[Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs
Yubao Liu
yubao.liu at gmail.com
Fri Jan 6 18:15:55 EET 2012
On 01/06/2012 06:52 PM, Nick Rosier wrote:
> Yubao Liu wrote:
>> Hi all,
>>
>> I have no idea about that message, here is my configuration, what's wrong?
> You have 2 passdb entries; 1 with a file and 1 with pam. I'm pretty sure
> PAM doesn't support DIGEST-MD5 authentication. Could be the cause of the
> problem.
>
Thanks, that does be the cause.
http://hg.dovecot.org/dovecot-2.0/file/684381041dc4/src/auth/auth.c
121 static bool auth_passdb_list_have_lookup_credentials(struct auth
*auth)
122 {
123 struct auth_passdb *passdb;
124
125 for (passdb = auth->passdbs; passdb != NULL; passdb =
passdb->next) {
126 if (passdb->passdb->iface.lookup_credentials != NULL)
127 return TRUE;
128 }
129 return FALSE;
130 }
I don't know why this function doesn't check auth->masterdbs, if I
insert these lines after line 128, that error goes away, and dovecot's
imap-login process happily does DIGEST-MD5 authentication [1].
In my configuration, "masterdbs" contains "passdb passwd-file",
"passdbs" contains " passdb pam".
for (passdb = auth->masterdbs; passdb != NULL; passdb = passdb->next) {
if (passdb->passdb->iface.lookup_credentials != NULL)
return TRUE;
}
[1] But the authentication for "user*master" always fails, I realized
master users
can't login as other users by DIGEST-MD5 or CRAM-MD5 auth mechanisms
because these authentication mechanisms use "user*master" as username
in hash algorithm, not just "master".
Regards,
Yubao Liu
>> Debian testing, Dovecot 2.0.15
>>
>> $ doveconf -n
>> # 2.0.15: /etc/dovecot/dovecot.conf
>> # OS: Linux 3.1.0-1-686-pae i686 Debian wheezy/sid
>> auth_default_realm = corp.example.com
>> auth_krb5_keytab = /etc/dovecot.keytab
>> auth_master_user_separator = *
>> auth_mechanisms = gssapi digest-md5
>> auth_realms = corp.example.com
>> auth_username_format = %n
>> first_valid_gid = 1000
>> first_valid_uid = 1000
>> mail_location = mdbox:/srv/mail/%u/Mail
>> managesieve_notify_capability = mailto
>> managesieve_sieve_capability = fileinto reject envelope
>> encoded-character vacation subaddress comparator-i;ascii-numeric
>> relational regex imap4flags copy include variables body enotify
>> environment mailbox date ihave
>> passdb {
>> args = /etc/dovecot/master-users
>> driver = passwd-file
>> master = yes
>> pass = yes
>> }
>> passdb {
>> driver = pam
>> }
>> plugin {
>> sieve = /srv/mail/%u/.dovecot.sieve
>> sieve_dir = /srv/mail/%u/sieve
>> }
>> protocols = " imap lmtp sieve"
>> service auth {
>> unix_listener auth-client {
>> group = Debian-exim
>> mode = 0660
>> }
>> }
>> ssl_cert =</etc/ssl/certs/dovecot.pem
>> ssl_key =</etc/ssl/private/dovecot.pem
>> userdb {
>> args = home=/srv/mail/%u
>> driver = passwd
>> }
>> protocol lmtp {
>> mail_plugins = " sieve"
>> }
>> protocol lda {
>> mail_plugins = " sieve"
>> }
>>
>> # cat /etc/dovecot/master-users
>> xxx at corp.example.com:zzzzzzzz
>>
>> The zzzzz is obtained by "doveadm pw -s digest-md5 -u
>> xxx at corp.example.com",
>> I tried to add prefix "{DIGEST-MD5}" before the generated hash and/or add
>> "scheme=DIGEST-MD5" to the passwd-file passdb's "args" option, both
>> don't help.
>>
>> The error message:
>> dovecot: master: Dovecot v2.0.15 starting up (core dumps disabled)
>> dovecot: auth: Fatal: DIGEST-MD5 mechanism can't be supported with given
>> passdbs
>> gold dovecot: master: Error: service(auth): command startup failed,
>> throttling
>>
>> I opened debug auth log, it showed dovecot read /etc/dovecot/master-users
>> and parsed one line, then the error occurred. Doesn't passwd-file
>> passdb support
>> digest-md5 password scheme? If it doesn't support, how do I configure
>> digest-md5 auth
>> mechanism with digest-md5 password scheme for virtual users?
>>
>> Regards,
>> Yubao Liu
>>
> Rgds,
> N.
More information about the dovecot
mailing list