Additional userdb variables in passwd [was Re: Dovecot Replication - Architecture Endianness?]
Reuben Farrelly
reuben-dovecot at reub.net
Sat May 16 02:46:35 UTC 2015
On 8/05/2015 11:04 PM, Reuben Farrelly wrote:
> On 8/05/2015 6:10 PM, Teemu Huovila wrote:
>> On 05/07/2015 02:32 PM, Reuben Farrelly wrote:
>>> On 7/05/2015 7:49 AM, Timo Sirainen wrote:
>>>> On 06 May 2015, at 13:52, Reuben Farrelly
>>>> <reuben-dovecot at reub.net> wrote:
>>>>>
>>>>> On 4/05/2015 11:06 PM, Teemu Huovila wrote:
>>>>>>> Also is there a way to restrict replication users aside
>>>>>>> from a crude hack around system first and last UIDs?
>>>>>> You can set the userdb to return an empty mail_replica
>>>>>> variable for users you want to exclude from replication.
>>>>>> http://hg.dovecot.org/dovecot-2.2/rev/c1c67bdc8752
>>>>>>
>>>>>> br, Teemu Huovila
>>>>>
>>>>> One last question. Is it possible to achieve this with system
>>>>> users and PAM or do I need to basically create a new static
>>>>> userdb for system users?
>>>>
>>>> You can create a new userdb passwd-file that adds extra fields.
>>>> So something like:
>>>>
>>>> userdb { driver = passwd result_success = continue-ok }
>>>>
>>>> userdb { driver = passwd-file args = /etc/dovecot/passwd.extra
>>>> skip = notfound }
>>>
>>> This doesn't seem to work for me and my config has that exact
>>> config. My password.extra file has just one line for the one
>>> account I am testing with at the moment:
>>>
>>> user1:::::::userdb_mail_replica=tcps:lightning.reub.net:4813,userdb_mail_replica=tcp:pi.x.y:4814
>>>
>>>
>>>
>>>
> This breaks access for other system users such as my own account which
> do not have entries:
>>>
>>> ay 7 21:19:06 tornado.reub.net dovecot: imap-login: Internal login
>>> failure (pid=22573 id=1) (internal failure, 1 successful auths):
>>> user=<reuben>, auth-method=PLAIN, remote=2001:44b8:31d4:1311::50,
>>> local=2001:44b8:31d4:1310::20, TLS
>>>
>>> which then starts soon spitting this out 10s of times per second in
>>> the mail log:
>>>
>>> May 7 21:19:32 tornado.reub.net dovecot: auth-worker(23738):
>>> Error: Auth worker sees different passdbs/userdbs than auth server.
>>> Maybe config just changed and this goes away automatically?
>>>
>>> This is with -hg latest as of now.
>>>
>>> This system uses PAM for local users. Do I need to replicate all
>>> of the system users including those who do not need any extra
>>> settings, in the passwd.extra file too?
>>>
>>> Is my syntax above for two mail_replica servers correct?
>> A bit unsure about the config syntax, so I can not advice on that,
>> but there were some bugs in auth yesterday. Maybe you could retest
>> with f2a8e1793718 or newer. Make sure configs on both sides are in
>> sync.
>>
>> Thank you for your continued testing, Teemu Huovila
>>
>
> With -hg as of now it's still not any better:
>
> tornado log # dovecot --version
> 2.2.16 (f2a8e1793718+)
> tornado log #
>
> ===================
>
> # System users (NSS, /etc/passwd, or similiar). In many systems nowadays
> this
> # uses Name Service Switch, which is configured in /etc/nsswitch.conf.
> userdb {
> # <doc/wiki/AuthDatabase.Passwd.txt>
> driver = passwd
> # [blocking=no]
> #args =
>
> # Override fields from passwd
> #override_fields = home=/home/virtual/%u
>
> result_success = continue-ok
> }
>
> # Add some extra fields such as replication..
>
> userdb {
> driver = passwd-file
> args = /etc/dovecot/passwd.extra
> skip = notfound
> }
>
> ==============
>
> May 8 22:59:11 tornado.reub.net dovecot: imap: Error: Authenticated
> user not found from userdb, auth lookup id=586547201 (client-pid=29035
> client-id=1)
> May 8 22:59:11 tornado.reub.net dovecot: imap-login: Internal login
> failure (pid=29035 id=1) (internal failure, 1 successful auths):
> user=<reuben>, auth-method=PLAIN, remote=2001:44b8:31d4:1311::50,
> local=2001:44b8:31d4:1310::20, TLS
>
> It logs an awful lot of those lines in short succession also, at least
> 15 per second...
>
> Reuben
Following on from this I've managed to get it to work - but there is one
outstanding problem which I suspect may be a bug. Running -hg build as
of today.
In case anyone else tries this, I had to separate each
userdb_mail_replica entry with a space. This is however, documented in
the wiki.
The outstanding issue is that even though I've had 'skip = notfound' in
the second userdb as above, if I don't add all of the users to that file
(even with no extra variables set) those users who are not added cannot
log in. They fail with the error above about an 'internal failure'.
It seems that the second passdb is not actually being skipped at all if
the user is not listed in it...Timo?
Thanks,
Reuben
More information about the dovecot
mailing list