Re: question on autch cache parameters

[Timo Sirainen]

Fixed: http://hg.dovecot.org/dovecot-2.2/rev/b7f7ad2bc4d0

> On 05 Aug 2015, at 17:30, matthias lay  wrote:
> 
> Hi list,
> 
> I have a question on auth caching in 2.2.18.
> 
> I am using acl_groups for a master user, appended in a static userdb file
> 
> # snip ###
> master@uma:{SHA}=::userdb_acl_groups=umareadmaster
> allow_nets=127.0.0.1
> # snap ###
> 
> and use this group in a global ACL file.
> I discovered this only works on first NOT-cached login
> 
> 
> 
> environment in imap-postlogin script on first login:
> 
> 
> AUTH_TOKEN=e96b5a32ceb2cafc4460c210ad2e92e3d7ab388c
> MASTER_USER=master@uma
> SPUSER=private/pdf
> LOCAL_IP=127.0.0.1
> USER=pdf
> AUTH_USER=master@uma
> PWD=/var/run/dovecot
> USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
> SHLVL=1
> HOME=/var/data/vmail/private/pdf
> ACL_GROUPS=umareadmaster
> IP=127.0.0.1
> _=/usr/bin/env
> 
> 
> on the second cached login it looks like this
> 
> 
> AUTH_TOKEN=12703b11932f233520f6d4b33559c33aeb1cfc7f
> MASTER_USER=master@uma
> SPUSER=private/pdf
> LOCAL_IP=127.0.0.1
> USER=pdf
> AUTH_USER=master@uma
> PWD=/var/run/dovecot
> USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
> SHLVL=1
> HOME=/var/data/vmail/private/pdf
> IP=127.0.0.1
> _=/usr/bin/env
> 
> so the ACL_GROUPS is gone.
> 
> is this intended to be like that.
> so groups not included in cache and I have to find another approach?
> 
> anybody else encountered similar problems with some auth Variables and
> caching?
> 
> 
> Greetz Matze

Re: question on autch cache parameters[Bug]

[Matthias Lay]

hi again,

On Thu, 27 Aug 2015 14:37:59 +0300
Teemu Huovila  wrote:


> 
> However, I am unable to reproduce this. Could you post your doveconf
> -n please? Im especially interested in your passdb and userdb
> configurations and auth-cache settings.
> 

just reproduced the bug with a fresh clean 2.2.18 install

ldap userdb an 2 masterusers with the ACL_GROUP attribut in passwd file


env output in imap-postlogin

first login:
AUTH_TOKEN=4adba75022f765fc3215ac5243337fd99adfdbf5
MASTER_USER=master2
SPUSER=private/johnd
LOCAL_IP=127.0.0.1
USER=johnd
AUTH_USER=master2
PWD=/run/dovecot
USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER 
SHLVL=1
HOME=/home/vmail/private/johnd
ACL_GROUPS=umareadmaster
IP=127.0.0.1
_=/usr/bin/env


logout and next login:

AUTH_TOKEN=83d7ede27b4fbc4de2abad58e84e65ac1073e4ec
MASTER_USER=master2
SPUSER=private/johnd
LOCAL_IP=127.0.0.1
USER=johnd
AUTH_USER=master2
PWD=/run/dovecot
USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER 
SHLVL=1
HOME=/home/vmail/private/johnd
IP=127.0.0.1
_=/usr/bin/env


##
% doveconf -n:


# 2.2.18: /etc/dovecot/dovecot.conf
# OS: Linux 3.12.44-gentoo x86_64 Gentoo Base System release 2.2 
auth_cache_negative_ttl = 30 mins
auth_cache_size = 10 k
auth_master_user_separator = *
auth_use_winbind = yes
auth_username_chars = 
auth_verbose = yes
log_path = /var/log/dovecot.log
mail_gid = vmail
mail_home = /home/vmail/private/%u
mail_location = maildir:~/Maildir:LAYOUT=fs:INBOX=~/Maildir/INBOX
mail_uid = vmail
namespace {
  inbox = yes
  location = 
  mailbox Sent {
auto = subscribe
special_use = \Sent
  }
  prefix = 
  separator = /
  subscriptions = yes
  type = private
}
namespace {
  hidden = no
  inbox = no
  list = children
  location =
maildir:/home/vmail/public/%%Lu/Maildir:LAYOUT=fs:INBOX=/home/vmail/public/%%Lu/Maildir/INBOX
prefix = public/%%u/ separator = /
  subscriptions = no
  type = shared
}
passdb {
  args = /etc/dovecot/master-users1
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/master-users2
  driver = passwd-file
  master = yes
}
service auth {
  unix_listener auth-client {
group = 
mode = 0600
user = $default_internal_user
  }
  unix_listener auth-login {
group = 
mode = 0600
user = $default_internal_user
  }
  unix_listener auth-master {
group = 
mode = 0600
user = $default_internal_user
  }
  unix_listener auth-userdb {
group = vmail
mode = 0660
user = $default_internal_user
  }
  unix_listener login/login {
group = 
mode = 0666
user = $default_internal_user
  }
  user = $default_internal_user
}
service imap-login {
  inet_listener imap {
port = 143
  }
}
service imap-postlogin {
  executable = script-login /usr/libexec/dovecot/imap-postlogin
  user = vmail
}
service imap {
  executable = imap imap-postlogin
}
ssl_cert = 

auth_master_user_separator = *

# Example master user passdb using passwd-file. You can use any passdb
though. passdb {
  driver = passwd-file
  master = yes
  args = /etc/dovecot/master-users1

