On 01/06/2012 06:52 PM, Nick Rosier wrote:
Yubao Liu wrote:
Hi all,
I have no idea about that message, here is my configuration, what's wrong?

You have 2 passdb entries; 1 with a file and 1 with pam. I'm pretty sure PAM doesn't support DIGEST-MD5 authentication. Could be the cause of the problem.

Thanks, that is indeed the cause.

http://hg.dovecot.org/dovecot-2.0/file/684381041dc4/src/auth/auth.c

121 static bool auth_passdb_list_have_lookup_credentials(struct auth *auth)
122 {
123     struct auth_passdb *passdb;
124
125     for (passdb = auth->passdbs; passdb != NULL; passdb = passdb->next) {
126         if (passdb->passdb->iface.lookup_credentials != NULL)
127             return TRUE;
128     }
129     return FALSE;
130 }

I don't know why this function doesn't check auth->masterdbs. If I insert these lines after line 128, that error goes away, and dovecot's imap-login process happily does DIGEST-MD5 authentication [1]. In my configuration, "masterdbs" contains "passdb passwd-file", and "passdbs" contains "passdb pam".

    for (passdb = auth->masterdbs; passdb != NULL; passdb = passdb->next) {
        if (passdb->passdb->iface.lookup_credentials != NULL)
            return TRUE;
    }

[1] But the authentication for "user*master" always fails. I realized master users can't log in as other users with the DIGEST-MD5 or CRAM-MD5 auth mechanisms, because these authentication mechanisms use "user*master" as the username in the hash algorithm, not just "master".
Regards, Yubao Liu
Debian testing, Dovecot 2.0.15

$ doveconf -n
# 2.0.15: /etc/dovecot/dovecot.conf
# OS: Linux 3.1.0-1-686-pae i686 Debian wheezy/sid
auth_default_realm = corp.example.com
auth_krb5_keytab = /etc/dovecot.keytab
auth_master_user_separator = *
auth_mechanisms = gssapi digest-md5
auth_realms = corp.example.com
auth_username_format = %n
first_valid_gid = 1000
first_valid_uid = 1000
mail_location = mdbox:/srv/mail/%u/Mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  driver = pam
}
plugin {
  sieve = /srv/mail/%u/.dovecot.sieve
  sieve_dir = /srv/mail/%u/sieve
}
protocols = " imap lmtp sieve"
service auth {
  unix_listener auth-client {
    group = Debian-exim
    mode = 0660
  }
}
ssl_cert =

# cat /etc/dovecot/master-users
xxx@corp.example.com:zzzzzzzz

The zzzzz is obtained by "doveadm pw -s digest-md5 -u xxx@corp.example.com". I tried to add the prefix "{DIGEST-MD5}" before the generated hash and/or add "scheme=DIGEST-MD5" to the passwd-file passdb's "args" option; neither helps.

The error message:

dovecot: master: Dovecot v2.0.15 starting up (core dumps disabled)
dovecot: auth: Fatal: DIGEST-MD5 mechanism can't be supported with given passdbs
gold dovecot: master: Error: service(auth): command startup failed, throttling

I opened the debug auth log; it showed dovecot read /etc/dovecot/master-users and parsed one line, then the error occurred. Doesn't the passwd-file passdb support the digest-md5 password scheme? If it doesn't support it, how do I configure the digest-md5 auth mechanism with the digest-md5 password scheme for virtual users?
Regards, Yubao Liu
Rgds, N.
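
Added example, not part of the original thread and not Dovecot code: a small model of the RFC 2831 DIGEST-MD5 response calculation, showing why the "user*master" login in footnote [1] cannot match a credential stored for "master" alone. The function names, password, nonces and digest-uri are constructed for illustration; the "client hashes the full user*master string" behaviour is taken from the message above.

```python
import hashlib


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def stored_ha1(username: str, realm: str, password: str) -> bytes:
    """Credential a server keeps for DIGEST-MD5: MD5(username:realm:password)."""
    return md5(f"{username}:{realm}:{password}".encode())


def digest_response(ha1: bytes, nonce, cnonce, nc, qop, digest_uri) -> str:
    """RFC 2831 response value derived from a 16-byte HA1 (no authzid)."""
    a1 = ha1 + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd = f"{md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{md5(a2).hex()}"
    return md5(kd.encode()).hex()


def server_accepts(stored: bytes, client_username, realm, password, challenge) -> bool:
    """The client hashes the username it sends; the server only has `stored`."""
    client_ha1 = stored_ha1(client_username, realm, password)
    return digest_response(client_ha1, **challenge) == digest_response(stored, **challenge)


# Constructed sample values (not from the thread).
REALM = "corp.example.com"
PASSWORD = "constructed-secret"
CHALLENGE = dict(nonce="constructed-nonce", cnonce="constructed-cnonce",
                 nc="00000001", qop="auth", digest_uri="imap/mail.corp.example.com")
# What the master-users file would hold for the master account.
MASTER_HA1 = stored_ha1("master", REALM, PASSWORD)


def demo() -> dict:
    return {
        # Master logs in as itself: the username in the hash matches the stored one.
        "master": server_accepts(MASTER_HA1, "master", REALM, PASSWORD, CHALLENGE),
        # Master logs in as another user: the hashed username is "user*master".
        "user*master": server_accepts(MASTER_HA1, "user*master", REALM, PASSWORD, CHALLENGE),
    }


if __name__ == "__main__":
    print(demo())
```

Because the server holds only the one-way HA1 and not the password, it cannot recompute the hash for the combined username, so the mismatch is inherent to stored-digest credentials rather than a configuration error.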