On 01/06/2012 06:52 PM, Nick Rosier wrote:
> Yubao Liu wrote:
>> Hi all,
>>
>> I have no idea about that message, here is my configuration, what's wrong?
>
> You have 2 passdb entries; 1 with a file and 1 with pam. I'm pretty sure
> PAM doesn't support DIGEST-MD5 authentication. Could be the cause of the
> problem.

Thanks, that is indeed the cause.

http://hg.dovecot.org/dovecot-2.0/file/684381041dc4/src/auth/auth.c

121 static bool auth_passdb_list_have_lookup_credentials(struct auth *auth)
122 {
123     struct auth_passdb *passdb;
124
125     for (passdb = auth->passdbs; passdb != NULL; passdb = passdb->next) {
126         if (passdb->passdb->iface.lookup_credentials != NULL)
127             return TRUE;
128     }
129     return FALSE;
130 }

I don't know why this function doesn't check auth->masterdbs, if I
insert these lines after line 128, that error goes away, and dovecot's
imap-login process happily does DIGEST-MD5 authentication [1].
In my configuration, "masterdbs" contains "passdb passwd-file",
"passdbs" contains "passdb pam".

    for (passdb = auth->masterdbs; passdb != NULL; passdb = passdb->next) {
        if (passdb->passdb->iface.lookup_credentials != NULL)
            return TRUE;
    }

[1] But the authentication for "user*master" always fails. I realized
master users can't log in as other users by DIGEST-MD5 or CRAM-MD5 auth
mechanisms because these authentication mechanisms use "user*master" as
the username in the hash algorithm, not just "master".

Regards,
Yubao Liu

>> Debian testing, Dovecot 2.0.15
>>
>> $ doveconf -n
>> # 2.0.15: /etc/dovecot/dovecot.conf
>> # OS: Linux 3.1.0-1-686-pae i686 Debian wheezy/sid
>> auth_default_realm = corp.example.com
>> auth_krb5_keytab = /etc/dovecot.keytab
>> auth_master_user_separator = *
>> auth_mechanisms = gssapi digest-md5
>> auth_realms = corp.example.com
>> auth_username_format = %n
>> first_valid_gid = 1000
>> first_valid_uid = 1000
>> mail_location = mdbox:/srv/mail/%u/Mail
>> managesieve_notify_capability = mailto
>> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
>> passdb {
>>   args = /etc/dovecot/master-users
>>   driver = passwd-file
>>   master = yes
>>   pass = yes
>> }
>> passdb {
>>   driver = pam
>> }
>> plugin {
>>   sieve = /srv/mail/%u/.dovecot.sieve
>>   sieve_dir = /srv/mail/%u/sieve
>> }
>> protocols = " imap lmtp sieve"
>> service auth {
>>   unix_listener auth-client {
>>     group = Debian-exim
>>     mode = 0660
>>   }
>> }
>> ssl_cert =</etc/ssl/certs/dovecot.pem
>> ssl_key =</etc/ssl/private/dovecot.pem
>> userdb {
>>   args = home=/srv/mail/%u
>>   driver = passwd
>> }
>> protocol lmtp {
>>   mail_plugins = " sieve"
>> }
>> protocol lda {
>>   mail_plugins = " sieve"
>> }
>>
>> # cat /etc/dovecot/master-users
>> [email protected]:zzzzzzzz
>>
>> The zzzzz is obtained by "doveadm pw -s digest-md5 -u [email protected]",
>> I tried to add prefix "{DIGEST-MD5}" before the generated hash and/or add
>> "scheme=DIGEST-MD5" to the passwd-file passdb's "args" option, both
>> don't help.
>>
>> The error message:
>> dovecot: master: Dovecot v2.0.15 starting up (core dumps disabled)
>> dovecot: auth: Fatal: DIGEST-MD5 mechanism can't be supported with given passdbs
>> gold dovecot: master: Error: service(auth): command startup failed, throttling
>>
>> I opened debug auth log, it showed dovecot read /etc/dovecot/master-users
>> and parsed one line, then the error occurred. Doesn't passwd-file passdb
>> support digest-md5 password scheme? If it doesn't support, how do I
>> configure digest-md5 auth mechanism with digest-md5 password scheme for
>> virtual users?
>>
>> Regards,
>> Yubao Liu
>
> Rgds,
> N.
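
The DIGEST-MD5 side of footnote [1], worked through as an added example (not part of the original message and not Dovecot code): the RFC 2831 response is derived from H(username:realm:password), so a secret stored for "master" cannot verify a client that hashed "user*master". The password, nonces, digest-uri and the simplified server that only looks up the "master" entry are assumptions made for the illustration.

```python
import hashlib
import hmac

REALM = "corp.example.com"        # auth_default_realm from the posted config
MASTER_PASSWORD = "s3cret-demo"   # constructed sample value


def ha1(username: str, realm: str, password: str) -> bytes:
    """RFC 2831 secret H(username:realm:password), raw 16 bytes.

    A DIGEST-MD5 password hash is this value hex-encoded, so the stored
    hash is bound to one exact username and realm.
    """
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def response(secret: bytes, nonce: str, cnonce: str, digest_uri: str) -> str:
    """RFC 2831 response value for qop=auth, nc=00000001, no authzid."""
    a1 = secret + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    hex_a1 = hashlib.md5(a1).hexdigest()
    hex_a2 = hashlib.md5(a2).hexdigest()
    kd = f"{hex_a1}:{nonce}:00000001:{cnonce}:auth:{hex_a2}"
    return hashlib.md5(kd.encode()).hexdigest()


def server_accepts(stored_secret: bytes, login_name: str, password: str) -> bool:
    """The client derives its secret from the login name it sends; this
    simplified server recomputes the response from the stored secret only."""
    # Constructed challenge values for the illustration.
    nonce, cnonce, uri = "srv-nonce-1", "cli-nonce-1", f"imap/{REALM}"
    client = response(ha1(login_name, REALM, password), nonce, cnonce, uri)
    server = response(stored_secret, nonce, cnonce, uri)
    return hmac.compare_digest(client, server)


# Secret held in the master-users entry for the account "master".
STORED = ha1("master", REALM, MASTER_PASSWORD)

if __name__ == "__main__":
    print("master      ->", server_accepts(STORED, "master", MASTER_PASSWORD))
    print("user*master ->", server_accepts(STORED, "user*master", MASTER_PASSWORD))
```

With the correct master password in both cases, only the login that hashes the bare name "master" verifies against the stored secret.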