mcs,192.168.138.15,): userdb cache miss
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): auth-worker<2>: Handling USER request
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): auth-worker<2>: passwd(mcs,192.168.138.15,): Performing userdb lookup
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): auth-worker<2>: passwd(mcs,192.168.138.15,): lookup
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): auth-worker<2>: passwd(mcs,192.168.138.15,): Finished userdb lookup
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): auth-worker<2>: Finished
Mar 10 14:59:25 auth: Debug: passwd(mcs,192.168.138.15,): Finished userdb lookup
Mar 10 14:59:25 auth: Debug: master userdb out: USER 980549633 mcs system_groups_user=mcs uid=1001 gid=1001 home=/home/mcs auth_mech=PLAIN
Mar 10 14:59:25 pop3-login: Info: Login: user=, method=PLAIN, rip=192.168.138.15, lip=192.168.138.18, mpid=4224, session=
Mar 10 14:59:32 pop3(mcs)<4224>: Info: Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Mar 10 14:59:35 auth: Debug: auth client connected (pid=4225)
Mar 10 14:59:59 auth: Debug: client in: AUTH 1 PLAIN service=pop3 session=q5FJLYz2n+zAqIoP lip=192.168.138.18 rip=192.168.138.15 lport=110 rport=60575 resp=** (previous base64 data may contain sensitive data)
Mar 10 14:59:59 auth: Debug: passwd(geoplan,192.168.138.15,): Performing passdb lookup
Mar 10 14:59:59 auth: Debug: passwd(geoplan,192.168.138.15,): cache miss
Mar 10 14:59:59 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): auth-worker<3>: Handling PASSV request
Mar 10 14:59:59 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): auth-worker<3>: passwd(geoplan,192.168.138.15,): Perform
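Editor's added example (not code from the thread, from Dovecot or from Samba): a small Python parser for auth debug lines in the format posted above. For every "client in: AUTH" request it records the mechanism, the client IP, the passdb drivers the auth process reports consulting ("<driver>(<user>,<rip>,...): Performing passdb lookup"), and the "client passdb out" verdict. Read that way, the posted log shows only the passwd driver in the chain for both mcs and geoplan, which matches the single "passdb { driver = passwd }" block in the doveconf -n output; the chain summary is the quickest way to see which backends a failing login actually reached. It also flags requests whose resp= field was logged unmasked, which is what auth_debug_passwords = yes does (the log line itself warns that the base64 may contain sensitive data). The names Attempt, parse_auth_debug, chains_without and summarize, and the sample log lines, are mine; the sample is constructed, with documentation IP addresses, and is not the poster's log.

```python
"""Reconstruct Dovecot auth attempts from auth_debug log lines (added example)."""
import re
from dataclasses import dataclass, field

# "client in: AUTH <id> <mechanism> key=value ..." is the login process handing a
# request to the auth process. Real logs separate fields with tabs; any whitespace
# is accepted so pasted logs (like the one in the thread) parse too.
AUTH_IN_RE = re.compile(
    r" auth: Debug: client in: AUTH\s+(?P<id>\d+)\s+(?P<mech>\S+)\s+(?P<rest>.*)$")
# "<driver>(<user>,<rip>,<session>): Performing passdb lookup" logged by the auth
# process (not the auth-worker echo of the same lookup) marks one passdb in the chain.
LOOKUP_RE = re.compile(
    r" auth: Debug: (?P<driver>[a-z0-9_-]+)\((?P<user>[^,]*),(?P<rip>[^,]*),[^)]*\): Performing passdb lookup")
# "client passdb out: OK|FAIL <id> ..." is the verdict returned to the login process.
OUT_RE = re.compile(r" auth: Debug: client passdb out: (?P<result>OK|FAIL)\s+(?P<id>\d+)")


@dataclass
class Attempt:
    request_id: str
    mechanism: str
    service: str
    rip: str
    user: str = ""
    drivers: list = field(default_factory=list)  # passdb drivers consulted, in order
    result: str = "no verdict logged"
    credential_in_log: bool = False              # resp= was written unmasked


def _kv(rest: str) -> dict:
    """Split 'k=v k=v ...' into a dict; trailing free text without '=' is ignored."""
    return dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)


def parse_auth_debug(log_text: str) -> list:
    """Return one Attempt per AUTH request, in log order."""
    attempts, pending = [], {}
    for line in log_text.splitlines():
        m = AUTH_IN_RE.search(line)
        if m:
            kv = _kv(m.group("rest"))
            a = Attempt(m.group("id"), m.group("mech"), kv.get("service", "?"), kv.get("rip", "?"))
            # With auth_debug_passwords = yes the raw SASL response is logged; "**" means masked.
            a.credential_in_log = kv.get("resp", "**") != "**"
            attempts.append(a)
            # Request ids restart with every login-process connection, so only the
            # attempts still waiting for a verdict are keyed here.
            pending[a.request_id] = a
            continue
        m = LOOKUP_RE.search(line)
        if m:
            # Lookup lines carry no request id: attach to the newest unanswered attempt
            # from the same client IP (the log is processed sequentially).
            for a in reversed(list(pending.values())):
                if a.rip == m.group("rip"):
                    a.user = a.user or m.group("user")
                    a.drivers.append(m.group("driver"))
                    break
            continue
        m = OUT_RE.search(line)
        if m and m.group("id") in pending:
            pending.pop(m.group("id")).result = m.group("result")
    return attempts


def chains_without(attempts: list, driver: str) -> list:
    """Attempts whose passdb chain never reached `driver` (e.g. the one expected to ask winbind)."""
    return [a for a in attempts if driver not in a.drivers]


def summarize(attempts: list) -> str:
    out = []
    for a in attempts:
        flag = "  [credential material in log: auth_debug_passwords is on]" if a.credential_in_log else ""
        out.append(f"req {a.request_id} {a.mechanism}/{a.service} user={a.user or '?'} rip={a.rip} "
                   f"passdb chain: {' -> '.join(a.drivers) or 'none'} result={a.result}{flag}")
    return "\n".join(out)


# Constructed sample in the thread's log format (not the poster's real log): a local
# user that succeeds via passwd, and a second user whose chain continues to pam and fails.
# The resp= value of the first request is a placeholder; anything other than "**" is unmasked.
SAMPLE_LOG = """\
Mar 10 14:59:25 auth: Debug: client in: AUTH 1 PLAIN service=pop3 session=aaaaaaaaaaaaaaaa lip=192.0.2.10 rip=192.0.2.20 lport=110 rport=60564 resp=ZHVtbXk= (previous base64 data may contain sensitive data)
Mar 10 14:59:25 auth: Debug: passwd(alice,192.0.2.20,<aaaaaaaaaaaaaaaa>): Performing passdb lookup
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: passwd(alice,192.0.2.20,<aaaaaaaaaaaaaaaa>): Performing passdb lookup
Mar 10 14:59:25 auth: Debug: passwd(alice,192.0.2.20,<aaaaaaaaaaaaaaaa>): Finished passdb lookup
Mar 10 14:59:25 auth: Debug: client passdb out: OK 1 user=alice
Mar 10 14:59:59 auth: Debug: client in: AUTH 1 PLAIN service=pop3 session=bbbbbbbbbbbbbbbb lip=192.0.2.10 rip=192.0.2.21 lport=110 rport=60575 resp=** (previous base64 data may contain sensitive data)
Mar 10 14:59:59 auth: Debug: passwd(bob,192.0.2.21,<bbbbbbbbbbbbbbbb>): Performing passdb lookup
Mar 10 14:59:59 auth: Debug: passwd(bob,192.0.2.21,<bbbbbbbbbbbbbbbb>): Finished passdb lookup
Mar 10 14:59:59 auth: Debug: pam(bob,192.0.2.21,<bbbbbbbbbbbbbbbb>): Performing passdb lookup
Mar 10 14:59:59 auth: Debug: pam(bob,192.0.2.21,<bbbbbbbbbbbbbbbb>): Finished passdb lookup
Mar 10 14:59:59 auth: Debug: client passdb out: FAIL 1 user=bob
"""

if __name__ == "__main__":
    print(summarize(parse_auth_debug(SAMPLE_LOG)))
```

Point it at a real file with parse_auth_debug(open(path).read()); chains_without(attempts, "pam") (or whichever driver fronts winbind in your setup) lists the requests that were answered before that backend was ever asked.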
Re: Inconsistent filtering with debugging
On 24-2-2023 at 14:03, Christian Wolf wrote:

> Hello,
>
> I have the problem that I have a Postfix/Dovecot combination running with Sieve activated. The sieve script is running in general, as some messages get filtered and moved to the appropriate folders.
>
> Now, I see that for the envelope filter, the behavior differs depending on whether I am debugging the rules or the mails are received in a regular way. I have something like this:
>
> require "envelope";
> # ...
> if envelope :is "to" "f...@subdaomin.example.com" {
>   fileinto "INBOX.bar";
>   stop;
> }
> # ...
>
> The thing is, if I call sieve-filter on the INBOX, I get the information that the mail is to be moved to the appropriate folder. However, during delivery the mail is not moved there. Other rules in the script are working, so it is installed in general.
>
> Of course, I could send mails to the mail address for testing, but I have no clue where to look for issues, especially as the "main debugging tool" for the rules (sieve-filter) is strangely behaving differently.
>
> The reason I wanted to use the envelope was that the mails are delivered to f...@subdomain.example.com. From there, some virtual aliases are forwarded to a central account b...@example.net using postfix virtual aliases. Thus, the Delivered-To header is always showing the value b...@example.net, which is not suited for filtering. I could filter the Received headers but hoped for a more "high level" solution.

You can fill in the envelope addresses using command line options (see man pages). If you don't, it will fill in some defaults based on the provided message.

You can debug the actual delivery by using the sieve_trace setting.

Regards,

Stephan.