Re: Need help on checkpassword userdb/passdb

2015-09-12 Thread Mark Foley
I figured out how to make checkpassword work. There is a problem with the
documentation. http://wiki2.dovecot.org/AuthDatabase/CheckPassword, under
'Security' says, "a. If possible, change the checkpassword to return userdb_uid
and userdb_gid extra fields instead of using setuid() and setgid(). This also
improves the performance." And, under 'Checkpassword Interface' it says,
"Return the user's UNIX UID and GID using userdb_uid and userdb_gid
environments and add them to the EXTRA environment ..."

I did all of this and it didn't work. However, when I added the userdb_home
environment variable and added that to the EXTRA environment variable, it
worked. I tried this because I happened upon
http://wiki2.dovecot.org/UserDatabase/Prefetch which mentioned userdb_home. The
http://wiki2.dovecot.org/AuthDatabase/CheckPassword needs to have this bit of
information added in the appropriate place(s) or the developer/hackster will
waste days trying to get checkpassword working until he/she stumbles across the
userdb_home comment elsewhere.

Nevertheless, checkpassword turns out not to be the solution to my original
problem, so I will keep on keepin' on ... 

--Mark

Re: Need help on checkpassword userdb/passdb

2015-09-11 Thread Mark Foley
Not to be grumpy, but I've posted a dozen or more messages to this list in the
past week about what I think might be relatively common/easy issues and have had
zero response except from Rick Romero who is trying, but hasn't actually done
what I need himself. I'm sure someone has. Perhaps these problems are too mundane
compared to CalDAV, sieve filtering and IPA to excite List interest? Come on
Dovecotters! Let's step up to the plate!

To follow up on my previous posting in this thread, I'm trying to get
checkpassword to work. I have confirmed that it is setting the environment
variables as described in (http://wiki2.dovecot.org/AuthDatabase/CheckPassword).
My debug output of env variables sent to checkpassword-reply:

$USER=mark
userdb_uid=326
userdb_gid=100
INSECURE_SETUID=1
EXTRA=userdb_uid userdb_gid

I have confirmed that my checkpassword program returns 0 authenticating the user
with the AD:

fork pid = 4239, ntlm_auth status: 0

The pid listed above is the pid of the forked
/usr/local/libexec/dovecot/checkpassword-reply program. For testing purposes,
I've replaced that with a stub of my own that shows the set environment
variables so I know checkpassword-reply is getting them (listed above).

Notice in the log messages below that everything looks correct. It has the
correct username, UID, GID, client passdb out: OK. No error in the log that I
can see.

I believe I've done everything exactly as documented in the wiki, but it doesn't
work. I get the Outlook message "Your IMAP server closed the connection ...
Error Code: 0x800CCCDD". Finally, I tried setting:

chgrp dovecot /usr/local/libexec/dovecot/checkpassword-reply
chmod g+s /usr/local/libexec/dovecot/checkpassword-reply

as the wiki suggested, and setting the env variable INSECURE_SETUID=1. Same
error.

Googling the 0x800CCCDD code simply says to turn off scheduled send/receive, but
that makes no difference. Same error.

I believe I've done everything exactly according to the documentation.  Does
checkpassword actually work with Dovecot version 2.2.15? If not, could someone
please tell me so I can stop wasting my time.  If it does work, can someone
please help me figure out why it does not for me?

Thanks -- Mark

My dovecot log:

Sep 11 21:18:22 auth: Debug: Loading modules from directory: 
/usr/local/lib/dovecot/auth
Sep 11 21:18:22 auth: Debug: Read auth token secret from 
/usr/local/var/run/dovecot/auth-token-secret.dat
Sep 11 21:18:22 auth: Debug: auth client connected (pid=4234)
Sep 11 21:18:22 auth: Debug: client in: AUTH 1 PLAIN service=imap session=tHPCm4IftgDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=50614 resp=AG1hcmsAZ2xhY29uXzk= (previous base64 data may contain sensitive data)
Sep 11 21:18:22 auth: Debug: checkpassword(mark,192.168.0.58,): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Sep 11 21:18:22 auth: Debug: checkpassword(mark,192.168.0.58,): exit_status=0
Sep 11 21:18:22 auth: Debug: checkpassword(mark,192.168.0.58,): Received input: userdb_uid=326 userdb_gid=100
Sep 11 21:18:22 auth: Debug: client passdb out: OK 1 user=mark
Sep 11 21:18:22 auth: Debug: master in: REQUEST 1794375681 4234 1 c2551b70ccf5e2f8e022869663bf6a70 session_pid=4240 request_auth_token
Sep 11 21:18:22 auth: Debug: prefetch(mark,192.168.0.58,): success
Sep 11 21:18:22 auth: Debug: master userdb out: USER 1794375681 mark uid=326 gid=100 auth_token=008ebf0ebd9c1654085de247f10cdf0a746555d4
Sep 11 21:18:22 imap-login: Info: Login: user=<mark>, method=PLAIN, rip=192.168.0.58, lip=192.168.0.2, mpid=4240, session=<tHPCm4IftgDAqAA6>


Need help on checkpassword userdb/passdb

2015-09-10 Thread Mark Foley
I'm experimenting with checkpassword as an auth method for userdb and passdb
(http://wiki2.dovecot.org/AuthDatabase/CheckPassword). I've set up the userdb
and passdb *exactly* as the wiki suggests as the "standard way":

passdb {
  driver = checkpassword
  args = /user/util/bin/checkpassword
}
userdb {
  driver = prefetch
}

I've created a checkpassword program that does receive the correct user and
password from dovecot.  And I am successfully authenticating with ntlm_auth and
exiting with status 0.  My debug output:

AUTHORIZED: (null)
USER: (null)
userdb_uid: (null)
userdb_gid: (null)
arg1=/usr/local/libexec/dovecot/checkpassword-reply
CMD: /usr/bin/ntlm_auth --username="mark" --password='mypass'
ntlm_auth status: 0

Now, the wiki says 2 things that have me stumped:

1.  It says that, "Dovecot calls the script with AUTHORIZED=1 environment set
when performing a userdb lookup.  The script must acknowledge this by changing
the environment to AUTHORIZED=2, otherwise the lookup fails."

As you can see from my program log, "AUTHORIZED" is not set. Why? Nor are any of
the other environment variables mentioned in the wiki. I've listed all the
environment variables that *are* passed to the program at the bottom of this
message.

2. The wiki says, "Your program received a path to checkpassword-reply binary
as the first parameter. Execute it."

I did so as a fork() and then 
execve("/usr/local/libexec/dovecot/checkpassword-reply")
How do I know it worked ... or failed?

What am I doing wrong?

Dovecot log entries:

Sep 10 22:54:04 auth: Debug: auth client connected (pid=14748)
Sep 10 22:54:04 auth: Debug: client in: AUTH 1 PLAIN service=imap session=AkYg1G8f8QDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=49649 resp=AG1hcmsAZ2xhY29uXzk= (previous base64 data may contain sensitive data)
Sep 10 22:54:04 auth: Debug: checkpassword(mark,192.168.0.58,): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Sep 10 22:54:04 auth: Debug: checkpassword(mark,192.168.0.58,): exit_status=0
Sep 10 22:54:04 auth: Debug: checkpassword(mark,192.168.0.58,): Received input:
Sep 10 22:54:06 auth: Debug: client passdb out: FAIL 1 user=mark temp

ENV variables passed to the checkpassword program:

DOVECOT_PRESERVE_ENVS=TZ CORE_OUTOFMEM CORE_ERROR
DOVECOT_CHILD_PROCESS=1
CONFIG_FILE=/usr/local/var/run/dovecot/config
CLIENT_LIMIT=1000
PROCESS_LIMIT=1
PROCESS_MIN_AVAIL=0
IDLE_KILL=60
GENERATION=2991
DOVECOT_HOSTNAME=mail
DOVECOT_HOSTDOMAIN=mail.hprs.local
DOVECOT_VERSION=2.2.15
LOG_SERVICE=1
SOCKET_COUNT=6
SSL_SOCKET_COUNT=0
SOCKET_NAMES=login tokenlogin auth-login auth-client auth-userdb auth-master
PROTO=TCP
ORIG_UID=151
SERVICE=imap
TCPLOCALIP=192.168.0.2
LOCAL_IP=192.168.0.2
TCPREMOTEIP=192.168.0.58
REMOTE_IP=192.168.0.58
TCPLOCALPORT=143
TCPREMOTEPORT=49649
AUTH_USER=mark
AUTH_USERNAME=mark
AUTH_SERVICE=imap
AUTH_LIP=192.168.0.2
AUTH_RIP=192.168.0.58
AUTH_PID=14748
AUTH_MECH=PLAIN
AUTH_SECURED=
AUTH_LPORT=143
AUTH_RPORT=49649
AUTH_CERT=
AUTH_SESSION=AkYg1G8f8QDAqAA6
AUTH_REAL_LIP=192.168.0.2
AUTH_REAL_RIP=192.168.0.58
AUTH_REAL_LPORT=143
AUTH_REAL_RPORT=49649
AUTH_ORIG_USER=mark
AUTH_ORIG_USERNAME=mark

--Mark
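
Added example, not the thread author's program and not Dovecot's own code: a minimal checkpassword passdb in POSIX sh that does what the original question asks about (read the credentials Dovecot supplies, then execute the checkpassword-reply binary passed as the first argument) and what the 2015-09-12 post found necessary (return userdb_uid, userdb_gid and userdb_home, all three listed in EXTRA, so the prefetch userdb has everything it needs). The credential table, user names, uid/gid values and home paths are constructed stand-ins for a real backend such as the ntlm_auth call in the thread; the exit statuses follow the checkpassword interface (0 success, 1 bad credentials, 2 misuse, 111 temporary failure). Because this runs only as a passdb with `userdb { driver = prefetch }`, it is never called with AUTHORIZED=1, which the wiki text quoted in the original post reserves for userdb lookups.

```sh
#!/bin/sh
# Added example (not the thread author's program and not Dovecot code): a
# minimal Dovecot checkpassword passdb in POSIX sh. Dovecot runs it as
#   checkpassword /path/to/checkpassword-reply
# with "user\0password\0timestamp\0" on file descriptor 3.

# Constructed credential table, an assumption standing in for the real
# backend (the thread uses ntlm_auth): user:password:uid:gid:home.
# Home paths are assumed to contain no whitespace.
CREDENTIALS='mark:s3cret:326:100:/home/mark
alice:hunter2:1001:100:/home/alice'

# Exit statuses defined by the checkpassword interface.
EXIT_BADAUTH=1     # wrong user or password
EXIT_MISUSE=2      # called incorrectly (no usable reply binary)
EXIT_TEMPFAIL=111  # temporary failure, e.g. fd 3 not open

# Print "uid gid home" for a known user; fail if the user is unknown.
lookup_user() {
    printf '%s\n' "$CREDENTIALS" | awk -F: -v u="$1" '
        $1 == u { print $3, $4, $5; found = 1; exit }
        END { exit !found }'
}

# Succeed only when user and password both match one record.
check_password() {
    printf '%s\n' "$CREDENTIALS" | awk -F: -v u="$1" -v p="$2" '
        $1 == u && $2 == p { ok = 1 }
        END { exit !ok }'
}

# Export what the prefetch userdb needs. Dovecot reads only the variables
# named in EXTRA, and (the 2015-09-12 finding) userdb_home has to be among
# them, not just userdb_uid and userdb_gid.
build_reply_env() {
    fields=$(lookup_user "$1") || return 1
    set -- $fields
    userdb_uid=$1
    userdb_gid=$2
    userdb_home=$3
    EXTRA='userdb_uid userdb_gid userdb_home'
    export userdb_uid userdb_gid userdb_home EXTRA
}

# Read the NUL-separated input from fd 3, one field per output line.
# Taking the secret from a descriptor keeps it out of argv and `ps`.
read_fd3() {
    tr '\0' '\n' <&3
}

main() {
    reply=$1
    [ -n "$reply" ] && [ -x "$reply" ] || exit "$EXIT_MISUSE"
    input=$(read_fd3) || exit "$EXIT_TEMPFAIL"
    user=$(printf '%s\n' "$input" | sed -n 1p)
    pass=$(printf '%s\n' "$input" | sed -n 2p)
    [ -n "$user" ] || exit "$EXIT_BADAUTH"
    check_password "$user" "$pass" || exit "$EXIT_BADAUTH"
    build_reply_env "$user" || exit "$EXIT_BADAUTH"
    # Hand the prepared environment to checkpassword-reply, which reports
    # the result back to the Dovecot auth process.
    exec "$reply"
}

# Run main only when a reply binary is given, so the functions above can be
# sourced and exercised on their own.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Two points of the design worth keeping when swapping in a real backend: keep the password on a descriptor or stdin rather than on a child's command line, where any local user can read it from the process list, and return the uid/gid/home fields from the script instead of relying on setuid or setgid on checkpassword-reply, which is the arrangement the wiki text quoted in the 2015-09-12 post recommends for both security and performance.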