[Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs
Yubao Liu
yubao.liu at gmail.com
Sun Jan 8 04:56:33 EET 2012
Hi Timo,
Did you review the patches in the previous email? I tested both patches against
my configuration (pasted in this thread too); they both work well. I prefer
the first patch, but I'm not sure whether it breaks something else.
Regards,
Yubao Liu
On 01/07/2012 11:36 AM, Yubao Liu wrote:
> On 01/07/2012 01:51 AM, Timo Sirainen wrote:
>> On 6.1.2012, at 19.45, Yubao Liu wrote:
>>> On 01/07/2012 12:44 AM, Timo Sirainen wrote:
>>>> On Sat, 2012-01-07 at 00:15 +0800, Yubao Liu wrote:
>>>>> I don't know why this function doesn't check auth->masterdbs. If I
>>>>> insert these lines after line 128, that error goes away, and dovecot's
>>>>> imap-login process happily does DIGEST-MD5 authentication [1].
>>>>> In my configuration, "masterdbs" contains "passdb passwd-file",
>>>>> "passdbs" contains "passdb pam".
>>>> So .. you want DIGEST-MD5 authentication for the master users, but not
>>>> for anyone else? I hadn't really thought anyone would want that..
>>> Is there any special reason that master passdb isn't taken into
>>> account in src/auth/auth.c:auth_passdb_list_have_lookup_credentials() ?
>>> I feel master passdb is also a kind of passdb.
>> I guess it could be changed. It wasn't done intentionally that way.
>>
> I guess this change broke the old way:
> http://hg.dovecot.org/dovecot-2.0/rev/b05793c609ac
>
> In the old version, "auth->passdbs" contained all passdbs; this revision
> changes "auth->passdbs" to only contain non-master passdbs.
>
> I'm not sure which fix is better, or even whether my proposal is correct or complete:
> a) in src/auth/auth.c:auth_passdb_preinit(), insert the master passdb into
> auth->passdbs too, and remove the duplicate code for masterdbs
> in auth_init() and auth_deinit().
>
> b) add similar code for masterdbs in
> auth_passdb_list_have_verify_plain(),
> auth_passdb_list_have_lookup_credentials(),
> auth_passdb_list_have_set_credentials().
>>> This is exactly my use case: I use Kerberos for system users.
>>> I'm curious why the master passdb isn't used to check the
>>> "have_lookup_credentials" ability:
>>> http://wiki2.dovecot.org/Authentication/MultipleDatabases
>>>> Currently the fallback works only with the PLAIN authentication
>>>> mechanism.
>>> I hope this limitation can be relaxed.
>> It might already be .. I don't remember. In any case you have only
>> PAM passdb, so it shouldn't matter. GSSAPI isn't a passdb.
> If the fix above is added, then I can use CRAM-MD5 with the master
> passwd-file passdb and the normal pam passdb; otherwise the imap-login
> process can't start up, due to the check in
> auth_mech_list_verify_passdb().
>
> Attached are two patches against the dovecot-2.0 branch for the two schemes;
> the first is cleaner but may affect other logic in other source files.
>
>
> Another related question is the "pass" option in the master passdb: if I set
> it to "yes", authentication fails:
> Jan 7 11:26:00 gold dovecot: auth: Debug: client in: AUTH#0111#011CRAM-MD5#011service=imap#011secured#011lip=127.0.1.1#011rip=127.0.0.1#011lport=143#011rport=51771
> Jan 7 11:26:00 gold dovecot: auth: Debug: client out: CONT#0111#011PDk4NjcwMDY1MTU3NzI3MjguMTMyNTkwNjc2MEBnb2xkPg==
> Jan 7 11:26:00 gold dovecot: auth: Debug: client in: CONT#0111#011ZGlla2VuKndlYm1haWwgYmNkMzFiMWE1YjQ1OWQ0OGRkZWQ4ZmIzZDhmMjVhZTc=
> Jan 7 11:26:00 gold dovecot: auth: Debug: auth(webmail,127.0.0.1,master): Master user lookup for login: dieken
> Jan 7 11:26:00 gold dovecot: auth: Debug: passwd-file(webmail,127.0.0.1,master): lookup: user=webmail file=/etc/dovecot/master-users
> Jan 7 11:26:00 gold dovecot: auth: passdb(webmail,127.0.0.1,master): Master user logging in as dieken
> Jan 7 11:26:00 gold dovecot: auth: Error: passdb(dieken,127.0.0.1): No passdbs support skipping password verification - pass=yes can't be used in master passdb
> Jan 7 11:26:00 gold dovecot: auth: Debug: password(dieken,127.0.0.1): passdb doesn't support credential lookups
>
> My normal passdb is a PAM passdb, and it doesn't support credential
> lookups; that's reasonable, but I feel the comment for the "pass" option is
> confusing:
>
> $ less /etc/dovecot/conf.d/auth-master.conf.ext
> ....
> # Example master user passdb using passwd-file. You can use any passdb though.
> passdb {
>   driver = passwd-file
>   master = yes
>   args = /etc/dovecot/master-users
>
>   # Unless you're using PAM, you probably still want the destination user to
>   # be looked up from passdb that it really exists. pass=yes does that.
>   pass = yes
> }
>
> According to the comment, it's to check whether the real user exists, so why
> not check the userdb instead of another passdb? Even if it must check against
> a passdb, in this case it's obviously not necessary to look up credentials;
> it's enough to look up the user name only.
>
> Regards,
> Yubao Liu
>
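A worked example of the CRAM-MD5 exchange captured in the debug log above, added here as an illustration; it is not Dovecot code and not part of the thread. It decodes the two CONT payloads from the log (assuming, as the log shows, that the master-user separator is `*`) and then re-implements the server-side check a passdb has to perform for CRAM-MD5: recompute HMAC-MD5(password, challenge) from stored credentials and compare it with the client's digest. The master password file here is a constructed stand-in, since the real one is not on the page, so the logged digest itself cannot be checked; the point it shows is that a passdb which can only verify a plaintext password (PAM) has no credentials to hand back, which is what the "passdb doesn't support credential lookups" line in the log means.

```python
"""CRAM-MD5 master-user login, as seen in the Dovecot debug log above.

Added example, not Dovecot code. Decodes the logged exchange and
re-implements the server-side digest check that needs stored credentials.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Dovecot splits "login_user<sep>master_user"; the log shows '*' in use.
MASTER_USER_SEPARATOR = "*"

# Payloads copied from the debug log above (server challenge, client reply).
LOGGED_CHALLENGE_B64 = "PDk4NjcwMDY1MTU3NzI3MjguMTMyNTkwNjc2MEBnb2xkPg=="
LOGGED_RESPONSE_B64 = "ZGlla2VuKndlYm1haWwgYmNkMzFiMWE1YjQ1OWQ0OGRkZWQ4ZmIzZDhmMjVhZTc="

# Constructed stand-in for /etc/dovecot/master-users. The real master
# password is not on the page, so the logged digest cannot be verified.
MASTER_USERS = {"webmail": "correct horse battery staple"}


def decode_logged_exchange() -> Tuple[str, str]:
    """Return the decoded (challenge, response) strings from the log."""
    return (base64.b64decode(LOGGED_CHALLENGE_B64).decode(),
            base64.b64decode(LOGGED_RESPONSE_B64).decode())


def make_challenge(hostname: str) -> bytes:
    """Server side: an RFC 2195 style '<random.timestamp@host>' challenge."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{hostname}>".encode()


def cram_md5_response(authid: str, password: str, challenge: bytes) -> bytes:
    """Client side: 'authid hex(HMAC-MD5(password, challenge))'."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{authid} {digest}".encode()


def parse_response(response: bytes) -> Tuple[str, Optional[str], str]:
    """Split a CRAM-MD5 reply into (login_user, master_user, hex_digest).

    master_user is None when no separator is present (an ordinary login).
    """
    text = response.decode()
    try:
        authid, digest = text.rsplit(" ", 1)
    except ValueError:
        raise ValueError("malformed CRAM-MD5 response") from None
    if MASTER_USER_SEPARATOR in authid:
        login_user, master_user = authid.split(MASTER_USER_SEPARATOR, 1)
    else:
        login_user, master_user = authid, None
    return login_user, master_user, digest


def verify_master_login(challenge: bytes, response: bytes) -> Tuple[bool, Optional[str]]:
    """Server side: the check a credential-lookup passdb does for CRAM-MD5.

    Returns (ok, login_user). The stored secret is required to recompute
    the digest; a passdb that can only *verify* a plaintext password
    (PAM) cannot serve this mechanism, hence the error in the log.
    """
    login_user, master_user, digest = parse_response(response)
    if master_user is None:
        return False, None
    password = MASTER_USERS.get(master_user)
    if password is None:
        return False, None
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    # Constant-time compare so a mismatch does not leak digest prefixes.
    if not hmac.compare_digest(expected, digest):
        return False, None
    return True, login_user


if __name__ == "__main__":
    print(decode_logged_exchange())
    chal = make_challenge("gold")
    resp = cram_md5_response("dieken*webmail", MASTER_USERS["webmail"], chal)
    print(verify_master_login(chal, resp))
```

Decoding the logged payloads gives the challenge `<9867006515772728.1325906760@gold>` and the reply `dieken*webmail <hex digest>`, i.e. user dieken logging in via master user webmail; the rest of the block shows what the passdb serving webmail must be able to do with that digest.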