Hello.
Given:
dpkg -l *dovecot* | grep ^ii
ii dovecot-core 1:2.2.25-1 amd64 secure POP3/IMAP server - core files
ii dovecot-gssapi 1:2.2.25-1 amd64 secure POP3/IMAP server - GSSAPI support
ii dovecot-imapd 1:2.2.25-1 amd64 secure POP3/IMAP server - IMAP daemon
ii dovecot-ldap 1:2.2.25-1 amd64 secure POP3/IMAP server - LDAP support
ii dovecot-lmtpd 1:2.2.25-1 amd64 secure POP3/IMAP server - LMTP server
ii dovecot-managesieved 1:2.2.25-1 amd64 secure POP3/IMAP server - ManageSieve server
ii dovecot-pop3d 1:2.2.25-1 amd64 secure POP3/IMAP server - POP3 daemon
ii dovecot-sieve 1:2.2.25-1 amd64 secure POP3/IMAP server - Sieve filters support
dpkg -l *winbind* | grep ^ii
ii winbind 2:4.4.5+dfsg-3 amd64 service to resolve user and group information from Windows NT servers
I need to set up transparent NTLM authentication for the MUAs: Thunderbird, Outlook (2010), The Bat.
The server has been joined to AD:
$ net ads status
...
distinguishedName: CN=imap,CN=Computers,DC=nsk,DC=lanta,DC=ru
...
Authentication works:
$ wbinfo -a john
Enter john's password:
plaintext password authentication succeeded
Enter john's password:
challenge/response password authentication succeeded
Configs:
/etc/samba/smb.conf
[global]
workgroup = LANTA
realm = nsk.lanta.ru
security = ADS
local master = no
domain master = no
preferred master = no
dns proxy = no
idmap uid = 10000-20000
idmap gid = 10000-20000
password server = domain3.nsk.lanta.ru
encrypt passwords = yes
#use kerberos keytab = true
winbind use default domain = yes
winbind offline logon = false
winbind separator = +
/etc/dovecot/dovecot.conf
...
auth_mechanisms = ntlm
auth_use_winbind = yes
auth_username_format = %Lu
auth_winbind_helper_path = /usr/bin/ntlm_auth
userdb {
args = uid=vmail gid=vmail home=/srv/vmail/maildir/%Ln
driver = static
}
...
I had to add:
service auth {
user = root
}
because:
Sep 23 11:24:14 imap dovecot: auth: ntlm(?,192.168.66.236,<IgmkJiU9sdPAqELs>): ntlm_auth reports broken helper: NT_STATUS_UNSUCCESSFUL
Sep 23 11:24:14 imap dovecot: auth: Error: winbind: ntlm_auth exited with exit code 0
When an MUA on a domain-joined Windows workstation tries to connect, for some reason a password is requested, while the logs show:
DEBUG:
Sep 23 11:29:29 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Sep 23 11:29:29 auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Sep 23 11:29:29 auth: Debug: auth client connected (pid=15287)
Sep 23 11:29:34 auth: Debug: client in: AUTH 1 NTLM service=imap session=iwGtOSU9xtPAqELs lip=192.168.66.50 rip=192.168.66.236 lport=143 rport=54214
Sep 23 11:29:34 auth: Debug: client passdb out: CONT 1
Sep 23 11:29:34 auth: Debug: client in: CONT 1 <SKIP> (previous base64 data may contain sensitive data)
Sep 23 11:29:34 auth: Debug: client passdb out: CONT 1 <SKIP>
Sep 23 11:29:34 auth: Debug: client in: CONT 1 <SKIP> (previous base64 data may contain sensitive data)
Sep 23 11:29:34 auth: Debug: client passdb out: OK 1 user=john
Sep 23 11:29:34 auth: Debug: master in: REQUEST 3676962817 15287 1 26ff92e1a7584dd15f7569c89fd91da7 session_pid=15290 request_auth_token
Sep 23 11:29:34 auth: Debug: master userdb out: USER 3676962817 john uid=5000 gid=5000 home=/srv/vmail/maildir/john auth_token=78c6c23482422521f8b08967682ddf631694b876
Sep 23 11:29:34 imap(john): Debug: Loading modules from directory: /usr/lib/dovecot/modules
Sep 23 11:29:34 imap(john): Debug: Module loaded: /usr/lib/dovecot/modules/lib01_acl_plugin.so
Sep 23 11:29:34 imap(john): Debug: Module loaded: /usr/lib/dovecot/modules/lib02_imap_acl_plugin.so
Sep 23 11:29:34 imap(john): Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
Sep 23 11:29:34 imap(john): Debug: Module loaded: /usr/lib/dovecot/modules/lib11_imap_quota_plugin.so
Sep 23 11:29:34 imap(john): Debug: Module loaded: /usr/lib/dovecot/modules/lib15_notify_plugin.so
Sep 23 11:29:34 imap(john): Debug: Module loaded: /usr/lib/dovecot/modules/lib20_mail_log_plugin.so
Sep 23 11:29:34 imap(john): Debug: Effective uid=5000, gid=5000, home=/srv/vmail/maildir/john
Sep 23 11:29:34 imap(john): Debug: acl: No acl_shared_dict setting - shared mailbox listing is disabled
Sep 23 11:29:34 imap(john): Debug: Quota root: name=user backend=dict args=:file:/srv/vmail/maildir/john/maildir/dovecot-quota
Sep 23 11:29:34 imap(john): Debug: Quota rule: root=user mailbox=* bytes=1073741824 messages=0
Sep 23 11:29:34 imap(john): Debug: Quota rule: root=user mailbox=Trash bytes=+107374182 (10%) messages=0
Sep 23 11:29:34 imap(john): Debug: Quota grace: root=user bytes=107374182 (10%)
Sep 23 11:29:34 imap(john): Debug: dict quota: user=john, uri=file:/srv/vmail/maildir/john/maildir/dovecot-quota, noenforcing=0
Sep 23 11:29:34 imap(john): Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/maildir
Sep 23 11:29:34 imap(john): Debug: maildir++: root=/srv/vmail/maildir/john/maildir, index=, indexpvt=, control=, inbox=/srv/vmail/maildir/john/maildir, alt=
Sep 23 11:29:34 imap(john): Debug: acl: initializing backend with data: vfile:/srv/vmail/conf.d/acls:cache_secs=300
Sep 23 11:29:34 imap(john): Debug: acl: acl username = john
Sep 23 11:29:34 imap(john): Debug: acl: owner = 1
Sep 23 11:29:34 imap(john): Debug: acl vfile: Global ACL file: /srv/vmail/conf.d/acls
Sep 23 11:29:34 imap(john): Debug: quota: quota_over_flag check: STORAGE ret=1 value=4 limit=1048576
Sep 23 11:29:34 imap(john): Debug: quota: quota_over_flag check: MESSAGE ret=0 value=4 limit=0
Sep 23 11:29:34 imap(john): Debug: quota: quota_over_flag=0((null)) vs currently overquota=0
Sep 23 11:29:34 imap(john): Debug: acl vfile: file /srv/vmail/maildir/john/maildir/.&BB0ENQQ2BDUEOwQwBEIENQQ7BEwEPQQwBE8- &BD8EPgRHBEIEMA-/dovecot-acl not found
Sep 23 11:29:34 imap(john): Debug: acl vfile: file /srv/vmail/maildir/john/maildir/.&BCMENAQwBDsENQQ9BD0ESwQ1-/dovecot-acl not found
Sep 23 11:29:34 imap(john): Debug: acl vfile: file /srv/vmail/maildir/john/maildir/.&BB4EQgQ,BEAEMAQyBDsENQQ9BD0ESwQ1-/dovecot-acl not found
Sep 23 11:29:34 imap(john): Debug: acl vfile: file /srv/vmail/maildir/john/maildir/.Trash/dovecot-acl not found
Sep 23 11:29:34 imap(john): Debug: acl vfile: file /srv/vmail/maildir/john/maildir/dovecot-acl not found
Sep 23 11:29:34 imap(john): Debug: acl vfile: file /srv/vmail/maildir/john/maildir/dovecot-acl not found
...
Then the same thing happens a second time (Thunderbird), and a third time if the MUA is Outlook.
mail.log:
Sep 23 11:29:34 imap dovecot: imap-login: Login: user=<john>, method=NTLM, rip=192.168.66.236, lip=192.168.66.50, mpid=15290, session=<iwGtOSU9xtPAqELs>
Sep 23 11:29:44 imap dovecot: imap-login: Login: user=<john>, method=NTLM, rip=192.168.66.236, lip=192.168.66.50, mpid=15292, session=<pCtMOiU9ytPAqELs>
I can't figure out why a password is requested _every_ time a connection is made?
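An added example, not part of the original post: a small Python parser over the auth debug and mail.log lines quoted above (embedded here as constructed samples) that reconstructs each NTLM exchange (client messages, server challenges carrying data, outcome) and groups imap-login entries per user and client address, so repeated logins from one workstation can be counted and timed. The regexes assume the Dovecot 2.2 log layout shown in the post.

```python
import re
# Constructed samples: the log lines quoted in the post (sensitive base64 already <SKIP>ped).
AUTH_DEBUG = """\
Sep 23 11:29:34 auth: Debug: client in: AUTH 1 NTLM service=imap session=iwGtOSU9xtPAqELs lip=192.168.66.50 rip=192.168.66.236 lport=143 rport=54214
Sep 23 11:29:34 auth: Debug: client passdb out: CONT 1
Sep 23 11:29:34 auth: Debug: client in: CONT 1 <SKIP> (previous base64 data may contain sensitive data)
Sep 23 11:29:34 auth: Debug: client passdb out: CONT 1 <SKIP>
Sep 23 11:29:34 auth: Debug: client in: CONT 1 <SKIP> (previous base64 data may contain sensitive data)
Sep 23 11:29:34 auth: Debug: client passdb out: OK 1 user=john
"""
MAIL_LOG = """\
Sep 23 11:29:34 imap dovecot: imap-login: Login: user=<john>, method=NTLM, rip=192.168.66.236, lip=192.168.66.50, mpid=15290, session=<iwGtOSU9xtPAqELs>
Sep 23 11:29:44 imap dovecot: imap-login: Login: user=<john>, method=NTLM, rip=192.168.66.236, lip=192.168.66.50, mpid=15292, session=<pCtMOiU9ytPAqELs>
"""
# Patterns follow the Dovecot 2.2 auth-debug and imap-login line layout seen above (assumed).
AUTH_RE = re.compile(r"client in: AUTH (\d+) (\S+) .*session=(\S+) .*rip=(\S+)")
CONT_IN_RE = re.compile(r"client in: CONT (\d+)")
CONT_OUT_RE = re.compile(r"client passdb out: CONT (\d+)(?:\s+(\S+))?\s*$")
RESULT_RE = re.compile(r"client passdb out: (OK|FAIL) (\d+)(?: user=(\S+))?")
LOGIN_RE = re.compile(r"imap-login: Login: user=<([^>]*)>, method=(\w+), rip=(\S+), .*session=<([^>]*)>")
TIME_RE = re.compile(r"^\S+\s+\d+\s+(\d\d):(\d\d):(\d\d)")

def summarize_auth(text):
    """Per SASL request id: mechanism, client messages sent, server challenges with data, outcome."""
    reqs = {}
    for line in text.splitlines():
        if m := AUTH_RE.search(line):
            reqs[m.group(1)] = {"mech": m.group(2), "session": m.group(3), "rip": m.group(4),
                                "client_msgs": 1, "challenges": 0, "result": None, "user": None}
        elif (m := CONT_IN_RE.search(line)) and m.group(1) in reqs:
            reqs[m.group(1)]["client_msgs"] += 1
        elif (m := CONT_OUT_RE.search(line)) and m.group(1) in reqs:
            # A bare CONT only asks the client for its initial response; count CONTs carrying data.
            reqs[m.group(1)]["challenges"] += 1 if m.group(2) else 0
        elif (m := RESULT_RE.search(line)) and m.group(2) in reqs:
            reqs[m.group(2)].update(result=m.group(1), user=m.group(3))
    return reqs

def summarize_logins(text):
    """Group imap-login lines by (user, client IP): count, methods, seconds from first to last."""
    groups = {}
    for line in text.splitlines():
        m, t = LOGIN_RE.search(line), TIME_RE.match(line)
        if m and t:
            user, method, rip, _session = m.groups()
            secs = int(t.group(1)) * 3600 + int(t.group(2)) * 60 + int(t.group(3))
            g = groups.setdefault((user, rip), {"count": 0, "methods": set(), "times": []})
            g["count"] += 1; g["methods"].add(method); g["times"].append(secs)
    for g in groups.values():
        g["span_seconds"] = max(g["times"]) - min(g["times"])
    return groups
```

On the post's two mail.log lines it reports two NTLM logins from 192.168.66.236 ten seconds apart, each a separate imap-login session; the auth debug sample shows one request with three client messages, one data-carrying challenge and an OK for john.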