Additional userdb variables in passwd [was Re: Dovecot Replication - Architecture Endianness?]

Reuben Farrelly reuben-dovecot at reub.net
Sat May 16 02:46:35 UTC 2015 

On 8/05/2015 11:04 PM, Reuben Farrelly wrote:
> On 8/05/2015 6:10 PM, Teemu Huovila wrote:
>> On 05/07/2015 02:32 PM, Reuben Farrelly wrote:
>>> On 7/05/2015 7:49 AM, Timo Sirainen wrote:
>>>> On 06 May 2015, at 13:52, Reuben Farrelly
>>>> <reuben-dovecot at reub.net> wrote:
>>>>>
>>>>> On 4/05/2015 11:06 PM, Teemu Huovila wrote:
>>>>>>> Also is there a way to restrict replication users aside
>>>>>>> from a crude hack around system first and last UIDs?
>>>>>> You can set the userdb to return an empty mail_replica
>>>>>> variable for users you want to exclude from replication.
>>>>>> http://hg.dovecot.org/dovecot-2.2/rev/c1c67bdc8752
>>>>>>
>>>>>> br, Teemu Huovila
>>>>>
>>>>> One last question.  Is it possible to achieve this with system
>>>>> users and PAM or do I need to basically create a new static
>>>>> userdb for system users?
>>>>
>>>> You can create a new userdb passwd-file that adds extra fields.
>>>> So something like:
>>>>
>>>> userdb { driver = passwd result_success = continue-ok }
>>>>
>>>> userdb { driver = passwd-file args = /etc/dovecot/passwd.extra
>>>> skip = notfound }
>>>
>>> This doesn't seem to work for me and my config has that exact
>>> config. My password.extra file has just one line for the one
>>> account I am testing with at the moment:
>>>
>>> user1:::::::userdb_mail_replica=tcps:lightning.reub.net:4813,userdb_mail_replica=tcp:pi.x.y:4814
>>>
>>>
>>>
>>>
> This breaks access for other system users such as my own account which
> do not have entries:
>>>
>>> ay  7 21:19:06 tornado.reub.net dovecot: imap-login: Internal login
>>> failure (pid=22573 id=1) (internal failure, 1 successful auths):
>>> user=<reuben>, auth-method=PLAIN, remote=2001:44b8:31d4:1311::50,
>>> local=2001:44b8:31d4:1310::20, TLS
>>>
>>> which then starts soon spitting this out 10s of times per second in
>>> the mail log:
>>>
>>> May  7 21:19:32 tornado.reub.net dovecot: auth-worker(23738):
>>> Error: Auth worker sees different passdbs/userdbs than auth server.
>>> Maybe config just changed and this goes away automatically?
>>>
>>> This is with -hg latest as of now.
>>>
>>> This system uses PAM for local users.  Do I need to replicate all
>>> of the system users including those who do not need any extra
>>> settings, in the passwd.extra file too?
>>>
>>> Is my syntax above for two mail_replica servers correct?
>> A bit unsure about the config syntax, so I can not advice on that,
>> but there were some bugs in auth yesterday. Maybe you could retest
>> with f2a8e1793718 or newer. Make sure configs on both sides are in
>> sync.
>>
>> Thank you for your continued testing, Teemu Huovila
>>
>
> With -hg as of now it's still not any better:
>
> tornado log # dovecot --version
> 2.2.16 (f2a8e1793718+)
> tornado log #
>
> ===================
>
> # System users (NSS, /etc/passwd, or similiar). In many systems nowadays
> this
> # uses Name Service Switch, which is configured in /etc/nsswitch.conf.
> userdb {
>    # <doc/wiki/AuthDatabase.Passwd.txt>
>    driver = passwd
>    # [blocking=no]
>    #args =
>
>    # Override fields from passwd
>    #override_fields = home=/home/virtual/%u
>
>    result_success = continue-ok
> }
>
> # Add some extra fields such as replication..
>
> userdb {
>    driver = passwd-file
>    args = /etc/dovecot/passwd.extra
>    skip = notfound
> }
>
> ==============
>
> May  8 22:59:11 tornado.reub.net dovecot: imap: Error: Authenticated
> user not found from userdb, auth lookup id=586547201 (client-pid=29035
> client-id=1)
> May  8 22:59:11 tornado.reub.net dovecot: imap-login: Internal login
> failure (pid=29035 id=1) (internal failure, 1 successful auths):
> user=<reuben>, auth-method=PLAIN, remote=2001:44b8:31d4:1311::50,
> local=2001:44b8:31d4:1310::20, TLS
>
> It logs an awful lot of those lines in short succession also, at least
> 15 per second...
>
> Reuben

Following on from this I've managed to get it to work - but there is one 
outstanding problem which I suspect may be a bug.   Running -hg build as 
of today.

In case anyone else tries this, I had to separate each 
userdb_mail_replica entry with a space.  This is however, documented in 
the wiki.

The outstanding issue is that even though I've had 'skip = notfound' in 
the second userdb as above, if I don't add all of the users to that file 
(even with no extra variables set) those users who are not added cannot 
log in.  They fail with the error above about an 'internal failure'.

It seems that the second passdb is not actually being skipped at all if 
the user is not listed in it...Timo?

Thanks,
Reuben

More information about the dovecot mailing list