[Dovecot] PAM authentification problem
Hi everybody,
We are trying to migrate our IMAP service from uw-imap to dovecot because of a horrible server slowdown when a lot of people are poking in their huge IMAP folders. So I am trying to run a testing instance of dovecot on a different IMAP port (12143).
I have trouble with authentication by the PAM module of MIT Kerberos. It successfully works to authenticate users of uw-imap but not for dovecot. I see messages like this in dovecot.log:
Info: Dovecot v1.0.beta3 starting up
Info: auth(default): client in: AUTH 1 PLAIN service=IMAP lip=10.0.0.154 rip=10.0.0.148
Info: auth(default): client out: CONT 1
Info: auth(default): client in: CONT 1 AGtDNLamUjvADNLamUjQRsbw==
Error: auth(default): pam(kyyashko,10.0.0.148): Child process died
Info: auth(default): shadow(kyyashko,10.0.0.148): invalid password field
Error: auth(default): PAM: Child 6748 died with signal 11
Info: auth(default): client out: FAIL 1 user=kyyashko temp
Almost all users are in the Kerberos DB and have "*KRB*" in the local shadow field instead of an encrypted password. So the line "shadow ... invalid password field" is OK (when I made a local password in shadow, the login was successful).
My dovecot.conf looks like:
sl_disable = yes
protocol imap {
  listen = *:12143
}

auth_default_realm = FZU.CZ
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
auth default {
  mechanisms = plain
  passdb pam {
  }
  userdb passwd {
  }
  user = root
}
The original /etc/pam.d/dovecot I introduced with the lines
auth sufficient pam_krb5.so
auth required pam_unix2.so use_first_pass nullok
or tried to substitute the whole file pam.d/dovecot with the actually working one of imap:
#%PAM-1.0
auth sufficient pam_krb5.so
auth required pam_unix2.so use_first_pass nullok
auth required pam_unix2.so
account required pam_unix2.so
but it was similarly fruitless.
In which direction should I dig?
P.S. Dovecot was built from dovecot-1.0.beta3-6.src.rpm on SuSE 9.0 with the same result as from dovecot-1.0.beta3.tar.bz2 :(
==> Jan Kundrát [Thu, 16 Mar 2006 18:17]:
> Vladislav Kyjasko wrote:
>> The original /etc/pam.d/dovecot I introduced with the lines
>
> If I'm not mistaken, dovecot uses "imap" as a PAM mechanism name by default.
Maybe. But as I used dovecot-1.0.beta3-6.src.rpm from OSS 10.1, it has an explicit /etc/pam.d/dovecot. So I thought that "pam.d/imap" is used only if "args = imap" in
passdb pam {
  args = imap
}
and both "imap" & "pop3" if "args = *"
Anyway, all of them contain the first erroneous line
auth sufficient pam_krb5.s
V<
Vladislav Kyjasko wrote:
> Error: auth(default): PAM: Child 6748 died with signal 11
This one doesn't seem sane to me - it really shouldn't segfault (signal 11 is SIGSEGV). You might try to run it under a debugger to see why it crashes.
Cheers, -jkt
-- cd /local/pub && more beer > /dev/mouth
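Added example, not part of either poster's message and not Dovecot's own code: a log triage that groups auth lines of the kind shown in the thread by request id, so that a "temp" failure caused by a crashed PAM child is told apart from a rejected password, and flags requests whose SASL response ended up in the log. The sample log is constructed, and `triage` and the outcome labels are hypothetical names.

```python
import re
import signal

# Constructed sample in the thread's log format; users, addresses, PID and payloads are made up.
SAMPLE_LOG = """\
Info: auth(default): client in: AUTH 1 PLAIN service=IMAP lip=192.0.2.10 rip=192.0.2.20
Info: auth(default): client out: CONT 1
Info: auth(default): client in: CONT 1 AGFsaWNlAGV4YW1wbGU=
Error: auth(default): pam(alice,192.0.2.20): Child process died
Error: auth(default): PAM: Child 4242 died with signal 11
Info: auth(default): client out: FAIL 1 user=alice temp
Info: auth(default): client in: AUTH 2 PLAIN service=IMAP lip=192.0.2.10 rip=192.0.2.21
Info: auth(default): client out: CONT 2
Info: auth(default): client in: CONT 2 AGJvYgB3cm9uZw==
Info: auth(default): client out: FAIL 2 user=bob
"""

AUTH = re.compile(r"client in: AUTH (\d+) (\S+) .*?\brip=(\S+)")
CONT_IN = re.compile(r"client in: CONT (\d+) \S+")
FAIL = re.compile(r"client out: FAIL (\d+) user=(\S+)(.*)")
PAM_DIED = re.compile(r"pam\(([^,]+),[^)]+\): Child process died")
SIGNALLED = re.compile(r"PAM: Child (\d+) died with signal (\d+)")

def triage(log_text):
    """Group auth log lines by request id and classify each failure."""
    requests, crashed, signals = {}, set(), []
    for line in log_text.splitlines():
        if m := AUTH.search(line):
            requests[m[1]] = {"mech": m[2], "rip": m[3], "user": None,
                              "outcome": "pending", "sasl_response_logged": False}
        elif (m := CONT_IN.search(line)) and m[1] in requests:
            # The client's SASL response (for PLAIN: user and password) is in the log.
            requests[m[1]]["sasl_response_logged"] = True
        elif m := PAM_DIED.search(line):
            crashed.add(m[1])  # the PAM child died while checking this user
        elif m := SIGNALLED.search(line):
            signals.append((int(m[1]), signal.Signals(int(m[2])).name))
        elif (m := FAIL.search(line)) and m[1] in requests:
            req, user, temp = requests[m[1]], m[2], "temp" in m[3].split()
            req["user"] = user
            if temp:  # "temp" marks an internal failure, not a wrong password
                req["outcome"] = "backend_crash" if user in crashed else "temp_failure"
            else:
                req["outcome"] = "rejected"
            crashed.discard(user)
    return {"requests": requests, "signals": signals}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Logs in which `sasl_response_logged` is true carry the users' PLAIN credentials in base64 and should be scrubbed before they are shared.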