[Dovecot] Disable PAM username change?
Hi! I have a problem involving Samba4, exim4, fetchmail, Dovecot and PAM... I am using Dovecot 2.1.7 on Debian Wheezy.
I have set up a "maildrop" machine, which fetches mail from an external POP3 server for multiple accounts using fetchmail, delivers to local users' mailboxes through exim4 and then serves them on the intranet via IMAP with Dovecot. This works great with local unix users, but I am having some trouble configuring it to work with Samba4 AD users (Samba 4.0.9 running as a DC on the same machine).
Basically, I have configured PAM with winbind and it works fine (AD users can SSH into the machine, for example). Dovecot also authenticates properly via PAM, but the problem is that the username gets changed in the process (PAM returns the "username" as "DOMAIN\username"):
Aug 21 22:50:22 dc2 dovecot: auth-worker(5179): Debug: auth(foo,127.0.0.1): username changed foo -> DOMAIN\foo
Aug 21 22:50:22 dc2 dovecot: auth: Debug: auth(foo,127.0.0.1,<0bBfg3/kpQB/AAAB>): username changed foo -> DOMAIN\foo
Aug 21 22:50:22 dc2 dovecot: auth: Debug: client out: OK#0111#011user=DOMAIN\foo
So the actual problem is that exim4 is delivering the mail to, for example, "/var/mail/foo" but Dovecot is looking for the mailbox on "/var/mail/DOMAIN\foo", even if the username given in the IMAP session is just "foo". The wiki (http://wiki2.dovecot.org/PasswordDatabase/PAM) mentions that "a PAM module can change the username". Can this be avoided?
I need either:
- Exim to deliver the mail to the user mailbox, *including* the domain part (out of scope of this list, but information is welcome), or
- Dovecot to fetch the mail *not* using the domain part as part of the username variable.
As a quick and dirty workaround, I hardcoded the domain part in the exim delivery path (something like "/var/mail/DOMAIN\\$local_part"), but this is far from optimal since I cannot use both unix users and AD users, I cannot use dovecot_delivery LDA transport, etc.
As a bottom line, I also posted this to the Samba list because I believe this could also be solved if winbind just always returned the username without the domain when queried (conf option not working, probable bug)
Ideas are welcome!!
Best regards,
Jorge
Ok, I figured it out.
I used the dovecot_delivery transport with Exim. When using the "-d $local_part" option, it does the same userdb lookup that Dovecot itself does later, so the mail gets delivered to, and is fetched from, the right location.
Hope this helps.
Best regards.
On Sat, Aug 24, 2013 at 4:52 AM, George jorgito1412@gmail.com wrote:
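For anyone else landing on this thread, here is what the Exim side of that fix looks like. This is an added example, not Jorge's actual configuration; it follows the router/transport layout documented on the Dovecot wiki's Exim LDA page. The dovecot-lda path (Debian's /usr/lib/dovecot/dovecot-lda), the router name "dovecot_user" and the delivery user "mail" are assumptions.

```exim
# Router: accept addresses whose local part is a local account and hand
# them to the Dovecot LDA transport. check_local_user resolves the local
# part with getpwnam(), which succeeds for /etc/passwd users and, with
# winbind in nsswitch.conf, for AD users as well.
dovecot_user:
  driver = accept
  check_local_user
  transport = dovecot_delivery

# Transport: pipe the message into dovecot-lda. "-d $local_part" makes
# dovecot-lda perform the same userdb lookup that the IMAP login performs
# later, so delivery and retrieval agree on the mailbox location even
# when PAM rewrites "foo" to "DOMAIN\foo".
#
# Exim's pipe transport does not run the command through a shell unless
# use_shell is set (it is not here), so $local_part is expanded into a
# single argv entry and cannot inject extra arguments or shell syntax.
dovecot_delivery:
  driver = pipe
  command = /usr/lib/dovecot/dovecot-lda -d $local_part -f $sender_address
  message_prefix =
  message_suffix =
  delivery_date_add
  envelope_to_add
  return_path_add
  log_output
  # Run dovecot-lda as one unprivileged delivery user (assumed: mail)
  # rather than setuid root.
  user = mail
  # dovecot-lda exit codes that mean "try again later" (EX_TEMPFAIL etc.)
  temp_errors = 64 : 69 : 70 : 71 : 72 : 73 : 74 : 75 : 78
```

Two things to check after adding this. First, `exim -bt foo` shows which router and transport Exim picks for a local part, so you can confirm both a unix user and an AD user end up in dovecot_delivery. Second, `doveadm user foo` prints what Dovecot's userdb returns for the name, which is the same answer dovecot-lda gets from "-d"; if the two commands disagree about the user, delivery and IMAP will disagree about the mailbox. Because dovecot-lda runs as the delivery user, it needs read access to the auth-userdb socket for the "-d" lookup; grant that to the one delivery user in conf.d/10-master.conf (service auth { unix_listener auth-userdb { mode = 0600 user = mail } }) instead of opening the socket to everyone or making dovecot-lda setuid root.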