[Dovecot] Dot in user name. Was: Re: Apple patch 9

Giuliano Gavazzi dev+lists at humph.com
Tue Jan 6 17:02:13 EET 2009


Here is the reason for the login failure on Mac OS X (Server) when
using secondary short names:

the unix username is x_y, the additional short name (accepted for  
authentication) is x.y:


Jan  6 15:38:58 dns dovecot[281]: Fatal: auth(default): BROKEN NSS IMPLEMENTATION: getpwnam() lookup returned different user than was requested (x_y != x.y).
Jan  6 15:38:58 dns dovecot[281]: imap-login: Internal login failure (auth failed, 1 attempts): user=<x.y>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured


the secure.log reports no errors:

Jan  6 15:38:58 dns com.apple.SecurityServer[35]: checkpw() succeeded, creating credential for user x.y
Jan  6 15:38:58 dns com.apple.SecurityServer[35]: checkpw() succeeded, creating shared credential for user x.y
Jan  6 15:38:58 dns com.apple.SecurityServer[35]: Succeeded authorizing right system.login.tty by client /usr/local/libexec/dovecot/dovecot-auth for authorization created by /usr/local/libexec/dovecot/dovecot-auth.

Back in 2006 Timo wrote in response to the same problem: "Well, you  
could simply remove the check from src/auth/userdb-passwd.c. Perhaps I  
could make this also optional. I'd anyway not want to remove that  
check completely because nss_ldap is still not fixed."

This is not vital, but perhaps it is time to allow control on this  
behaviour that seems to potentially affect various platforms? Or  
perhaps should getpwnam return the short user name that matches the  
passwd field supplied (if it exists)?

Giuliano

