Re: [Dovecot] Dot in user name. Was: Re: Apple patch 9
On T 6 Jan, 2009, at 16:08 , Timo Sirainen wrote:

> On Tue, 2009-01-06 at 16:02 +0100, Giuliano Gavazzi wrote:
> > Jan 6 15:38:58 dns dovecot[281]: Fatal: auth(default): BROKEN NSS IMPLEMENTATION: getpwnam() lookup returned different user than was requested (x_y != x.y).
> ..
> > This is not vital, but perhaps it is time to allow control on this behaviour that seems to potentially affect various platforms? Or perhaps should getpwnam return the short user name that matches the passwd field supplied (if it exists)?
>
> http://hg.dovecot.org/dovecot-1.1/rev/5858d901b2af

that was quick! Thanks

g
Re: [Dovecot] Dot in user name. Was: Re: Apple patch 9
On Tue, 2009-01-06 at 16:02 +0100, Giuliano Gavazzi wrote:
> Jan 6 15:38:58 dns dovecot[281]: Fatal: auth(default): BROKEN NSS
> IMPLEMENTATION: getpwnam() lookup returned different user than was
> requested (x_y != x.y).
..
> This is not vital, but perhaps it is time to allow control on this
> behaviour that seems to potentially affect various platforms? Or
> perhaps should getpwnam return the short user name that matches the
> passwd field supplied (if it exists)?

http://hg.dovecot.org/dovecot-1.1/rev/5858d901b2af
Re: [Dovecot] Dot in user name. Was: Re: Apple patch 9
Here is the reason for the login failure on Mac OS X (Server) when using secondary short names: the unix username is x_y, the additional short name (accepted for authentication) is x.y:

Jan 6 15:38:58 dns dovecot[281]: Fatal: auth(default): BROKEN NSS IMPLEMENTATION: getpwnam() lookup returned different user than was requested (x_y != x.y).
Jan 6 15:38:58 dns dovecot[281]: imap-login: Internal login failure (auth failed, 1 attempts): user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured

The secure.log reports no errors:

Jan 6 15:38:58 dns com.apple.SecurityServer[35]: checkpw() succeeded, creating credential for user x.y
Jan 6 15:38:58 dns com.apple.SecurityServer[35]: checkpw() succeeded, creating shared credential for user x.y
Jan 6 15:38:58 dns com.apple.SecurityServer[35]: Succeeded authorizing right system.login.tty by client /usr/local/libexec/dovecot/dovecot-auth for authorization created by /usr/local/libexec/dovecot/dovecot-auth.

Back in 2006 Timo wrote in response to the same problem:

"Well, you could simply remove the check from src/auth/userdb-passwd.c. Perhaps I could make this also optional. I'd anyway not want to remove that check completely because nss_ldap is still not fixed."

This is not vital, but perhaps it is time to allow control on this behaviour that seems to potentially affect various platforms? Or perhaps should getpwnam return the short user name that matches the passwd field supplied (if it exists)?

Giuliano
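The kind of check the "BROKEN NSS IMPLEMENTATION" log line describes, as an added example that is not part of the original messages and is not Dovecot's source. The names `checked_lookup`, `allow_alias` and `fake_lookup` are hypothetical, and the x_y / x.y account is constructed sample data standing in for getpwnam() on a host with a secondary short name.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Lookup type, so a constructed fake can stand in for getpwnam(). */
typedef struct passwd *(*pw_lookup_fn)(const char *name);
enum lookup_result { LOOKUP_OK, LOOKUP_NOT_FOUND, LOOKUP_NAME_MISMATCH };

/* Hypothetical helper (not Dovecot's code): reject a record whose pw_name
 * differs from the requested name unless allow_alias is set. */
enum lookup_result checked_lookup(pw_lookup_fn lookup, const char *requested,
                                  int allow_alias, struct passwd **out)
{
    struct passwd *pw = lookup(requested);
    *out = NULL;
    if (pw == NULL)
        return LOOKUP_NOT_FOUND;
    if (strcmp(pw->pw_name, requested) != 0 && !allow_alias)
        return LOOKUP_NAME_MISMATCH; /* asked for x.y, got x_y */
    *out = pw; /* callers should use pw->pw_name as the canonical name */
    return LOOKUP_OK;
}

/* Constructed sample data: one account x_y that also answers to the
 * alias x.y, like the secondary short name in the thread. */
struct passwd *fake_lookup(const char *name)
{
    static char name_buf[] = "x_y", dir_buf[] = "/Users/x_y";
    static struct passwd rec;
    if (strcmp(name, "x_y") != 0 && strcmp(name, "x.y") != 0)
        return NULL;
    rec.pw_name = name_buf;
    rec.pw_dir = dir_buf;
    rec.pw_uid = 501; /* constructed value */
    return &rec;
}

int main(void)
{
    const char *names[] = { "x_y", "x.y", "no.such" };
    struct passwd *pw;
    for (int i = 0; i < 3; i++) {
        int strict = checked_lookup(fake_lookup, names[i], 0, &pw);
        int relaxed = checked_lookup(fake_lookup, names[i], 1, &pw);
        printf("%-8s strict=%d relaxed=%d record=%s\n", names[i], strict,
               relaxed, pw ? pw->pw_name : "(none)");
    }
    return 0;
}
```

With the strict setting the alias x.y is refused even though the password check succeeded, which matches the login failure in the log; with the relaxed setting the record returned is still the x_y account, so anything keyed on the user name afterwards should use `pw->pw_name`.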
[Dovecot] Dot in user name. Was: Re: Apple patch 9
Sorry for sneaking in this thread, but it might be a reason for a patch on the Apple side.

Up until 10.3.9 Server, and 10.4 Client, I used to be able to create users with short name containing a dot. The latest OS doesn't allow that easily (there seem to be some not so clean workarounds), but the closest thing I can do is to create the primary short name with another character in place of the dot (for instance an underscore) and add an extra short name with the dot as I want it.

Now, if I use PAM for authentication dovecot will not permit using the alternative dotted short name as it will seem to fail authentication. I do not remember exactly what is the issue, but I can do a test if you like. Other servers seem not to have an issue, just dovecot. Perhaps it is just an issue when interacting with PAM.

Giuliano