Re: pam authentication

Pol Hallen Tue, 05 Sep 2017 05:00:55 -0700

How cooool!!! Works! :-)))

Very very thanks for your help!!!


Pol :)


On 2017-09-05 13:54, Aki Tuomi wrote:

Sorry, small typo

passdb {
 driver = static
 args = user=%n noauthenticate
}

Aki


On 05.09.2017 14:51, Pol Hallen wrote:

does not work :-/

Sep 05 13:49:41 auth: Debug: auth client connected (pid=31115)
Sep 05 13:49:41 auth: Debug: client in: AUTH    1       PLAIN
service=imap    secured session=IFCT0m9Y0KjAqAFk
lip=192.168.1.100       rip=192.168.1.100       lport=143
rport=43216
resp=AHBvbGhhbGxlbkBmdWNrYXJvdW5kLm9yZwBQYW5kb3JhMjAwMA== (previous
base64 data may contain sensitive data)
Sep 05 13:49:41 auth: Debug:
passwd-file(use...@realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>):
lookup: user=use...@realdomain.org file=/etc/dovecot/users
Sep 05 13:49:41 auth: Debug:
static(use...@realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>): lookup
Sep 05 13:49:41 auth: Debug:
static(use...@realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>):
Allowing any password
Sep 05 13:49:41 auth: Debug:
static(use...@realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>): Not
performing authentication (noauthenticate set)
==> /var/log/dovecot.info <==
Sep 05 13:49:41 auth: Info:
passwd-file(use...@realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>):
unknown user (given password: pass) - trying the next passdb
==> /var/log/dovecot.debug <==
Sep 05 13:49:41 auth-worker(31116): Debug: Loading modules from
directory: /usr/lib/dovecot/modules/auth
Sep 05 13:49:41 auth-worker(31116): Debug: passwd-file
/etc/dovecot/users: Read 4 users in 0 secs
Sep 05 13:49:41 auth-worker(31116): Debug:
pam(use...@realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>): lookup
service=dovecot
Sep 05 13:49:41 auth-worker(31116): Debug:
pam(use...@realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>): #1/1
style=1 msg=Password:
==> /var/log/dovecot.info <==
Sep 05 13:49:42 auth-worker(31116): Info:
pam(use...@realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>):
pam_authenticate() failed: Authentication failure (password mismatch?)
(given password: pass)
==> /var/log/dovecot.debug <==
Sep 05 13:49:42 auth-worker(31116): Debug:
pam(use...@realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>): lookup
service=dovecot
Sep 05 13:49:42 auth-worker(31116): Debug:
pam(use...@realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>): #1/1
style=1 msg=Password:
==> /var/log/dovecot.info <==
Sep 05 13:49:45 auth-worker(31116): Info:
pam(use...@realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>):
pam_authenticate() failed: Authentication failure (password mismatch?)
(given password: pass)
==> /var/log/dovecot.debug <==
Sep 05 13:49:45 auth: Debug:
passwd-file(use...@realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>):
lookup: user=use...@realdomain.org file=/etc/dovecot/users
==> /var/log/dovecot.info <==
Sep 05 13:49:45 auth: Info:
passwd-file(use...@realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>):
unknown user (given password: pass)
==> /var/log/dovecot.debug <==
Sep 05 13:49:47 auth: Debug: client passdb out: FAIL    1
user=use...@realdomain.org

Sep 05 13:49:47 imap-login: Debug: Ignoring unknown passdb extrafield:

==> /var/log/dovecot.info <==
Sep 05 13:49:47 imap-login: Info: Disconnected (auth failed, 1
attempts in 6 secs): user=<use...@realdomain.org>, method=PLAIN,
rip=192.168.1.100, lip=192.168.1.100, secured



On 2017-09-05 13:41, Aki Tuomi wrote:

No, you modify dovecot.conf

Aki

On 05.09.2017 14:40, Pol Hallen wrote: Do I modify
auth-system.conf.ext only (sorry for the question)

if yes, I've same problem

Pol

On 2017-09-05 13:34, Aki Tuomi wrote:

Try configuring like this:

passdb {
args = scheme=SHA256 username_format=%u /etc/dovecot/users
driver = passwd-file
}

passdb {
driver = static
args = username=%n noauthenticate
skip = authenticated
}

passdb {
driver = pam
skip = authenticated
}

On 05.09.2017 14:29, Pol Hallen wrote: Sure :) thanks

cat /var/log/dovecot/[...]

