Winbind authentication

2023-03-10 Thread Luciano Mannucci


Hello all!

I'm trying to set up a dovecot server so that it authenticates local
users via /etc/passwd (I'm on a FreeBSD 13.1) and via winbindd for
those that it cannot find locally. The samba suite is alive and well,
postfix gets happily mail from domain users and saves it with correct
name and permissions from the windows domain. If I try to authenticate
a domain user via wbinfo it works, with dovecot it doesn't.
I guess I've forgotten something in the dovecot config... :)

Here is my doveconf -n:

# 2.3.20 (80a5ac675d): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.20 (149edcf2)
# OS: FreeBSD 13.1-RELEASE-p5 powerpc  ufs
# Hostname: numeron.mcs.it
auth_cache_size = 30 k
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_username_format = %n
auth_winbind_helper_path = /usr/local/bin/ntlm_auth
default_client_limit = 1128
default_vsz_limit = 712 M
disable_plaintext_auth = no
first_valid_uid = 0
info_log_path = /var/log/dovecot/logfile.info
listen = *
lock_method = flock
log_path = /var/log/dovecot/logfile
login_greeting = Dovecot at Nameron Ready.
mail_location = mbox:/var/spool/dovecot/%u:INBOX=/var/mail/%u
mail_plugins = fts
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body enotify environment mailbox date index ihave duplicate 
mime foreverypart extracttext
passdb {
  driver = passwd
}
protocols = imap pop3
service replication-notify-fifo {
  name = aggregator
}
service anvil-auth-penalty {
  name = anvil
}
service auth-worker {
  name = auth-worker
}
service auth-client {
  user = root
  name = auth
}
service config {
  name = config
}
service dict-async {
  name = dict-async
}
service dict {
  name = dict
}
service login/proxy-notify {
  name = director
}
service dns-client {
  name = dns-client
}
service doveadm-server {
  name = doveadm
}
service imap-hibernate {
  name = imap-hibernate
}
service imap {
  service_count = 0
  name = imap-login
}
service imap-urlauth {
  name = imap-urlauth-login
}
service imap-urlauth-worker {
  name = imap-urlauth-worker
}
service token-login/imap-urlauth {
  name = imap-urlauth
}
service imap-master {
  name = imap
}
service indexer-worker {
  name = indexer-worker
}
service indexer {
  name = indexer
}
service ipc {
  name = ipc
}
service lmtp {
  name = lmtp
}
service log-errors {
  name = log
}
service sieve {
  name = managesieve-login
}
service login/sieve {
  name = managesieve
}
service old-stats-mail {
  name = old-stats
}
service pop3 {
  process_limit = 255
  service_count = 1
  name = pop3-login
}
service login/pop3 {
  name = pop3
}
service replicator-doveadm {
  name = replicator
}
service login/stats-writer {
  unix_listener {
group = mail
mode = 0666
user = dovecot
path = stats-reader
  }
  unix_listener {
group = mail
mode = 0666
user = dovecot
path = stats-writer
  }
  name = stats
}
service submission {
  name = submission-login
}
service login/submission {
  name = submission
}
ssl = no
userdb {
  driver = passwd
}
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_enable_last = yes
  pop3_uidl_format = %08Xu%08Xv
  service replication-notify-fifo {
name = aggregator
  }
  service anvil-auth-penalty {
name = anvil
  }
  service auth-worker {
name = auth-worker
  }
  service auth-client {
name = auth
  }
  service config {
name = config
  }
  service dict-async {
name = dict-async
  }
  service dict {
name = dict
  }
  service login/proxy-notify {
name = director
  }
  service dns-client {
name = dns-client
  }
  service doveadm-server {
name = doveadm
  }
  service imap-hibernate {
name = imap-hibernate
  }
  service imap {
name = imap-login
  }
  service imap-urlauth {
name = imap-urlauth-login
  }
  service imap-urlauth-worker {
name = imap-urlauth-worker
  }
  service token-login/imap-urlauth {
name = imap-urlauth
  }
  service imap-master {
name = imap
  }
  service indexer-worker {
name = indexer-worker
  }
  service indexer {
name = indexer
  }
  service ipc {
name = ipc
  }
  service lmtp {
name = lmtp
  }
  service log-errors {
name = log
  }
  service sieve {
name = managesieve-login
  }
  service login/sieve {
name = managesieve
  }
  service old-stats-mail {
name = old-stats
  }
  service pop3 {
name = pop3-login
  }
  service login/pop3 {
name = pop3
  }
  service replicator-doveadm {
name = replicator
  }
  service login/stats-writer {
name = stats
  }
  service submission {
name = submission-login
  }
  service login/submission {
name = submission
  }
}
protocol lda {
  debug_log_path = /var/log/dovecot/lda-debug.log
  info_log_path = /var/log/dovecot/lda.info
  log_path = /var/log/dovecot/lda.err
  mail_debug = yes
  postmaster_address = 

NFS and performances

2023-03-10 Thread tomate aceite
Thanks


how to setup timestamp

2023-03-10 Thread tomate aceite
Thanks Alessio Cecchi


index locally

2023-03-10 Thread tomate aceite
Thanks guys for all the help. I will check if I can do an rsync script.


Re: Winbind authentication

2023-03-10 Thread Luciano Mannucci
On Fri, 10 Mar 2023 14:22:26 -0500
"John Stoffel"  wrote:

> Now you don't say if your local user account works or not,
> but I'd work on getting just the AD part (really, you're using
> winbind?) first.
Yes the local user works.
 
> Also, have you compared your postfix and dovecot setups?  There are
> good docs out there on how you combine them to use the same
> authentication backend.
Well, postfix doesn't need to authenticate users: it accepts all if
it comes from mynetworks.
I know it is not wise; it is just a test to explore single sign-on
with different sources.
 
> And the info you posted really doesn't help much, since you don't post
> any log messages from when the authentication fails.  That will tell
> you more I'm sure.
Apologies, you are absolutely right. Here they are:

Mar 10 14:59:12 auth: Debug: Loading modules from directory: 
/usr/local/lib/dovecot/auth
Mar 10 14:59:12 auth: Debug: Module loaded: 
/usr/local/lib/dovecot/auth/lib20_auth_var_expand_crypt.so
Mar 10 14:59:12 auth: Debug: Read auth token secret from 
/var/run/dovecot/auth-token-secret.dat
Mar 10 14:59:12 auth: Debug: auth client connected (pid=4221)
Mar 10 14:59:25 auth: Debug: client in: AUTH1   PLAIN   service=pop3
session=yQtBK4z2lOzAqIoPlip=192.168.138.18  rip=192.168.138.15  
lport=110   rport=60564 resp=AG1jcwBrYXE5LnBpcA== (previous base64 data 
may contain sensitive data)
Mar 10 14:59:25 auth: Debug: passwd(mcs,192.168.138.15,): 
Performing passdb lookup
Mar 10 14:59:25 auth: Debug: passwd(mcs,192.168.138.15,): 
cache miss
Mar 10 14:59:25 auth-worker(4223): Debug: Loading modules from directory: 
/usr/local/lib/dovecot/auth
Mar 10 14:59:25 auth-worker(4223): Debug: Module loaded: 
/usr/local/lib/dovecot/auth/lib20_auth_var_expand_crypt.so
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): Server 
accepted connection (fd=13)
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): 
Sending version handshake
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): 
auth-worker<1>: Handling PASSV request
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): 
auth-worker<1>: passwd(mcs,192.168.138.15,): Performing 
passdb lookup
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): 
auth-worker<1>: passwd(mcs,192.168.138.15,): lookup
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): 
auth-worker<1>: passwd(mcs,192.168.138.15,): Finished passdb 
lookup
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): 
auth-worker<1>: Finished
Mar 10 14:59:25 auth: Debug: passwd(mcs,192.168.138.15,): 
Finished passdb lookup
Mar 10 14:59:25 auth: Debug: auth(mcs,192.168.138.15,): Auth 
request finished
Mar 10 14:59:25 auth: Debug: client passdb out: OK  1   user=mcs
Mar 10 14:59:25 auth: Debug: master in: REQUEST 980549633   42211   
19c7b19fec4f0dee8512545a1ae27501session_pid=4224
Mar 10 14:59:25 auth: Debug: passwd(mcs,192.168.138.15,): 
Performing userdb lookup
Mar 10 14:59:25 auth: Debug: passwd(mcs,192.168.138.15,): 
userdb cache miss
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): 
auth-worker<2>: Handling USER request
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): 
auth-worker<2>: passwd(mcs,192.168.138.15,): Performing 
userdb lookup
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): 
auth-worker<2>: passwd(mcs,192.168.138.15,): lookup
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): 
auth-worker<2>: passwd(mcs,192.168.138.15,): Finished userdb 
lookup
Mar 10 14:59:25 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): 
auth-worker<2>: Finished
Mar 10 14:59:25 auth: Debug: passwd(mcs,192.168.138.15,): 
Finished userdb lookup
Mar 10 14:59:25 auth: Debug: master userdb out: USER980549633   mcs 
system_groups_user=mcs  uid=1001gid=1001home=/home/mcs  
auth_mech=PLAIN
Mar 10 14:59:25 pop3-login: Info: Login: user=, method=PLAIN, 
rip=192.168.138.15, lip=192.168.138.18, mpid=4224, session=
Mar 10 14:59:32 pop3(mcs)<4224>: Info: Disconnected: Logged 
out top=0/0, retr=0/0, del=0/0, size=0
Mar 10 14:59:35 auth: Debug: auth client connected (pid=4225)
Mar 10 14:59:59 auth: Debug: client in: AUTH1   PLAIN   service=pop3
session=q5FJLYz2n+zAqIoPlip=192.168.138.18  rip=192.168.138.15  
lport=110   rport=60575 resp=** (previous base64 data may 
contain sensitive data)
Mar 10 14:59:59 auth: Debug: passwd(geoplan,192.168.138.15,): 
Performing passdb lookup
Mar 10 14:59:59 auth: Debug: passwd(geoplan,192.168.138.15,): 
cache miss
Mar 10 14:59:59 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): 
auth-worker<3>: Handling PASSV request
Mar 10 14:59:59 auth-worker(4223): Debug: conn unix:auth-worker (uid=0): 
auth-worker<3>: passwd(geoplan,192.168.138.15,): 
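
The `resp=` field of an `AUTH ... PLAIN` debug line is the base64 SASL PLAIN response (authzid, user name and password separated by NUL bytes), which is why the log flags it as possibly sensitive. The following is an added example, not part of the original post: it masks such fields before a log excerpt is shared. The sample log lines and credentials are constructed, and the function names are hypothetical.

```python
import base64
import re

# Matches the resp= field of a Dovecot "client in: AUTH" debug line.
RESP_RE = re.compile(r"(\bresp=)([A-Za-z0-9+/]+={0,2})")


def plain_identity(b64):
    """Return the user name from a SASL PLAIN response, or None if it does not parse."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    parts = raw.split(b"\x00")  # authzid NUL authcid NUL password
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace")


def redact_line(line):
    """Mask the resp= payload; keep the user name so the excerpt stays useful."""
    def _mask(match):
        user = plain_identity(match.group(2))
        tag = f"<redacted PLAIN user={user}>" if user else "<redacted>"
        return match.group(1) + tag
    return RESP_RE.sub(_mask, line)


def redact_log(text):
    """Apply redact_line to every line of a log excerpt."""
    return "\n".join(redact_line(line) for line in text.splitlines())


# Constructed sample: user "alice" with a made-up password.
SAMPLE_RESP = base64.b64encode(b"\x00alice\x00example-only").decode()
SAMPLE_LOG = (
    "Mar 10 14:59:25 auth: Debug: client in: AUTH\t1\tPLAIN\tservice=pop3\t"
    f"rip=192.0.2.15\tresp={SAMPLE_RESP} (previous base64 data may contain "
    "sensitive data)\n"
    "Mar 10 14:59:25 auth: Debug: passwd(alice,192.0.2.15,): cache miss"
)

if __name__ == "__main__":
    print(redact_log(SAMPLE_LOG))
```

The regex works per line, so a `resp=` value that the mail client has wrapped across two lines needs to be rejoined before redaction.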

Re: Winbind authentication

2023-03-10 Thread John Stoffel
> "Luciano" == Luciano Mannucci  writes:

> I'm trying to set up a dovecot server so that it authenticates local
> users via /etc/passwd (I'm on a FreeBSD 13.1) and via winbindd for
> those that it cannot find locally. The samba suite is alive and well,
> postfix gets happily mail from domain users and saves it with
> correct name and permissions from the windows domain. If I try to
> authenticate a domain user via wbinfo it works, with dovecot it
> doesn't.  I guess I've forgotten something in the dovecot config... :)

I can't help you with your config, but I would *strongly* recommend
that you just make all your users virtual ones, and all using the same
backend.  Now you don't say if your local user account works or not,
but I'd work on getting just the AD part (really, you're using
winbind?) first.

Also, have you compared your postfix and dovecot setups?  There are
good docs out there on how you combine them to use the same
authentication backend.


And the info you posted really doesn't help much, since you don't post
any log messages from when the authentication fails.  That will tell
you more I'm sure.

John




Re: Inconsistent filtering with debugging

2023-03-10 Thread Stephan Bosch



On 24-2-2023 at 14:03, Christian Wolf wrote:

> Hello,
>
> I have the problem, that I have a Postfix/Dovecot combination running
> with Sieve activated. The sieve script is running in general as some
> messages get filtered and moved to the appropriate folders.
>
> Now, I see that for the envelope filter, the behavior differs
> depending if I am debugging the rules or if the mails are received in
> a regular way.
>
> I have something like this:
>
> require "envelope";
>
> # ...
>
> if envelope :is "to" "f...@subdaomin.example.com" {
>     fileinto "INBOX.bar";
>     stop;
> }
>
> # ...
>
> The thing is if I call sieve-filter on the INBOX, I get the
> information that the mail is to be moved to the appropriate folder.
> However during delivery the mail is not moved there. Other rules in
> the script are working so it is installed in general.
>
> Of course, I could send mails to the mail address for testing but I
> have no clue on where to look for issues, especially as the "main
> debugging tool" for the rules (sieve-filter) is strangely behaving
> differently.
>
> The reason, I wanted to use the envelope was because the mails are
> delivered to f...@subdomain.example.com. From there, some virtual
> aliases are forwarded to a central account b...@example.net using
> postfix virtual aliases. Thus, the Delivered-To header is always
> showing the value b...@example.net which is not suited for filtering.
>
> I could filter the Received headers but hoped for a more "high level"
> solution.


You can fill in the envelope addresses using command line options (see 
man pages). If you don't, it will fill in some defaults based on the 
provided message.


You can debug the actual delivery by using the sieve_trace setting.

Regards,

Stephan.