Additional userdb variables in passwd [was Re: Dovecot Replication - Architecture Endianness?]

Reuben Farrelly reuben-dovecot at reub.net
Fri May 8 13:04:28 UTC 2015


On 8/05/2015 6:10 PM, Teemu Huovila wrote:
> On 05/07/2015 02:32 PM, Reuben Farrelly wrote:
>> On 7/05/2015 7:49 AM, Timo Sirainen wrote:
>>> On 06 May 2015, at 13:52, Reuben Farrelly
>>> <reuben-dovecot at reub.net> wrote:
>>>>
>>>> On 4/05/2015 11:06 PM, Teemu Huovila wrote:
>>>>>> Also is there a way to restrict replication users aside
>>>>>> from a crude hack around system first and last UIDs?
>>>>> You can set the userdb to return an empty mail_replica
>>>>> variable for users you want to exclude from replication.
>>>>> http://hg.dovecot.org/dovecot-2.2/rev/c1c67bdc8752
>>>>>
>>>>> br, Teemu Huovila
>>>>
>>>> One last question.  Is it possible to achieve this with system
>>>> users and PAM or do I need to basically create a new static
>>>> userdb for system users?
>>>
>>> You can create a new userdb passwd-file that adds extra fields.
>>> So something like:
>>>
>>> userdb {
>>>   driver = passwd
>>>   result_success = continue-ok
>>> }
>>>
>>> userdb {
>>>   driver = passwd-file
>>>   args = /etc/dovecot/passwd.extra
>>>   skip = notfound
>>> }
>>
>> This doesn't seem to work for me and my config has that exact
>> config. My password.extra file has just one line for the one
>> account I am testing with at the moment:
>>
>> user1:::::::userdb_mail_replica=tcps:lightning.reub.net:4813,userdb_mail_replica=tcp:pi.x.y:4814
>>
>> This breaks access for other system users such as my own account
>> which do not have entries:
>>
>> May  7 21:19:06 tornado.reub.net dovecot: imap-login: Internal login
>> failure (pid=22573 id=1) (internal failure, 1 successful auths):
>> user=<reuben>, auth-method=PLAIN, remote=2001:44b8:31d4:1311::50,
>> local=2001:44b8:31d4:1310::20, TLS
>>
>> which then starts soon spitting this out 10s of times per second in
>> the mail log:
>>
>> May  7 21:19:32 tornado.reub.net dovecot: auth-worker(23738):
>> Error: Auth worker sees different passdbs/userdbs than auth server.
>> Maybe config just changed and this goes away automatically?
>>
>> This is with -hg latest as of now.
>>
>> This system uses PAM for local users.  Do I need to replicate all
>> of the system users including those who do not need any extra
>> settings, in the passwd.extra file too?
>>
>> Is my syntax above for two mail_replica servers correct?
> A bit unsure about the config syntax, so I can not advise on that,
> but there were some bugs in auth yesterday. Maybe you could retest
> with f2a8e1793718 or newer. Make sure configs on both sides are in
> sync.
>
> Thank you for your continued testing, Teemu Huovila
>

With -hg as of now it's still not any better:

tornado log # dovecot --version
2.2.16 (f2a8e1793718+)
tornado log #

===================

# System users (NSS, /etc/passwd, or similar). In many systems nowadays this
# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
userdb {
   # <doc/wiki/AuthDatabase.Passwd.txt>
   driver = passwd
   # [blocking=no]
   #args =

   # Override fields from passwd
   #override_fields = home=/home/virtual/%u

   result_success = continue-ok
}

# Add some extra fields such as replication..

userdb {
   driver = passwd-file
   args = /etc/dovecot/passwd.extra
   skip = notfound
}

==============

May  8 22:59:11 tornado.reub.net dovecot: imap: Error: Authenticated 
user not found from userdb, auth lookup id=586547201 (client-pid=29035 
client-id=1)
May  8 22:59:11 tornado.reub.net dovecot: imap-login: Internal login 
failure (pid=29035 id=1) (internal failure, 1 successful auths): 
user=<reuben>, auth-method=PLAIN, remote=2001:44b8:31d4:1311::50, 
local=2001:44b8:31d4:1310::20, TLS

It logs an awful lot of those lines in short succession also, at least 
15 per second...

Reuben
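
An added example, not part of the original message or of Dovecot: a small Python linter for passwd-file lines such as those in /etc/dovecot/passwd.extra. It assumes the documented passwd-file layout user:password:uid:gid:(gecos):home:(shell):extra_fields with space-separated key=value extra fields; the function names and the user2 to user4 sample lines are constructed for illustration. It checks file format only and does not diagnose the login failures logged above.

```python
# Assumed layout (Dovecot passwd-file documentation):
# user:password:uid:gid:(gecos):home:(shell):extra_fields
import re

FIELDS = ("user", "password", "uid", "gid", "gecos", "home", "shell")

def parse_line(line):
    """Split one passwd-file line into fixed fields plus extra key=value pairs."""
    parts = line.rstrip("\n").split(":", 7)   # extra_fields may itself contain ':'
    entry = dict(zip(FIELDS, parts[:7]))
    entry["complete"] = len(parts) == 8
    extra = parts[7] if entry["complete"] else ""
    entry["extra"] = [tuple(t.split("=", 1)) for t in extra.split() if "=" in t]
    return entry

def lint_line(line):
    """Return a list of warnings for one line; an empty list means nothing flagged."""
    entry, warnings, seen = parse_line(line), [], set()
    if not entry["complete"]:
        warnings.append("fewer than 7 colons: extra_fields column is missing")
    for name in FIELDS[2:]:                   # password hashes may contain '='
        if "=" in entry.get(name, ""):
            warnings.append(f"key=value found in '{name}' column (miscounted colons?)")
    for key, value in entry["extra"]:
        # ',name=' inside a value suggests fields were joined by commas, not spaces
        if re.search(r",\w+=", value):
            warnings.append(f"{key}: value contains ',name=' (comma-joined fields?)")
        if key in seen:
            warnings.append(f"{key}: set more than once")
        seen.add(key)
    return warnings

SAMPLE = [
    # line quoted in the message above
    "user1:::::::userdb_mail_replica=tcps:lightning.reub.net:4813,"
    "userdb_mail_replica=tcp:pi.x.y:4814",
    # constructed: empty mail_replica, the exclusion method suggested in the thread
    "user2:::::::userdb_mail_replica=",
    # constructed: one colon short, so the extra field lands in the shell column
    "user3::::::userdb_mail_replica=tcp:replica.example:4814",
    # constructed: same key given twice, space-separated
    "user4:::::::userdb_mail_replica=tcp:a.example:1 userdb_mail_replica=tcp:b.example:2",
]

if __name__ == "__main__":
    for sample in SAMPLE:
        print(sample.split(":", 1)[0], lint_line(sample) or "ok")
```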