pam dovecot not working with authentication from roundcube
Hi Everyone,
I made some small changes in my dovecot setup to switch it from looking up users and passwords from a mix of ldap (i.e. freeipa) and password files. One of the changes was to switch from using one id for all authentication to using individual ids.
It's working fine with Evolution. I have one account authenticating with GSSAPI, which is my userid for logging into my desktop and for email. The other account in Evolution is logging in using PLAIN and is only used for email (its shell is set to /sbin/nologin).
The problem is with roundcube: I can login with the second, email only account, but my personal ID always errors out. I never use the domain with either one.
auth worker: PASSV: pam_sss(dovecot:auth): authentication failure; logname= uid=97 euid=97 tty=dovecot ruser=ranbir rhost=1.2.3.4 user=ranbir
auth worker: PASSV: pam_sss(dovecot:auth): received for user ranbir: 17 (Failure setting user credentials)

It doesn't matter what user or group I use for unix_listener. If I use 0777 for the mode, I still see the failure and dovecot goes to try the name against the passwd-file, where it obviously fails.
This is the pam error:
auth-worker(4474): pam(ranbir,1.2.3.4,<oS10hHmv7qkKyAkP>): pam_authenticate() failed: Authentication failure (password mismatch?)
What have I misconfigured? Here's the "service auth" section:
service auth {
  chroot =
  client_limit = 0
  drop_priv_before_exec = no
  executable = auth
  extra_groups =
  group =
  idle_kill = 0
  inet_listener {
    address = 9.8.7.5
    haproxy = no
    port = 17900
    reuse_port = no
    ssl = no
  }
  privileged_group =
  process_limit = 1
  process_min_avail = 0
  protocol =
  service_count = 0
  type =
  unix_listener auth-client {
    group =
    mode = 0600
    user = $default_internal_user
  }
  unix_listener auth-login {
    group =
    mode = 0600
    user = $default_internal_user
  }
  unix_listener auth-master {
    group =
    mode = 0600
    user =
  }
  unix_listener auth-userdb {
    group =
    mode = 0777
    user = $default_internal_user
  }
  unix_listener login/login {
    group =
    mode = 0666
    user =
  }
  unix_listener token-login/tokenlogin {
    group =
    mode = 0666
    user =
  }
  user = $default_internal_user
  vsz_limit = 18446744073709551615 B
}
Any guidance is appreciated.
-- Ranbir
On Wed, 2020-09-16 at 23:03 -0400, Ranbir wrote:
auth worker: PASSV: pam_sss(dovecot:auth): authentication failure; logname= uid=97 euid=97 tty=dovecot ruser=ranbir rhost=1.2.3.4 user=ranbir
auth worker: PASSV: pam_sss(dovecot:auth): received for user ranbir: 17 (Failure setting user credentials)

It doesn't matter what user or group I use for unix_listener. If I use 0777 for the mode, I still see the failure and dovecot goes to try the name against the passwd-file, where it obviously fails.
This is the pam error:
auth-worker(4474): pam(ranbir,1.2.3.4,<oS10hHmv7qkKyAkP>): pam_authenticate() failed: Authentication failure (password mismatch?)
Does anyone have any insight? I'm stumped. Why is Evolution working with both accounts and only one from roundcube?
If I switch back to ldap lookups, all logins and lookups from roundcube and my phone start working again.
-- Ranbir
On 2020-09-17 20:20, Ranbir wrote:
This is the pam error:
auth-worker(4474): pam(ranbir,1.2.3.4,<oS10hHmv7qkKyAkP>): pam_authenticate() failed: Authentication failure (password mismatch?)
Replying to myself here...
I managed to fix the pam problem once I realized that Roundcube didn't know what to do with the second factor auth dovecot (namely the pam module) was presenting to it. I removed the OTP requirement from the ID that couldn't log in. Login still didn't work until I also modified the user's ldap entry directly to remove an extra attribute (krbExtraData).
Here's the link to the post in the freeipa user list that explains the OTP removal problem and fix:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Now the user id is successfully looked up via dovecot and roundcube logins are working again.
-- Ranbir
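Added example, not part of the thread: a small parser for the auth-worker / pam_sss log lines quoted above that tells apart pam_sss result code 17 (PAM_CRED_ERR, the "Failure setting user credentials" seen here, which in this thread turned out to be an OTP-protected account behind a client that only sends a password) from code 7 (PAM_AUTH_ERR, a plain wrong password, the pattern a password spray leaves behind). The 'mailonly' user and its code-7 line are constructed for contrast.

```python
import re
from collections import Counter, defaultdict

# The three line shapes that appear in the thread.
PAM_SSS_RESULT = re.compile(
    r"pam_sss\(dovecot:auth\): received for user (?P<user>\S+): (?P<code>\d+) \((?P<msg>[^)]*)\)")
PAM_SSS_FAIL = re.compile(
    r"pam_sss\(dovecot:auth\): authentication failure;.*?\bruser=(?P<ruser>\S*) rhost=(?P<rhost>\S*) user=(?P<user>\S+)")
DOVECOT_PAM = re.compile(
    r"auth-worker\(\d+\): pam\((?P<user>[^,]+),(?P<rhost>[^,]+),<[^>]*>\): (?P<msg>.*)")

# Linux-PAM return codes relevant to this triage.
PAM_AUTH_ERR = 7    # wrong password
PAM_CRED_ERR = 17   # "Failure setting user credentials" (credential setup, e.g. missing OTP factor)

def parse_line(line):
    """Return a dict describing one auth-worker/pam_sss log line, or None for anything else."""
    for kind, rx in (("result", PAM_SSS_RESULT), ("failure", PAM_SSS_FAIL), ("dovecot", DOVECOT_PAM)):
        m = rx.search(line)
        if m:
            rec = {"kind": kind, **m.groupdict()}
            if "code" in rec:
                rec["code"] = int(rec["code"])
            return rec
    return None

def triage(lines):
    """Per user: 'cred_setup' if every non-zero pam_sss code is PAM_CRED_ERR (client cannot complete
    the credential step), 'auth_err' if any other failure code appears, 'ok' if only successes."""
    codes = defaultdict(Counter)
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "result":
            codes[rec["user"]][rec["code"]] += 1
    verdict = {}
    for user, c in codes.items():
        failing = {k: v for k, v in c.items() if k != 0}
        if failing and set(failing) == {PAM_CRED_ERR}:
            verdict[user] = "cred_setup"
        else:
            verdict[user] = "auth_err" if failing else "ok"
    return verdict

# Constructed sample: the thread's lines for 'ranbir' plus one constructed PAM_AUTH_ERR line.
SAMPLE_LOG = [
    "auth worker: PASSV: pam_sss(dovecot:auth): authentication failure; logname= uid=97 euid=97 tty=dovecot ruser=ranbir rhost=1.2.3.4 user=ranbir",
    "auth worker: PASSV: pam_sss(dovecot:auth): received for user ranbir: 17 (Failure setting user credentials)",
    "auth-worker(4474): pam(ranbir,1.2.3.4,<oS10hHmv7qkKyAkP>): pam_authenticate() failed: Authentication failure (password mismatch?)",
    "auth worker: PASSV: pam_sss(dovecot:auth): received for user mailonly: 7 (Authentication failure)",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))  # {'ranbir': 'cred_setup', 'mailonly': 'auth_err'}
```

Dovecot's own pam() line only says "password mismatch?", so the pam_sss result code is the field worth alerting on.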