[Dovecot] User not found when using shadow for passdb
I am getting "user unknown" when trying to connect to the dovecot server using IMAP. The client gets an authentication failed message and does not download mail.
The host system uses shadow passwords in /etc/shadow. I would like to use the same passwords for IMAP sessions, so I have set the passdb driver to shadow.
The system is Slackware, which does not use PAM.
Here is the dovecot version and configuration output:
# dovecot -n
# 2.1.17: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.6.5 i686 Slackware 13.1.0
auth_debug_passwords = yes
auth_verbose = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = blocking=no
  driver = shadow
}
service auth {
  unix_listener auth-userdb {
    user = root
  }
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  args = blocking=no
  driver = passwd
}
Here are the dovecot auth_passwd_debug level log messages when the client tries to connect:
May 2 09:05:07 harlie dovecot: auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
May 2 09:05:07 harlie dovecot: auth: Debug: auth client connected (pid=22181)
May 2 09:05:07 harlie dovecot: auth: Debug: client in: AUTH^I1^IPLAIN^Iservice=imap^Isecured^Isession=ABCDEFGHIJKLMNOP^Ilip=96.229.223.7^Irip=10.0.0.181^Ilport=993^Irport=51898^Iresp=zxywvutsrqponmlkji==
May 2 09:05:07 harlie dovecot: auth: Debug: shadow(john,10.0.0.181,<ABCDEFGHIJKLMNOP>): lookup
May 2 09:05:07 harlie dovecot: auth: shadow(john,10.0.0.181,<ABCDEFGHIJKLMNOP>): unknown user
May 2 09:05:09 harlie dovecot: auth: Debug: client passdb out: FAIL^I1^Iuser=john
May 2 09:05:09 harlie dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<john>, method=PLAIN, rip=10.0.0.181, lip=96.229.223.7, TLS, session=<ABCDEFGHIJKLMNOP>
The user john is a real account on the host machine and has entries in both /etc/passwd and /etc/shadow.
Help?
--
john@idsfa.net John Stimson http://www.idsfa.net/~john/ HMC Physics '94
I poked through the source code for dovecot's auth module, and it looks like the right username is getting passed to the linux system getspnam() function, but for some reason it's interpreting the return value as user not found. I thought that it could be a permissions problem with the auth process, so I edited 10-master.conf to try to make the lookups as permissive as possible (I hope I did it correctly):
service auth {
  unix_listener auth-userdb {
    mode = 0777
    user = root
    #group =
  }
}
I also tried the above, with user=root and the mode line commented out, and again with mode = 0777 and the user line commented out. The results are all identical in the logs. Is there anywhere else that I can elevate the permission of the auth process's shadow password lookups?
I am assuming that there is no way to set the shadow file location because the lookups are done through a system call.
I am getting the unknown user error message for every user that tries to connect to the server using IMAP, which is four different users.
On Fri, May 02, 2014 at 09:25:34AM -0700, John J. Stimson III wrote:
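An added example, not part of this thread and not Dovecot's own code: a small C probe that makes the same getspnam() call the author traced and reports why the lookup failed, which a caller that only tests the returned pointer for NULL cannot tell you. Build it with cc, then run it once as the user the auth process runs as (for instance su -s /bin/sh dovecot -c './shadow_probe john') and once as root, and compare. The username and file path are the page's; the function and enum names are this example's own.

```c
/*
 * shadow_probe.c: reproduce a shadow-passdb style getspnam() lookup and
 * say *why* it failed.  Added example, not Dovecot source.
 *
 * Build:  cc -Wall -o shadow_probe shadow_probe.c
 * Run:    ./shadow_probe john        (as the auth process's user, then as root)
 */
#include <errno.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum shadow_result {
    SHADOW_FOUND,              /* an entry came back */
    SHADOW_NO_SUCH_USER,       /* NULL and no error: the entry really is absent */
    SHADOW_PERMISSION_DENIED,  /* NULL with EACCES: caller may not read /etc/shadow */
    SHADOW_OTHER_ERROR         /* NULL with some other errno (EIO, ENOMEM, ...) */
};

/*
 * Classify what getspnam() handed back.  A passdb that only checks the
 * pointer for NULL collapses the last three cases into "unknown user".
 * getspnam(3) documents EACCES for an unreadable shadow file; the errno
 * values getpwnam(3) lists as possible on a plain miss (0, ENOENT, ESRCH)
 * are treated here as a genuine "no such user".
 */
enum shadow_result classify_shadow_result(const struct spwd *sp, int err)
{
    if (sp != NULL)
        return SHADOW_FOUND;
    if (err == EACCES)
        return SHADOW_PERMISSION_DENIED;
    if (err == 0 || err == ENOENT || err == ESRCH)
        return SHADOW_NO_SUCH_USER;
    return SHADOW_OTHER_ERROR;
}

/* Do the lookup the way a passdb does, but keep errno for diagnosis. */
enum shadow_result shadow_lookup(const char *user, int *saved_errno)
{
    errno = 0;                      /* getspnam() need not reset it on a miss */
    struct spwd *sp = getspnam(user);
    int err = errno;
    if (saved_errno != NULL)
        *saved_errno = err;
    return classify_shadow_result(sp, err);
}

/* 1 if this process could open /etc/shadow for reading, 0 otherwise. */
int can_read_shadow(void)
{
    return access("/etc/shadow", R_OK) == 0;
}

const char *shadow_result_name(enum shadow_result r)
{
    switch (r) {
    case SHADOW_FOUND:             return "found";
    case SHADOW_NO_SUCH_USER:      return "no such user";
    case SHADOW_PERMISSION_DENIED: return "permission denied (cannot read /etc/shadow)";
    default:                       return "other error";
    }
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <username>\n", argv[0]);
        return 2;
    }
    int err = 0;
    enum shadow_result r = shadow_lookup(argv[1], &err);
    printf("euid=%u  /etc/shadow readable: %s\n",
           (unsigned)geteuid(), can_read_shadow() ? "yes" : "no");
    printf("getspnam(\"%s\"): %s", argv[1], shadow_result_name(r));
    if (r == SHADOW_PERMISSION_DENIED || r == SHADOW_OTHER_ERROR)
        printf(" [errno %d: %s]", err, strerror(err));
    putchar('\n');
    return r == SHADOW_FOUND ? 0 : 1;
}
```

getspnam(3) returns NULL both when the entry is absent and when the caller is not allowed to read /etc/shadow; it distinguishes the second case only through errno (EACCES), so a lookup that tests just the pointer logs "unknown user" for a user who is present. One caveat on the settings tried above: in Dovecot 2.x the user, group and mode inside a unix_listener block set the ownership and permissions of the socket file, not the identity of the process that performs the lookup. The auth process's own identity is the user = setting placed directly in the service auth block, and the stock conf.d/10-master.conf notes that the separate auth-worker process runs as root by default so that it can read /etc/shadow; with blocking=no in the passdb args the lookup is done inside the auth process instead of the worker. If the probe prints "permission denied" under the auth process's uid and "found" as root, that distinction, not the passwd or shadow entries, is where to look.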