Dovecot AD authentication failed. How to debug?


8:24 pm
December 19, 2010


Ran_Talbott

Arizona

New Member

posts 2

I have Dovecot IMAP (v1.2.12) installed on an Ubuntu 10.10 system.  Kerberos lib debs are version 1.8.1+dfsg-5ubuntu0.2.

I configured it for AD authentication per http://www.linuxmail.info/acti…..ntication/

except that I set up userdb as:

    userdb static {
      args = uid=501 gid=501 home=/var/mailstore/%n
    }

because I'm creating a dedicated filesystem for mail storage.

I verified with the "kinit" and "net ads join" tests that authentication via the AD server is working.

However, all my attempts to log in failed with "Authentication failed.".

It turns out that Ubuntu doesn't package /lib/security/pam_krb5.so with Kerberos.  There's a separate "libpam-krb5" package you need to install.  I found a "No such file or directory" error in /var/log/auth.log that tipped me off.  This may be different from Redhat/CentOS.

With the library installed,  the symptoms changed:  now I get:

    aaa1 login testing.testing xxxxxxxxxxx
    * OK Waiting for authentication process to respond..
    aaa1 NO [UNAVAILABLE] Temporary authentication failure.

/var/log/mail.log shows:

    Dec 19 13:40:04 IBMUBUNTU1 dovecot: auth-worker(default): pam(testing.testing,72.201.4.110): lookup service=dovecot
    Dec 19 13:40:04 IBMUBUNTU1 dovecot: auth-worker(default): pam(testing.testing,72.201.4.110): #1/1 style=1 msg=Password:
    Dec 19 13:41:04 IBMUBUNTU1 dovecot: auth(default): worker-server(testing.testing,72.201.4.110): Aborted: Lookup timed out

/var/log/auth.log shows:

    Dec 19 13:40:04 IBMUBUNTU1 dovecot-auth: unknown option no_user_check
    Dec 19 13:40:04 IBMUBUNTU1 dovecot-auth: unknown option validate
    Dec 19 13:41:04 IBMUBUNTU1 dovecot-auth: pam_krb5(dovecot:auth): user testing.testing authenticated as testing.testing@LAWLEY.LOCAL

The one-minute timeout (it's exactly 60 seconds on every try) is only slightly surprising: it takes about 90 seconds to run kinit (which I don't understand, and which is very worrisome, since the users will probably revolt if it really takes over a minute to access their email). What's really puzzling is that it appears PAM says the authentication worked, but Dovecot says it failed. I can't find a config parameter to adjust the authentication timeout, so I don't know how to tell which side (Dovecot or PAM) is failing. Any suggestions?

And is the long authentication time normal for a Linux client with Windoze Server 2003?

Thanks,

Ran
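
An added example, not part of the original post: a Python sketch that lines up the mail.log and auth.log excerpts quoted above per user and measures how many seconds after the lookup started the pam_krb5 result and Dovecot's abort were each logged. The function names, the regular expressions and the year handed to the parser (syslog timestamps carry none) are assumptions made for this example.

```python
import re
from datetime import datetime

# Log excerpts copied from the post above (mail.log, then auth.log).
MAIL_LOG = """\
Dec 19 13:40:04 IBMUBUNTU1 dovecot: auth-worker(default): pam(testing.testing,72.201.4.110): lookup service=dovecot
Dec 19 13:40:04 IBMUBUNTU1 dovecot: auth-worker(default): pam(testing.testing,72.201.4.110): #1/1 style=1 msg=Password:
Dec 19 13:41:04 IBMUBUNTU1 dovecot: auth(default): worker-server(testing.testing,72.201.4.110): Aborted: Lookup timed out
"""
AUTH_LOG = """\
Dec 19 13:40:04 IBMUBUNTU1 dovecot-auth: unknown option no_user_check
Dec 19 13:40:04 IBMUBUNTU1 dovecot-auth: unknown option validate
Dec 19 13:41:04 IBMUBUNTU1 dovecot-auth: pam_krb5(dovecot:auth): user testing.testing authenticated as testing.testing@LAWLEY.LOCAL
"""

STAMP = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
PATTERNS = {
    "lookup": re.compile(STAMP + r"dovecot: auth-worker\(\w+\): pam\(([^,]+),[^)]*\): lookup service="),
    "abort": re.compile(STAMP + r"dovecot: auth\(\w+\): worker-server\(([^,]+),[^)]*\): Aborted: Lookup timed out"),
    "pam_ok": re.compile(STAMP + r"dovecot-auth: pam_krb5\(\S+\): user (\S+) authenticated as "),
}

def parse(text, year=2010):
    """Return (time, kind, user) events; the year is an assumption supplied by the caller."""
    events = []
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
                events.append((ts, kind, m.group(2)))
    return events

def correlate(mail_log, auth_log):
    """Per user: seconds from lookup start to the PAM result and to Dovecot's abort,
    plus a flag set when the PAM result was logged no earlier than the abort."""
    report = {}
    for ts, kind, user in sorted(parse(mail_log) + parse(auth_log)):
        entry = report.setdefault(user, {})
        if kind == "lookup":
            entry["start"] = ts
        elif "start" in entry:
            entry[kind + "_after_s"] = (ts - entry["start"]).total_seconds()
    for entry in report.values():
        pam, abort = entry.get("pam_ok_after_s"), entry.get("abort_after_s")
        entry["pam_not_before_abort"] = pam is not None and abort is not None and pam >= abort
    return report

if __name__ == "__main__":
    print(correlate(MAIL_LOG, AUTH_LOG))
```
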
