Need help on checkpassword userdb/passdb

Mark Foley mfoley at ohprs.org
Sat Sep 12 01:57:40 UTC 2015 

Not to be grumpy, but I've posted a dozen or more message to this list in the
past week about what I think might be relatively common/easy issues and have had
zero response except from Rick Romero who is trying, but hasn't actually done
what I need himself.  I'm sure someone has.  Perhaps these problem are too mundane
compared to CalDAV, sieve filtering and IPA to excite List interest? Come on
Dovecotters! Let's step up to the plate!

To follow up on my previous posting in this thread, I'm trying to get
checkpassword to work. I have confirmed that it is setting the environment
variables as described in (http://wiki2.dovecot.org/AuthDatabase/CheckPassword).
My debug output of env variables sent to checkpassword-reply:

$USER=mark
userdb_uid=3000026
userdb_gid=100
INSECURE_SETUID=1
EXTRA=userdb_uid userdb_gid

I have confirmed that my checkpassword program returns 0 authenticating the user
with the AD:

fork pid = 4239, ntlm_auth status: 0

The pid listed above is the pid of the forked /usr/local/libexec/dovecot/checkpassword-reply 
program. For testing purposes, I've replaced that with a stub of my own that
shows the set environment variables so I know checkpassword-reply is getting
them (listed above).

Notice in the log messages below that everything looks correct. It has the
correct username, UID, GID, client passdb out: OK. No error in the log that I
can see.

I believe I've done everything exactly as documented in the wiki, but it doesn't
work I get the Outlook message "Your IMAP server closed the connection ... 
Error Code: 0x800CCCDD".  Finally, I tried setting:

chgrp dovecot /usr/local/libexec/dovecot/checkpassword-reply
chmod g+s /usr/local/libexec/dovecot/checkpassword-reply

As the wiki suggested and setting the env variable INSECURE_SETUID=1. Same
error. 

Googling the 0x800CCCDD code simply says to turn of scheduled send/received, but
that makes no different. Same error.

I believe I've done everything exactly according to the documentation.  Does
checkpassword actually work with Dovecot version 2.2.15? If not, could someone
please tell me so I can stop wasting my time.  If it does work, can someone
please help me figure out why it does not for me?

Thanks -- Mark

My dovecot log:

Sep 11 21:18:22 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 11 21:18:22 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Sep 11 21:18:22 auth: Debug: auth client connected (pid=4234)
Sep 11 21:18:22 auth: Debug: client in: AUTH    1       PLAIN   service=imap    session=tHPCm4IftgDAqAA6      lip=192.168.0.2  rip=192.168.0.58        lport=143       rport=50614     resp=AG1hcmsAZ2xhY29uXzk= (previous base64 data may contain sensitive data)
Sep 11 21:18:22 auth: Debug: checkpassword(mark,192.168.0.58,<tHPCm4IftgDAqAA6>): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Sep 11 21:18:22 auth: Debug: checkpassword(mark,192.168.0.58,<tHPCm4IftgDAqAA6>): exit_status=0
Sep 11 21:18:22 auth: Debug: checkpassword(mark,192.168.0.58,<tHPCm4IftgDAqAA6>): Received input: userdb_uid=3000026   userdb_gid=100
Sep 11 21:18:22 auth: Debug: client passdb out: OK      1       user=mark
Sep 11 21:18:22 auth: Debug: master in: REQUEST 1794375681      4234    1       c2551b70ccf5e2f8e022869663bf6a70       session_pid=4240        request_auth_token
Sep 11 21:18:22 auth: Debug: prefetch(mark,192.168.0.58,<tHPCm4IftgDAqAA6>): success
Sep 11 21:18:22 auth: Debug: master userdb out: USER    1794375681      mark    uid=3000026     gid=100 auth_token=008ebf0ebd9c1654085de247f10cdf0a746555d4
Sep 11 21:18:22 imap-login: Info: Login: user=<mark>, method=PLAIN, rip=192.168.0.58, lip=192.168.0.2, mpid=4240, session=<tHPCm4IftgDAqAA6>


-----Original Message-----
From: Mark Foley <mfoley at ohprs.org>
Date: Thu, 10 Sep 2015 23:05:18 -0400
To: dovecot at dovecot.org
Subject: Need help on checkpassword userdb/passdb

