I figured out how to make checkpassword work. There is a problem with the documentation. http://wiki2.dovecot.org/AuthDatabase/CheckPassword, under 'Security' says, "a. If possible, change the checkpassword to return userdb_uid and userdb_gid extra fields instead of using setuid() and setgid(). This also improves the performance." And, under 'Checkpassword Interface' it says, "Return the user's UNIX UID and GID using userdb_uid and userdb_gid environments and add them to the EXTRA environment ..."
I did all of this and it didn't work. However, when I added the userdb_home environment variable and added that to the EXTRA environment variable, it worked. I tried this because I happened upon http://wiki2.dovecot.org/UserDatabase/Prefetch which mentioned userdb_home. The http://wiki2.dovecot.org/AuthDatabase/CheckPassword needs to have this bit of information added in the appropriate place(s) or the developer/hackster will waste days trying to get checkpassword working until he/she stumbles across the userdb_home comment elsewhere.
Nevertheless, checkpassword turns out not to be the solution to my original problem, so I will keep on keepin' on ...
--Mark
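As an added example (my own code, not from this thread and not part of Dovecot), here is a minimal checkpassword program in C that follows the interface discussed above: it reads the qmail-style "user\0password\0timestamp\0" record Dovecot writes to fd 3, answers an AUTHORIZED=1 userdb lookup by setting AUTHORIZED=2, exports userdb_uid, userdb_gid and userdb_home and lists all three in EXTRA, and then execs the checkpassword-reply binary passed as argv[1]. The account table is a constructed stand-in for the ntlm_auth/AD check used in the thread, and the CP_* names, handle_request() and export_userdb_fields() are my own; the exit codes follow the checkpassword convention (0 ok, 1 rejected, 2 misuse, 111 temporary failure).

```c
/* Added example: a minimal Dovecot-style checkpassword program (not Dovecot code). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* checkpassword exit codes: 0 ok, 1 rejected, 2 misused, 111 temporary failure. */
enum { CP_OK = 0, CP_REJECTED = 1, CP_MISUSE = 2, CP_TEMP_FAIL = 111 };

/* Constructed account table; in the thread this role is played by ntlm_auth against AD. */
struct account { const char *user; const char *password; long uid; long gid; const char *home; };
static const struct account ACCOUNTS[] = {
    { "mark", "constructed-secret", 3000026, 100, "/home/mark" },   /* constructed sample */
};

/* Parse the "user\0password\0timestamp\0" record Dovecot writes to fd 3.
 * Returns 0 on success, -1 if the record is truncated or a field is too long. */
int parse_fd3_record(const char *buf, size_t len, char *user, size_t user_sz,
                     char *pass, size_t pass_sz)
{
    const char *end = buf + len;
    const char *nul = memchr(buf, '\0', len);
    if (nul == NULL) return -1;
    size_t ulen = (size_t)(nul - buf);
    if (ulen == 0 || ulen >= user_sz) return -1;
    memcpy(user, buf, ulen); user[ulen] = '\0';

    const char *p = nul + 1;
    nul = memchr(p, '\0', (size_t)(end - p));
    if (nul == NULL) return -1;                 /* password field never terminated */
    size_t plen = (size_t)(nul - p);
    if (plen >= pass_sz) return -1;
    memcpy(pass, p, plen); pass[plen] = '\0';   /* empty password is legal for userdb lookups */
    return 0;
}

/* Constant-time string comparison so a wrong password does not leak by timing. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), n = la < lb ? la : lb;
    unsigned char diff = (unsigned char)(la ^ lb);
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

static const struct account *find_account(const char *user)
{
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].user, user) == 0) return &ACCOUNTS[i];
    return NULL;
}

/* Export the userdb fields and name every one of them in EXTRA. The prefetch
 * userdb needs uid, gid and home; the thread's finding is that leaving
 * userdb_home out makes the login fail even though passdb reports OK. */
int export_userdb_fields(long uid, long gid, const char *home)
{
    char uid_s[32], gid_s[32];
    snprintf(uid_s, sizeof uid_s, "%ld", uid);
    snprintf(gid_s, sizeof gid_s, "%ld", gid);
    if (setenv("userdb_uid", uid_s, 1) != 0 || setenv("userdb_gid", gid_s, 1) != 0 ||
        setenv("userdb_home", home, 1) != 0 ||
        setenv("EXTRA", "userdb_uid userdb_gid userdb_home", 1) != 0)
        return -1;
    return 0;
}

/* Returns the exit code for one request; CP_OK means "exec checkpassword-reply".
 * is_userdb_lookup is true when Dovecot set AUTHORIZED=1 (no password check). */
int handle_request(const char *user, const char *pass, int is_userdb_lookup)
{
    const struct account *acct = find_account(user);
    if (acct == NULL) return CP_REJECTED;
    if (is_userdb_lookup) {
        if (setenv("AUTHORIZED", "2", 1) != 0) return CP_TEMP_FAIL;   /* acknowledge the lookup */
    } else if (!ct_equal(pass, acct->password)) {
        return CP_REJECTED;
    }
    if (export_userdb_fields(acct->uid, acct->gid, acct->home) != 0) return CP_TEMP_FAIL;
    return CP_OK;
}

int main(int argc, char **argv)
{
    if (argc < 2) return CP_MISUSE;                 /* argv[1] must be checkpassword-reply */
    char buf[1024], user[256], pass[256];
    size_t n = 0;
    for (;;) {                                      /* read the whole fd-3 record */
        ssize_t r = read(3, buf + n, sizeof buf - n);
        if (r < 0) return CP_TEMP_FAIL;
        if (r == 0 || (n += (size_t)r) == sizeof buf) break;
    }
    close(3);
    if (parse_fd3_record(buf, n, user, sizeof user, pass, sizeof pass) != 0) return CP_MISUSE;
    const char *authorized = getenv("AUTHORIZED");
    int rc = handle_request(user, pass, authorized != NULL && strcmp(authorized, "1") == 0);
    memset(pass, 0, sizeof pass); memset(buf, 0, sizeof buf);   /* do not leave the secret around */
    if (rc != CP_OK) return rc;
    execl(argv[1], argv[1], (char *)NULL);          /* hand the userdb_* fields back to Dovecot */
    return CP_TEMP_FAIL;                            /* only reached if execl() failed */
}
```

Because the uid and gid are returned as userdb fields, the program never calls setuid()/setgid() itself, so checkpassword-reply does not need to be sgid dovecot and INSECURE_SETUID is not required. The reply binary inherits the environment, which is why every field Dovecot should pick up must be both exported and named in EXTRA.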
-----Original Message-----
From: Mark Foley mfoley@ohprs.org
Date: Fri, 11 Sep 2015 21:57:40 -0400
To: dovecot@dovecot.org
Subject: Re: Need help on checkpassword userdb/passdb
[grumpy bit deleted]
To follow up on my previous posting in this thread, I'm trying to get checkpassword to work. I have confirmed that it is setting the environment variables as described in (http://wiki2.dovecot.org/AuthDatabase/CheckPassword). My debug output of env variables sent to checkpassword-reply:
$USER=mark
userdb_uid=3000026
userdb_gid=100
INSECURE_SETUID=1
EXTRA=userdb_uid userdb_gid
I have confirmed that my checkpassword program returns 0 authenticating the user with the AD:
fork pid = 4239, ntlm_auth status: 0
The pid listed above is the pid of the forked /usr/local/libexec/dovecot/checkpassword-reply program. For testing purposes, I've replaced that with a stub of my own that shows the set environment variables so I know checkpassword-reply is getting them (listed above).
Notice in the log messages below that everything looks correct. It has the correct username, UID, GID, client passdb out: OK. No error in the log that I can see.
I believe I've done everything exactly as documented in the wiki, but it doesn't work. I get the Outlook message "Your IMAP server closed the connection ... Error Code: 0x800CCCDD". Finally, I tried setting:
chgrp dovecot /usr/local/libexec/dovecot/checkpassword-reply
chmod g+s /usr/local/libexec/dovecot/checkpassword-reply
as the wiki suggested, and setting the env variable INSECURE_SETUID=1. Same error.
Googling the 0x800CCCDD code simply says to turn off scheduled send/receive, but that makes no difference. Same error.
I believe I've done everything exactly according to the documentation. Does checkpassword actually work with Dovecot version 2.2.15? If not, could someone please tell me so I can stop wasting my time. If it does work, can someone please help me figure out why it does not for me?
Thanks -- Mark
My dovecot log:
Sep 11 21:18:22 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 11 21:18:22 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Sep 11 21:18:22 auth: Debug: auth client connected (pid=4234)
Sep 11 21:18:22 auth: Debug: client in: AUTH 1 PLAIN service=imap session=tHPCm4IftgDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=50614 resp=AG1hcmsAZ2xhY29uXzk= (previous base64 data may contain sensitive data)
Sep 11 21:18:22 auth: Debug: checkpassword(mark,192.168.0.58,<tHPCm4IftgDAqAA6>): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Sep 11 21:18:22 auth: Debug: checkpassword(mark,192.168.0.58,<tHPCm4IftgDAqAA6>): exit_status=0
Sep 11 21:18:22 auth: Debug: checkpassword(mark,192.168.0.58,<tHPCm4IftgDAqAA6>): Received input: userdb_uid=3000026 userdb_gid=100
Sep 11 21:18:22 auth: Debug: client passdb out: OK 1 user=mark
Sep 11 21:18:22 auth: Debug: master in: REQUEST 1794375681 4234 1 c2551b70ccf5e2f8e022869663bf6a70 session_pid=4240 request_auth_token
Sep 11 21:18:22 auth: Debug: prefetch(mark,192.168.0.58,<tHPCm4IftgDAqAA6>): success
Sep 11 21:18:22 auth: Debug: master userdb out: USER 1794375681 mark uid=3000026 gid=100 auth_token=008ebf0ebd9c1654085de247f10cdf0a746555d4
Sep 11 21:18:22 imap-login: Info: Login: user=<mark>, method=PLAIN, rip=192.168.0.58, lip=192.168.0.2, mpid=4240, session=<tHPCm4IftgDAqAA6>
-----Original Message-----
From: Mark Foley mfoley@ohprs.org
Date: Thu, 10 Sep 2015 23:05:18 -0400
To: dovecot@dovecot.org
Subject: Need help on checkpassword userdb/passdb
I'm experimenting with checkpassword as an auth method for userdb and passdb (http://wiki2.dovecot.org/AuthDatabase/CheckPassword). I've set up the userdb and passdb *exactly* as the wiki suggests as the "standard way":
passdb {
  driver = checkpassword
  args = /user/util/bin/checkpassword
}
userdb {
  driver = prefetch
}
I've created a checkpassword program that does receive the correct user and password from dovecot. And I am successfully authenticating with ntlm_auth and exiting with status 0. My debug output:
AUTHORIZED: (null)
USER: (null)
userdb_uid: (null)
userdb_gid: (null)
arg1=/usr/local/libexec/dovecot/checkpassword-reply
CMD: /usr/bin/ntlm_auth --username="mark" --password='mypass'
ntlm_auth status: 0
Now, the wiki says 2 things that have me stumped:
- It says that, "Dovecot calls the script with AUTHORIZED=1 environment set when performing a userdb lookup. The script must acknowledge this by changing the environment to AUTHORIZED=2, otherwise the lookup fails."
As you can see from my program log, "AUTHORIZED" is not set. Why? Nor are any of the other environment variables mentioned in the wiki. I've listed all the environment variables that *are* passed to the program at the bottom of this message.
- The wiki says, "Your program received a path to checkpassword-reply binary as the first parameter. Execute it."
I did so as a fork() and then execve("/usr/local/libexec/dovecot/checkpassword-reply"). How do I know it worked ... or failed?
What am I doing wrong?
Dovecot log entries:
Sep 10 22:54:04 auth: Debug: auth client connected (pid=14748)
Sep 10 22:54:04 auth: Debug: client in: AUTH 1 PLAIN service=imap session=AkYg1G8f8QDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=49649 resp=AG1hcmsAZ2xhY29uXzk= (previous base64 data may contain sensitive data)
Sep 10 22:54:04 auth: Debug: checkpassword(mark,192.168.0.58,<AkYg1G8f8QDAqAA6>): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Sep 10 22:54:04 auth: Debug: checkpassword(mark,192.168.0.58,<AkYg1G8f8QDAqAA6>): exit_status=0
Sep 10 22:54:04 auth: Debug: checkpassword(mark,192.168.0.58,<AkYg1G8f8QDAqAA6>): Received input:
Sep 10 22:54:06 auth: Debug: client passdb out: FAIL 1 user=mark temp
ENV variables passed to the checkpassword program:
DOVECOT_PRESERVE_ENVS=TZ CORE_OUTOFMEM CORE_ERROR
DOVECOT_CHILD_PROCESS=1
CONFIG_FILE=/usr/local/var/run/dovecot/config
CLIENT_LIMIT=1000
PROCESS_LIMIT=1
PROCESS_MIN_AVAIL=0
IDLE_KILL=60
GENERATION=2991
DOVECOT_HOSTNAME=mail
DOVECOT_HOSTDOMAIN=mail.hprs.local
DOVECOT_VERSION=2.2.15
LOG_SERVICE=1
SOCKET_COUNT=6
SSL_SOCKET_COUNT=0
SOCKET_NAMES=login tokenlogin auth-login auth-client auth-userdb auth-master
PROTO=TCP
ORIG_UID=151
SERVICE=imap
TCPLOCALIP=192.168.0.2
LOCAL_IP=192.168.0.2
TCPREMOTEIP=192.168.0.58
REMOTE_IP=192.168.0.58
TCPLOCALPORT=143
TCPREMOTEPORT=49649
AUTH_USER=mark
AUTH_USERNAME=mark
AUTH_SERVICE=imap
AUTH_LIP=192.168.0.2
AUTH_RIP=192.168.0.58
AUTH_PID=14748
AUTH_MECH=PLAIN
AUTH_SECURED=
AUTH_LPORT=143
AUTH_RPORT=49649
AUTH_CERT=
AUTH_SESSION=AkYg1G8f8QDAqAA6
AUTH_REAL_LIP=192.168.0.2
AUTH_REAL_RIP=192.168.0.58
AUTH_REAL_LPORT=143
AUTH_REAL_RPORT=49649
AUTH_ORIG_USER=mark
AUTH_ORIG_USERNAME=mark
--Mark