pam dovecot not working with authentication from roundcube
Ranbir
m3freak at thesandhufamily.ca
Thu Sep 17 06:03:07 EEST 2020
Hi Everyone,

I made some small changes in my dovecot setup to switch it from looking
up users and passwords from a mix of LDAP (i.e. FreeIPA) and password
files. One of the changes was to switch from using one id for all
authentication to using individual ids.

It's working fine with Evolution. I have one account authenticating
with GSSAPI, which is my userid for logging into my desktop and for
email. The other account in Evolution is logging in using PLAIN and is
only used for email (its shell is set to /sbin/nologin).

The problem is with roundcube: I can log in with the second, email-only
account, but my personal ID always errors out. I never use the domain
with either one.

auth worker: PASSV: pam_sss(dovecot:auth): authentication failure; logname= uid=97 euid=97 tty=dovecot ruser=ranbir rhost=1.2.3.4 user=ranbir
auth worker: PASSV: pam_sss(dovecot:auth): received for user ranbir: 17 (Failure setting user credentials)

It doesn't matter what user or group I use for unix_listener. If I use
0777 for the mode, I still see the failure and dovecot goes to try the
name against the passwd-file, where it obviously fails.

This is the pam error:

auth-worker(4474): pam(ranbir,1.2.3.4,<oS10hHmv7qkKyAkP>): pam_authenticate() failed: Authentication failure (password mismatch?)

What have I misconfigured? Here's the "service auth" section:

service auth {
  chroot =
  client_limit = 0
  drop_priv_before_exec = no
  executable = auth
  extra_groups =
  group =
  idle_kill = 0
  inet_listener {
    address = 9.8.7.5
    haproxy = no
    port = 17900
    reuse_port = no
    ssl = no
  }
  privileged_group =
  process_limit = 1
  process_min_avail = 0
  protocol =
  service_count = 0
  type =
  unix_listener auth-client {
    group =
    mode = 0600
    user = $default_internal_user
  }
  unix_listener auth-login {
    group =
    mode = 0600
    user = $default_internal_user
  }
  unix_listener auth-master {
    group =
    mode = 0600
    user =
  }
  unix_listener auth-userdb {
    group =
    mode = 0777
    user = $default_internal_user
  }
  unix_listener login/login {
    group =
    mode = 0666
    user =
  }
  unix_listener token-login/tokenlogin {
    group =
    mode = 0666
    user =
  }
  user = $default_internal_user
  vsz_limit = 18446744073709551615 B
}
Any guidance is appreciated.
--
Ranbir