[Dovecot] PAM authentication fails
Egbert Jan van den Bussche
egbert at vandenbussche.nl
Sun Aug 29 23:02:53 EEST 2010
Op 29-8-2010 20:51, Egbert Jan van den Bussche schreef:
> Hi,
>
> I'm fighting all weekend on with auth and pam to authenticate local
> system users. testuser is such local user and is in passwd and shadow. I
> want to have local system users (testuser is one of them) and virtual
> users. The virtual part works fine but I cannot get the local user to
> connect.
> Still pam fails finding the user. The suggested password mismatch at the
> end is, in my eyes, because there is no user in the first place. I
> verified the password by interactive login to the account. The pam
> module (dovecot) is just the default file with three @includes in it.
>
> Syslog:
> Aug 29 20:18:02 mail-dev dovecot: auth(default): client in:
> AUTH#0112#011LOGIN#011service=imap#011lip=2a02:968:1:2:212:72:224:16#011rip=2001:888:1740:10:250:daff:fe41:4d1c#011lport=143#011rport=1093
>
>
> Aug 29 20:18:02 mail-dev dovecot: auth(default): client out:
> CONT#0112#011VXNlcm5hbWU6
>
> Aug 29 20:18:02 mail-dev dovecot: auth(default): client in:
> CONT#0112#011dGVzdHVzZXI=
>
> Aug 29 20:18:02 mail-dev dovecot: auth(default): client out:
> CONT#0112#011UGFzc3dvcmQ6
>
> Aug 29 20:18:02 mail-dev dovecot: auth(default): client in:
> CONT#0112#011dmF4dm1z
>
> Aug 29 20:18:02 mail-dev dovecot: auth-worker(default):
> pam(testuser,2001:888:1740:10:250:daff:fe41:4d1c): lookup service=dovecot
>
> Aug 29 20:18:02 mail-dev dovecot: auth-worker(default):
> pam(testuser,2001:888:1740:10:250:daff:fe41:4d1c): #1/1 style=1
> msg=Password:
>
> Aug 29 20:18:02 mail-dev dovecot: auth(default):
> cache(testuser,2001:888:1740:10:250:daff:fe41:4d1c): miss
>
> Aug 29 20:18:04 mail-dev dovecot: auth(default):
> cache(testuser,2001:888:1740:10:250:daff:fe41:4d1c): hit:
>
> Aug 29 20:18:04 mail-dev dovecot: auth(default):
> cache(testuser,2001:888:1740:10:250:daff:fe41:4d1c): User unknown
>
> Aug 29 20:18:04 mail-dev dovecot: auth-worker(default):
> pam(testuser,2001:888:1740:10:250:daff:fe41:4d1c): pam_authenticate()
> failed: Authentication failure (password mismatch?) (given password:
> xxxxxxxx)
>
> Aug 29 20:18:06 mail-dev dovecot: auth(default): client out:
> FAIL#0112#011user=testuser
>
>
> Relevant settings in dovecot:
> root at mail-dev:/etc/dovecot# dovecot -n
> # 1.2.9: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-24-server x86_64 Ubuntu 10.04.1 LTS ext4
> log_timestamp: %Y-%m-%d %H:%M:%S
> protocols: imap pop3 imaps pop3s managesieve
> listen: *, [::]
> ssl_cert_file: /etc/ssl/certs/ssl-mail.pem
> ssl_key_file: /etc/ssl/private/ssl-mail.key
> ssl_cipher_list:
> ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM
> disable_plaintext_auth: no
> verbose_ssl: yes
> login_dir: /var/run/dovecot/login
> login_executable(default): /usr/lib/dovecot/imap-login
> login_executable(imap): /usr/lib/dovecot/imap-login
> login_executable(pop3): /usr/lib/dovecot/pop3-login
> login_executable(managesieve): /usr/lib/dovecot/managesieve-login
> mail_max_userip_connections(default): 10
> mail_max_userip_connections(imap): 10
> mail_max_userip_connections(pop3): 3
> mail_max_userip_connections(managesieve): 10
> mail_privileged_group: mail
> mail_location: maildir:/home/vmail/%d/%n:INDEX=/home/vmail/%d/%n
> mail_debug: yes
> mbox_write_locks: fcntl dotlock
> mail_executable(default): /usr/lib/dovecot/imap
> mail_executable(imap): /usr/lib/dovecot/imap
> mail_executable(pop3): /usr/lib/dovecot/pop3
> mail_executable(managesieve): /usr/lib/dovecot/managesieve
> mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
> mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
> mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
> mail_plugin_dir(managesieve): /usr/lib/dovecot/modules/managesieve
> imap_client_workarounds(default): outlook-idle delay-newmail
> imap_client_workarounds(imap): outlook-idle delay-newmail
> imap_client_workarounds(pop3):
> imap_client_workarounds(managesieve):
> pop3_client_workarounds(default):
> pop3_client_workarounds(imap):
> pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
> pop3_client_workarounds(managesieve):
> lda:
> postmaster_address: postmaster
> deliver_log_format: msgid=%m: %$
> rejection_reason: Your message to <%t> was automatically rejected:%n%r
> auth_socket_path: /var/run/dovecot/auth-master
>
> auth default:
> mechanisms: plain login
> realms: kader.hcc.nl hobby.nl
> cache_size: 1024
> user: vmail
> verbose: yes
> debug: yes
> debug_passwords: yes
> passdb:
> driver: pam
> args: setcred=yes failure_show_msg=yes cache_key=%u dovecot
> passdb:
> driver: sql
> args: /etc/dovecot/dovecot-sql.conf
> userdb:
> driver: passwd
> userdb:
> driver: sql
> args: /etc/dovecot/dovecot-sql.conf
> socket:
> type: listen
> client:
> path: /var/spool/postfix/private/dovecot-auth
> mode: 432
> user: postfix
> group: postfix
> master:
> path: /var/run/dovecot/auth-master
> mode: 384
> user: vmail
> group: vmail
>
> Where should I look further for this dovecot pam problem? Is there such
> a thing as pam debugging?
>
> TIA
> Egbert Jan
>
Answering to myself:
Auth user needs to be root not vmail. Restrictions on shadow make it
neccessary to do the auth and read shadow!!!!
Also needed to add mail=aildir:~/Maildir in the userdb passwd to
override the default setting for virtual users
(/home/vmail/domain/user/Maildir)
Egbert Jan
More information about the dovecot
mailing list