[Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

Yubao Liu yubao.liu at gmail.com
Fri Jan 6 18:15:55 EET 2012


On 01/06/2012 06:52 PM, Nick Rosier wrote:
> Yubao Liu wrote:
>> Hi all,
>>
>> I have no idea about that message, here is my configuration, what's wrong?
> You have 2 passdb entries; 1 with a file and 1 with pam. I'm pretty sure
> PAM doesn't support DIGEST-MD5 authentication. Could be the cause of the
> problem.
>
Thanks, that does be the cause.

http://hg.dovecot.org/dovecot-2.0/file/684381041dc4/src/auth/auth.c
    121 static bool auth_passdb_list_have_lookup_credentials(struct auth 
*auth)
    122 {
    123     struct auth_passdb *passdb;
    124
    125     for (passdb = auth->passdbs; passdb != NULL; passdb = 
passdb->next) {
    126         if (passdb->passdb->iface.lookup_credentials != NULL)
    127             return TRUE;
    128     }
    129     return FALSE;
    130 }

I don't know why this function doesn't check auth->masterdbs, if I
insert these lines after line 128, that error goes away, and dovecot's
imap-login process happily does DIGEST-MD5 authentication [1].
In my configuration, "masterdbs" contains "passdb passwd-file",
"passdbs" contains " passdb pam".

for (passdb = auth->masterdbs; passdb != NULL; passdb = passdb->next) {
     if (passdb->passdb->iface.lookup_credentials != NULL)
        return TRUE;
}


[1] But the authentication for "user*master" always fails, I realized 
master users
can't login as other users by DIGEST-MD5 or CRAM-MD5 auth mechanisms
because these authentication mechanisms use "user*master" as username
in hash algorithm, not just "master".

Regards,
Yubao Liu

>> Debian testing, Dovecot 2.0.15
>>
>> $ doveconf -n
>> # 2.0.15: /etc/dovecot/dovecot.conf
>> # OS: Linux 3.1.0-1-686-pae i686 Debian wheezy/sid
>> auth_default_realm = corp.example.com
>> auth_krb5_keytab = /etc/dovecot.keytab
>> auth_master_user_separator = *
>> auth_mechanisms = gssapi digest-md5
>> auth_realms = corp.example.com
>> auth_username_format = %n
>> first_valid_gid = 1000
>> first_valid_uid = 1000
>> mail_location = mdbox:/srv/mail/%u/Mail
>> managesieve_notify_capability = mailto
>> managesieve_sieve_capability = fileinto reject envelope
>> encoded-character vacation subaddress comparator-i;ascii-numeric
>> relational regex imap4flags copy include variables body enotify
>> environment mailbox date ihave
>> passdb {
>>    args = /etc/dovecot/master-users
>>    driver = passwd-file
>>    master = yes
>>    pass = yes
>> }
>> passdb {
>>    driver = pam
>> }
>> plugin {
>>    sieve = /srv/mail/%u/.dovecot.sieve
>>    sieve_dir = /srv/mail/%u/sieve
>> }
>> protocols = " imap lmtp sieve"
>> service auth {
>>    unix_listener auth-client {
>>      group = Debian-exim
>>      mode = 0660
>>    }
>> }
>> ssl_cert =</etc/ssl/certs/dovecot.pem
>> ssl_key =</etc/ssl/private/dovecot.pem
>> userdb {
>>    args = home=/srv/mail/%u
>>    driver = passwd
>> }
>> protocol lmtp {
>>    mail_plugins = " sieve"
>> }
>> protocol lda {
>>    mail_plugins = " sieve"
>> }
>>
>> # cat /etc/dovecot/master-users
>> xxx at corp.example.com:zzzzzzzz
>>
>> The zzzzz is obtained by "doveadm pw -s digest-md5 -u
>> xxx at corp.example.com",
>> I tried to add prefix "{DIGEST-MD5}" before the generated hash and/or add
>> "scheme=DIGEST-MD5" to the passwd-file passdb's "args" option, both
>> don't help.
>>
>> The error message:
>> dovecot: master: Dovecot v2.0.15 starting up (core dumps disabled)
>> dovecot: auth: Fatal: DIGEST-MD5 mechanism can't be supported with given
>> passdbs
>> gold dovecot: master: Error: service(auth): command startup failed,
>> throttling
>>
>> I opened debug auth log,  it showed dovecot read /etc/dovecot/master-users
>> and parsed one line, then the error occurred.  Doesn't passwd-file
>> passdb support
>> digest-md5 password scheme?  If it doesn't support, how do I configure
>> digest-md5 auth
>> mechanism with digest-md5 password scheme for virtual users?
>>
>> Regards,
>> Yubao Liu
>>
> Rgds,
> N.




More information about the dovecot mailing list