[Dovecot] Dovecot & pam_mkhomedir
Hi there,
Does anyone have Dovecot working correctly with pam_mkhomedir, please? I seem to be going through quite a number of IMAP servers this week, trying to find one that will not only authenticate against a Windows domain but which will also create home directories for users the first time they log in.
I'm using winbind to do the authentication & that seems to be doing the trick in the first instance - if I log in using Squirrelmail I see entries written to the system log saying:
Dec 16 11:58:35 baby pam_winbind[9319]: user 'ned' granted access
I have set Dovecot to log to /var/log/mail and in that I see only three entries saying:
imap-login: Dec 16 11:58:36 Info: Login: ned [127.0.0.1]
But Squirrelmail gives:
ERROR: Could not complete request.
Query: SELECT "INBOX"
Reason Given:
/etc/pam.d/imap says:
#%PAM-1.0
auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
If I use the same configuration for SSH then the user's home directory is created upon authentication, but not with Dovecot. I chose to try Dovecot because I understood it handled PAM session wossisnames, which Courier-IMAP doesn't. My dovecot.conf is attached - I'm wondering if the problem could be with the "auth_userdb" setting, but getent passwd does show an entry for the user:
# grep ned /etc/passwd
# getent passwd | grep ned
ned:x:10012:10000:Ned Nedbody:/home/DOMAIN/ned:/bin/false
#
Many thanks in advance for any advice or suggestions - I'd really like to understand what's going on here. I believe I can authenticate against the domain using LDAP / Active Directory, but since I don't know if that'll help I'd rather not go that route yet.
If I first try to log in using ssh with pam_mkhomedir enabled then the users' home directory is created successfully & I can subsequently log on in Squirrelmail. But it's important to me that I shouldn't have to create users' home dirs for them - I should be able to add them on the Windows domain controller & just tell them to log in to their email - the home dir on the mailserver should be created automagically when they authenticate against the domain.
Stroller.
Looks like you're using version 1.0-stable (judging by the passdb/authdb option format). I'd recommend upgrading to 1.0alpha5 (which, actually, is probably more stable!). One of the features added to 1.0 alphas is a "-session" option to PAM authentication
passdb pam {
  # [-session] [cache_key=<key>] [<service name>]
  #
  # -session makes Dovecot open and immediately close PAM session. Some
  # PAM plugins need this to work.
  # ...
}
which ought to trigger your mkhomedir module.
Best Wishes, Chris
--
Christopher Wakelin, c.d.wakelin@reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
On Dec 16, 2005, at 1:20 pm, Chris Wakelin wrote:
Looks like you're using version 1.0-stable (judging by the passdb/authdb option format). I'd recommend upgrading to 1.0alpha5 (which, actually, is probably more stable!). One of the features added to 1.0 alphas is a "-session" option to PAM authentication... which ought to trigger your mkhomedir module.
That's great, thanks!
I meant to say in my original posting what version of Dovecot I'm using - of course I just installed the version marked "stable" on my distro (Gentoo) but 1.0alpha5 is also available in Portage, so upgrading wasn't a problem.
However I now have another issue:
dovecot: Dec 16 19:05:00 Info: imap-login: Login: user=<ned>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
dovecot: Dec 16 19:05:00 Error: imap(ned): mkdir(/home/DOMAIN/ned/.maildir/cur) failed: Permission denied
dovecot: Dec 16 19:05:00 Info: imap-login: Login: user=<ned>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
dovecot: Dec 16 19:05:00 Error: imap(ned): mkdir(/home/DOMAIN/ned/.maildir/cur) failed: Permission denied
dovecot: Dec 16 19:05:00 Error: imap(ned): mkdir(/home/DOMAIN/ned/.maildir/.INBOX.Sent) failed: Permission denied
dovecot: Dec 16 19:05:00 Info: imap-login: Login: user=<ned>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
dovecot: Dec 16 19:05:00 Error: imap(ned): mkdir(/home/DOMAIN/ned/.maildir/cur) failed: Permission denied
dovecot: Dec 16 19:05:00 Error: imap(ned): mkdir(/home/DOMAIN/ned/.maildir/cur) failed: Permission denied
I can remedy this easily by changing permissions on /home & /home/DOMAIN to 777, but obviously that's undesirable. Any suggestions, please?
I would have assumed that something clever went on in the background, ensuring that Dovecot &/or pam_mkhomedir had permission to make the new home directory. Otherwise, how does SSH manage it?
Stroller.
On Fri, 16 Dec 2005, Stroller wrote:
dovecot: Dec 16 19:05:00 Error: imap(ned): mkdir(/home/DOMAIN/ned/.maildir/cur) failed: Permission denied
dovecot: Dec 16 19:05:00 Error: imap(ned): mkdir(/home/DOMAIN/ned/.maildir/cur) failed: Permission denied
I can remedy this easily by changing permissions on /home & /home/DOMAIN to 777, but obviously that's undesirable. Any suggestions, please?
What have you set for "template homedir", "winbind separator" and "winbind use default domain" in smb.conf? I have "/home/%U", "+", "yes".
For me everything is working ok and pam_mkhomedir is making home directories with correct umask (I have set this in /etc/pam.d/{$service}).
btw. when using "winbind use default domain" you don't have to use windows-domain before the username. =)
-- Pasi Sjöholm
On Dec 17, 2005, at 5:56 pm, Pasi Sjoholm wrote:
Sorry... I meant to include my updated config files. I don't seem to have a "template homedir" defined anywhere... but I'm not sure if I need it, as pam.d seems to be trying to create home directories in a reasonable place, anyway (as you can see from the log).
When I log in I'm just using the username "ned" not "domain\ned", and it seems to do the domain stuff on its own.
If you'd have a copy of your own configs I'd be extremely grateful for them - perhaps by private email, if you'd prefer? I'm gonna have a tinker with it later, in any case - it's a relief this is working for someone else, so I know that what I want is possible.
Stroller.
On Dec 18, 2005, at 6:23 pm, Stroller wrote:
On Dec 17, 2005, at 5:56 pm, Pasi Sjoholm wrote:
On Fri, 16 Dec 2005, Stroller wrote:
dovecot: Dec 16 19:05:00 Error: imap(ned): mkdir(/home/DOMAIN/ned/.maildir/cur) failed: Permission denied
dovecot: Dec 16 19:05:00 Error: imap(ned): mkdir(/home/DOMAIN/ned/.maildir/cur) failed: Permission denied
I can remedy this easily by changing permissions on /home & /home/DOMAIN to 777, but obviously that's undesirable. Any suggestions, please?
... For me everything is working ok and pam_mkhomedir is making home directories with correct umask (I have set this in /etc/pam.d/{$service}).
Another question - what are your permissions on /home, please, Pasi?
I have no idea whether pam_mkhomedir should be called by dovecot-auth or imap-login. It bothers me that the error messages in the logs above are written to the mail.log, but apparently by the dovecot process, which apparently should have permission to write to /home:
# ps -C imap-login -C dovecot -C dovecot-auth o euid,ruid,comm
 EUID  RUID COMMAND
    0     0 dovecot
    0     0 dovecot-auth
   97    97 imap-login
   97    97 imap-login
   97    97 imap-login
Stroller.
Sorry to flood the list with this... but I've _finally_ figured out the problem.
From what appears to be the correct syntax I find this difficult to read:
passdb pam {
  # [-session] [cache_key=<key>] [<service name>]
  #
  # -session makes Dovecot open and immediately close PAM session. Some
  # PAM plugins need this to work.
  #
  # If service name is "*", it means the authenticating service name
  # is used, eg. pop3 or imap.
  args = "*"
}
That suggests to me that some of the following are valid syntax:
passdb pam {
-session cache_key=%n
args = "*"
}
or:

passdb pam {
  -session cache_key=%n imap
}

or:

passdb pam {
  -session cache_key=%n imap
}

or:

passdb pam {
  -session cache_key=%n args="imap"
}
For some of these, Dovecot refuses to start, for others it starts but "-session" appears to be ignored. I think that for others the user can't authenticate at all, but I've been trying a LOT of combinations this evening, and I'm not clear on the correct logic of this & if the guilty one is a combination I haven't remembered.
IMHO the best way to document this in the supplied dovecot.conf would be:
# PAM authentication. Preferred nowadays by most systems.
# Note that PAM can only be used to verify if user's password is correct,
# so it can't be used as userdb. If you don't want to use a separate user
# database (passwd usually), you can use static userdb.
passdb pam {
  # [-session] [cache_key=<key>] [<service name>]
  #
  # -session makes Dovecot open and immediately close PAM session. Some
  # PAM plugins need this to work.
  #
  # cache_key can be used to enable authentication caching for PAM
  # (auth_cache_size also needs to be set). It isn't enabled by default
  # because PAM modules can do all kinds of checks besides checking password,
  # such as checking IP address. Dovecot can't know about these checks
  # without some help. cache_key is simply a list of variables (see
  # doc/variables.txt) which must match for the cached data to be used.
  # Here are some examples:
  #   %u - Username must match. Probably sufficient for most uses.
  #   %u%r - Username and remote IP address must match.
  #   %u%s - Username and service (ie. IMAP, POP3) must match.
  #
  # If service name is "*", it means the authenticating service name
  # is used, eg. pop3 or imap.
  #
  # EXAMPLES:
  #
  # args = "-session cache_key=%n imap"
  # args = "-session *"
  # args = "*"
  args = "*"
}
Or have I been really dumb to miss this?
It took me ages to get:
passdb pam {
args = "-session *"
}
And the moment I did, it worked PERFECTLY.
Stroller.
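As an added, stand-alone check that is not code from the thread or from the Dovecot project, the script below covers the two things that cost Stroller time: a passdb pam block whose args lack "-session" (so dovecot-auth never opens the PAM session in which pam_mkhomedir would run), and the chmod 777 workaround on /home that the imap(ned) mkdir errors tempt one into. It reads a dovecot.conf in the 1.0alpha format, a PAM service file such as /etc/pam.d/imap, and the mode of the home directory parent. The function names, the sample config contents and the temporary paths it creates are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot): read-only sanity checks
# for the Dovecot + pam_winbind + pam_mkhomedir setup discussed above.
#   1. passdb pam args must contain -session, otherwise no PAM session is opened
#      and pam_mkhomedir is never invoked;
#   2. the PAM service file must have a pam_mkhomedir session line (umask reported);
#   3. the home directory parent must not be world-writable (no chmod 777 /home).

# Print the value of "args" inside the first "passdb pam { ... }" block of $1.
# Commented-out lines ("# args = ...") do not match the anchored regex.
dovecot_pam_args() {
    awk '
        /^[[:space:]]*passdb[[:space:]]+pam[[:space:]]*[{]/ { inblk = 1; next }
        inblk && /^[[:space:]]*[}]/                          { inblk = 0 }
        inblk && /^[[:space:]]*args[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")   # drop "args ="
            gsub(/"/, "")                    # drop the surrounding quotes
            print
            exit
        }' "$1"
}

# Succeed when the args value carries -session as a whole word.
dovecot_pam_session_enabled() {
    case " $(dovecot_pam_args "$1") " in
        *" -session "*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Succeed when PAM service file $1 has an active session line for pam_mkhomedir.
pam_mkhomedir_configured() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1"
}

# Print the umask= value given to pam_mkhomedir in $1 (empty when none is set).
pam_mkhomedir_umask() {
    grep -E '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1" \
        | sed -n 's/.*umask=\([0-7]*\).*/\1/p' | head -n 1
}

# Succeed when directory $1 is NOT world-writable ("other" write bit clear).
dir_not_world_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)     # e.g. drwxr-xr-x; char 9 is o+w
    case "$mode" in
        ????????w?) return 1 ;;
        *)          return 0 ;;
    esac
}

# Run all three checks and print a report; exit status 0 only if all pass.
check_mail_login_setup() {   # $1 dovecot.conf  $2 PAM service file  $3 home parent
    rc=0
    if dovecot_pam_session_enabled "$1"; then
        echo "ok:   passdb pam args = \"$(dovecot_pam_args "$1")\" opens a PAM session"
    else
        echo "FAIL: passdb pam args lack -session; pam_mkhomedir will never run"; rc=1
    fi
    if pam_mkhomedir_configured "$2"; then
        echo "ok:   $2 has a pam_mkhomedir session line (umask=$(pam_mkhomedir_umask "$2"))"
    else
        echo "FAIL: $2 has no pam_mkhomedir session line"; rc=1
    fi
    if dir_not_world_writable "$3"; then
        echo "ok:   $3 is not world-writable"
    else
        echo "FAIL: $3 is world-writable; undo the chmod 777 workaround"; rc=1
    fi
    return $rc
}

# --- constructed sample files so the script runs stand-alone ---
CHECK_DIR=$(mktemp -d)
cat > "$CHECK_DIR/dovecot.conf" <<'EOF'
passdb pam {
  # args = "[-session] [cache_key=<key>] [<service name>]"
  args = "-session *"
}
EOF
cat > "$CHECK_DIR/dovecot-nosession.conf" <<'EOF'
passdb pam {
  args = "*"
}
EOF
cat > "$CHECK_DIR/imap" <<'EOF'
#%PAM-1.0
auth     required /lib/security/pam_winbind.so
account  required /lib/security/pam_winbind.so
session  required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
EOF
mkdir -p "$CHECK_DIR/home-ok" "$CHECK_DIR/home-777"
chmod 755 "$CHECK_DIR/home-ok"
chmod 777 "$CHECK_DIR/home-777"

check_mail_login_setup "$CHECK_DIR/dovecot.conf" "$CHECK_DIR/imap" "$CHECK_DIR/home-ok"
```

Run it against the real files (`check_mail_login_setup /etc/dovecot.conf /etc/pam.d/imap /home/DOMAIN`) after each config change. The outcome of the thread is the reason for check 3: once "-session *" is in place the directory is created inside the PAM session that dovecot-auth opens, and the ps listing above shows dovecot-auth running with EUID 0, so the parent directory never needs to be writable by the unprivileged imap process. A world-writable /home is therefore a symptom that the session step is not happening, not a fix.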
Hi,
I have some colleagues here going on vacation... is there a way of sending a small message (directly from server) to everyone who sends emails to those people.
Thanks and cheers!
On Mon, December 19, 2005 08:16, Ashvin Meetoo wrote:
I have some collegues here going on vacation... is there a way of sending a small message (directly from server) to everyone who send emails to those people.
You can take a look at this: http://vacation.sourceforge.net/
If you have SquirrelMail, you can install a Vacation plugin that enables your users to turn on and off the vacation feature.
ciao, luigi
-- +----[Luigi Rosa]---
On Mon, December 19, 2005 08:16, Ashvin Meetoo wrote:
I have some collegues here going on vacation... is there a way of sending a small message (directly from server) to everyone who send emails to those people.
Take a look at this: http://vacation.sourceforge.net/
If you have SquirrelMail, you can install a vacation plugin that uses this vacation tool and enables your users to manage their vacation status.
ciao, luigi
-- +----[Luigi Rosa]---
THANKS!!! Everything's possible with Linux after all!
Luigi Rosa wrote:
Take a look a this: http://vacation.sourceforge.net/
I don't think I'd recommend that software, since it isn't being maintained any longer (2 1/2 years) and I don't think it has robust support for mailing lists. Most of the early vacation programs would just reply to bulk messages, which could cause the list software to mailbomb itself with the automatic responses. I don't trust users to unsubscribe from lists before turning on their vacation message...
I prefer this one:
<http://untroubled.org/qmail-autoresponder/>
since it supports rate limiting, the vast majority of mailing lists, etc. It works only with qmail, though. It's probably possible to use with any LDA which supports delivery scripts (e.g. .forward files).
John
--
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard Suite H
Lanham, MD 20706
301-459-3366 x.5010 fax 301-429-5748
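John's two requirements for a safe autoresponder, never answering list or bulk mail and rate limiting replies per sender, as an added example that is not part of the thread and is not how vacation or qmail-autoresponder implement them: a POSIX shell policy check that a delivery script (a .forward hook or LDA script) could run before sending the "on vacation" notice. The sample messages, the state-directory layout and the function names are constructed for this illustration; the headers it relies on are the standard ones (Auto-Submitted from RFC 3834, List-Id from RFC 2919, the conventional Precedence: bulk/list/junk, and a null Return-Path for bounces).

```shell
#!/bin/sh
# Added example (not from the thread, not the logic of vacation(1) or
# qmail-autoresponder): decide whether a vacation reply may be sent at all,
# and allow at most one reply per sender per time window.

# Print the header section of message file $1 (up to the first blank line).
message_headers() {
    sed '/^$/q' "$1"
}

# Succeed only when replying to message file $1 cannot mailbomb a list or
# loop with another automatic sender; print the reason when declining.
should_autoreply() {
    hdrs=$(message_headers "$1")
    if printf '%s\n' "$hdrs" | grep -Eiq '^auto-submitted:[[:space:]]*auto-'; then
        echo "skip: message is itself automatic (Auto-Submitted)"; return 1
    fi
    if printf '%s\n' "$hdrs" | grep -Eiq '^precedence:[[:space:]]*(bulk|list|junk)'; then
        echo "skip: bulk/list precedence"; return 1
    fi
    if printf '%s\n' "$hdrs" | grep -Eiq '^(list-id|list-post|list-unsubscribe):'; then
        echo "skip: mailing-list headers present"; return 1
    fi
    if printf '%s\n' "$hdrs" | grep -Eiq '^return-path:[[:space:]]*<>'; then
        echo "skip: null return path (bounce)"; return 1
    fi
    if printf '%s\n' "$hdrs" | grep -Eiq '^(from|return-path):.*(mailer-daemon|postmaster|noreply|no-reply)'; then
        echo "skip: sender is a daemon or no-reply address"; return 1
    fi
    return 0
}

# Succeed at most once per sender ($1) within $3 seconds, remembering the
# time of the last reply in one marker file per sender under state dir $2.
ratelimit_ok() {
    sender=$1; statedir=$2; window=$3
    mkdir -p "$statedir"
    # Lower-case the address and map anything unusual to "_" for a safe file name.
    key=$(printf '%s' "$sender" | tr 'A-Z' 'a-z' | tr -c 'a-z0-9.@_' '_')
    marker="$statedir/$key"
    now=$(date +%s)
    if [ -f "$marker" ]; then
        last=$(cat "$marker" 2>/dev/null)
        : "${last:=0}"
        if [ $((now - last)) -lt "$window" ]; then
            return 1
        fi
    fi
    printf '%s\n' "$now" > "$marker"
    return 0
}

# --- constructed sample messages so the script runs stand-alone ---
MSG_DIR=$(mktemp -d)
cat > "$MSG_DIR/personal.eml" <<'EOF'
From: Alice Example <alice@example.org>
To: ned@example.net
Subject: lunch?

Are you around on Thursday?
EOF
cat > "$MSG_DIR/list.eml" <<'EOF'
From: dovecot-bounces@example.org
To: dovecot@example.org
List-Id: Dovecot Mailing List <dovecot.example.org>
Precedence: list
Subject: [Dovecot] Dovecot & pam_mkhomedir

(list traffic)
EOF
cat > "$MSG_DIR/bounce.eml" <<'EOF'
Return-Path: <>
From: MAILER-DAEMON@example.net
Auto-Submitted: auto-replied
Subject: Undelivered Mail Returned to Sender

(bounce text)
EOF

# Report the decision for each sample; a real hook would send the reply on "reply".
for m in personal list bounce; do
    if should_autoreply "$MSG_DIR/$m.eml"; then
        echo "$m.eml: reply"
    fi
done
```

Declining on any list marker rather than only on Precedence: bulk is what prevents the self-mailbombing John describes, since not every list sets Precedence. The per-sender marker file gives the responder a memory, so a correspondent who writes ten times during the absence gets one notice per window instead of ten; pick the window (a day or a week is typical) to match how often people need reminding.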
On Sun, December 18, 2005 7:51 pm, Stroller wrote:
Sorry to flood the list with this... but I've _finally_ figured out the problem.
...
IMHO the best way to document this in the supplied dovecot.conf would be:
passdb pam {
  # [-session] [cache_key=<key>] [<service name>]

Even better:

passdb pam {
  # args = "[-session] [cache_key=<key>] [<service name>]"
Jim
Jim Trigg, Lord High Everything Else O- /"
Hostmaster, Huie Kin family website \ / ASCII RIBBON CAMPAIGN
Verger and System Administrator, X HELP CURE HTML MAIL
All Saints Church - Sharon Chapel / \
On Dec 19, 2005, at 2:43 pm, Jim Trigg wrote:
Yes, of course. I must've been tired &/or brain-dead when I made my posting. Of course yours is the correct way to describe what I've encountered.
Stroller.
participants (7): Ashvin Meetoo, Chris Wakelin, Jim Trigg, John Peacock, Luigi Rosa, Pasi Sjoholm, Stroller