PAM issues on OS X Yosemite
Markus Mayer
code at mmayer.net
Tue Dec 30 21:44:22 UTC 2014
Hi,
I have been running dovecot successfully on OS X Mavericks for several
months. After upgrading to Yosemite, however, PAM authentication for
dovecot is failing. Or rather, creating the PAM session is failing. Either
way, I can't get to my e-mail.

$ /usr/pkg/sbin/dovecot --version
2.2.15

$ /usr/pkg/sbin/dovecot -n
# 2.2.15: /usr/pkg/etc/dovecot/dovecot.conf
# OS: Darwin 14.0.0 x86_64 hfs
auth_debug = yes
auth_verbose = yes
mail_location = maildir:/Volumes/Secure/%u/Maildir
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = session=yes dovecot
  driver = pam
}
ssl_cert = </usr/pkg/etc/openssl/certs/dovecot.pem
ssl_key = </usr/pkg/etc/openssl/private/dovecot.pem
userdb {
  driver = passwd
}

$ defaults read "/System/Library/CoreServices/SystemVersion" ProductVersion
10.10.1

Dec 30 13:21:47 my.host.name dovecot[49247]: auth: Debug: auth client connected (pid=49289)
Dec 30 13:21:51 my.host.name dovecot[49247]: auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=3bBdlHULNgAAAAAAAAAAAAAAAAAAAAAB lip=::1 rip=::1 lport=143 rport=52278 resp=<hidden>
Dec 30 13:21:51 my.host.name dovecot[49247]: auth-worker(49286): Debug: pam(markus,::1): lookup service=dovecot
Dec 30 13:21:51 my.host.name dovecot[49247]: auth-worker(49286): Debug: pam(markus,::1): #1/1 style=1 msg=Password:
Dec 30 13:21:51 my.host.name dovecot[49247]: auth-worker(49286): Error: pam(markus,::1): pam_open_session() failed: session failure
Dec 30 13:21:53 my.host.name dovecot[49247]: auth: Debug: client passdb out: FAIL 1 user=markus

It does successfully verify my password. If I purposefully enter a wrong
password the error becomes "pam_authenticate() failed: authentication error
(password mismatch?)". So that portion is okay.
Do you have any suggestions how I might find out why pam_open_session() is
failing? The auth process *is* running as root.
I have tried these two PAM configurations. The first one is based on
Mavericks' /etc/pam.d/login and used to work fine on Mavericks.
# dovecot: auth account password session
auth optional pam_krb5.so use_kcminit
auth optional pam_ntlm.so try_first_pass
auth optional pam_mount.so try_first_pass
auth required pam_opendirectory.so try_first_pass
account required pam_nologin.so
account required pam_opendirectory.so
password required pam_opendirectory.so
session required pam_launchd.so
session required pam_uwtmp.so
session optional pam_mount.so
I tried to simplify it by using the one suggested on dovecot's PAM wiki.
# dovecot: auth account password session
auth required pam_opendirectory.so try_first_pass
account required pam_nologin.so
account required pam_opendirectory.so
password required pam_opendirectory.so
On Yosemite, neither works. Or, quite possibly, both configurations are
fine and the problem lies elsewhere.
Any pointers would be greatly appreciated. In the meantime I'll be using
auth-passwdfile, since that works.
Thanks,
-Markus
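
Added example, not part of the original post and not Dovecot code: a small Python check that parses the two service files posted above and reports, for the posted passdb args "session=yes dovecot", which PAM facilities Dovecot will call that have no rules and which session modules are marked required. The function names are hypothetical, and what the PAM library does with an empty stack (typically a fallback policy) is left as an assumption, not modelled.

```python
import re

FACILITIES = ("auth", "account", "password", "session")
# facility, control (keyword or [bracketed]), module path, optional arguments
RULE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_service(text):
    """Parse a pam.d service file into {facility: [(control, module, args)]}."""
    stacks = {f: [] for f in FACILITIES}
    for raw in text.replace("\\\n", " ").splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1).lower() in stacks:
            fac, ctl, mod, args = m.groups()
            stacks[fac.lower()].append((ctl, mod, args.split()))
    return stacks

def facilities_used(passdb_args):
    """Facilities Dovecot's pam passdb exercises for a given args string."""
    used = ["auth", "account"]  # pam_authenticate(), pam_acct_mgmt()
    if "session=yes" in passdb_args.split():
        used.append("session")  # pam_open_session() / pam_close_session()
    return used

def review(passdb_args, service_text):
    """Return (facilities used but empty, session modules able to fail the stack)."""
    stacks, used = parse_pam_service(service_text), facilities_used(passdb_args)
    empty = [f for f in used if not stacks[f]]
    blocking = [mod for ctl, mod, _ in stacks["session"]
                if "session" in used and ctl in ("required", "requisite")]
    return empty, blocking

# Rules copied from the two service files in the post.
FROM_LOGIN = """auth optional pam_krb5.so use_kcminit
auth optional pam_ntlm.so try_first_pass
auth optional pam_mount.so try_first_pass
auth required pam_opendirectory.so try_first_pass
account required pam_nologin.so
account required pam_opendirectory.so
password required pam_opendirectory.so
session required pam_launchd.so
session required pam_uwtmp.so
session optional pam_mount.so"""
WIKI = """auth required pam_opendirectory.so try_first_pass
account required pam_nologin.so
account required pam_opendirectory.so
password required pam_opendirectory.so"""

for name, cfg in (("login-based", FROM_LOGIN), ("wiki", WIKI)):
    print(name, review("session=yes dovecot", cfg))
```

For the login-based file it lists pam_launchd.so and pam_uwtmp.so as the required session modules; for the wiki-style file it reports that the session stack is empty while session=yes is set.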