I was not able to reproduce the Outlook/OL Express users' complaints (in a test system). As it turned out, a DB problem in one of our LDAP servers led to dovecot authentication failures - showing in the logs that "shadow" authentication failed. Deleting the "passdb shadow" (plus clean up of tens of dovecot-auth processes) fixed it. A couple of days later, a user complained that he can't log in with Outlook (OL asking for his password again and again), and a check revealed that his password expired :-)
Still not using authentication cache... Just FYI.
On Tue, Jan 13, 2009 at 12:49:47PM -0500, Timo Sirainen wrote:
On Tue, 2009-01-13 at 09:14 +0200, Oved Ben-Aroya wrote:
which work fine, except for Outlook/OL Express users that are asked
for their password whenever they "send/receive"... We've had also
"passdb shadow" that somehow "fixed" this
This really makes no sense. Outlook doesn't know if you're using PAM
or shadow. Do you mean that Outlook anyway can successfully log in,
but just asks the password all the time?
Sorry I was not clear in my description of the problem. Yes, users of Outlook log in and read their mail just fine. However, whenever they want to refresh the inbox or send mail, they are presented with a login window of Outlook. With the "passdb shadow" directive that somehow crept in, Outlook users were not asked for password after they logged in (however this broke the password expiration).
Well, there is some difference between what PAM and shadow does. Perhaps PAM starts failing the login after some time? Enable auth_debug=yes and see what the difference is between when using shadow and pam.
The difference between Outlook/OE and other clients is that they keep logging out and back in all the time, while other clients typically log in only once. Perhaps you have a PAM plugin that limits the number of logins to once every n minutes or something?
I wonder if we need to enable authentication cache?
It shouldn't be necessary, but if the problem is something like what I described above then auth cache will probably work around the actual problem in most cases (but not all).
--
\Oved
Dr. Oved Ben-Aroya, Head Unix group, Taub Computer Center, Technion
Phone: +972 (4) 829 3688 FAX: +972 (4) 823 6212
oved@technion.ac.il
PGP key at http://tx.technion.ac.il/~oved/pgp/pubkey
PGP Key fingerprint: A9 52 46 04 E8 70 41 99 60 E3 DA 8F BA 39 C2 C8
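The thread reports that "passdb shadow" broke password expiration and that one repeatedly prompted Outlook user simply had an expired password. The following is an added example, not code from the thread or from Dovecot, that classifies shadow(5) entries by password ageing so an expired password can be ruled in or out before debugging the client. It assumes the nine-field Linux shadow(5) layout; the function names and sample entries are constructed for illustration.

```python
"""Added example: classify shadow(5) password ageing for an account."""
from datetime import date

EPOCH = date(1970, 1, 1)

def _num(field):
    """Empty shadow fields mean 'not set'."""
    return int(field) if field.strip() else None

def password_status(shadow_line, today):
    """Return (user, status) for one shadow(5) line.

    status: 'ok', 'must_change', 'password_expired' or 'account_expired'.
    """
    fields = shadow_line.rstrip("\n").split(":")
    if len(fields) < 9:
        raise ValueError("not a shadow(5) entry: expected 9 fields")
    user = fields[0]
    lastchg, maxdays = _num(fields[2]), _num(fields[4])
    expire = _num(fields[7])
    now = (today - EPOCH).days          # shadow dates are days since 1970-01-01
    if expire is not None and now >= expire:
        return user, "account_expired"  # account expiry date reached
    if lastchg == 0:
        return user, "must_change"      # change forced at next login
    if (lastchg is not None and maxdays is not None and maxdays >= 0
            and now > lastchg + maxdays):
        return user, "password_expired" # maximum password age exceeded
    return user, "ok"

# Constructed sample entries (hashes are placeholders, not real).
SAMPLE = [
    "alice:$6$placeholder:14200:0:90:7:::",
    "bob:$6$placeholder:14000:0:90:7:::",
    "carol:$6$placeholder:0:0:90:7:::",
    "dave:$6$placeholder:14250:0:99999:7::14254:",
]

def report(lines, today):
    """Map each user in `lines` to its ageing status on `today`."""
    return dict(password_status(line, today) for line in lines)

if __name__ == "__main__":
    for user, status in report(SAMPLE, date(2009, 1, 13)).items():
        print(f"{user}: {status}")
```

Reading the real /etc/shadow requires root; feed its lines to `report()` in place of `SAMPLE`.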