[Dovecot] Failed authentication to a mysql database (bug or PEBKAC?)
Hello,
I'm trying to setup a mailserver running postfix and dovecot with mysql as database backend. Postfix is already running and delivers mails just fine. Unfortunately, dovecot has great problems connecting to the database (using username + password). If I disable the password, everthing works fine. But, thats harakiri, security wise ;-)
I tried dovecot-1.0-stable and the latest cvs-nightly (I think from August 9.). With both versions, I get the following error (there are little differences between the to versions, but the meaning ist the same...)
dovecot: auth-worker(default): mysql: Connect failed to localhost (my_dbname): Access denied for user 'my_user'@'localhost' (using password: YES) - waiting for 1 seconds before retry
My connect string is as follows: connect = host=/var/lib/mysql/mysql.sock user=my_user password=my_password dbname=my_dbname
Both versions are compiled with the following settings: ./configure --prefix=/usr --localstatedir=/var --libexecdir=/usr/lib --sysconfdir=/etc/dovecot --enable-ipv6 --with-rawlog --with-ssl=openssl --with-pop3d --with-mysql
"make" runs cleanly. Then I use "checkinstall" intead of "make install" because I want to generate an rpm package, but that shouldn't make any difference.
Im using the following packages from suse (since im building the server upon a SuSE 9.3): mysql-4.1.10a-3.2, mysql-devel-4.1.10a-3, mysql-client-4.1.10a-3 and mysql-shared-4.1.10a-3
I don't have any clue, why the connect fails. The password and the username are both correct (triple verified ;-)) and the user has SELECT- and USE- Permission for my_dbname.
Is there any known bug i didn't know about? Or is this a typical PEBKAC situation?
Thanks in advance, Michael
-- www.megamimi.de.vu
Hello,
here's an update: it all works with version 0.99... But this version doesn't support shared folders and all my boss wants is shared folders and mysql.
Anyone got an idea why the mysql connection fails?
thanks, Michael
Michael Gabb schrieb:
Hello,
I'm trying to setup a mailserver running postfix and dovecot with mysql as database backend. Postfix is already running and delivers mails just fine. Unfortunately, dovecot has great problems connecting to the database (using username + password). If I disable the password, everthing works fine. But, thats harakiri, security wise ;-)
I tried dovecot-1.0-stable and the latest cvs-nightly (I think from August 9.). With both versions, I get the following error (there are little differences between the to versions, but the meaning ist the same...)
dovecot: auth-worker(default): mysql: Connect failed to localhost (my_dbname): Access denied for user 'my_user'@'localhost' (using password: YES) - waiting for 1 seconds before retry
My connect string is as follows: connect = host=/var/lib/mysql/mysql.sock user=my_user password=my_password dbname=my_dbname
Both versions are compiled with the following settings: ./configure --prefix=/usr --localstatedir=/var --libexecdir=/usr/lib --sysconfdir=/etc/dovecot --enable-ipv6 --with-rawlog --with-ssl=openssl --with-pop3d --with-mysql
"make" runs cleanly. Then I use "checkinstall" intead of "make install" because I want to generate an rpm package, but that shouldn't make any difference.
Im using the following packages from suse (since im building the server upon a SuSE 9.3): mysql-4.1.10a-3.2, mysql-devel-4.1.10a-3, mysql-client-4.1.10a-3 and mysql-shared-4.1.10a-3
I don't have any clue, why the connect fails. The password and the username are both correct (triple verified ;-)) and the user has SELECT- and USE- Permission for my_dbname.
Is there any known bug i didn't know about? Or is this a typical PEBKAC situation?
Thanks in advance, Michael
-- www.megamimi.de.vu
On Tue, 2005-08-09 at 11:20 +0200, Michael Gabb wrote:
My connect string is as follows: connect = host=/var/lib/mysql/mysql.sock user=my_user password=my_password dbname=my_dbname
This should work. Assuming of course that it's all in one line. Hmm. Are you sure that all the spaces in the line are actually spaces and not just something that look like spaces?
Maybe check with strace if it's actually sending the password to mysql? Something like: strace -o log -f dovecot
Hi Timo,
Timo Sirainen schrieb:
On Tue, 2005-08-09 at 11:20 +0200, Michael Gabb wrote:
My connect string is as follows: connect = host=/var/lib/mysql/mysql.sock user=my_user password=my_password dbname=my_dbname
This should work. Assuming of course that it's all in one line. Hmm. Are you sure that all the spaces in the line are actually spaces and not just something that look like spaces?
This was all double and triple checked by me.
I patched to code of driver-mysql.c to see whats going on:
temp_logfile = fopen("/tmp/mysql_connect.log", "w"); if (temp_logfile != NULL){ fprintf(temp_logfile, "Connecting with the following settings:" "User -> \"%s\", Password -> \"%s\"\n" , db->user, db->password); fflush(temp_logfile); fclose(temp_logfile); }
(pretty ugly in this mail, but it schould be clear, what the code does...)
