Hello to everybody,

I'm in the process of setting up a test mail server (Ubuntu 19.10 amd64 running as a VM under Hyper-V) and got stuck on configuring master user authentication. I use GSSAPI authentication in parallel with PLAIN/LOGIN (pam backend that authenticates against my Active Directory domain) and this works as intended. I then tried adding a simple static master passdb that simply returns nopassword='y' and k5principals=... as a test, and it also works OK.

Sadly, using any other backend (I've tried lua and sql) for the master passdb instead of static in combination with a GSSAPI client causes auth-worker to report "Error: BUG: PASSL had invalid passdb ID". I took a look at the code and my best guess is that in the case of GSSAPI + sql/lua master passdb we end up with a call to auth_worker_handle_passl with an id that auth_worker_handle_passl considers invalid. Continuing with guesswork, I imagine that since GSSAPI doesn't really need a passdb in the config, a "virtual" passdb is generated "on the fly" in code. I even tried explicitly defining a static passdb with mechanisms set to gssapi to try to force dovecot to use that one instead, but it didn't make any difference. At the same time, the configuration below works OK when the client authenticates with plain/login.

dovecot -n (some settings omitted for brevity):
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_master_user_separator = *
auth_mechanisms = plain login gssapi
passdb {
  args = /etc/dovecot/dovecot-sql-master.conf
  driver = sql
  master = yes
}
passdb {
  driver = pam
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}

Any help is appreciated, even if it requires code changes - I can set up a machine with everything needed for building/debugging the source code.

Thanks,
Filip