I'm experimenting with checkpassword as an auth method for usedb and passdb 
(http://wiki2.dovecot.org/AuthDatabase/CheckPassword). I've set up the userdb
and passdb *exactly* as the wiki suggests as the "standard way":

passdb {
  driver = checkpassword
  args = /user/util/bin/checkpassword
}
userdb {
  driver = prefetch
}

I've created a checkpassword program that does receive the correct user and
password from dovecot.  And I am successfully authenticating with ntlm_auth and
exiting with status 0.  My debug output:

AUTHORIZED: (null)
USER: (null)
userdb_uid: (null)
userdb_gid: (null)
arg1=/usr/local/libexec/dovecot/checkpassword-reply
CMD: /usr/bin/ntlm_auth --username="mark" --password='mypass'
ntlm_auth status: 0

Now, the wiki says 2 things that have me stumped:

1.  It says that, "Dovecot calls the script with AUTHORIZED=1 environment set
when performing a userdb lookup.  The script must acknowledge this by changing
the environment to AUTHORIZED=2, otherwise the lookup fails."

As you can see from my program log, "AUTHORIZED" is not set.  Why? Nor are any of the
other environment variables mentioned in the wiki. I've listed all the
environment variables that *are* passed to the program at the bottom of this message.

2. The wiki says, "Your program received a path to checkpassword-reply binary as the first
parameter. Execute it."

I did so as a fork() and then execve("/usr/local/libexec/dovecot/checkpassword-reply")
How do I know it worked ... or failed?

What am I doing wrong?

Dovecot log entries:

Sep 10 22:54:04 auth: Debug: auth client connected (pid=14748)
Sep 10 22:54:04 auth: Debug: client in: AUTH    1       PLAIN   service=imap    session=AkYg1G8f8QDAqAA6      lip=192.168.0.2  rip=192.168.0.58        lport=143       rport=49649     resp=AG1hcmsAZ2xhY29uXzk= (previous base64 data may contain sensitive data)
Sep 10 22:54:04 auth: Debug: checkpassword(mark,192.168.0.58,<AkYg1G8f8QDAqAA6>): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Sep 10 22:54:04 auth: Debug: checkpassword(mark,192.168.0.58,<AkYg1G8f8QDAqAA6>): exit_status=0
Sep 10 22:54:04 auth: Debug: checkpassword(mark,192.168.0.58,<AkYg1G8f8QDAqAA6>): Received input:
Sep 10 22:54:06 auth: Debug: client passdb out: FAIL    1       user=mark       temp

ENV variables passed to the checkpassword program:

DOVECOT_PRESERVE_ENVS=TZ CORE_OUTOFMEM CORE_ERROR
DOVECOT_CHILD_PROCESS=1
CONFIG_FILE=/usr/local/var/run/dovecot/config
CLIENT_LIMIT=1000
PROCESS_LIMIT=1
PROCESS_MIN_AVAIL=0
IDLE_KILL=60
GENERATION=2991
DOVECOT_HOSTNAME=mail
DOVECOT_HOSTDOMAIN=mail.hprs.local
DOVECOT_VERSION=2.2.15
LOG_SERVICE=1
SOCKET_COUNT=6
SSL_SOCKET_COUNT=0
SOCKET_NAMES=login      tokenlogin      auth-login      auth-client     auth-userdb     auth-master
PROTO=TCP
ORIG_UID=151
SERVICE=imap
TCPLOCALIP=192.168.0.2
LOCAL_IP=192.168.0.2
TCPREMOTEIP=192.168.0.58
REMOTE_IP=192.168.0.58
TCPLOCALPORT=143
TCPREMOTEPORT=49649
AUTH_USER=mark
AUTH_USERNAME=mark
AUTH_SERVICE=imap
AUTH_LIP=192.168.0.2
AUTH_RIP=192.168.0.58
AUTH_PID=14748
AUTH_MECH=PLAIN
AUTH_SECURED=
AUTH_LPORT=143
AUTH_RPORT=49649
AUTH_CERT=
AUTH_SESSION=AkYg1G8f8QDAqAA6
AUTH_REAL_LIP=192.168.0.2
AUTH_REAL_RIP=192.168.0.58
AUTH_REAL_LPORT=143
AUTH_REAL_RPORT=49649
AUTH_ORIG_USER=mark
AUTH_ORIG_USERNAME=mark

--Mark

More information about the dovecot mailing list