I inserted this few lines just before the "mysql_real_connect()" and alle I get ist correct output (means: "User -> my_user, Password -> my_password")
Maybe check with strace if it's actually sending the password to mysql? Something like: strace -o log -f dovecot
I did this. Here's the relevant section:
24558 fcntl64(7, F_GETFL) = 0x2 (flags O_RDWR) 24558 connect(7, {sa_family=AF_FILE, path="/var/lib/mysql/mysql.sock"}, 110) = 0 24558 setsockopt(7, SOL_IP, IP_TOS, [8], 4) = -1 EOPNOTSUPP (Operation not suppor ted) 24558 setsockopt(7, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0 24558 read(7, "9\0\0\0", 4) = 4 24558 read(7, "\n4.1.10a-log\0J\0\0\0C5|529g}\0,\242\10\2\0\0"..., 57) = 57 24558 stat64("/usr/share/mysql/charsets/Index.xml", {st_mode=S_IFREG|0644, st_siz e=17147, ...}) = 0 24558 open("/usr/share/mysql/charsets/Index.xml", O_RDONLY|O_LARGEFILE) = 8 24558 read(8, "
I don't see anything special here (although I might be false... I don't have that much experience with mysql, strace and dovecot).
I hope that brings us any further. Hopefully we can get this going since my boss gets a little bit nervous about the amount of time I'm working on this...
Kinf regards, Michael
-- www.megamimi.de.vu
On 15.8.2005, at 12:21, Michael Gabb wrote:
I inserted this few lines just before the "mysql_real_connect()" and alle I get ist correct output (means: "User -> my_user, Password -> my_password")
I can't really then say why it doesn't work. If everything gets sent right to mysql_real_connect(), then it's all mysql's job from there on.. If it works with 0.99.x, is it maybe using a different version of mysql library?
24558 open("/usr/share/mysql/charsets/Index.xml", O_RDONLY|O_LARGEFILE) = 8
This brings to my mind that are aren't any non-ascii characters in the user/password?
24558 read(7, "\377\25\4#28000Access denied for user "..., 75) = 75
Mysql logs don't say more specific reason why it won't work?
Hmm. Maybe it's not user/password itself, but the database that you're connecting to isn't right?
Timo Sirainen schrieb:
On 15.8.2005, at 12:21, Michael Gabb wrote:
I inserted this few lines just before the "mysql_real_connect()" and alle I get ist correct output (means: "User -> my_user, Password -> my_password")
I can't really then say why it doesn't work. If everything gets sent right to mysql_real_connect(), then it's all mysql's job from there on.. If it works with 0.99.x, is it maybe using a different version of mysql library?
All versions are linked against the same mysql library (version 4.1.10a-3, made by SuSE).
24558 open("/usr/share/mysql/charsets/Index.xml", O_RDONLY|O_LARGEFILE) = 8
This brings to my mind that are aren't any non-ascii characters in the user/password?
Hm, thats tricky. Since SuSE uses UTF-8 as charset by default. Could this cause the trouble (when the dovecot-mysql.conf is in UTF-8)? I have to test this tomorrow. But why doesn't have 0.99x any problem with this?
The password itself consists of only alphanumeric characters. Should be no problem.
24558 read(7, "\377\25\4#28000Access denied for user "..., 75) = 75
Mysql logs don't say more specific reason why it won't work?
No. I get only something like "Access denied for 'my_user' @ localhost (Using Password: YES)"
I don#t know exactly because I'm not at work now, but I will mail it tomorrow.
Hmm. Maybe it's not user/password itself, but the database that you're connecting to isn't right? No, everythings fine. Nevertheless I'm going through it tomorrow one more time to be sure.
-- www.megamimi.de.vu
Michael Gabb schrieb:
Hm, thats tricky. Since SuSE uses UTF-8 as charset by default. Could this cause the trouble (when the dovecot-mysql.conf is in UTF-8)? I have to test this tomorrow. But why doesn't have 0.99x any problem with this?
The password itself consists of only alphanumeric characters. Should be no problem.
Well, i said something wrong here. SuSE only uses UTF-8 when installed with an X environement. The dovecot-mysql.conf is plain ascii. file(1) says:
"dovecot-mysql.conf: ASCII English text"
Mysql logs don't say more specific reason why it won't work?
No. I get only something like "Access denied for 'my_user' @ localhost (Using Password: YES)"
I don#t know exactly because I'm not at work now, but I will mail it tomorrow.
Here's what mysql exactly says about it: "76 Connect Access denied for user 'my_user'@'localhost' (using password: YES)"
Hmm. Maybe it's not user/password itself, but the database that you're connecting to isn't right?
No, everythings fine. Nevertheless I'm going through it tomorrow one more time to be sure.
Every parameter of the connect string ist verified by me one more time. No problems here.
-- www.megamimi.de.vu
On 16.8.2005, at 09:03, Michael Gabb wrote:
Hmm. Maybe it's not user/password itself, but the database that you're connecting to isn't right?
No, everythings fine. Nevertheless I'm going through it tomorrow one more time to be sure.
Every parameter of the connect string ist verified by me one more time. No problems here.
