# dovecot --version 2.2.31 (65cde28) on freebsd 64 10.3
system converted to dovecot 2 against my will and consuming a lot of time sorting it out. i am glad google does not charge. have spent two hours on this one alone; and undoubtedly it is my st00pidity. so excuse my desperate posting to lazynet.
cram-md5 works, pam not so much
Aug 3 06:06:35 psg auth: in openpam_parse_chain(): /etc/pam.d/dovecot(1): missing or invalid facility
Aug 3 06:06:35 psg dovecot: auth-worker(48815): Error: pam(elb,2604:6000:130d:c31b:d250:99ff:fe90:14dd,<Lyh6LtNVMq8mBGAAEw3DG9JQmf/+kBTd>): pam_start() failed: system error
Aug 3 06:06:35 psg auth: in openpam_parse_chain(): /etc/pam.d/dovecot(1): missing or invalid facility
Aug 3 06:06:35 psg dovecot: auth-worker(48815): Error: pam(elb,2604:6000:130d:c31b:d250:99ff:fe90:14dd,<Lyh6LtNVMq8mBGAAEw3DG9JQmf/+kBTd>): pam_start() failed: system error
# 2.2.31 (65cde28): /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 10.3-RELEASE-p20 amd64
auth_mechanisms = plain login cram-md5
first_valid_gid = 0
mail_location = mbox:~/mail/:INBOX=/var/mail/%u
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  prefix =
}
passdb {
  args = scheme=cram-md5 /usr/local/etc/dovecot.cram-md5
  driver = passwd-file
  name = passwd-file
}
passdb {
  driver = pam
}
passdb {
  driver = pam
  name = pam
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
protocols = imap pop3
service auth {
  unix_listener auth-userdb {
    group = mail
  }
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
# cat /etc/pam.d/dovecot
passdb {
  driver = pam
  args = failure_show_msg=yes
  args = %s
}
passdb {
  driver = pam
}
passdb {
  driver = pam
  name = pam
}
Are those two passdb blocks intentional?
One of them is missing the name parameter.
doh. first removed.
Aug 3 06:49:23 psg auth: in openpam_parse_chain(): /etc/pam.d/dovecot(1): missing or invalid facility
Aug 3 06:49:23 psg dovecot: auth-worker(53801): Error: pam(smb,2604:6000:1103:81a4:a8ec:3b9a:a3d4:d74f,<0+2Ax9NV6vAmBGAAEQOBpKjsO5qj1NdP>): pam_start() failed: system error
Aug 3 06:49:23 psg pure-ftpd: (?@80.82.78.85) [WARNING] Authentication failed for user [vaninst]
Aug 3 06:49:28 psg dovecot: auth: Warning: Timeout leak: 0x419970 (auth-request-handler.c:550)
Aug 3 06:49:28 psg dovecot: imap-login: Error: Error sending request to auth server: Broken pipe
Aug 3 06:49:40 psg auth: in openpam_parse_chain(): /etc/pam.d/dovecot(1): missing or invalid facility
Aug 3 06:49:40 psg dovecot: auth-worker(53801): Error: pam(pokui,160.242.151.213,<f/+EyNNV/dig8pfV>): pam_start() failed: system error
Aug 3 06:49:40 psg auth: in openpam_parse_chain(): /etc/pam.d/dovecot(1): missing or invalid facility
Aug 3 06:49:40 psg dovecot: auth-worker(53801): Error: pam(ksemat,2a00:23c4:6901:c100:6d2a:d2cb:defd:474f,<YEH1x9NVaMgqACPEaQHBAG0q0sve/UdP>): pam_start() failed: system error
Hi Randy,
On 3 Aug 2017, at 08:50, Randy Bush <randy@psg.com> wrote:
auth: in openpam_parse_chain(): /etc/pam.d/dovecot(1): missing or invalid facility
I do not think that it has something to do with the dovecot settings itself but perhaps with the pam facility settings instead?
Cheers Remko
What is in the pam.d/dovecot file? (Remember to strip passwords if included)
Cheers,
Remko Lodder /* sent from my phone and thus brief and to the point *\
On 3 Aug 2017 at 15:08, Randy Bush <randy@psg.com> wrote:
auth: in openpam_parse_chain(): /etc/pam.d/dovecot(1): missing or invalid facility
I do not think that it has something to do with the dovecot settings itself but perhaps with the pam facility settings instead?
i can believe that. any clues to debug?
randy
What is in the pam.d/dovecot file? (Remember to strip passwords if included)
# cat /etc/pam.d/dovecot
passdb {
  driver = pam
  # args = failure_show_msg=yes
  # args = max_requests=12
  args = %s
}
and /etc/pam.d/{imap,pop3} were untouched; both as follows
#
# $FreeBSD: releng/10.3/etc/pam.d/pop3 170771 2007-06-15 11:33:13Z yar $
#
# PAM configuration for the "pop3" service
#

# auth
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
#account required pam_nologin.so
account required pam_unix.so
On Thu, 3 Aug 2017, Randy Bush wrote:
# cat /etc/pam.d/dovecot
passdb {
  driver = pam
  # args = failure_show_msg=yes
  # args = max_requests=12
  args = %s
}
this info belongs into Dovecot's conf files, not into /etc/pam.d.
and /etc/pam.d/{imap,pop3} were untouched; both as follows
#
# $FreeBSD: releng/10.3/etc/pam.d/pop3 170771 2007-06-15 11:33:13Z yar $
#
# PAM configuration for the "pop3" service
#

# auth
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
#account required pam_nologin.so
account required pam_unix.so
copy or link /etc/pam.d/imap to /etc/pam.d/dovecot
Steffen Kaiser
# cat /etc/pam.d/dovecot
passdb {
  driver = pam
  # args = failure_show_msg=yes
  # args = max_requests=12
  args = %s
}
this info belongs into Dovecot's conf files, not into /etc/pam.d.
doh. i misread the wiki page. thanks.
copy or link /etc/pam.d/imap to /etc/pam.d/dovecot
that seems to have helped a lot!
thank you
randy
On Thu, 3 Aug 2017, Randy Bush wrote:
Date: Thu, 03 Aug 2017 22:08:22 +0900
From: Randy Bush <randy@psg.com>
To: Remko Lodder <remko@FreeBSD.org>
Cc: Christian Kivalo <ml+dovecot@valo.at>, dovecot@dovecot.org
Subject: Re: pam auth problem
auth: in openpam_parse_chain(): /etc/pam.d/dovecot(1): missing or invalid facility
I do not think that it has something to do with the dovecot settings itself but perhaps with the pam facility settings instead?
i can believe that. any clues to debug?
do you have a /etc/pam.d/dovecot file, does it define all necessary settings?
Steffen Kaiser
do you have a /etc/pam.d/dovecot file, does it define all necessary settings?
probably not, as i do not know what the necessary ones are :)
i did as best i could using https://wiki.dovecot.org/PasswordDatabase/PAM as guidance
randy
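Added example, not part of the original thread and not Dovecot or OpenPAM code: a simplified Python lint for a per-service policy file, showing why the /etc/pam.d/dovecot quoted in the thread is rejected at line 1 with "missing or invalid facility" while the stock pop3 policy parses. The function name, the line layout of the two sample files and the reduced field checks are assumptions; the facility and control-flag names are those documented in FreeBSD's pam.conf(5).

```python
# Added example: simplified lint for an OpenPAM per-service policy file
# (/etc/pam.d/<service>). Each rule is: facility control-flag module [args].
FACILITIES = {"auth", "account", "session", "password"}
CONTROL_FLAGS = {"required", "requisite", "sufficient", "binding",
                 "optional", "include"}

# Constructed from the thread: Dovecot passdb syntax saved as a PAM policy.
BROKEN = """\
passdb {
  driver = pam
  # args = failure_show_msg=yes
  # args = max_requests=12
  args = %s
}
"""

# Constructed from the stock FreeBSD pop3 policy quoted in the thread.
STOCK = """\
# auth
#auth sufficient pam_krb5.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
#account required pam_nologin.so
account required pam_unix.so
"""

def lint_pam_policy(text):
    """Return [(line_number, problem)] for every rule that cannot parse."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not fields:
            continue  # blank or comment-only line
        if fields[0] not in FACILITIES:
            problems.append((lineno, "missing or invalid facility"))
        elif len(fields) < 2 or fields[1] not in CONTROL_FLAGS:
            problems.append((lineno, "missing or invalid control flag"))
        elif len(fields) < 3:
            problems.append((lineno, "missing module path"))
    return problems

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("stock", STOCK)):
        for lineno, problem in lint_pam_policy(text):
            print(f"{name}({lineno}): {problem}")
```

Unlike this lint, which reports every bad line, the logged error names only line 1 of the file.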
participants (5)
- Christian Kivalo
- Randy Bush
- Remko Lodder
- Remko Lodder
- Steffen Kaiser