[Dovecot] dovecot2 auth-worker socket perms ignoring assigned ownership settings in conf.d/10-master.conf?
I have Dovecot2 auth setup to run as
user = doveauth
group = dovecot
configured in,
vi conf.d/10-master.conf
...
service auth {
unix_listener /var/spool/postfix/private/auth {
user = postfix
group = postfix
mode = 0660
}
user = doveauth
group = dovecot
}
service auth-worker {
user = doveauth
group = dovecot
}
...
When I start Dovecot,
ls -al /var/run/dovecot/auth-*
/bin/ls: No match.
service dovecot-custom start
Starting Dovecot ... done
Dovecot's auth-process sockets are created with different ownership than what I specified,
ls -al /var/run/dovecot/auth-*
srw------- 1 root root 0 Oct 11 19:30
/var/run/dovecot/auth-client
srw------- 1 dovecot root 0 Oct 11 19:30
/var/run/dovecot/auth-login
srw------- 1 root root 0 Oct 11 19:30
/var/run/dovecot/auth-master
srw------- 1 root root 0 Oct 11 19:30
/var/run/dovecot/auth-userdb
srw------- 1 dovecot root 0 Oct 11 19:30
/var/run/dovecot/auth-worker
Which causes problems when I test AUTH,
telnet 127.0.0.1 143
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR
LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot
ready.
a login "xxx@domain.loc" "testpass"
a NO [UNAVAILABLE] Temporary authentication failure.
* OK Waiting for authentication process to respond..
In logs,
==> /var/log/dovecot/dovecot-debug.log <==
Oct 11 19:32:11 auth: Debug: Loading modules from directory:
/usr/lib64/dovecot/modules/auth
Oct 11 19:32:11 auth: Debug: Module loaded:
/usr/lib64/dovecot/modules/auth/libauthdb_ldap.so
Oct 11 19:32:11 auth: Debug: Module loaded:
/usr/lib64/dovecot/modules/auth/libdriver_mysql.so
Oct 11 19:32:11 auth: Debug: Module loaded:
/usr/lib64/dovecot/modules/auth/libdriver_pgsql.so
Oct 11 19:32:11 auth: Debug: Module loaded:
/usr/lib64/dovecot/modules/auth/libdriver_sqlite.so
Oct 11 19:32:11 auth: Debug: Module loaded:
/usr/lib64/dovecot/modules/auth/libmech_gssapi.so
Oct 11 19:32:11 auth: Debug: auth client connected (pid=2397)
Oct 11 19:32:17 auth: Debug: client in: AUTH 1 PLAIN
service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=143
rport=47016 resp=<hidden>
==> /var/log/dovecot/dovecot.log <==
Oct 11 19:32:17 auth: Fatal: net_connect_unix(auth-worker) in directory /var/run/dovecot failed: Permission denied (euid=1101(doveauth) egid=305(dovecot) missing +r perm: /var/run/dovecot/auth-worker, dir owned by 305:305 mode=0755)
What needs to change to get those sockets created with correct/assigned ownership & perms?
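The Fatal line above is just the kernel's Unix permission check on the socket node: the auth process (euid doveauth, egid dovecot) needs read and write on auth-worker, but the socket was created as dovecot:root 0600. The script below is an added example, not part of this thread or of Dovecot; it reproduces that check from an `ls -l` line (the sample lines are copied from the thread's output) and from the numeric "dir owned by uid:gid mode=..." form the error prints, so a practitioner can predict whether a given service user will be able to connect before restarting.

```python
import re

# Constructed samples taken from the thread's `ls -al` output (before and after the fix).
BEFORE = "srw------- 1 dovecot  root 0 Oct 11 19:30 /var/run/dovecot/auth-worker"
AFTER = "srw------- 1 doveauth root 0 Oct 11 20:56 /var/run/dovecot/auth-worker"

LS_RE = re.compile(
    r"^(?P<type>[sdl-])(?P<perms>[rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\w{3}\s+\d+\s+[\d:]+\s+(?P<path>\S+)$")


def parse_ls(line):
    """Turn one `ls -l` line into owner, group, path and the three rwx triplets."""
    m = LS_RE.match(line)
    if not m:
        raise ValueError("unrecognised ls line: %r" % line)
    p = m.group("perms")
    return {"owner": m.group("owner"), "group": m.group("group"), "path": m.group("path"),
            "bits": {"owner": p[0:3], "group": p[3:6], "other": p[6:9]}}


def effective_bits(entry, user, groups):
    """Pick the triplet the kernel applies: owner first, then group, then other."""
    if user == entry["owner"]:
        return entry["bits"]["owner"]
    if entry["group"] in groups:
        return entry["bits"]["group"]
    return entry["bits"]["other"]


def missing_socket_perms(line, user, groups):
    """Permissions `user` (member of `groups`) lacks to connect() to the socket in `line`.

    connect() on a Unix socket needs read and write on the socket node; Dovecot reports
    the first one missing as 'missing +r perm' or 'missing +w perm'."""
    bits = effective_bits(parse_ls(line), user, groups)
    return [want for want, have in zip("rw", bits[:2]) if have == "-"]


def dir_searchable(mode_octal, dir_uid, dir_gid, uid, gids):
    """Check the search (x) bit on the socket's directory, using the numeric form Dovecot
    prints in the error ('dir owned by 305:305 mode=0755')."""
    mode = int(mode_octal, 8)
    shift = 6 if uid == dir_uid else 3 if dir_gid in gids else 0
    return bool((mode >> shift) & 0o1)


if __name__ == "__main__":
    print("before fix, doveauth lacks:", missing_socket_perms(BEFORE, "doveauth", {"dovecot"}))
    print("after fix, doveauth lacks:", missing_socket_perms(AFTER, "doveauth", {"dovecot"}))
```

Run it against the actual `ls -l /var/run/dovecot/auth-worker` output and the user/group from `doveconf service/auth` to confirm the listener's `user`/`group`/`mode` settings give the auth process what it needs.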
On Tue, Oct 11, 2011 at 07:43:42PM -0700, mephistopheles@operamail.com wrote:
service auth-worker { user = doveauth group = dovecot }
You need an extra piece here:
service auth-worker { user = $default_internal_user
unix_listener auth-worker {
user = postfix
}
}
It was *not* easy to figure that out; none of the postfix/dovecot how-to's have been updated for dovecot 2.
--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson@csupomona.edu
California State Polytechnic University | Pomona CA 91768
On Tuesday, October 11, 2011 7:53 PM, "Paul B. Henson" henson@acm.org wrote:
You need an extra piece here:
service auth-worker { user = $default_internal_user
unix_listener auth-worker { user = postfix }
}
Maybe being too literal, or misunderstanding your 'extra', I changed to,
...
service auth-worker {
# user = doveauth
# group = dovecot
user = $default_internal_user
unix_listener auth-worker {
user = postfix
}
}
...
At
telnet 127.0.0.1 143
etc
I get the same FAIL as above.
But, if first I
chown doveauth:dovecot /var/run/dovecot/auth-worker
then
telnet 127.0.0.1 143
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
a login "xxx@domain.loc" "testpass"
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS QUOTA ACL RIGHTS=texk] Logged in ...
succeeds.
On Tue, Oct 11, 2011 at 08:20:13PM -0700, mephistopheles@operamail.com wrote:
Maybe being too literal, or misunderstanding your 'extra', I changed to,
Hmm, I just cut-and-pasted my config :). The missing piece was the unix_listener subconfig user; the user/group part in the service config didn't need to match mine exactly, although I think $default_internal_user is dovecot anyway.
chown doveauth:dovecot /var/run/dovecot/auth-worker
Hmm, perhaps I misunderstood you? I thought you were trying to get SASL auth working with postfix? But you're demonstrating an imap connection.
Ah, yes, I see in your original email you showed an imap connection too. I just saw the /var/spool/postfix/private/auth and user/group postfix parts of the config and made an assumption.
My config was for using Dovecot *just* to provide SASL authentication services to postfix for smtp auth, I'm not using any of its other features/services.
Sorry for any confusion.
I'm curious though, why are you setting the auth stuff up to be owned by postfix if you're trying to authenticate dovecot imap processes? It seems you're mixing two different configs.
--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson@csupomona.edu
California State Polytechnic University | Pomona CA 91768
Sorry for any confusion.
np. issue solved. for my config,
...
service auth-worker {
user = doveauth
unix_listener auth-worker {
user = doveauth
}
}
...
then
service dovecot-custom restart
ls -al /var/run/dovecot/auth-worker
srw------- 1 doveauth root 0 Oct 11 20:56
/var/run/dovecot/auth-worker
better. and,
telnet 127.0.0.1 4143
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR
LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot
ready.
a login "xxx@domain.loc" "testpass"
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR
LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY
THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT
CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1
CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN
CONTEXT=SEARCH LIST-STATUS QUOTA ACL RIGHTS=texk] Logged
in
I'm curious though, why are you setting the auth stuff up to be owned by postfix if you're trying to authenticate dovecot imap processes? It seems you're mixing two different configs.
I'm converting to SQL from flatfiles (http://wiki2.dovecot.org/HowTo/VirtualUserFlatFilesPostfix).
Just haven't gotten to making all the changes yet. Single-stepping through testing, got to IMAP and found this issue.
Thanks for the help!
It was *not* easy to figure that out; none of the postfix/dovecot how-to's have been updated for dovecot 2.
Fwiw, this looks useful
Authentication process user http://wiki2.dovecot.org/UserIds
Trying to get those $default_... redefined. No luck yet.