[Dovecot] PAM authentification problem

Vladislav Kyjasko kyyashko at fzu.cz
Thu Mar 16 18:59:49 EET 2006 

Hi everybody,

  we try to migrate our IMAP service from uw-imap to dovecot because of
horrible server slowdown when a lot of people poking in theirs huge imap
folders.
So, I try to run testing instance of dovecot on different imap port (12143)

I have trouble with authentication by PAM module of MIT Kerberos.
It successfuly works for authentificate users of wu-imap but not for
dovecot. I see in dovecot.log messages like that :

 Info: Dovecot v1.0.beta3 starting up
 Info: auth(default): client in: AUTH   1     PLAIN   service=IMAP   lip=10.0.0.154   rip=10.0.0.148
 Info: auth(default): client out: CONT  1
 Info: auth(default): client in: CONT   1     AGtDNLamUjvADNLamUjQRsbw==
 Error: auth(default): pam(kyyashko,10.0.0.148): Child process died
 Info: auth(default): shadow(kyyashko,10.0.0.148): invalid password field
 Error: auth(default): PAM: Child 6748 died with signal 11
 Info: auth(default): client out: FAIL  1       user=kyyashko   temp

Almost all users are in kerberos DB and has in local shadow field "*KRB*"
instead of encrypted password. So, line "shadow ... invalid password field"
is OK  (when I made a local password in shadow the login was success)

My dovecot.conf looks like:

   sl_disable = yes
   protocol imap {
     listen = *:12143
   }
   
   auth_default_realm = FZU.CZ
   auth_verbose = yes
   auth_debug = yes
   auth_debug_passwords = yes
   auth default {
     mechanisms = plain
     passdb pam {
     }
     userdb passwd {
     }
     user = root
   }

original /etc/pam.d/dovecot I introdused by lines

  auth   sufficient   pam_krb5.so
  auth   required     pam_unix2.so use_first_pass nullok
  
or tryed to substitute whole file pam.d/dovecot by actualy working one of imap:
  
  #%PAM-1.0
  auth        sufficient    pam_krb5.so
  auth        required      pam_unix2.so use_first_pass nullok
  auth        required      pam_unix2.so
  account     required      pam_unix2.so
  
but similary fruitless.


 Which direction I have to dig?


P.S. Dovecot was built from dovecot-1.0.beta3-6.src.rpm on SuSE 9.0 with
the same result like from dovecot-1.0.beta3.tar.bz2 :(

More information about the dovecot mailing list