On Fri, Oct 09, 2009 at 11:26:19AM -0400, Timo Sirainen tss@iki.fi wrote:
> On Oct 9, 2009, at 11:14 AM, Vallo Kallaste wrote:
> > The reason seems to be that the user's primary group is "devel" and the directory /a/home has an ACL which gives execute permission only to the users in the "domain users" group. Now the catch is that the user _is_ a member of the "domain users" group and has been happily accessing his home directory over CIFS (Samba) for a long time.
>
> What does Dovecot log with auth_debug=yes?

Oct 9 18:53:49 jura dovecot: auth(default): client in: AUTH 1 PLAIN service=imap secured lip=192.168.10.3 rip=192.168.25.1 lport=143 rport=3659
Oct 9 18:53:49 jura dovecot: auth(default): client out: CONT 1
Oct 9 18:53:49 jura dovecot: auth(default): client in: CONT<hidden>
Oct 9 18:53:49 jura dovecot: auth-worker(default): pam(ftest,192.168.25.1): lookup service=dovecot
Oct 9 18:53:49 jura dovecot: auth-worker(default): pam(ftest,192.168.25.1): #1/1 style=1 msg=Password:
Oct 9 18:53:49 jura dovecot: auth(default): client out: OK 1 user=ftest
Oct 9 18:53:49 jura dovecot: auth(default): master in: REQUEST 36 26941 1
Oct 9 18:53:49 jura dovecot: auth(default): passwd(ftest,192.168.25.1): lookup
Oct 9 18:53:49 jura dovecot: auth(default): master out: USER 36 ftest system_groups_user=ftest uid=11745 gid=11332 home=/a/home/ftest
Oct 9 18:53:49 jura dovecot: imap-login: Login: user=<ftest>, method=PLAIN, rip=192.168.25.1, lip=192.168.10.3, TLS
Oct 9 18:53:49 jura dovecot: dovecot: Fatal: chdir(/a/home/ftest) failed: Permission denied (euid=11745(ftest) egid=11332(devel) missing +x perm: /a/home)
Oct 9 18:53:49 jura dovecot: dovecot: child 26943 (imap) returned error 89 (Fatal failure)

Uid/gid are right, gid=11332 is group "devel". The user has several supplementary groups which are something like this (mangled):

jura:~ # id ftest
uid=11745(ftest) gid=11332(devel) groups=11332(devel),11812(xxx),11813(xxx_test),10513(domain users),11472(xxxmonitor),11409(monitor),11354(offline_xxx_mon),11323(it),11456(YYY),11237(ZZZZ)

Vallo
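
The Fatal line above reports only euid and egid, so by itself it cannot show whether the imap process held the "domain users" membership that `id` lists. The following is an added example, not part of the original message and not Dovecot code: it compares `id` output with the `Groups:` line of `/proc/<pid>/status`. Linux /proc is assumed, and the status text is a constructed sample, not data from the thread.

```python
import re

# Fatal line and `id` output copied from the message above.
FATAL = ("dovecot: Fatal: chdir(/a/home/ftest) failed: Permission denied "
         "(euid=11745(ftest) egid=11332(devel) missing +x perm: /a/home)")
ID_OUT = ("uid=11745(ftest) gid=11332(devel) groups=11332(devel),11812(xxx),"
          "11813(xxx_test),10513(domain users),11472(xxxmonitor),11409(monitor),"
          "11354(offline_xxx_mon),11323(it),11456(YYY),11237(ZZZZ)")
# Constructed sample (assumption): /proc/<pid>/status of a process that kept
# only its primary group. Not taken from the thread.
PROC_STATUS = "Name:\timap\nUid:\t11745\t11745\nGid:\t11332\t11332\nGroups:\t11332\n"

def parse_fatal(line):
    """Extract euid, egid and the directory lacking +x from the chdir error."""
    m = re.search(r"chdir\((?P<target>[^)]*)\) failed: Permission denied "
                  r"\(euid=(?P<euid>\d+)\([^)]*\) egid=(?P<egid>\d+)\([^)]*\) "
                  r"missing \+x perm: (?P<blocked>[^)]+)\)", line)
    if not m:
        return None
    return {"target": m["target"], "blocked": m["blocked"],
            "euid": int(m["euid"]), "egid": int(m["egid"])}

def parse_id(output):
    """Map gid -> name for each group in `id` output (names may hold spaces)."""
    groups = output.split("groups=", 1)[1]
    return {int(g): n for g, n in re.findall(r"(\d+)\(([^)]*)\)", groups)}

def parse_proc_groups(status_text):
    """Return the supplementary gids from the 'Groups:' line of a status file."""
    for line in status_text.splitlines():
        if line.startswith("Groups:"):
            return {int(g) for g in line.split()[1:]}
    return set()

def missing_groups(id_output, status_text):
    """Groups the name service reports for the user that the process lacks."""
    held = parse_proc_groups(status_text)
    return {g: n for g, n in parse_id(id_output).items() if g not in held}

if __name__ == "__main__":
    info = parse_fatal(FATAL)
    print(f"euid={info['euid']} egid={info['egid']} blocked at {info['blocked']}")
    for gid, name in sorted(missing_groups(ID_OUT, PROC_STATUS).items()):
        print(f"process lacks group {gid} ({name})")
```

On a live system, feed `missing_groups` the contents of `/proc/<pid>/status` for a running mail process owned by the user in place of the constructed sample.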