[Dovecot] Disable PAM username change?

George jorgito1412 at gmail.com
Sat Aug 24 10:52:09 EEST 2013


Hi! I have a problem involving Samba4, exim4, fetchmail, Dovecot and PAM...
I am using Dovecot 2.1.7 on Debian Wheezy.

I have set up a "maildrop" machine, which fetches mail from an external POP3
server for multiple accounts using fetchmail, delivers to local users'
mailboxes through exim4 and then serves them on the intranet via IMAP with
Dovecot.
This works great with local unix users, but I am having some trouble
configuring it to work with Samba4 AD users (Samba 4.0.9 running as a DC on
the same machine).

Basically, I have configured PAM with winbind and it works fine (AD users
can SSH into the machine, for example). Dovecot also authenticates properly via
PAM, but the problem is that the username gets changed in the process (PAM
returns the "username" as "DOMAIN\username"):

Aug 21 22:50:22 dc2 dovecot: auth-worker(5179): Debug: auth(foo,127.0.0.1): username changed foo -> DOMAIN\foo
Aug 21 22:50:22 dc2 dovecot: auth: Debug: auth(foo,127.0.0.1,<0bBfg3/kpQB/AAAB>): username changed foo -> DOMAIN\foo
Aug 21 22:50:22 dc2 dovecot: auth: Debug: client out: OK#0111#011user=DOMAIN\foo

So the actual problem is that exim4 is delivering the mail to, for example,
"/var/mail/foo" but Dovecot is looking for the mailbox on
"/var/mail/DOMAIN\foo", even if the username given in the IMAP session is
just "foo". The wiki mentions <http://wiki2.dovecot.org/PasswordDatabase/PAM>
that "a PAM module can change the username". Can this be avoided?

I need either:
* Exim to deliver the mail to the user mailbox, *including* the domain part
(out of scope of this list, but information is welcome), or
* Dovecot to fetch the mail *not* using the domain part as part of the
username variable.

As a quick and dirty workaround, I hardcoded the domain part in the exim
delivery path (something like "/var/mail/DOMAIN\\$local_part"), but this is
far from optimal since I cannot use both unix users and AD users, I cannot
use dovecot_delivery LDA transport, etc.

As a bottom line, I also posted this to the Samba list because I believe
this could also be solved if winbind just always returned the username
without the domain when queried (conf option not working, probable bug).

Ideas are welcome!!

Best regards,

Jorge
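
Added example, not part of the original post and not Dovecot or Samba code: a small Python check that scans Dovecot auth debug output for the "username changed" lines quoted above and pairs the spool path the MTA delivers to with the path Dovecot will look up after the PAM rewrite. The log lines are constructed from the ones in the post (the "alice" and "bar" entries are invented samples), the /var/mail layout is the one the post describes, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the debug lines quoted in the post.
SAMPLE_LOG = r"""
Aug 21 22:50:22 dc2 dovecot: auth-worker(5179): Debug: auth(foo,127.0.0.1): username changed foo -> DOMAIN\foo
Aug 21 22:50:22 dc2 dovecot: auth: Debug: auth(foo,127.0.0.1,<0bBfg3/kpQB/AAAB>): username changed foo -> DOMAIN\foo
Aug 21 22:50:22 dc2 dovecot: auth: Debug: client out: OK#0111#011user=DOMAIN\foo
Aug 21 22:51:03 dc2 dovecot: auth: Debug: client out: OK#0112#011user=bar
Aug 21 22:52:40 dc2 dovecot: auth-worker(5180): Debug: auth(alice,192.0.2.10): username changed alice -> DOMAIN\alice
"""

# Matches both the auth-worker and the auth process variants of the message.
CHANGED = re.compile(
    r"dovecot: auth(?:-worker\(\d+\))?: Debug: "
    r"auth\((?P<login>[^,]+),(?P<ip>[^,)]+)[^)]*\): "
    r"username changed (?P<old>\S+) -> (?P<new>\S+)"
)

def find_rewrites(log_text):
    """Return {(login_name, rewritten_name): set of client IPs}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = CHANGED.search(line)
        if m:
            seen[(m["old"], m["new"])].add(m["ip"])
    return dict(seen)

def mailbox_mismatches(rewrites, spool="/var/mail"):
    """List rewrites that only add a DOMAIN\\ prefix, with both spool paths."""
    out = []
    for (old, new), ips in sorted(rewrites.items()):
        domain, sep, short = new.rpartition("\\")
        if sep and short == old:  # same account, domain-qualified by PAM
            out.append({
                "login": old,
                "domain": domain,
                "delivered": f"{spool}/{old}",   # where the MTA writes
                "looked_up": f"{spool}/{new}",   # where Dovecot reads
                "clients": sorted(ips),
            })
    return out

if __name__ == "__main__":
    for row in mailbox_mismatches(find_rewrites(SAMPLE_LOG)):
        print(f'{row["login"]}: delivered to {row["delivered"]}, '
              f'looked up at {row["looked_up"]} (from {", ".join(row["clients"])})')
```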

