Hi,
I'm attempting to authenticate Dovecot to Active Directory, however, I'm failing quite badly.

So far I have gone through the FreeBSD handbook on Kerberos authentication:
http://www.freebsd.org/doc/handbook/kerberos5.html

Additionally I have been through the Dovecot config:
http://wiki2.dovecot.org/Authenticat...anisms/Winbind
http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm

I am running FreeBSD 8.2 x64 RELEASE edition with the Dovecot2 port installed, SAMBA 3.6, and the Heimdal version of Kerberos. I pulled the krb5.conf and smb.conf files from one of our production Linux boxes......

This is my dovecot.conf file:

Code:
# v1.1:
#auth_ntlm_use_winbind = yes
# v1.2+:
auth_use_winbind = yes
auth_winbind_helper_path = /usr/local/bin/ntlm_auth
protocols = imap
# It's nice to have separate log files for Dovecot. You could do this
# by changing syslog configuration also, but this is easier.
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
# Disable SSL for now.
ssl = no
disable_plaintext_auth = no
# We're using Maildir format
#mail_location = maildir:~/Maildir
mail_location = mbox:/mail:INBOX=/mail/%u
# If you're using POP3, you'll need this:
#pop3_uidl_format = %g
# Authentication configuration:
auth_verbose = yes
auth_username_format = %n
#auth_mechanisms = plain
auth_mechanisms = plain ntlm login
#passdb {
# driver = passwd-file
# args = /usr/local/etc/dovecot/passwd
#}
#userdb {
# driver = static
# args = uid=root gid=root home=/root/
# driver = static
# args = uid=500 gid=500 home=/ZPOOL_1/%u
#}
#userdb static {
# args= uid=501 gid=501 home=/mail/%1Ln/%Ln
# mail=maildir:/mail/%d/%1Ln/%Ln:INBOX=/mail/%d/%1Ln/%Ln
# allow_all_users=yes
#}
passdb {
driver = static
}
userdb {
driver = static
args = uid=501 gid=501 home=/mail/%1Ln/%Ln
}
Code:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
DOMAIN.COM = {
kdc = <IP>:88
kdc = <IP>:88
admin_server = <IP>:749
kdc = DC.DOMAIN.COM
}
[domain_realm]
domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Code:
[global]
#--authconfig--start-line--
# Generated by authconfig on 2011/04/11 15:41:02
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = DOMAIN
password server = DC.DOMAIN.COM
realm = DOMAIN.COM
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind separator = +
#--authconfig--end-line--
preferred master = no
server string = FreeBSD IMAP Server
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
unix extensions = no
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind cache time = 5

stuck as to why the Dovecot authentication isn't working.... This is the output from the dovecot.log:

Code:
May 20 13:16:32 auth: Error: could not obtain winbind domain name!
May 20 13:16:32 auth: Error: could not obtain winbind netbios name!
May 20 13:16:32 auth: Error: could not obtain winbind domain name!
May 20 13:16:42 auth: Fatal: master: service(auth): child 15253 killed
with signal 11 (core not dumped - set service auth {
drop_priv_before_exec=yes })
May 20 13:16:42 imap-login: Warning: Auth connection closed with 1
pending requests (max 8 secs, pid=15254, EOF)
May 20 13:16:51 auth: Error: Ignoring unknown parameter "use kerberos keytab"
May 20 13:16:51 auth: Error: could not obtain winbind domain name!
May 20 13:16:51 auth: Error: could not obtain winbind netbios name!
May 20 13:16:51 auth: Error: could not obtain winbind domain name!
May 20 13:17:08 auth: Fatal: master: service(auth): child 15256 killed
with signal 11 (core not dumped - set service auth {
drop_priv_before_exec=yes })
May 20 13:17:08 imap-login: Warning: Auth connection closed with 1
pending requests (max 15 secs, pid=15257, EOF)
May 23 12:18:31 imap-login: Warning: Auth connection closed with 1
pending requests (max 0 secs, pid=25437, EOF)
May 23 12:18:31 auth: Fatal: master: service(auth): child 25439 killed
with signal 11 (core not dumped - set service auth {
drop_priv_before_exec=yes })
May 23 12:19:00 imap-login: Warning: Auth connection closed with 1
pending requests (max 0 secs, pid=25437, EOF)
May 23 12:19:00 auth: Fatal: master: service(auth): child 25440 killed
with signal 11 (core not dumped - set service auth {
drop_priv_before_exec=yes })
May 23 12:37:16 master: Warning: Killed with signal 15 (by pid=25630
uid=0 code=kill)
May 23 13:37:41 imap-login: Warning: Auth connection closed with 1
pending requests (max 0 secs, pid=1231, EOF)
May 23 13:37:41 auth: Fatal: master: service(auth): child 1232 killed
with signal 11 (core not dumped - set service auth {
drop_priv_before_exec=yes })
May 23 13:38:12 imap-login: Warning: Auth connection closed with 1
pending requests (max 0 secs, pid=1231, EOF)
May 23 13:38:12 auth: Fatal: master: service(auth): child 1233 killed
with signal 11 (core not dumped - set service auth {
drop_priv_before_exec=yes })
May 23 13:40:37 master: Warning: Killed with signal 15 (by pid=1384
uid=0 code=kill)
May 23 13:42:47 imap-login: Warning: Auth connection closed with 1
pending requests (max 0 secs, pid=1208, EOF)
May 23 13:42:47 auth: Fatal: master: service(auth): child 1209 killed
with signal 11 (core not dumped - set service auth {
drop_priv_before_exec=yes })
Can anybody help me figure this out?

Regards,
Kaya
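
Added example, not part of the original post: a small triage script for a dovecot.log like the one quoted above. It rejoins the wrapped lines and lists each auth child crash together with any winbind errors logged shortly before it. The year (2011) and the 60-second look-back window are assumptions, since the log stamps carry no year and the post gives no timing rule.

```python
import re
from datetime import datetime, timedelta

# A few entries from the dovecot.log in the post, wrapped lines kept as posted.
SAMPLE_LOG = """\
May 20 13:16:32 auth: Error: could not obtain winbind domain name!
May 20 13:16:32 auth: Error: could not obtain winbind netbios name!
May 20 13:16:42 auth: Fatal: master: service(auth): child 15253 killed
with signal 11 (core not dumped - set service auth {
drop_priv_before_exec=yes })
May 20 13:16:42 imap-login: Warning: Auth connection closed with 1
pending requests (max 8 secs, pid=15254, EOF)
May 23 12:18:31 imap-login: Warning: Auth connection closed with 1
pending requests (max 0 secs, pid=25437, EOF)
May 23 12:18:31 auth: Fatal: master: service(auth): child 25439 killed
with signal 11 (core not dumped - set service auth {
drop_priv_before_exec=yes })
"""

STAMP = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+): (.*)$")
CRASH = re.compile(r"service\(auth\): child (\d+) killed with signal (\d+)")

def parse_entries(text, year=2011):  # year is an assumption: the stamps carry none
    """Rejoin wrapped lines; return a list of (timestamp, process, message)."""
    entries = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            entries.append([ts, m.group(2), m.group(3)])
        elif entries and line.strip():
            entries[-1][2] += " " + line.strip()  # continuation of previous entry
    return [tuple(e) for e in entries]

def auth_crashes(entries, window=timedelta(seconds=60)):
    """List auth child crashes with the winbind errors logged shortly before each."""
    crashes = []
    for ts, proc, msg in entries:
        m = CRASH.search(msg)
        if proc != "auth" or not m:
            continue
        prior = sorted({pmsg for pts, pproc, pmsg in entries
                        if pproc == "auth" and "winbind" in pmsg
                        and timedelta(0) <= ts - pts <= window})
        crashes.append({"time": ts, "pid": int(m.group(1)),
                        "signal": int(m.group(2)), "winbind_errors": prior})
    return crashes

if __name__ == "__main__":
    for c in auth_crashes(parse_entries(SAMPLE_LOG)):
        print(c["time"], "pid", c["pid"], "signal", c["signal"], c["winbind_errors"])
```

On the excerpt embedded here, the May 20 crash is preceded by winbind errors while the May 23 crash has none within the window.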