I see actually one difference between 0.99.x code and 1.0-test code. Does this help? diff -u -r1.9 driver-mysql.c --- src/lib-sql/driver-mysql.c 9 Jun 2005 18:44:22 -0000 1.9 +++ src/lib-sql/driver-mysql.c 16 Aug 2005 09:08:19 -0000 @@ -82,7 +82,7 @@ if (*conn->host == '/') { unix_socket = conn->host; - host = NULL; + host = "localhost"; } else { unix_socket = NULL; host = conn->host;
Timo Sirainen schrieb:
I see actually one difference between 0.99.x code and 1.0-test code. Does this help?
diff -u -r1.9 driver-mysql.c --- src/lib-sql/driver-mysql.c 9 Jun 2005 18:44:22 -0000 1.9 +++ src/lib-sql/driver-mysql.c 16 Aug 2005 09:08:19 -0000 @@ -82,7 +82,7 @@
if (*conn->host == '/') { unix_socket = conn->host; - host = NULL; + host = "localhost"; } else { unix_socket = NULL; host = conn->host;
No, but now I get an interessting new error sometimes when I try to start: Aug 16 13:51:31 testmail dovecot: Dovecot v1.0-test79 starting up Aug 16 13:51:32 testmail dovecot: Auth process died too early - shutting down Aug 16 13:51:32 testmail dovecot: auth(default): net_connect_unix(/var/run/dovecot/auth-worker.13176) failed: No such file or directory Aug 16 13:51:32 testmail dovecot: child 13176 (auth) returned error 89 But most of the time I get the old error: Aug 16 13:52:10 testmail dovecot: Dovecot v1.0-test79 starting up Aug 16 13:52:11 testmail dovecot: auth-worker(default): mysql: Connect failed to localhost (mailbas): Access denied for user 'my_user'@'localhost' (using password: YES) - waiting for 1 seconds before retry Hope that helps. -- www.megamimi.de.vu
On 16.8.2005, at 12:51, Michael Gabb wrote:
Aug 16 13:51:31 testmail dovecot: Dovecot v1.0-test79 starting up Aug 16 13:51:32 testmail dovecot: Auth process died too early - shutting down Aug 16 13:51:32 testmail dovecot: auth(default): net_connect_unix(/var/run/dovecot/auth-worker.13176) failed: No such file or directory
This is an old unrelated problem which I thought I had fixed earlier, but I think it's finally fixed in test80.
But most of the time I get the old error:
Aug 16 13:52:10 testmail dovecot: Dovecot v1.0-test79 starting up Aug 16 13:52:11 testmail dovecot: auth-worker(default): mysql: Connect failed to localhost (mailbas): Access denied for user 'my_user'@'localhost' (using password: YES) - waiting for 1 seconds before retry
Hmm. How about if you try to use TCP connection instead of UNIX socket? They both work with me though..
Timo Sirainen schrieb:
This is an old unrelated problem which I thought I had fixed earlier, but I think it's finally fixed in test80.
Jup, this error doesn't occurr with test80.
Hmm. How about if you try to use TCP connection instead of UNIX socket? They both work with me though..
Doesn't help. Same error.
-- www.megamimi.de.vu
I'm sorry to say, but my boss told me, that I should try courier on this issue. So I got no more spare time to examine the problem further.
Thanks for your help, though.
King regards, Michael
Michael Gabb schrieb:
Timo Sirainen schrieb:
This is an old unrelated problem which I thought I had fixed earlier, but I think it's finally fixed in test80.
Jup, this error doesn't occurr with test80.
Hmm. How about if you try to use TCP connection instead of UNIX socket? They both work with me though..
Doesn't help. Same error.
-- www.megamimi.de.vu
On Wed, 2005-08-17 at 12:08 +0200, Michael Gabb wrote:
I'm sorry to say, but my boss told me, that I should try courier on this issue. So I got no more spare time to examine the problem further.
Sure. I was out of ideas too..
If anyone has a system where it's broken with 1.0-tests and works with 0.99.x and could give me shell access to it, I'd like to try and fix this.
On Wed, 2005-08-17 at 16:32 +0300, Timo Sirainen wrote:
On Wed, 2005-08-17 at 12:08 +0200, Michael Gabb wrote:
I'm sorry to say, but my boss told me, that I should try courier on this issue. So I got no more spare time to examine the problem further.
Sure. I was out of ideas too..
If anyone has a system where it's broken with 1.0-tests and works with 0.99.x and could give me shell access to it, I'd like to try and fix this.
I'd give you shell access to ours but no real problems at them moment (just assholes who can't configure their exchange servers blaming us for things). Dovecot appears to be running sweet for now.
Regards Andrew
-- Andrew Hutchings (A-Wing) - Linux Guru Netserve Consultants - http://www.domaincity.co.uk/ Linux CDs and DVDs - http://www.linuxiso.co.uk/ Random quote 156: "(Computer manufacturers) want to remove the (IE) icon from the desktop ... this is not allowed." - Microsoft executive Chris Jones, 1995
participants (3)
-
Andrew Hutchings
-
Michael Gabb
-
Timo Sirainen