Re: pam auth problem

2017-08-03 Thread Randy Bush
>> # cat /etc/pam.d/dovecot
>> passdb {
>>  driver = pam
>>  # args = failure_show_msg=yes
>>  # args = max_requests=12
>>  args = %s
>> }
> 
> this info belongs into Dovecot's conf files, not into /etc/pam.d.

doh.  i misread the wiki page.  thanks.

> copy or link /etc/pam.d/imap to /etc/pam.d/dovecot

that seems to have helped a lot!

thank you

randy
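
The failure in this thread, as an added example (not part of any poster's message and not Dovecot or OpenPAM code): a small linter that resolves which pam.d file the pam passdb will load and flags entries that do not start with a PAM facility. Assumptions: the facility names follow pam.conf(5), the service-name rule (default "dovecot", otherwise the last non key=value word in args, with %s replaced by the protocol) follows the Dovecot PAM wiki page cited in the thread, and the function and constant names are made up for this example.

```python
# Added example, not from the thread. Facility names follow pam.conf(5);
# the service-name rule (default "dovecot", last non key=value word in
# args, %s = protocol) is an assumption based on the Dovecot PAM wiki page.
FACILITIES = {"auth", "account", "session", "password"}

# Constructed inputs, copied from the messages in this thread.
MISPLACED = """passdb {
  driver = pam
  # args = failure_show_msg=yes
  # args = max_requests=12
  args = %s
}
"""
FREEBSD_POP3 = """# auth
#auth\t\tsufficient\tpam_krb5.so\t\tno_warn try_first_pass
auth\t\trequired\tpam_unix.so\t\tno_warn try_first_pass

# account
#account\trequired\tpam_nologin.so
account\t\trequired\tpam_unix.so
"""


def pam_service_file(passdb_args="", protocol="imap"):
    """Return the pam.d path the pam passdb would ask PAM to load."""
    service = "dovecot"
    for word in passdb_args.split():
        if "=" not in word:          # key=value words are options
            service = word.replace("%s", protocol)
    return "/etc/pam.d/" + service


def lint_pam_service(text, path):
    """Return (line_number, message) for each malformed entry."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # strip comment, tokenize
        if not fields:
            continue
        if fields[0] not in FACILITIES:
            problems.append((lineno, f"{path}({lineno}): missing or invalid facility"))
        elif len(fields) < 3:
            problems.append((lineno, f"{path}({lineno}): missing control flag or module"))
    return problems


if __name__ == "__main__":
    path = pam_service_file()             # the passdb in dovecot.conf had no args
    for _, msg in lint_pam_service(MISPLACED, path):
        print(msg)
    print(lint_pam_service(FREEBSD_POP3, "/etc/pam.d/imap") or "imap: ok")
```

The linter reports every bad line, whereas the log in the thread shows OpenPAM reporting only line 1 of the file.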


Re: pam auth problem

2017-08-03 Thread Steffen Kaiser


On Thu, 3 Aug 2017, Randy Bush wrote:

> # cat /etc/pam.d/dovecot
> passdb {
>  driver = pam
>  # args = failure_show_msg=yes
>  # args = max_requests=12
>  args = %s
> }

this info belongs into Dovecot's conf files, not into /etc/pam.d.

> and /etc/pam.d/{imap,pop3} were untouched; both as follows
>
> #
> # $FreeBSD: releng/10.3/etc/pam.d/pop3 170771 2007-06-15 11:33:13Z yar $
> #
> # PAM configuration for the "pop3" service
> #
>
> # auth
> #auth       sufficient  pam_krb5.so no_warn try_first_pass
> #auth       sufficient  pam_ssh.so  no_warn try_first_pass
> auth        required    pam_unix.so no_warn try_first_pass
>
> # account
> #account    required    pam_nologin.so
> account     required    pam_unix.so

copy or link /etc/pam.d/imap to /etc/pam.d/dovecot

-- 
Steffen Kaiser



Re: pam auth problem

2017-08-03 Thread Randy Bush
> do you have a /etc/pam.d/dovecot file, does it define all necessary
> settings?

probably not, as i do not know what the necessary ones are :)

i did as best i could using
https://wiki.dovecot.org/PasswordDatabase/PAM as guidance

randy


Re: pam auth problem

2017-08-03 Thread Randy Bush
> What is in the pam.d/dovecot file? (Remember to strip passwords if
> included)

# cat /etc/pam.d/dovecot
passdb {
  driver = pam
  # args = failure_show_msg=yes
  # args = max_requests=12
  args = %s
}

and /etc/pam.d/{imap,pop3} were untouched; both as follows

#
# $FreeBSD: releng/10.3/etc/pam.d/pop3 170771 2007-06-15 11:33:13Z yar $
#
# PAM configuration for the "pop3" service
#

# auth
#auth       sufficient  pam_krb5.so no_warn try_first_pass
#auth       sufficient  pam_ssh.so  no_warn try_first_pass
auth        required    pam_unix.so no_warn try_first_pass

# account
#account    required    pam_nologin.so
account     required    pam_unix.so


Re: pam auth problem

2017-08-03 Thread Steffen Kaiser


On Thu, 3 Aug 2017, Randy Bush wrote:

> Date: Thu, 03 Aug 2017 22:08:22 +0900
> From: Randy Bush
> To: Remko Lodder
> Cc: Christian Kivalo, dovecot@dovecot.org
> Subject: Re: pam auth problem
>
>>> auth: in openpam_parse_chain(): /etc/pam.d/dovecot(1): missing or invalid facility
>>
>> I do not think that it has something to do with the dovecot settings
>> itself but perhaps with the pam facility settings instead?
>
> i can believe that.  any clues to debug?

do you have a /etc/pam.d/dovecot file, does it define all necessary
settings?


-- 
Steffen Kaiser



Re: pam auth problem

2017-08-03 Thread Remko Lodder
What is in the pam.d/dovecot file? (Remember to strip passwords if included)

Cheers,

Remko Lodder
 /* sent from my phone and thus brief and to the point *\

On 3 Aug 2017 at 15:08, Randy Bush wrote:

>>> auth: in openpam_parse_chain(): /etc/pam.d/dovecot(1): missing or invalid 
>>> facility
>> 
>> I do not think that it has something to do with the dovecot settings
>> itself but perhaps with the pam facility settings instead?
> 
> i can believe that.  any clues to debug?
> 
> randy


Re: pam auth problem

2017-08-03 Thread Randy Bush
>> auth: in openpam_parse_chain(): /etc/pam.d/dovecot(1): missing or invalid 
>> facility
> 
> I do not think that it has something to do with the dovecot settings
> itself but perhaps with the pam facility settings instead?

i can believe that.  any clues to debug?

randy


Re: pam auth problem

2017-08-03 Thread Remko Lodder

Hi Randy,

> On 3 Aug 2017, at 08:50, Randy Bush  wrote:
> 
> auth: in openpam_parse_chain(): /etc/pam.d/dovecot(1): missing or invalid 
> facility

I do not think that it has something to do with the dovecot settings itself but 
perhaps with the pam facility settings instead?

Cheers
Remko




Re: pam auth problem

2017-08-02 Thread Randy Bush
>> passdb {
>>   driver = pam
>> }
>> passdb {
>>   driver = pam
>>   name = pam
>> }
> Are those two passdb blocks intentional?
> 
> One of them is missing the name parameter.

doh.  first removed.

Aug  3 06:49:23 psg auth: in openpam_parse_chain(): /etc/pam.d/dovecot(1): missing or invalid facility
Aug  3 06:49:23 psg dovecot: auth-worker(53801): Error: pam(smb,2604:6000:1103:81a4:a8ec:3b9a:a3d4:d74f,<0+2Ax9NV6vAmBGAAEQOBpKjsO5qj1NdP>): pam_start() failed: system error
Aug  3 06:49:23 psg pure-ftpd: (?@80.82.78.85) [WARNING] Authentication failed for user [vaninst]
Aug  3 06:49:28 psg dovecot: auth: Warning: Timeout leak: 0x419970 (auth-request-handler.c:550)
Aug  3 06:49:28 psg dovecot: imap-login: Error: Error sending request to auth server: Broken pipe
Aug  3 06:49:40 psg auth: in openpam_parse_chain(): /etc/pam.d/dovecot(1): missing or invalid facility
Aug  3 06:49:40 psg dovecot: auth-worker(53801): Error: pam(pokui,160.242.151.213,): pam_start() failed: system error
Aug  3 06:49:40 psg auth: in openpam_parse_chain(): /etc/pam.d/dovecot(1): missing or invalid facility
Aug  3 06:49:40 psg dovecot: auth-worker(53801): Error: pam(ksemat,2a00:23c4:6901:c100:6d2a:d2cb:defd:474f,): pam_start() failed: system error


Re: pam auth problem

2017-08-02 Thread Christian Kivalo



>passdb {
>  driver = pam
>}
>passdb {
>  driver = pam
>  name = pam
>}
Are those two passdb blocks intentional?

One of them is missing the name parameter.
-- 
Christian Kivalo


pam auth problem

2017-08-02 Thread Randy Bush
# dovecot --version
2.2.31 (65cde28)
on freebsd 64 10.3

system converted to dovecot 2 against my will and consuming a lot of
time sorting it out.  i am glad google does not charge.  have spent
two hours on this one alone; and undoubtedly it is my st00pidity.  so
excuse my desperate posting to lazynet.

cram-md5 works, pam not so much

Aug  3 06:06:35 psg auth: in openpam_parse_chain(): /etc/pam.d/dovecot(1): missing or invalid facility
Aug  3 06:06:35 psg dovecot: auth-worker(48815): Error: pam(elb,2604:6000:130d:c31b:d250:99ff:fe90:14dd,): pam_start() failed: system error
Aug  3 06:06:35 psg auth: in openpam_parse_chain(): /etc/pam.d/dovecot(1): missing or invalid facility
Aug  3 06:06:35 psg dovecot: auth-worker(48815): Error: pam(elb,2604:6000:130d:c31b:d250:99ff:fe90:14dd,): pam_start() failed: system error


# 2.2.31 (65cde28): /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 10.3-RELEASE-p20 amd64  
auth_mechanisms = plain login cram-md5
first_valid_gid = 0
mail_location = mbox:~/mail/:INBOX=/var/mail/%u
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location = 
  prefix = 
}
passdb {
  args = scheme=cram-md5 /usr/local/etc/dovecot.cram-md5
  driver = passwd-file
  name = passwd-file
}
passdb {
  driver = pam
}
passdb {
  driver = pam
  name = pam
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
protocols = imap pop3
service auth {
  unix_listener auth-userdb {
    group = mail
  }
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl_cert = 

Re: [Dovecot] PAM auth problem

2007-03-28 Thread John Robinson

On 28/03/2007 17:32, Taras Savchuk wrote:

> In FreeBSD pam_group does exactly what I want:


Oh, sorry, didn't know you were on *BSD but I suppose I shouldn't have 
assumed Linux. In Linux-PAM, pam_wheel's documentation is very similar 
to your pam_group, with the addition of an option:


use_uid
The check for wheel membership will be done against the current uid 
instead of the original one (useful when jumping with su from one 
account to another for example).


It would be useful with Dovecot too, because you don't want your 
pam_group checking Dovecot's group membership - and this may be why it's 
not working for you. If you have a pam_succeed_if or equivalent, perhaps 
you could try that.


Cheers,

John.


Re: [Dovecot] PAM auth problem

2007-03-28 Thread Taras Savchuk

In FreeBSD pam_group does exactly what I want:

NAME
     pam_group -- Group PAM module

SYNOPSIS
     [service-name] module-type control-flag pam_group [arguments]

DESCRIPTION
     The group service module for PAM accepts or rejects users based on their
     membership in a particular file group.

     The following options may be passed to the pam_group module:

     deny        Reverse the meaning of the test, i.e., reject the applicant if
                 and only if he or she is a member of the specified group.
                 This can be useful to exclude certain groups of users from
                 certain services.

     fail_safe   If the specified group does not exist, or has no members, act
                 as if it does exist and the applicant is a member.

     group=groupname
                 Specify the name of the group to check.  The default is
                 ``wheel''.

     root_only   Skip this module entirely if the target account is not the
                 superuser account.

SEE ALSO
     pam.conf(5), pam(8)

AUTHORS
     The pam_group module and this manual page were developed for the FreeBSD
     Project by ThinkSec AS and NAI Labs, the Security Research Division of
     Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
     (``CBOSS''), as part of the DARPA CHATS research program.

FreeBSD 6.2                    February 6, 2003                    FreeBSD 6.2



John Robinson wrote:

> On 28/03/2007 16:52, Taras Savchuk wrote:
>
>> Pam auth don't work when I add pam_group:
>
> pam_group grants membership to groups, it can't be used to authenticate.
> Use pam_wheel or pam_succeed_if, and see
> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html
>
> Cheers,
>
> John.


--
Best regards, Taras Savchuk
Elantech LLC: IT outsourcing, web development
http://www.elantech.ru
+7 (495) 589 68 81
+7 (926) 575 22 11


Re: [Dovecot] PAM auth problem

2007-03-28 Thread John Robinson

On 28/03/2007 16:52, Taras Savchuk wrote:

> Pam auth don't work when I add pam_group:


pam_group grants membership to groups, it can't be used to authenticate. 
Use pam_wheel or pam_succeed_if, and see 
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html


Cheers,

John.


[Dovecot] PAM auth problem

2007-03-28 Thread Taras Savchuk

Pam auth don't work when I add pam_group:


gw# id test2
uid=10001(test2) gid=1(adusers) groups=1(adusers), 1(group1), 10001(group2), 10002(test10)


gw# getent passwd test2
test2:*:10001:1:Our AD-Unix Test Account:/home/test2:/bin/sh

gw# cat /etc/pam.d/dovecot

auth   required   pam_group.so   group=adusers
auth   required   pam_krb5.so    debug try_first_pass

All works fine with only pam_krb5 module.


--
Best regards, Taras Savchuk
Elantech LLC: IT outsourcing, web development
http://www.elantech.ru
+7 (495) 589 68 81
+7 (926) 575 22 11