"Invalid uid in reply"
Hello, I am in the process of moving a previously working dovecot setup to a new authentication system. The identity management system, kanidm, uses a Pam module and NSS backend to provide user info. Authentication works normally on the machine, but Dovecot is having a lot of trouble, logging:
Error: Invalid uid in reply Error: Invalid gid in reply
I ran doveadm -D user jesse@waffle.tech as a test, and I see:
Feb 17 21:58:33 doveadm(jesse@waffle.tech)<17666><>: Debug: auth-master: userdb lookup(jesse@waffle.tech): Started userdb lookup Feb 17 21:58:33 doveadm(jesse@waffle.tech)<17666><>: Debug: auth-master: conn unix:/run/dovecot/auth-userdb: Connecting Feb 17 21:58:33 doveadm(jesse@waffle.tech)<17666><>: Debug: auth-master: conn unix:/run/dovecot/auth-userdb (pid=17635,uid=0): Client connected (fd=9) Feb 17 21:58:33 doveadm(jesse@waffle.tech)<17666><>: Debug: auth-master: userdb lookup(jesse@waffle.tech): auth USER input: jesse system_groups_user=jesse uid=4123057063 gid=4123057063 home=/var/mail/jesse mail=maildir:/var/mail/jesse/Maildir Feb 17 21:58:33 doveadm(jesse@waffle.tech)<17666><>: Debug: auth-master: userdb lookup(jesse@waffle.tech): Finished userdb lookup (username=jesse system_groups_user=jesse uid=4123057063 gid=4123057063 home=/var/mail/jesse mail=maildir:/var/mail/jesse/Maildir) Feb 17 21:58:33 doveadm(jesse@waffle.tech)<17666><>: Error: Invalid uid in reply Feb 17 21:58:33 doveadm(jesse@waffle.tech)<17666><>: Error: Invalid gid in reply
We can see the UID and GID in the debug output, but it comes out blank in the final info. I'm having a hard time finding what the cause could be, is it possible that these UID/GID values are too large? that's about the only thing I can think of right now.
This is Dovecot 2.3.21 (47349e2482) on Fedora 39.
Thanks, jc
-- J. B. Crawford jesse@jbcrawford.us (575) 303-9001
On February 18, 2024 4:05:58 AM GMT+01:00, "J. B. Crawford" jesse@jbcrawford.us wrote:
Hello, I am in the process of moving a previously working dovecot setup to a new authentication system. The identity management system, kanidm, uses a Pam module and NSS backend to provide user info. Authentication works normally on the machine, but Dovecot is having a lot of trouble, logging:
Error: Invalid uid in reply Error: Invalid gid in reply
What's the value of first_valid_uid and last_valid_uid in 10-mail.conf? Also including the output of doveconf -n with your question helps others help you.
I ran doveadm -D user jesse@waffle.tech as a test, and I see:
Feb 17 21:58:33 doveadm(jesse@waffle.tech)<17666><>: Debug: auth-master: userdb lookup(jesse@waffle.tech): Started userdb lookup Feb 17 21:58:33 doveadm(jesse@waffle.tech)<17666><>: Debug: auth-master: conn unix:/run/dovecot/auth-userdb: Connecting Feb 17 21:58:33 doveadm(jesse@waffle.tech)<17666><>: Debug: auth-master: conn unix:/run/dovecot/auth-userdb (pid=17635,uid=0): Client connected (fd=9) Feb 17 21:58:33 doveadm(jesse@waffle.tech)<17666><>: Debug: auth-master: userdb lookup(jesse@waffle.tech): auth USER input: jesse system_groups_user=jesse uid=4123057063 gid=4123057063 home=/var/mail/jesse mail=maildir:/var/mail/jesse/Maildir Feb 17 21:58:33 doveadm(jesse@waffle.tech)<17666><>: Debug: auth-master: userdb lookup(jesse@waffle.tech): Finished userdb lookup (username=jesse system_groups_user=jesse uid=4123057063 gid=4123057063 home=/var/mail/jesse mail=maildir:/var/mail/jesse/Maildir) Feb 17 21:58:33 doveadm(jesse@waffle.tech)<17666><>: Error: Invalid uid in reply Feb 17 21:58:33 doveadm(jesse@waffle.tech)<17666><>: Error: Invalid gid in reply
We can see the UID and GID in the debug output, but it comes out blank in the final info. I'm having a hard time finding what the cause could be, is it possible that these UID/GID values are too large? that's about the only thing I can think of right now.
This is Dovecot 2.3.21 (47349e2482) on Fedora 39.
Thanks, jc
-- Christian Kivalo
On 2/18/2024 1:36 AM, Christian Kivalo wrote
What's the value of first_valid_uid and last_valid_uid in 10-mail.conf? Also including the output of doveconf -n with your question helps others help you.
first_valid_uid is 500, last_valid_uid is unset. doveconf -n output below. Sorry, I had stopped looking at the config after I found how that error message was produced (not related to the first_valid/last_valid check), but hadn't tracked down the exact cause yet last night.
The error I'm getting originates from (in the case of uid) https://github.com/dovecot/core/blob/main/src/lib-auth-client/auth-master.c#..., which would produce it if the result of str_to_uid() is negative. That function would return -1 if str_to_uintmax() or verify_xid() are negative. This is where my rusty C shows but take a look at verify_xid()...
static int verify_xid(uintmax_t l, unsigned int result_size) { unsigned int result_bits;
/* we assume that result is a signed type,
but that it can never be negative */
result_bits = result_size*CHAR_BIT - 1;
if ((l >> result_bits) != 0)
return -1;
return 0;}
(result_size will be sizeof a uid_t)
the -1 here gives me the feeling that this might reject UIDs in the upper range of my system's uid_t, which is uint32 (e.g. it would reject UIDs greater than max int 32 but less than max uint 32).
Assuming I'm interpreting this correctly (a plenty big if, check my bitwise arithmetic), I would hesitate to call this a bug as it seems rather intentional? I do know that some systems have historically used int32 for UIDs but I think uint32 has been the case under Linux for time immemorial. Perhaps this check is necessary to avoid problems on platforms that do use a signed int for UIDs?
And just to check my work, I tried a user account that incidentally has a lower uid. That account works fine. I could potentially renumber or remap my UIDs but I am not too excited about doing that, on the other hand I don't know how feasible it is to change this behavior in Dovecot.
doveconf -n:
# 2.3.21 (47349e2482): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.20 (149edcf2) # OS: Linux 6.5.6-300.fc39.x86_64 x86_64 Fedora release 39 (Thirty Nine) xfs # Hostname: mx.waffle.tech auth_default_realm = waffle.tech auth_username_format = %n hostname = mx.waffle.tech mail_home = mbox:/var/mail/%n mail_location = mbox:/var/mail/%n/Maildir mail_privileged_group = mail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext mbox_write_locks = fcntl namespace inbox { inbox = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Junk { auto = subscribe special_use = \Junk } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { auto = subscribe special_use = \Trash } prefix = } passdb { args = dovecot driver = pam } plugin { sieve = file:~/sieve;active=~/.dovecot.sieve sieve_before = /var/lib/dovecot/sieve.d/rejectspam.sieve } protocols = imap pop3 lmtp submission sieve service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0666 user = postfix } } service managesieve-login { inet_listener sieve { port = 4190 } service_count = 0 vsz_limit = 256 M } service managesieve { process_limit = 1024 } ssl = required ssl_cert =
participants (2)
-
Christian Kivalo
-
J. B. Crawford