Hi, mail is delivered by Dovecot's LMTP locally and I need user's home directory to be created if it doesn't exist yet. There is a setting in Dovecot's configuration, "session=yes", in /etc/Dovecot/conf.d/auth-system.conf.ext, which should do that.

passdb { driver = pam
args = session=yes dovecot }

But I think it does not work in my setup because I do not see any PAM log entry for Dovecot in system log when this error happens:

Apr 9 13:01:55 mailhost dovecot: lmtp(2935): Connect from local Apr 9 13:01:55 mailhost dovecot: lmtp(2935, testuser): Error: User initialization failed: Namespace '': mkdir(/home/testuser/Maildir) failed: Permission denied (euid=174000327(testuser) egid=174000327(testuser ) missing +w perm: /home, dir owned by 0:0 mode=0755) Apr 9 13:01:55 mailhost dovecot: lmtp(2935): Disconnect from local: Successful quit

The error above seems expected, because it is not LMTP agent's job to create user's home directory but pam_oddjob_mkhomedir.so module should do that. Right?

And there are common PAM log entries for every user session:

Apr 9 13:24:42 mailhost auth: pam_sss(dovecot:auth): authentication success; logname= uid=0 euid=0 tty=dovecot ruser=validuser rhost=::1 user= validuser Apr 9 13:24:42 mailhost auth: pam_unix(dovecot:session): session opened for user validuser by (uid=0) Apr 9 13:24:42 mailhost auth: pam_unix(dovecot:session): session closed for user validuser

How to debug this problem and find out why Dovecot does not open PAM session or - if I am wrong and it does, then what else is going wrong? Home directory autocreation is configured with command "authconfig --enablemkhomedir --update" and it works if user logs into system via shell or webmail.

I tried to enable "mail_debug" in Dovecot's settings, but it did not give me any more information on PAM session.

Running on Centos 7.6, with Dovecot 2.2.36.

It looks like a common mistake or issue, because I am not alone: http://tinyurl.com/y6kjhsnw Thank you very much in advance for your time. Ivars

/etc/pam.d/dovecot #%PAM-1.0 auth required pam_nologin.so auth include password-auth account include password-auth session include password-auth

/etc/pam.d/password-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth [default=1 success=ok] pam_localuser.so auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth required pam_deny.so

account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so

session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so umask=0077 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so

doveconf -n # 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.24 (124e06aa) # OS: Linux 3.10.0-957.10.1.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core)
# Hostname: mailhost.example.com auth_mechanisms = plain login auth_socket_path = /var/run/dovecot/auth-master auth_username_format = %Ln auth_verbose = yes default_client_limit = 3500 default_process_limit = 500 disable_plaintext_auth = no first_valid_uid = 203 imap_client_workarounds = tb-lsub-flags tb-extra-mailbox-sep lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes lmtp_save_to_detail_mailbox = yes mail_location = maildir:~/Maildir:INBOX=~/Maildir:LAYOUT=fs mail_plugins = " fts fts_lucene" mail_privileged_group = mail maildir_very_dirty_syncs = yes managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve mbox_write_locks = fcntl namespace inbox { inbox = yes list = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Junk { auto = subscribe special_use = \Junk } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { auto = subscribe special_use = \Sent } mailbox Trash { auto = subscribe special_use = \Trash } prefix = separator = / type = private } passdb { args = session=yes dovecot driver = pam } plugin { autocreate = Junk autocreate2 = Sent autocreate3 = Drafts autocreate4 = Trash autosubscribe = Junk autosubscribe2 = Sent autosubscribe3 = Drafts autosubscribe4 = Trash fts = lucene fts_lucene = whitespace_chars=@. imapsieve_mailbox1_before = file:/usr/lib64/dovecot/sieve/report-spam.sieve imapsieve_mailbox1_causes = COPY imapsieve_mailbox1_name = Junk imapsieve_mailbox2_before = file:/usr/lib64/dovecot/sieve/report-ham.sieve imapsieve_mailbox2_causes = COPY imapsieve_mailbox2_from = Junk imapsieve_mailbox2_name = * sieve = file:~/sieve;active=~/roundcube.sieve sieve_before = /var/lib/sieve/junk.sieve sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment sieve_pipe_bin_dir = /usr/lib64/dovecot/sieve sieve_plugins = sieve_imapsieve sieve_extprograms } pop3_client_workarounds = outlook-no-nuls oe-ns-eoh pop3_uidl_format = %v.%u protocols = imap pop3 lmtp sieve service auth { unix_listener /var/spool/postfix/private/dovecot-auth { group = postfix mode = 0660 user = postfix } unix_listener auth-master { group = user mode = 0660 user = root } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } ssl_cert =