Hi everybody,

we try to migrate our IMAP service from uw-imap to dovecot because of horrible server slowdown when a lot of people poking in theirs huge imap folders. So, I try to run testing instance of dovecot on different imap port (12143)

I have trouble with authentication by PAM module of MIT Kerberos. It successfuly works for authentificate users of wu-imap but not for dovecot. I see in dovecot.log messages like that :

Info: Dovecot v1.0.beta3 starting up Info: auth(default): client in: AUTH 1 PLAIN service=IMAP lip=10.0.0.154 rip=10.0.0.148 Info: auth(default): client out: CONT 1 Info: auth(default): client in: CONT 1 AGtDNLamUjvADNLamUjQRsbw== Error: auth(default): pam(kyyashko,10.0.0.148): Child process died Info: auth(default): shadow(kyyashko,10.0.0.148): invalid password field Error: auth(default): PAM: Child 6748 died with signal 11 Info: auth(default): client out: FAIL 1 user=kyyashko temp

Almost all users are in kerberos DB and has in local shadow field "*KRB*" instead of encrypted password. So, line "shadow ... invalid password field" is OK (when I made a local password in shadow the login was success)

My dovecot.conf looks like:

sl_disable = yes protocol imap { listen = *:12143 }

auth_default_realm = FZU.CZ auth_verbose = yes auth_debug = yes auth_debug_passwords = yes auth default { mechanisms = plain passdb pam { } userdb passwd { } user = root }

original /etc/pam.d/dovecot I introdused by lines

auth sufficient pam_krb5.so auth required pam_unix2.so use_first_pass nullok

or tryed to substitute whole file pam.d/dovecot by actualy working one of imap:

#%PAM-1.0 auth sufficient pam_krb5.so auth required pam_unix2.so use_first_pass nullok auth required pam_unix2.so account required pam_unix2.so

but similary fruitless.

Which direction I have to dig?

P.S. Dovecot was built from dovecot-1.0.beta3-6.src.rpm on SuSE 9.0 with the same result like from dovecot-1.0.beta3.tar.bz2 :(