Sep 05 13:26:02 auth: Debug: auth client connected (pid=30131)
Sep 05 13:26:02 auth: Debug: client in: AUTH    1       PLAIN
service=imap    secured session=JK0Bfm9YuqfAqAFk
lip=192.168.1.100       rip=192.168.1.100       lport=143
rport=42938   resp=AG1heEBmdWNrYXJvdW5kLm9yZwBQYW5kb3JhMjAwMA==
(previous base64 data may contain sensitive data)
Sep 05 13:26:02 auth-worker(30088): Debug:
pam(use...@realsystem.org,192.168.1.100,<JK0Bfm9YuqfAqAFk>): lookup
service=username_format=user00
Sep 05 13:26:02 auth-worker(30088): Debug:
pam(use...@realsystem.org,192.168.1.100,<JK0Bfm9YuqfAqAFk>): #1/1
style=1 msg=Password:
==> /var/log/dovecot.info <==
Sep 05 13:26:04 auth-worker(30088): Info:
pam(use...@realsystem.org,192.168.1.100,<JK0Bfm9YuqfAqAFk>):

pam_authenticate() failed: Authentication failure (passwordmismatch?)

(given password: pass)
==> /var/log/dovecot.debug <==
Sep 05 13:26:04 auth: Debug:
passwd-file(use...@realsystem.org,192.168.1.100,<JK0Bfm9YuqfAqAFk>):
lookup: user=use...@realsystem.org file=/etc/dovecot/users
==> /var/log/dovecot.info <==
Sep 05 13:26:04 auth: Info:
passwd-file(use...@realsystem.org,192.168.1.100,<JK0Bfm9YuqfAqAFk>):
unknown user (given password: pass)
==> /var/log/dovecot.debug <==
Sep 05 13:26:06 auth: Debug: client passdb out: FAIL    1
user=use...@realsystem.org
==> /var/log/dovecot.info <==
Sep 05 13:26:06 imap-login: Info: Disconnected (auth failed, 1
attempts in 4 secs): user=<use...@realsystem.org>, method=PLAIN,
rip=192.168.1.100, lip=192.168.1.100, secured

doveconf -n

# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.9.0-3-amd64 x86_64 Debian 9.1
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = login plain
auth_verbose = yes
auth_verbose_passwords = yes
debug_log_path = /var/log/dovecot.debug
disable_plaintext_auth = no
info_log_path = /var/log/dovecot.info

login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e%c

mail_debug = yes
mail_home = /home/vmail/%d/%n/Maildir
mail_location = maildir:~/Maildir
mail_plugins = " quota quota"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date index ihave duplicate mime foreverypart
extracttext imapflags notify
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
subscriptions = yes
type = private
}
passdb {
args = username_format=%n
driver = pam
}
passdb {
args = scheme=SHA256 username_format=%u /etc/dovecot/users
driver = passwd-file
}
plugin {
mail_log_events = delete undelete expunge copy mailbox_delete
mailbox_rename append flag_change
mail_log_fields = uid box msgid size from subject vsize
quota = maildir:User quota
quota_rule = *:storage=10000M
quota_rule2 = Junk:storage=+100M
quota_rule3 = SPAM:storage=+100M
quota_warning = storage=90%% quota-warning 90 %u
sieve = file:~/sieve;active=~/.dovecot.sieve
sieve_extensions = +notify +imapflags
}
protocols = " imap sieve pop3 sieve"
quota_full_tempfail = yes
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
}
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
service_count = 1
vsz_limit = 64 M
}
service pop3-login {
inet_listener pop3 {
port = 110
}
inet_listener pop3s {
port = 995
ssl = yes
}
}
service quota-warning {
executable = script /root/bin/quota-warning.sh
unix_listener quota-warning {
mode = 0666
user = vmail
}
user = root
}
ssl_cert = </etc/dovecot/dovecot.pem
ssl_dh_parameters_length = 2048
ssl_key =  # hidden, use -P to show it
userdb {
driver = passwd
}
userdb {
args = scheme=SHA256 username_format=%u /etc/dovecot/users
driver = passwd-file
}
userdb {
args = uid=vmail gid=vmail home=/home/vmail/%d/%n
driver = static
}
verbose_proctitle = yes
protocol lda {
mail_plugins = " quota quota sieve quota"
}
protocol imap {
mail_plugins = " quota quota imap_quota"
}

On 2017-09-05 13:01, Aki Tuomi wrote:

Can you provide

doveconf -n  (with the new config)

enable auth_debug=yes, auth_verbose=yes and provide logs from
authentication attempt?

Aki

On 05.09.2017 13:37, Pol Hallen wrote: thanks Aki, but with all your
advices I've same problem: in the logs
always I see the authentication with user and domain name, so dovecot
doesn't accept it

any idea?

thanks!

Pol

On 2017-09-05 10:58, Aki Tuomi wrote:

Oh right, you need to do it like this...

after the passwd-file drivers add

passdb {
driver = static
args = username=%n noauthenticate
}

Aki

On 05.09.2017 11:03, Pol Hallen wrote: Hello, thanks for your reply

I already tried with:

username_format=%n or auth_username_format=%n but I've same problem

Pol

passdb {
driver = pam
args = username_format=%n
}

also you probably want to consider using driver=passwd instead, ifyou

really don't need pam due to some special plugins.

Aki


--
Pol

Re: pam authentication

Reply via email to