[Dovecot] Dovecot on FC3 with Active Directory authentication
I am building an IMAP server that uses Dovecot/Sendmail on FC3 to
replace our POP server that uses Dovecot (via POP)/Sendmail on FC2.
My new server is authenticating users via winbind/smb against my
Windows 2003 Active Directory. The authentication is working great.
The problem comes up when a user gets an email and has never logged
into the IMAP server via SSH, local login, or GDM, and therefore that
user has no home directory.
/etc/pam.d/ssh, /etc/pam.d/login, and /etc/pam.d/gdm all have a line
calling mkhomedir.so, which is using the /etc/skel home directory
skeleton to create the user's home dir upon successful login,
however, when I add that line to /etc/pam.d/dovecot, I get a
permission denied error in /var/log/maillog. I'm assuming this is
because dovecot is running as the user at this point, and therefore
does not have the necessary permissions to create a folder under
/home/DOMAIN/, which is where the home dir is supposed to be. If I
manually create the folder, and set its permissions, or if the user
logs in via any of the before-mentioned methods, dovecot and sendmail
work great.
Does anyone else run a similar setup? If so, how did you overcome
this problem?
If not, can some Linux gurus recommend either altering the write
permissions on the /home/DOMAIN directory, or should I try to call
the mkhomedir app earlier in the process somehow?
Any help would be appreciated. I'm trying to make this as seamless as
possible. Basically, I can manually create all the home dirs well
enough, but when I add a new user to the Active Directory, it would
be nice if this part was automated as much as possible.
Thanks,
Jeff Ramsey MIS Administrator Tubafor Mill, Inc.
On Thu, 2005-10-06 at 10:28 -0700, Jeff Ramsey wrote:
/etc/pam.d/ssh, /etc/pam.d/login, and /etc/pam.d/gdm all have a line
calling mkhomedir.so, which is using the /etc/skel home directory
skeleton to create the user's home dir upon successful login,
however, when I add that line to /etc/pam.d/dovecot, I get a
permission denied error in /var/log/maillog. I'm assuming this is
because dovecot is running as the user at this point, and therefore
does not have the necessary permissions to create a folder under /home/DOMAIN/, which is where the home dir is supposed to be. If I
manually create the folder, and set its permissions, or if the user
logs in via any of the before-mentioned methods, dovecot and sendmail
work great.
Which section did you add it to?
-- Ignacio Vazquez-Abrams ivazquez@ivazquez.net http://fedora.ivazquez.net/
gpg --keyserver hkp://subkeys.pgp.net --recv-key 38028b72
On Oct 06, 2005, at 11:16 AM, Ignacio Vazquez-Abrams wrote:
Which section did you add it to?
Here is my /etc/pam.d/dovecot:
#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077
On Fri, 2005-10-07 at 11:23 -0700, Jeff Ramsey wrote:
Here is my /etc/pam.d/dovecot:
Based on what I've been able to find on the web it appears that your conjecture is correct. The dovecot daemon simply doesn't have the proper permissions to create the home directory.
AFAICT the only way to really fix this is to set the permissions on /home to 0777, which of course has security repercussions of its own. You could also write a daemon that creates home directories when a new user is created, but I don't know enough about your environment to give a starting point.
-- Ignacio Vazquez-Abrams ivazquez@ivazquez.net http://fedora.ivazquez.net/
gpg --keyserver hkp://subkeys.pgp.net --recv-key 38028b72
On Oct 08, 2005, at 10:41 AM, Ignacio Vazquez-Abrams wrote:
Based on what I've been able to find on the web it appears that your conjecture is correct. The dovecot daemon simply doesn't have the proper permissions to create the home directory. AFAICT the only way to really fix this is to set the permissions on /home to 0777, which of course has security repercussions of its own. You could also write a daemon that creates home directories when a new user is created, but I don't know enough about your environment to give a starting point.
Thanks for assuring me that I was not losing my mind.
I'll study up on writing such a daemon. If I write a script that is
called from /etc/pam.d/dovecot, then uses 'su' to become a non-root
user with write permissions to /home, this seems like the best way to
do this, correct? Or are you suggesting that I write an actual daemon
that runs and waits for the users to login, and then creates the home
dir?
I've done the former once or twice, but never the latter. It may be
above my knowledge of Linux shell scripting. (Maybe another reason to
buy a new shell scripting book...)
Thanks again,
Jeff Ramsey MIS Administrator Tubafor Mill, Inc.
On Thu, 2005-10-06 at 10:28 -0700, Jeff Ramsey wrote:
I'm assuming this is because dovecot is running as the user at this point,
No. PAM calls are made by the dovecot-auth process, and it runs as the auth_user specified in the config file. Have you changed that to be non-root? Another reason it could be denied is SELinux, if you have it enabled.
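The thread leaves two ways out: make /home world-writable so the unprivileged dovecot-auth process can create directories through pam_mkhomedir, or have something privileged create the directories ahead of time. The script below is an added example, not code from the thread, from Dovecot, or from either poster: it is the second option done as a root-run script (from cron, or from whatever step adds the AD account), so /home/DOMAIN can stay root-owned and 0755 instead of 0777. It copies the skeleton with umask 0077, the same settings the posted pam_mkhomedir line uses, and reads passwd-format lines on stdin so that `getent passwd` (where winbind-backed accounts show up via NSS) can feed it. The path /home/DOMAIN, the hypothetical user names, and the stdin interface are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot): pre-create missing
# home directories from a root-run script instead of letting dovecot-auth
# try it through pam_mkhomedir. Mirrors pam_mkhomedir's behaviour (copy
# the skeleton, umask 0077) without making /home/DOMAIN world-writable.
# Paths and user names are assumed for illustration.

# make_home HOMEDIR SKEL [UID GID]
# Creates HOMEDIR with mode 0700 and copies SKEL into it under umask 0077.
# Ownership is applied only when UID/GID are given and we are root.
# Returns 0 when created, 1 when HOMEDIR already exists, 2 on error.
make_home() {
    home="$1"; skel="$2"; uid="$3"; gid="$4"
    [ -d "$home" ] && return 1
    # The per-domain container (e.g. /home/DOMAIN) stays 0755, not 0777:
    # only root creates entries in it, so nothing else needs write access.
    parent=$(dirname "$home")
    [ -d "$parent" ] || mkdir -p -m 0755 "$parent" || return 2
    mkdir -m 0700 "$home" || return 2
    if [ -d "$skel" ]; then
        # "$skel/." copies dotfiles too; the subshell keeps the umask local,
        # so copied files end up 0600/0700 regardless of the skeleton's modes.
        (umask 077 && cp -R "$skel/." "$home/") || return 2
    fi
    if [ -n "$uid" ] && [ "$(id -u)" = 0 ]; then
        chown -R "$uid:$gid" "$home" || return 2
    fi
    return 0
}

# create_missing_homes HOMEBASE SKEL   < passwd-format lines on stdin
# Reads "name:pw:uid:gid:gecos:home:shell" lines (normally `getent passwd`)
# and creates every home directory under HOMEBASE that does not exist yet.
# Accounts whose home is outside HOMEBASE (local users, root) are skipped.
# Prints the path of each directory it created.
create_missing_homes() {
    base="$1"; skel="$2"
    while IFS=: read -r name pw uid gid gecos home shell; do
        case "$home" in
            "$base"/*) ;;
            *) continue ;;
        esac
        make_home "$home" "$skel" "$uid" "$gid" && printf '%s\n' "$home"
    done
    return 0
}

# Typical use from root's crontab (assumed paths):
#   getent passwd | create_missing_homes /home/DOMAIN /etc/skel
```

Because the directories already exist by the time dovecot-auth runs the PAM session stack, the pam_mkhomedir line in /etc/pam.d/dovecot becomes a no-op for those users and can be dropped; the script is idempotent, so running it every few minutes from cron only costs a `getent passwd` scan.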
participants (3): Ignacio Vazquez-Abrams, Jeff Ramsey, Timo Sirainen