On 8/05/2015 11:04 PM, Reuben Farrelly wrote:
On 8/05/2015 6:10 PM, Teemu Huovila wrote:
On 05/07/2015 02:32 PM, Reuben Farrelly wrote:
On 7/05/2015 7:49 AM, Timo Sirainen wrote:
On 06 May 2015, at 13:52, Reuben Farrelly <reuben-dove...@reub.net> wrote:

On 4/05/2015 11:06 PM, Teemu Huovila wrote:
Also is there a way to restrict replication users aside
from a crude hack around system first and last UIDs?
You can set the userdb to return an empty mail_replica
variable for users you want to exclude from replication.
http://hg.dovecot.org/dovecot-2.2/rev/c1c67bdc8752

br, Teemu Huovila

One last question.  Is it possible to achieve this with system
users and PAM or do I need to basically create a new static
userdb for system users?

You can create a new userdb passwd-file that adds extra fields.
So something like:

userdb { driver = passwd result_success = continue-ok }

userdb { driver = passwd-file args = /etc/dovecot/passwd.extra
skip = notfound }

This doesn't seem to work for me and my config has that exact
config. My password.extra file has just one line for the one
account I am testing with at the moment:

user1:::::::userdb_mail_replica=tcps:lightning.reub.net:4813,userdb_mail_replica=tcp:pi.x.y:4814

This breaks access for other system users such as my own account which
do not have entries:

May  7 21:19:06 tornado.reub.net dovecot: imap-login: Internal login
failure (pid=22573 id=1) (internal failure, 1 successful auths):
user=<reuben>, auth-method=PLAIN, remote=2001:44b8:31d4:1311::50,
local=2001:44b8:31d4:1310::20, TLS

which then starts soon spitting this out 10s of times per second in
the mail log:

May  7 21:19:32 tornado.reub.net dovecot: auth-worker(23738):
Error: Auth worker sees different passdbs/userdbs than auth server.
Maybe config just changed and this goes away automatically?

This is with -hg latest as of now.

This system uses PAM for local users.  Do I need to replicate all
of the system users including those who do not need any extra
settings, in the passwd.extra file too?

Is my syntax above for two mail_replica servers correct?
A bit unsure about the config syntax, so I cannot advise on that,
but there were some bugs in auth yesterday. Maybe you could retest
with f2a8e1793718 or newer. Make sure configs on both sides are in
sync.

Thank you for your continued testing, Teemu Huovila


With -hg as of now it's still not any better:

tornado log # dovecot --version
2.2.16 (f2a8e1793718+)
tornado log #

===================

# System users (NSS, /etc/passwd, or similar). In many systems nowadays this
# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
userdb {
   # <doc/wiki/AuthDatabase.Passwd.txt>
   driver = passwd
   # [blocking=no]
   #args =

   # Override fields from passwd
   #override_fields = home=/home/virtual/%u

   result_success = continue-ok
}

# Add some extra fields such as replication..

userdb {
   driver = passwd-file
   args = /etc/dovecot/passwd.extra
   skip = notfound
}

==============

May  8 22:59:11 tornado.reub.net dovecot: imap: Error: Authenticated
user not found from userdb, auth lookup id=586547201 (client-pid=29035
client-id=1)
May  8 22:59:11 tornado.reub.net dovecot: imap-login: Internal login
failure (pid=29035 id=1) (internal failure, 1 successful auths):
user=<reuben>, auth-method=PLAIN, remote=2001:44b8:31d4:1311::50,
local=2001:44b8:31d4:1310::20, TLS

It logs an awful lot of those lines in short succession also, at least
15 per second...

Reuben

Following on from this I've managed to get it to work - but there is one outstanding problem which I suspect may be a bug. Running -hg build as of today.

In case anyone else tries this, I had to separate each userdb_mail_replica entry with a space. This is, however, documented in the wiki.

The outstanding issue is that even though I've had 'skip = notfound' in the second userdb as above, if I don't add all of the users to that file (even with no extra variables set) those users who are not added cannot log in. They fail with the error above about an 'internal failure'.

It seems that the second passdb is not actually being skipped at all if the user is not listed in it...Timo?

Thanks,
Reuben
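To make the separator problem from this thread visible before it reaches the auth server, here is an added sanity checker for passwd-file lines (not part of the thread or of Dovecot itself). It assumes Dovecot's documented passwd-file layout of seven colon-separated fixed fields followed by space-separated key=value extra fields; the sample lines and hostnames are constructed.

```python
"""Sanity-check Dovecot passwd-file entries such as /etc/dovecot/passwd.extra."""
import re

# Constructed sample. user1 uses the comma-joined form from the thread, which
# Dovecot reads as ONE extra field; user2 uses the space separator that works.
SAMPLE_LINES = """
# userdb-only entries: password/uid/gid/home stay empty and come from passwd
user1:::::::userdb_mail_replica=tcps:lightning.example.net:4813,userdb_mail_replica=tcp:pi.example.net:4814
user2:::::::userdb_mail_replica=tcps:lightning.example.net:4813 userdb_quota_rule=*:storage=1G
"""

# A comma followed by something that looks like "key=" inside a value usually
# means two extra fields were glued together instead of being space-separated.
GLUED_FIELD = re.compile(r",\w+=")


def parse_passwd_file_line(line):
    """Split user:password:uid:gid:gecos:home:shell:extra_fields.

    Only the first seven colons are separators; colons inside the extra
    fields (for example tcps:host:port) are literal, so split at most 7 times.
    """
    parts = line.split(":", 7)
    parts += [""] * (8 - len(parts))  # tolerate short lines
    user, _password, uid, gid, _gecos, home, _shell, extra = parts
    fields, warnings = {}, []
    for token in extra.split():  # extra fields are whitespace-separated
        if "=" not in token:
            warnings.append(f"{user}: extra field without '=': {token!r}")
            continue
        key, value = token.split("=", 1)
        if key in fields:
            warnings.append(f"{user}: duplicate key {key!r}; later value wins")
        if GLUED_FIELD.search(value):
            warnings.append(f"{user}: {key!r} value contains another key=; "
                            "separate extra fields with a space, not a comma")
        fields[key] = value
    return {"user": user, "uid": uid, "gid": gid, "home": home,
            "extra": fields, "warnings": warnings}


def check_passwd_file(text):
    """Parse every non-comment line; returns {user: parsed entry}."""
    results = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            entry = parse_passwd_file_line(line)
            results[entry["user"]] = entry
    return results


if __name__ == "__main__":
    for entry in check_passwd_file(SAMPLE_LINES).values():
        print(entry["user"], entry["extra"], *entry["warnings"], sep="\n  ")
```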
