
dovecot ntlm auth problems



Hello.

Given:

dpkg -l *dovecot* | grep ^ii
ii  dovecot-core           1:2.2.25-1   amd64        secure POP3/IMAP server - core files
ii  dovecot-gssapi         1:2.2.25-1   amd64        secure POP3/IMAP server - GSSAPI support
ii  dovecot-imapd          1:2.2.25-1   amd64        secure POP3/IMAP server - IMAP daemon
ii  dovecot-ldap           1:2.2.25-1   amd64        secure POP3/IMAP server - LDAP support
ii  dovecot-lmtpd          1:2.2.25-1   amd64        secure POP3/IMAP server - LMTP server
ii  dovecot-managesieved   1:2.2.25-1   amd64        secure POP3/IMAP server - ManageSieve server
ii  dovecot-pop3d          1:2.2.25-1   amd64        secure POP3/IMAP server - POP3 daemon
ii  dovecot-sieve          1:2.2.25-1   amd64        secure POP3/IMAP server - Sieve filters support

dpkg -l *winbind* | grep ^ii        
ii  winbind        2:4.4.5+dfsg-3 amd64        service to resolve user and group information from Windows NT servers

I need transparent NTLM authentication for the MUAs: Thunderbird, Outlook (2010), The Bat.
It was set up following the documentation at http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm

The server has been joined to AD

$ net ads status
...
distinguishedName: CN=imap,CN=Computers,DC=nsk,DC=lanta,DC=ru
...

Authentication works:
wbinfo -a john 
Enter john's password:  
plaintext password authentication succeeded
Enter john's password:  
challenge/response password authentication succeeded

Configs:

/etc/samba/smb.conf 
[global]
 workgroup = LANTA
 realm = nsk.lanta.ru
 security = ADS
 local master = no
 domain master = no
 preferred master = no
 dns proxy = no
 idmap uid = 10000-20000
 idmap gid = 10000-20000
 password server = domain3.nsk.lanta.ru
 encrypt passwords = yes
 #use kerberos keytab = true
 winbind use default domain = yes
 winbind offline logon = false
 winbind separator = +

/etc/dovecot/dovecot.conf 
...
auth_mechanisms = ntlm
auth_use_winbind = yes
auth_username_format = %Lu
auth_winbind_helper_path = /usr/bin/ntlm_auth
userdb {
 args = uid=vmail gid=vmail home=/srv/vmail/maildir/%Ln
 driver = static
}
...
I had to add:
service auth {
 user = root
}
because:
Sep 23 11:24:14 imap dovecot: auth: ntlm(?,192.168.66.236,<IgmkJiU9sdPAqELs>): ntlm_auth reports broken helper: NT_STATUS_UNSUCCESSFUL
Sep 23 11:24:14 imap dovecot: auth: Error: winbind: ntlm_auth exited with exit code 0

When an MUA on a domain-joined Windows workstation tries to connect, for some reason it prompts for a password, and at the same time the logs show:

DEBUG:

Sep 23 11:29:29 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth 
Sep 23 11:29:29 auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Sep 23 11:29:29 auth: Debug: auth client connected (pid=15287)
Sep 23 11:29:34 auth: Debug: client in: AUTH    1       NTLM    service=imap    session=iwGtOSU9xtPAqELs        lip=192.168.66.50       rip=192.168.66.236      lport=143       rport=54214
Sep 23 11:29:34 auth: Debug: client passdb out: CONT    1
Sep 23 11:29:34 auth: Debug: client in: CONT    1       <SKIP> (previous base64 data may contain sensitive data)
Sep 23 11:29:34 auth: Debug: client passdb out: CONT    1       <SKIP> 
Sep 23 11:29:34 auth: Debug: client in: CONT    1       <SKIP> (previous base64 data may contain sensitive data)
Sep 23 11:29:34 auth: Debug: client passdb out: OK      1       user=john
Sep 23 11:29:34 auth: Debug: master in: REQUEST 3676962817      15287   1       26ff92e1a7584dd15f7569c89fd91da7        session_pid=15290       request_auth_token
Sep 23 11:29:34 auth: Debug: master userdb out: USER    3676962817      john    uid=5000        gid=5000        home=/srv/vmail/maildir/john    auth_token=78c6c23482422521f8b08967682ddf631694b876
Sep 23 11:29:34 imap(john): Debug: Loading modules from directory: /usr/lib/dovecot/modules
Sep 23 11:29:34 imap(john): Debug: Module loaded: /usr/lib/dovecot/modules/lib01_acl_plugin.so
Sep 23 11:29:34 imap(john): Debug: Module loaded: /usr/lib/dovecot/modules/lib02_imap_acl_plugin.so
Sep 23 11:29:34 imap(john): Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
Sep 23 11:29:34 imap(john): Debug: Module loaded: /usr/lib/dovecot/modules/lib11_imap_quota_plugin.so
Sep 23 11:29:34 imap(john): Debug: Module loaded: /usr/lib/dovecot/modules/lib15_notify_plugin.so
Sep 23 11:29:34 imap(john): Debug: Module loaded: /usr/lib/dovecot/modules/lib20_mail_log_plugin.so
Sep 23 11:29:34 imap(john): Debug: Effective uid=5000, gid=5000, home=/srv/vmail/maildir/john
Sep 23 11:29:34 imap(john): Debug: acl: No acl_shared_dict setting - shared mailbox listing is disabled
Sep 23 11:29:34 imap(john): Debug: Quota root: name=user backend=dict args=:file:/srv/vmail/maildir/john/maildir/dovecot-quota
Sep 23 11:29:34 imap(john): Debug: Quota rule: root=user mailbox=* bytes=1073741824 messages=0
Sep 23 11:29:34 imap(john): Debug: Quota rule: root=user mailbox=Trash bytes=+107374182 (10%) messages=0
Sep 23 11:29:34 imap(john): Debug: Quota grace: root=user bytes=107374182 (10%)
Sep 23 11:29:34 imap(john): Debug: dict quota: user=john, uri=file:/srv/vmail/maildir/john/maildir/dovecot-quota, noenforcing=0
Sep 23 11:29:34 imap(john): Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/maildir
Sep 23 11:29:34 imap(john): Debug: maildir++: root=/srv/vmail/maildir/john/maildir, index=, indexpvt=, control=, inbox=/srv/vmail/maildir/john/maildir, alt=
Sep 23 11:29:34 imap(john): Debug: acl: initializing backend with data: vfile:/srv/vmail/conf.d/acls:cache_secs=300
Sep 23 11:29:34 imap(john): Debug: acl: acl username = john
Sep 23 11:29:34 imap(john): Debug: acl: owner = 1
Sep 23 11:29:34 imap(john): Debug: acl vfile: Global ACL file: /srv/vmail/conf.d/acls
Sep 23 11:29:34 imap(john): Debug: quota: quota_over_flag check: STORAGE ret=1 value=4 limit=1048576
Sep 23 11:29:34 imap(john): Debug: quota: quota_over_flag check: MESSAGE ret=0 value=4 limit=0
Sep 23 11:29:34 imap(john): Debug: quota: quota_over_flag=0((null)) vs currently overquota=0
Sep 23 11:29:34 imap(john): Debug: acl vfile: file /srv/vmail/maildir/john/maildir/.&BB0ENQQ2BDUEOwQwBEIENQQ7BEwEPQQwBE8- &BD8EPgRHBEIEMA-/dovecot-acl not found
Sep 23 11:29:34 imap(john): Debug: acl vfile: file /srv/vmail/maildir/john/maildir/.&BCMENAQwBDsENQQ9BD0ESwQ1-/dovecot-acl not found
Sep 23 11:29:34 imap(john): Debug: acl vfile: file /srv/vmail/maildir/john/maildir/.&BB4EQgQ,BEAEMAQyBDsENQQ9BD0ESwQ1-/dovecot-acl not found
Sep 23 11:29:34 imap(john): Debug: acl vfile: file /srv/vmail/maildir/john/maildir/.Trash/dovecot-acl not found
Sep 23 11:29:34 imap(john): Debug: acl vfile: file /srv/vmail/maildir/john/maildir/dovecot-acl not found
Sep 23 11:29:34 imap(john): Debug: acl vfile: file /srv/vmail/maildir/john/maildir/dovecot-acl not found
...
Then the same thing happens a second time (Thunderbird) and a third time if the MUA is Outlook.

mail.log:
Sep 23 11:29:34 imap dovecot: imap-login: Login: user=<john>, method=NTLM, rip=192.168.66.236, lip=192.168.66.50, mpid=15290, session=<iwGtOSU9xtPAqELs>
Sep 23 11:29:44 imap dovecot: imap-login: Login: user=<john>, method=NTLM, rip=192.168.66.236, lip=192.168.66.50, mpid=15292, session=<pCtMOiU9ytPAqELs>

I can't figure out why the password is requested on _every_ connection?
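A small log analyzer, added here and not part of the original post, that walks Dovecot auth debug lines like the ones above and pairs each request's AUTH/CONT/OK messages, so you can see whether the server completed the NTLM exchange (as it does in the post's log) and whether the `ntlm_auth reports broken helper` error appeared. The sample log is constructed from the quoted lines; the hint about Samba's winbindd_priv group is the usual alternative to running `service auth` as root and is my assumption about this setup, not something the post states.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the auth debug lines and the helper error quoted in the post.
SAMPLE_LOG = """\
Sep 23 11:24:14 imap dovecot: auth: ntlm(?,192.168.66.236,<IgmkJiU9sdPAqELs>): ntlm_auth reports broken helper: NT_STATUS_UNSUCCESSFUL
Sep 23 11:29:34 auth: Debug: client in: AUTH    1       NTLM    service=imap    session=iwGtOSU9xtPAqELs        lip=192.168.66.50       rip=192.168.66.236      lport=143       rport=54214
Sep 23 11:29:34 auth: Debug: client passdb out: CONT    1
Sep 23 11:29:34 auth: Debug: client in: CONT    1       <SKIP> (previous base64 data may contain sensitive data)
Sep 23 11:29:34 auth: Debug: client passdb out: CONT    1       <SKIP>
Sep 23 11:29:34 auth: Debug: client in: CONT    1       <SKIP> (previous base64 data may contain sensitive data)
Sep 23 11:29:34 auth: Debug: client passdb out: OK      1       user=john
"""
AUTH_RE = re.compile(r"client in: AUTH\s+(\d+)\s+(\S+)\s*(.*)$")              # request start
CLIENT_CONT_RE = re.compile(r"client in: CONT\s+(\d+)")                       # NEGOTIATE / AUTHENTICATE
SERVER_RE = re.compile(r"client passdb out: (CONT|OK|FAIL)\s+(\d+)\s*(.*)$")  # passdb reply
HELPER_RE = re.compile(r"ntlm_auth reports broken helper: (\S+)")
KV_RE = re.compile(r"(\w+)=(\S+)")                                            # key=value fields

def analyze(log_text):
    # Group the auth debug lines by request id; returns (requests, helper_errors).
    requests = defaultdict(lambda: {"mech": None, "session": None, "rip": None, "client_msgs": 0,
                                    "server_conts": 0, "result": None, "user": None})
    helper_errors = []
    for line in log_text.splitlines():
        if m := HELPER_RE.search(line):
            helper_errors.append(m.group(1))                 # NT_STATUS_* reported by ntlm_auth
        elif m := AUTH_RE.search(line):
            req, fields = requests[m.group(1)], dict(KV_RE.findall(m.group(3)))
            req["mech"], req["session"], req["rip"] = m.group(2), fields.get("session"), fields.get("rip")
        elif m := CLIENT_CONT_RE.search(line):
            requests[m.group(1)]["client_msgs"] += 1
        elif m := SERVER_RE.search(line):
            req = requests[m.group(2)]
            if m.group(1) == "CONT":
                req["server_conts"] += 1                     # empty prompt, then the NTLM challenge
            else:
                req["result"], req["user"] = m.group(1), dict(KV_RE.findall(m.group(3))).get("user")
    return dict(requests), helper_errors

def report(log_text):
    # One line per finding: helper failures first, then each request's outcome.
    requests, helper_errors = analyze(log_text)
    out = ["ntlm_auth helper failed (%s): the auth process user usually needs access to "
           "winbindd's privileged pipe (Samba's winbindd_priv group)" % e for e in helper_errors]
    for rid, r in sorted(requests.items()):
        out.append("request %s: %s from %s session=%s, %d client msgs / %d server CONTs -> %s user=%s"
                   % (rid, r["mech"], r["rip"], r["session"], r["client_msgs"],
                      r["server_conts"], r["result"], r["user"]))
    return out
```

Feed it `journalctl`/syslog output with `auth_debug = yes` enabled; a request that ends in OK shows the server accepted the NTLM exchange, which points the password prompt at the client side rather than the passdb.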




