Christian Seiler <christ...@iwakd.de> writes: > Hi, > > On 02/17/2016 05:11 PM, Joe Pfeiffer wrote: >> Christian Seiler writes: >>> [Suggesting journalctl -o verbose to debug this] >> I'm running a current Debian testing installation, and journal is >> enabled. >> >> It turns out it's only coming from /usr/lib/dovecot/auth. What's >> weird is in /etc/pam.d/, the only files using the module are >> common-auth and common-password, so I'd expect to see the error coming >> either every time someone authenticates through anything, or any time >> someone changes their password, and I'm not seeing either of those >> cases -- just dovecot. > > Just a hunch: do you run dovecot chroot'ed? If so, then it is most > likely the case that the specific PAM module is not available within > the chroot and that's why it produces that message.
No, it isn't chrooted -- if it were, I'd expect the other pam modules to give the same issues (for that matter, I'd expect it to not be able to find pam.d!). > If that's not the case: what's the contents of /etc/pam.d/dovecot? > And /etc/pam.d/common-auth? /etc/pam.d/dovecot: #%PAM-1.0 @include common-auth @include common-account @include common-session /etc/pam.d/common-auth: # # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. # here are the per-package modules (the "Primary" block) auth required pam_abl.so config=/etc/security/pam_abl.conf auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass # here's the fallback if no module succeeds auth requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around auth required pam_permit.so # and here are more per-package modules (the "Additional" block) auth optional pam_mount.so auth optional pam_smbpass.so migrate auth optional pam_cap.so # end of pam-auth-update config (note the line auth optional pam_smbpass.so migrate is added when libpam-smbpass is installed)