General discussion on installation and configuration of SOGo



Re: [SOGo] LDAP weirdness!


  • From: Davor Vusir < >
  • To: < >
  • Subject: Re: [SOGo] LDAP weirdness!
  • Date: Wed, 3 Apr 2013 11:31:35 +0200
  • Importance: Normal

It seems that Samba Team made a design decision with the release of Samba 4.0 RC5 that created this issue. With Samba v4.0.3 Samba Team reverted the settings.
 
If you add ‘acl:search=false’ to the global section of smb.conf it works to authenticate “on behalf of”.
 
Regards
Davor Vusir
 
vi /etc/samba/smb.conf:
#acl:read = false
acl:search=false
 
root@mail:~# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
. login Pa$$w0rd
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS QUOTA] Logged in
. examine inbox
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS ()] Read-only mailbox.
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1364971765] UIDs valid
* OK [UIDNEXT 1] Predicted next UID
* OK [HIGHESTMODSEQ 1] Highest
. OK [READ-ONLY] Select completed.
 
samba -d5 -i -M single:
filter=(&(userPrincipalName= )(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
auth_check_password_send: Checking password for unmapped user [EXAMPLE]\[davor]@[(null)]
auth_check_password_send: mapped user is: [EXAMPLE]\[davor]@[(null)]
[0000] 4C 9B BA 1D B7 17 19 27                            L......'
authsam_account_ok: Checking SMB password for user davor
logon_hours_ok: No hours restrictions for user davor
auth_check_password_recv: sam_ignoredomain authentication for user [EXAMPLE\davor] succeeded
 
/var/log/dovecot.log:
Apr 03 08:49:13 imap-login: Info: Login: user=< >, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=2410, secured
Apr 03 08:50:36 imap( ): Info: Connection closed bytes=17/559
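The "on behalf of" lookup the reply refers to, as an added example that is not part of the thread: a Python model of the Dovecot pass filter seen in the samba trace (bind as the service account, find the user by userPrincipalName, reject disabled accounts via the bitwise-AND rule), with a flag standing in for acl:search, which when false stops the server hiding search results the bound account may not read. The directory entries, their read lists, BIND_DN and the helper names are constructed assumptions, not Samba's real ACL defaults.

```python
# Added example, not from the thread: model of the Dovecot-style LDAP lookup against
# Samba 4 AD. Entries, read lists and helper names are constructed for illustration.
from typing import Dict, List, Optional

UAC_ACCOUNTDISABLE = 0x2  # bit tested by the 1.2.840.113556.1.4.803 (bitwise AND) rule
BIND_DN = "CN=vmailer,CN=Users,DC=example,DC=com"  # service account from the thread

def ldap_escape(value: str) -> str:
    """RFC 4515 escaping so a login name cannot inject filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_pass_filter(upn: str) -> str:
    """The filter from the samba -d5 trace, with the user-supplied UPN escaped."""
    return ("(&(userPrincipalName=%s)(objectClass=person)"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" % ldap_escape(upn))

def entry_matches(entry: Dict, upn: str) -> bool:
    """Evaluate the filter's three clauses against one entry (UPN compare is case-insensitive)."""
    return (entry.get("userPrincipalName", "").lower() == upn.lower()
            and "person" in entry.get("objectClass", [])
            and not int(entry.get("userAccountControl", 0)) & UAC_ACCOUNTDISABLE)

def search(directory: List[Dict], upn: str, bind_dn: str, acl_search: bool) -> Optional[str]:
    """DN of the matching user as returned to the bound account, or None.
    acl_search=True models a server that drops entries the bind DN may not read from
    search results; acl_search=False models 'acl:search = false' in smb.conf."""
    for e in directory:
        if acl_search and bind_dn not in e["readable_by"]:
            continue  # hidden by the search ACL check: the filter never sees it
        if entry_matches(e, upn):
            return e["dn"]
    return None

# Constructed directory: davor's entry is not readable by the vmailer service account.
DIRECTORY = [
    {"dn": "CN=Davor Vusir,CN=Users,DC=example,DC=com",
     "userPrincipalName": "davor@example.com", "objectClass": ["top", "person", "user"],
     "userAccountControl": 512,  # NORMAL_ACCOUNT, enabled
     "readable_by": ["CN=Davor Vusir,CN=Users,DC=example,DC=com"]},
    {"dn": "CN=Old User,CN=Users,DC=example,DC=com",
     "userPrincipalName": "old@example.com", "objectClass": ["top", "person", "user"],
     "userAccountControl": 514,  # NORMAL_ACCOUNT | ACCOUNTDISABLE
     "readable_by": [BIND_DN]},
]

def passdb_lookup(upn: str, acl_search: bool) -> Optional[str]:
    """What Dovecot's passdb gets back: a DN to bind as, or None ('Authentication failed.')."""
    return search(DIRECTORY, upn, BIND_DN, acl_search)
```

With search ACLs enforced the service account gets no entry back and Dovecot reports the same "Authentication failed." as in the thread, even though the password is right.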
 
Hi all!
 
Thank you, SOGo Team, for a great product and the convenient installation and configuration of the several complex techniques that SOGo contains. Great work! It's bliss.
 
I have also found iRedmail (www.iredmail.org). Great stuff too. And a recipe to combine the two: https://www.tribalchicken.com.au/?p=56.
 
But how about combining Samba4 AD DS, iRedmail with Openchange/SOGo on top? An all-in-one package with mailwash and IMAP authentication, amongst other good things.
 
Unfortunately, I can't get this combination to work; packaged Samba (v4.0.1), provided by Inverse, and iRedmail. All install fine and the Postfix authentication and LDAP lookup work fine, but IMAP/Dovecot authentication against Samba fails with an "Authentication failed." response. Same goes for Samba v4.0.1 downloaded from Samba Team. With version 4.0.4 it works fine though.
 
In short, I start with installing iRedmail, continue with Samba and modify the iRedmail configuration to work with an Active Directory (http://www.iredmail.org/wiki/index.php?title=Integration/Active.Directory.iRedMail). 
 
Has anybody experienced this? Solutions? Am I missing something or is it rather a bug in Samba v4.0.1 than LDAP weirdness?
 
Thank you
Davor Vusir
 
--
 
Inverse, Samba:
Postfix:
root@mail:~# samba-tool user add vmailer Pa$$w0rd --description="Postfix/Dovecot LDAP Account"
User 'vmailer' created successfully
root@mail:~# samba-tool user add davor Pa$$w0rd --surname=Vusir --given-name=Davor
User 'davor' created successfully
root@mail:~# samba-tool group add test --mail-address=
Added group test
root@mail:~# samba-tool group addmembers test davor
Added members to group test
root@mail:~# postmap -q  ldap:/etc/postfix/ad_sender_login_maps.cf
root@mail:~# postmap -q  ldap:/etc/postfix/ad_virtual_mailbox_maps.cf
example.com/davor/Maildir/
root@mail:~# postmap -q  ldap:/etc/postfix/ad_virtual_group_maps.cf
root@mail:~#
 
Dovecot:
root@mail:~# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
. login Pa$$w0rd
. NO [AUTHENTICATIONFAILED] Authentication failed.
^[^]
telnet> q
 
/var/log/dovecot.log:
Mar 26 10:38:43 anvil: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Mar 26 10:38:43 log: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Mar 26 10:43:40 master: Info: Dovecot v2.0.19 starting up (core dumps disabled)
Mar 26 10:56:52 imap-login: Info: Disconnected (auth failed, 1 attempts): user=< >, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
 
--
 
 
Samba (root@mail:/usr/local/samba/sbin/samba -d5 -i -M single):
postmap -q  ldap:/etc/postfix/ad_sender_login_maps.cf:
ldb_request SUB dn=cn=users,dc=example,dc=com filter=(&(userPrincipalName= )(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
imessaging: cleaning up /usr/local/samba/private/smbd.tmp/msg/msg.0.78
single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
 
postmap -q  ldap:/etc/postfix/ad_virtual_mailbox_maps.cf:
ldb_request SUB dn=cn=users,dc=example,dc=com filter=(&(objectclass=person)(userPrincipalName= ))
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
imessaging: cleaning up /usr/local/samba/private/smbd.tmp/msg/msg.0.78
single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
 
postmap -q  ldap:/etc/postfix/ad_virtual_group_maps.cf:
ldb_request SUB dn=cn=users,dc=example,dc=com filter=(&(objectClass=group)(mail= ))
ldb_request BASE dn=CN=Davor Vusir,CN=Users,DC=example,DC=com filter=(objectclass=*)
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
 
auth_check_password_send: Checking password for unmapped user [EXAMPLE]\[vmailer]@[(null)]
auth_check_password_send: mapped user is: [EXAMPLE]\[vmailer]@[(null)]
[0000] 69 CD CE 3F 71 65 C9 CC                            i..?qe..
authsam_account_ok: Checking SMB password for user vmailer
logon_hours_ok: No hours restrictions for user vmailer
auth_check_password_recv: sam_ignoredomain authentication for user [EXAMPLE\vmailer] succeeded
 
 
root@mail:~# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
. login Pa$$w0rd
. NO [AUTHENTICATIONFAILED] Authentication failed.
^]
telnet> q
 
--
 
Samba Team, Samba v4.0.4 (/usr/local/samba/sbin/samba -d5 -i -M single):
 
 
ldb_request SUB dn=cn=users,dc=example,dc=com filter=(&(objectclass=person)(userPrincipalName= ))
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
 
ldb_request BASE dn=CN=Davor Vusir,CN=Users,DC=example,DC=com filter=(objectclass=*)
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
 
auth_check_password_send: Checking password for unmapped user [EXAMPLE]\[vmailer]@[(null)]
auth_check_password_send: mapped user is: [EXAMPLE]\[vmailer]@[(null)]
[0000] FE D5 D6 87 31 FC 68 A7                            ....1.h.
authsam_account_ok: Checking SMB password for user vmailer
logon_hours_ok: No hours restrictions for user vmailer
auth_check_password_recv: sam_ignoredomain authentication for user [EXAMPLE\vmailer] succeeded
 
ldb_request SUB dn=cn=users,dc=example,dc=com filter=(&(userPrincipalName= )(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
auth_check_password_send: Checking password for unmapped user [EXAMPLE]\[davor]@[(null)]
auth_check_password_send: mapped user is: [EXAMPLE]\[davor]@[(null)]
[0000] 27 C2 52 40 FF 7C F3 F2                            '.R@.|..
authsam_account_ok: Checking SMB password for user davor
logon_hours_ok: No hours restrictions for user davor
auth_check_password_recv: sam_ignoredomain authentication for user [EXAMPLE\davor] succeeded
 
dovecot.log:
Mar 26 20:25:16 imap-login: Info: Login: user=< >, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=31179, secured
Mar 26 20:25:16 imap( ): Error: user : Initialization failed: Namespace '': mkdir(/var/vmail/vmail1/example.com/davor/Maildir) failed: Permission denied (euid=1001(vmail) egid=1001(vmail) missing +w perm: /var, dir owned by 0:0 mode=0755)
Mar 26 20:25:16 imap( ): Error: Invalid user settings. Refer to server log for more information.
Mar 26 20:28:11 anvil: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Mar 26 20:28:11 log: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Mar 26 20:28:11 master: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Mar 26 20:28:17 master: Info: Dovecot v2.0.19 starting up (core dumps disabled)
Mar 26 20:28:54 imap-login: Info: Login: user=< >, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=31393, secured
Mar 26 20:31:19 imap( ): Info: Connection closed bytes=40/714
 
root@mail:/usr/local/samba/bin# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
. login Pa$$w0rd
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS QUOTA] Logged in
. examine inbox
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS ()] Read-only mailbox.
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1364326146] UIDs valid
* OK [UIDNEXT 1] Predicted next UID
* OK [HIGHESTMODSEQ 1] Highest
. OK [READ-ONLY] Select completed.
. bye
^]
telnet> q
Connection closed.



Archive powered by MHonArc 2.6.18.
