Occasional mail auth failures for AD users in a service ACL

  • #367629
    emailman
    Participant

    I’m running webmail on OS X Server 10.4.7. It’s bound to a W2K3 domain (2 DCs) having about 4500 student users. I’ve granted mail access (service ACL) to 6 AD student groups plus a few local users. All works fine most of the time, however, I see occasional login or posting (to mailbox) failures saying the service ACL is not enabled for the user. When I do
    $ id username
    the user shows up fine and includes the 500(com.apple.access_mail) group in the groups listing. Network traffic between this mail server and the Windows DCs seems to be fine (all on 1000baseT). There is rarely one lone failure; most failures seem to be happening at about the same time, which makes me think it might be when the DC is busy. Replication between the 2 DCs seems to be fine. Currently netstat shows connections to the primary DC: [code]$ netstat -a -n -p tcp | grep 172.16.0.2[35]
    tcp4 0 0 172.16.0.31.52481 172.16.0.23.389 ESTABLISHED
    tcp4 0 0 172.16.0.31.51493 172.16.0.23.3268 ESTABLISHED
    tcp4 0 0 172.16.0.31.57097 172.16.0.23.445 ESTABLISHED[/code]
    I’ve got DirectoryService in debug mode and am waiting for the error to happen again. I will post the ADPlugin output when that happens.
    Here’s my AD bind config (scrubbed) [code]$ dsconfigad -show
    You are bound to Active Directory:
    Active Directory Forest = domain.int
    Active Directory Domain = domain.int
    Computer Account = comp-webmail

    Advanced Options – User Experience
    Create mobile account at login = Disabled
    Require confirmation = Enabled
    Force home to startup disk = Disabled
    Use Windows UNC path for home = Disabled
    Network protocol to be used = smb:
    Default user Shell = not set

    Advanced Options – Mappings
    Mapping UID to attribute = not set
    Mapping user GID to attribute = not set
    Mapping group GID to attribute = not set

    Advanced Options – Administrative
    Preferred Domain controller = not set
    Allowed admin groups = DOMAIN/domain admins,DOMAIN/enterprise admins
    Authentication from any domain = Disabled

    Advanced Options – Static maps
    None[/code]
    Here’s the SACL: [code]$ niutil -read . /groups/com.apple.access_mail
    name: com.apple.access_mail
    gid: 500
    generateduid: 8AFC0298-ED95-4589-9E46-C3E3B184293A
    users: postmaster tuser webmail
    groupmembers: D7952ECF-8E9B-4A48-B378-01CC62917686 7B262330-41F1-4952-8435-169E07D819C0 ABFE490D-79B0-48F2-9387-3F5C10898909
    nestedgroups: 36067CE8-9DF1-49DD-A1B1-2E319C623A65 54FE96B2-1A67-47A9-8D6A-8595B2BFB92C F5FC7E3F-9A49-4D5D-9100-A89EF4C2C149 4D4C6A43-E7F8-4380-970C-1712260B75BD 55201AC1-58C4-41AE-8D4D-35F3C06D882B CCBDF010-6DD7-43F8-A752-C6C74C0B0023 4D603080-34B6-4F40-8A3F-70CEEB25625A[/code]
    Here are some examples from today’s /var/log/mailaccess.log (scrubbed): [code]Nov 16 06:33:54 comp-webmail imap[14041]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 06:34:15 comp-webmail imap[13857]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 06:34:23 comp-webmail imap[14041]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 06:34:24 comp-webmail imap[13706]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 06:34:32 comp-webmail imap[13857]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 06:34:41 comp-webmail imap[13477]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 06:34:54 comp-webmail imap[14041]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 06:35:07 comp-webmail imap[13706]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 06:35:29 comp-webmail imap[14041]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 09:18:24 comp-webmail imap[16082]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 09:18:30 comp-webmail imap[15781]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 09:18:30 comp-webmail lmtpunix[16071]: warning: unable to post message for user: (user), service ACL is not enabled for this user
    Nov 16 09:18:31 comp-webmail imap[15846]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 09:18:37 comp-webmail imap[15763]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 09:18:39 comp-webmail imap[15849]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 09:18:43 comp-webmail imap[15848]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 09:18:45 comp-webmail imap[15990]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 09:18:46 comp-webmail imap[16082]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 09:18:53 comp-webmail imap[15781]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 09:18:56 comp-webmail imap[16081]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 09:18:59 comp-webmail lmtpunix[16071]: warning: unable to post message for user: (user), service ACL is not enabled for this user
    Nov 16 09:18:59 comp-webmail lmtpunix[16064]: warning: unable to post message for user: (user), service ACL is not enabled for this user
    Nov 16 09:18:59 comp-webmail lmtpunix[16071]: warning: unable to post message for user: (user), service ACL is not enabled for this user
    Nov 16 09:18:59 comp-webmail imap[15849]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 09:19:04 comp-webmail lmtpunix[16071]: warning: unable to post message for user: (user), service ACL is not enabled for this user
    Nov 16 09:19:05 comp-webmail lmtpunix[16064]: warning: unable to post message for user: (user), service ACL is not enabled for this user
    Nov 16 09:19:05 comp-webmail imap[15990]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 09:19:08 comp-webmail imap[16082]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 09:19:09 comp-webmail lmtpunix[16071]: warning: unable to post message for user: (user), service ACL is not enabled for this user
    Nov 16 09:19:14 comp-webmail imap[15721]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 09:19:26 comp-webmail lmtpunix[16064]: warning: unable to post message for user: (user), service ACL is not enabled for this user
    Nov 16 09:19:40 comp-webmail lmtpunix[16099]: warning: unable to post message for user: (user), service ACL is not enabled for this user
    Nov 16 09:19:43 comp-webmail lmtpunix[16064]: warning: unable to post message for user: (user), service ACL is not enabled for this user
    Nov 16 09:19:58 comp-webmail lmtpunix[16099]: warning: unable to post message for user: (user), service ACL is not enabled for this user
    Nov 16 09:19:58 comp-webmail imap[15848]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user
    Nov 16 09:20:24 comp-webmail imap[15990]: badlogin from: localhost [::1]. plaintext user: (user). service ACL is not enabled for this user[/code]
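The post above rests on one observation: the denials arrive in clumps (06:33-06:35, 09:18-09:20) rather than one at a time, and they hit both IMAP logins and LMTP deliveries across several Cyrus processes at once, which is what you would expect if the SACL lookup behind them briefly fails rather than if individual users were really missing from the group. The script below is an added example for checking that hypothesis against a real mailaccess.log; it is not code from the original thread. It parses lines in the format shown above, keeps only the "service ACL is not enabled" denials, and groups them into time windows so isolated denials (likely genuine non-members) can be told apart from bursts. The sample log, user names and PIDs are constructed for the example, and the year 2006 is an assumption, since syslog timestamps carry none.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

# Syslog-style line as written by Cyrus imapd/lmtpd on OS X Server:
#   "Nov 16 06:33:54 host imap[14041]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[a-z]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SACL_DENY = "service ACL is not enabled for this user"
# Pulls the user out of "plaintext user: (alice)." or "for user: (alice),"
USER_RE = re.compile(r"user: \(?(?P<user>[^)\s,]+)\)?")


def parse_line(line: str, year: int = 2006) -> Optional[dict]:
    """Return an event dict for a SACL-denial line, None for anything else.
    The syslog timestamp has no year, so the caller supplies one (assumed 2006)."""
    m = LINE_RE.match(line.strip())
    if not m or SACL_DENY not in m["msg"]:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    u = USER_RE.search(m["msg"])
    return {
        "ts": ts,
        "proc": m["proc"],  # imap (login attempt) or lmtpunix (delivery)
        "pid": int(m["pid"]),
        "user": u["user"] if u else None,
        "kind": "login" if m["proc"].startswith("imap") else "delivery",
    }


def find_bursts(events, window=timedelta(seconds=60), min_count=3):
    """Group denials that fall within `window` of the first denial in the group.
    Only groups of at least `min_count` events are reported: one lone denial is
    probably a real non-member; several users denied in the same minute across
    several imap/lmtp processes points at the directory lookup behind the SACL."""
    events = sorted(events, key=lambda e: e["ts"])
    bursts = []
    i = 0
    while i < len(events):
        start = events[i]["ts"]
        j = i
        while j + 1 < len(events) and events[j + 1]["ts"] - start <= window:
            j += 1
        group = events[i:j + 1]
        if len(group) >= min_count:
            bursts.append({
                "start": start,
                "end": group[-1]["ts"],
                "count": len(group),
                "logins": sum(1 for e in group if e["kind"] == "login"),
                "deliveries": sum(1 for e in group if e["kind"] == "delivery"),
                "pids": len({e["pid"] for e in group}),
                "users": sorted({e["user"] for e in group if e["user"]}),
            })
        i = j + 1
    return bursts


def analyse(text: str, year: int = 2006):
    """Parse a log excerpt and return (denial events, bursts)."""
    events = [e for e in (parse_line(l, year) for l in text.splitlines()) if e]
    return events, find_bursts(events)


# Constructed sample in the same format as the real mailaccess.log excerpt;
# the user names and PIDs are made up for this example.
SAMPLE_LOG = """\
Nov 16 06:33:54 comp-webmail imap[14041]: badlogin from: localhost [::1]. plaintext user: (alice). service ACL is not enabled for this user
Nov 16 06:34:15 comp-webmail imap[13857]: badlogin from: localhost [::1]. plaintext user: (bob). service ACL is not enabled for this user
Nov 16 06:34:23 comp-webmail imap[14041]: badlogin from: localhost [::1]. plaintext user: (carol). service ACL is not enabled for this user
Nov 16 06:34:24 comp-webmail lmtpunix[13706]: warning: unable to post message for user: (dave), service ACL is not enabled for this user
Nov 16 07:50:02 comp-webmail imap[13990]: badlogin from: localhost [::1]. plaintext user: (nobody). service ACL is not enabled for this user
Nov 16 07:50:05 comp-webmail imap[13990]: login: localhost [::1] erin plaintext User logged in
Nov 16 09:18:24 comp-webmail imap[16082]: badlogin from: localhost [::1]. plaintext user: (frank). service ACL is not enabled for this user
Nov 16 09:18:30 comp-webmail lmtpunix[16071]: warning: unable to post message for user: (grace), service ACL is not enabled for this user
Nov 16 09:18:31 comp-webmail imap[15846]: badlogin from: localhost [::1]. plaintext user: (heidi). service ACL is not enabled for this user
"""

if __name__ == "__main__":
    events, bursts = analyse(SAMPLE_LOG)
    print(f"{len(events)} SACL denials, {len(bursts)} bursts")
    for b in bursts:
        print(f"  {b['start']:%H:%M:%S}-{b['end']:%H:%M:%S}: {b['count']} denials "
              f"({b['logins']} login, {b['deliveries']} delivery) "
              f"across {b['pids']} processes: {', '.join(b['users'])}")
```

Run it against the real file with `analyse(open('/var/log/mailaccess.log').read())`. If every burst contains users who show the com.apple.access_mail group when you run `id` on them, the problem is in the lookup path, not the ACL; a denial that stands alone and names a user `id` does not place in the group is an ordinary non-member.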

    #368195
    emailman
    Participant

    Upgrading to 10.4.8 seemed to fix the issue. Hallelujah!

    Apple’s notes included
    – directory service usage affecting Mail server performance

