[Dovecot] Requested xxxx scheme, but we have a NULL password after upgrade
I'm having an issue I can't seem to work around after upgrading from Dovecot 1.0.7 to 1.2.17.
After getting Dovecot 1.07 working on CentOS 5.9, I decided that it might be wise to upgrade to a later version, so I stuck with 1.x and went with 1.2.17, which I had to compile from source. CentOS was originally using /etc as the starting path for Dovecot files but the source distribution puts most of the stuff under /usr/local/etc. After the usual config>make>make install dance I made the necessary changes to point to the new libraries, modules, etc. and the "imap-login: Fatal: Dovecot version mismatch: Master is v1.2.17, login is v1.0.7...." messages went away.
After doing this, though, I cannot log in; I get the following error messages:
Feb 13 15:50:40 auth(default): Info: client in: AUTH 7 NTLM
service=imap lip=192.168.2.102 rip=192.168.2.100 lport=143
rport=1470
Feb 13 15:50:40 auth(default): Info: client out: CONT 7
Feb 13 15:50:40 auth(default): Info: client in: CONT 7
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
Feb 13 15:50:40 auth(default): Info: client out: CONT 7
TlRMTVNTUAACAAAAMAAwADAAAAAFAooATj7XW6ve2hwAAAAAAAAAADgAOABgAAAAUwBlAHIAdgBlAHIAMQAuAGgAZQByAHMAYwBoAGwAYQB1AHIAZQBuAC4AYwBvAG0AAwAwAFMAZQByAHYAZQByADEALgBoAGUAcgBzAGMAaABsAGEAdQByAGUAbgAuAGMAbwBtAAAAAAA=
Feb 13 15:50:40 auth(default): Info: client in: CONT 7
TlRMTVNTUAADAAAAGAAYAGoAAABoAGgAggAAAAAAAABIAAAAEAAQAEgAAAASABIAWAAAAAAAAADqAAAABQKIAgUBKAoAAAAP*CENSORED*bgBiAFEAUwBFAC0AVwBJAE4AWABQAEXO6p/WuopqQ02x1kzJGW3NoQELKw32N88JqkbMOYOVErhiS492elwBAQAAAAAAA*CENSORED*ysN9jcAAAAAAwAwAFMAZQByAHYAZQByADEALgBoAGUAcgBzAGMAaABsAGEAdQByAGUAbgAuAGMAbwBtAAAAAAAAAAAA
Feb 13 15:50:40 auth(default): Info: cache(pquesinb,192.168.2.100): miss
Feb 13 15:50:40 auth(default): Info: passwd-file(pquesinb,192.168.2.100):
lookup: user=pquesinb file=/etc/dovecot.users
Feb 13 15:50:40 auth(default): Info: password(pquesinb,192.168.2.100):
Requested NTLM scheme, but we have a NULL password
Feb 13 15:50:40 auth(default): Info: cache(pquesinb,192.168.2.100): miss
Feb 13 15:50:40 auth(default): Info: password(pquesinb,192.168.2.100):
passdb doesn't support credential lookups
Feb 13 15:50:40 auth(default): Info: cache(pquesinb,192.168.2.100): miss
Feb 13 15:50:40 auth(default): Info: password(pquesinb,192.168.2.100):
passdb doesn't support credential lookups
Feb 13 15:50:40 auth(default): Info: cache(pquesinb,192.168.2.100): miss
Feb 13 15:50:40 auth(default): Info: password(pquesinb,192.168.2.100):
passdb doesn't support credential lookups
Feb 13 15:50:40 auth(default): Info: cache(pquesinb,192.168.2.100): miss
Feb 13 15:50:40 auth(default): Info: password(pquesinb,192.168.2.100):
passdb doesn't support credential lookups
Feb 13 15:50:42 auth(default): Info: client out: FAIL 7
user=pquesinb
Looking at the log from the old version while it was working, I was getting messages like the following:
dovecot: Feb 04 14:14:21 Info: imap-login: Login: user=<pquesinb>, method=NTLM, rip=192.168.2.100, lip=192.168.2.102
dovecot: Feb 04 14:14:21 Info: imap-login: Login: user=<pquesinb>, method=NTLM, rip=192.168.2.100, lip=192.168.2.102
dovecot: Feb 04 14:15:03 Info: IMAP(pquesinb): Disconnected: Logged out
dovecot: Feb 04 14:15:03 Info: IMAP(pquesinb): Disconnected: Logged out
dovecot: Feb 04 14:15:23 Info: imap-login: Login: user=<pquesinb>, method=NTLM, rip=192.168.2.100, lip=192.168.2.102
dovecot: Feb 04 14:15:23 Info: imap-login: Login: user=<pquesinb>, method=NTLM, rip=192.168.2.100, lip=192.168.2.102
dovecot: Feb 04 14:16:05 Info: IMAP(pquesinb): Disconnected: Logged out
dovecot: Feb 04 14:16:05 Info: IMAP(pquesinb): Disconnected: Logged out
/etc/dovecot.users contains a list of usernames.
Is this error the result of additional security which has been incorporated into the later version of Dovecot, or is it because my installation of the later version from source is broken, somehow incompatible, etc? Dovecot was configured to use PAM and it appeared to know the password of my account, failing when it was entered incorrectly so I'm assuming that it was successfully using PAM. I kept the same syntax in the later config file.
From dovecot.conf:
passdb pam {
  # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
  # [cache_key=<key>] [<service name>]
  #
  # session=yes makes Dovecot open and immediately close PAM session. Some
  # PAM plugins need this to work, such as pam_mkhomedir.
  #
  # setcred=yes makes Dovecot establish PAM credentials if some PAM plugins
  # need that. They aren't ever deleted though, so this isn't enabled by
  # default.
  #
  # max_requests specifies how many PAM lookups to do in one process before
  # recreating the process. The default is 100, because many PAM plugins
  # leak memory.
  #
  # cache_key can be used to enable authentication caching for PAM
  # (auth_cache_size also needs to be set). It isn't enabled by default
  # because PAM modules can do all kinds of checks besides checking password,
  # such as checking IP address. Dovecot can't know about these checks
  # without some help. cache_key is simply a list of variables (see
  # doc/wiki/Variables.txt) which must match for the cached data to be used.
  # Here are some examples:
  #   %u - Username must match. Probably sufficient for most uses.
  #   %u%r - Username and remote IP address must match.
  #   %u%s - Username and service (ie. IMAP, POP3) must match.
  #
  # The service name can contain variables, for example %Ls expands to
  # pop3 or imap.
  #
  # Some examples:
  #   args = session=yes %Ls
  args = cache_key=%u dovecot
  #args = dovecot
}
If anyone could give me some ideas on where to go from here, I'd really appreciate it. If there's little chance of getting the newer version to work with CentOS 5 then I'm ready to just drop back to the older version.
Thanks a bunch.
- Phil
Config info follows:
[root@Server1 lda]# dovecot -n
# 1.2.17: /usr/local/etc/dovecot.conf
# OS: Linux 2.6.18-348.el5.centos.plusxen x86_64 CentOS release 5.9 (Final)
log_path: /var/log/dovecot.log
info_log_path: /var/log/dovecot.log
protocols: imap imaps pop3 pop3s
ssl_cert_file: /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file: /etc/pki/dovecot/private/dovecot.pem
disable_plaintext_auth: no
login_dir: /usr/local/var/run/dovecot/login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
max_mail_processes: 64
mail_location: maildir:~/Maildir
maildir_very_dirty_syncs: yes
mail_executable(default): /usr/local/libexec/dovecot/imap
mail_executable(imap): /usr/local/libexec/dovecot/imap
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
mail_log_max_lines_per_sec: 100
imap_client_workarounds(default): outlook-idle
imap_client_workarounds(imap): outlook-idle
imap_client_workarounds(pop3):
lda:
  mail_plugin_dir: /usr/local/lib/dovecot/lda
auth default:
  mechanisms: ntlm plain login digest-md5
  cache_size: 16
  cache_ttl: 90
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: passwd-file
    args: /etc/dovecot.users
  passdb:
    driver: pam
    args: cache_key=%u dovecot
  passdb:
    driver: passwd
  passdb:
    driver: shadow
  userdb:
    driver: passwd
-- View this message in context: http://dovecot.2317879.n4.nabble.com/Requested-xxxx-scheme-but-we-have-a-NUL... Sent from the Dovecot mailing list archive at Nabble.com.
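Added example, not part of the original post: a small Python parser that rejoins the mail-wrapped auth debug lines shown above and attaches each passdb error to the AUTH request it belongs to, so the mechanism, the outcome and the reasons can be read together. The function names and the trimmed sample log are assumptions made for this illustration.

```python
import re
from collections import Counter

# Excerpt of the auth debug log posted above: base64 NTLM payloads, cache and
# passwd-file lines omitted, repeats trimmed, mail-wrapped lines kept as posted.
SAMPLE_LOG = """\
Feb 13 15:50:40 auth(default): Info: client in: AUTH 7 NTLM
service=imap lip=192.168.2.102 rip=192.168.2.100 lport=143
rport=1470
Feb 13 15:50:40 auth(default): Info: password(pquesinb,192.168.2.100):
Requested NTLM scheme, but we have a NULL password
Feb 13 15:50:40 auth(default): Info: password(pquesinb,192.168.2.100):
passdb doesn't support credential lookups
Feb 13 15:50:40 auth(default): Info: password(pquesinb,192.168.2.100):
passdb doesn't support credential lookups
Feb 13 15:50:42 auth(default): Info: client out: FAIL 7
user=pquesinb
"""
STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

def unwrap(text):
    """Rejoin continuation lines (no leading timestamp) onto their record."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Map each AUTH id to mechanism, outcome and passdb errors.
    password(...) lines carry no request id, so they are held per user."""
    reqs, pending = {}, {}
    for rec in unwrap(text):
        msg = rec.split(": Info: ", 1)[-1]
        if m := re.match(r"client in: AUTH (\d+) (\S+)", msg):
            reqs[m.group(1)] = {"mech": m.group(2), "result": None,
                                "user": None, "reasons": Counter()}
        elif m := re.match(r"password\(([^,)]*),[^)]*\): (.+)", msg):
            pending.setdefault(m.group(1), Counter())[m.group(2)] += 1
        elif m := re.match(r"client out: (OK|FAIL) (\d+)\s+user=(\S+)", msg):
            if (req := reqs.get(m.group(2))) is not None:
                req.update(result=m.group(1), user=m.group(3),
                           reasons=pending.pop(m.group(3), Counter()))
    return reqs

if __name__ == "__main__":
    for rid, r in summarize(SAMPLE_LOG).items():
        print(rid, r["mech"], r["user"], r["result"], dict(r["reasons"]))
```
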
Digging further:
I did some rc.d/init.d tweaking so that I could run either Dovecot version on demand and changed the configuration so that authentication for both is basically the same. 1.07 works and 1.2.17 still doesn't.
I'd really like to understand what's going on here as opposed to just dropping back and declaring it "fixed".
Here is the -n output for both versions, login/mail executables and plugins are present within the configured paths for both versions:
[root@Server1 init.d]# dovecot -n
# 1.2.17: /usr/local/etc/dovecot.conf
# OS: Linux 2.6.18-348.el5.centos.plusxen x86_64 CentOS release 5.9 (Final)
log_path: /var/log/dovecot.log
info_log_path: /var/log/dovecot.log
protocols: imap imaps pop3 pop3s
ssl_cert_file: /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file: /etc/pki/dovecot/private/dovecot.pem
disable_plaintext_auth: no
login_dir: /usr/local/var/run/dovecot/login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
max_mail_processes: 64
mail_location: maildir:~/Maildir
maildir_very_dirty_syncs: yes
mail_executable(default): /usr/local/libexec/dovecot/imap
mail_executable(imap): /usr/local/libexec/dovecot/imap
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
mail_log_max_lines_per_sec: 100
imap_client_workarounds(default): outlook-idle
imap_client_workarounds(imap): outlook-idle
imap_client_workarounds(pop3):
lda:
  mail_plugin_dir: /usr/local/lib/dovecot/lda
auth default:
  mechanisms: ntlm plain
  cache_size: 16
  cache_ttl: 90
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: passwd-file
    args: /etc/dovecot.users
  passdb:
    driver: pam
    args: cache_key=%u dovecot
  userdb:
    driver: passwd

[root@Server1 init.d]# dovecot107 -n
# 1.0.7: /etc/dovecot.conf
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
mail_location: maildir:~/Maildir
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
auth default:
  mechanisms: ntlm plain
  passdb:
    driver: passwd-file
    args: /etc/dovecot.users
  passdb:
    driver: pam
    args: cache_key=%u dovecot
  userdb:
    driver: passwd
Many thanks,
- Phil
This is definitely a PAM-related problem. I can get authentication to work with passdb shadow and userdb passwd.
Looking around, I saw something about a config option and a certain library needing to be present at compile-time to support PAM authentication but I thought I read something about an error-message related to that being shown in the log. Perhaps that error message is shown at compile-time.
If anyone is able to confirm my suspicions, please let me know.
Cheers,
- Phil