  # Unless you're using PAM, you probably still want the destination
  user to # be looked up from passdb that it really exists. pass=yes
  does that. #pass = yes
}
passdb {
  driver = passwd-file
  master = yes
  args = /etc/dovecot/master-users2

  # Unless you're using PAM, you probably still want the destination
  user to # be looked up from passdb that it really exists. pass=yes
  does that. #pass = yes
}


###
% cat /etc/dovecot/master-users1

master1:{SHA}xxx=::userdb_acl_groups=umareadmaster
allow_nets=127.0.0.1




master2 is the same. 


Greetz

Re: question on autch cache parameters

[matthias lay]

hi teemu,

thx for your reply.

the user is a masteruser that hast a static passwd file. this is where
the ACL_GROUPS is applied


cat /etc/dovecot/passwd.masteruser 
master@uma:{SHA}ojN+jsbELZbRJeRb0qj9+MMjPUs=::userdb_acl_groups=umareadmaster
allow_nets=127.0.0.1
##

* the standard lookup method for users is ldap. only masterusers are in
static user/passdbs
* auth cache is enabled

I cant post my whole conf but will paste the parts you requested.

if its not enough for you to reproduce, I will setup a clean instance
and reproduce it there.


##
# 2.2.16: /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.7
# OS: Linux 3.15.10-dist i686  
auth_cache_negative_ttl = 30 mins
auth_cache_size = 10 k
auth_master_user_separator = *
 snip

default namespace: (maildir gets overwritten by ldap lookup on most
users)

namespace {
  hidden = no
  inbox = no
  list = children
  location =
maildir:/var/data/vmail/public/%%Lu/Maildir:LAYOUT=fs:INBOX=/var/data/vmail/public/%%Lu/Maildir/INBOX
prefix = public/%%u/ separator = /
  subscriptions = no
  type = shared
}

userdb {
  args = uid=vmail gid=vmail home=/var/data/vmail/public/%Ln
  driver = static
}



protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
  mail_plugins = acl notify mailbox_alias imap_acl 
  ssl = yes 
  ssl_cert = /etc/ssl/certs/imap.cert
  ssl_key = /etc/ssl/private/imap.key
  userdb {
args = /etc/dovecot/dovecot-imap-ldap.conf.ext
driver = ldap
name = 
  }
}

##
content of dovecot-imap-ldap.conf.ext:
base = dc=spdev, dc=local

# Filter for user lookups.
user_filter =
((sAMAccountName=%Ln)(!(userAccountControl:1.2.840.113556.1.4.803:=2))((sAMAccountType=805306368)))

# User attributes are given in LDAP-name=dovecot-internal-name list.
user_attrs = name=home=/var/data/vmail/private/%Ln,
=spuser=private/%L{ldap:sAMAccountName}


several masteruser passdbs

passdb {
  args = /etc/dovecot/passwd.masteruser
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/passwd.system
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/passwd.email-shredder
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/passwd.imap-set-del-flag
  driver = passwd-file
  master = yes
}

passdb {
  args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
  driver = ldap
}
# contents of ldap-passdb.conf
# LDAP base.
base = dc=spdev, dc=local

# Filter for user lookups.
user_filter =
((sAMAccountName=%Ln)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))




protocols = imap
service auth {
  unix_listener auth-client {
group = 
mode = 0600
user = $default_internal_user
  }
  unix_listener auth-login {
group = 
mode = 0600
user = $default_internal_user
  }
  unix_listener auth-master {
group = 
mode = 0600
user = $default_internal_user
  }
  unix_listener auth-userdb {
group = vmail
mode = 0660
user = $default_internal_user
  }
  unix_listener login/login {
group = 
mode = 0666
user = $default_internal_user
  }
  user = $default_internal_user
}

##


We use a global ACL file. where masterusers have different rights and
the one mentioned is the only one that gets a ACL_GROUP in passdb.


my guess: it might be related to the several masteruser passdbs point.
but thats just a guess from the outside ;)



hope this helps, if not let me know



greetz Matze






On Thu, 27 Aug 2015 14:37:59 +0300
Teemu Huovila teemu.huov...@dovecot.fi wrote:

 Hello
 
 Thank you for your report. We really appreciate it, especially when
 you can pinpoint a commit.
 
 However, I am unable to reproduce this. Could you post your doveconf
 -n please? Im especially interested in your passdb and userdb
 configurations and auth-cache settings.
 
 br,
 Teemu Huovila
 
 
 On 08/06/2015 01:07 PM, matthias lay wrote:
  hi timo,
  
  I checked out the commit causing this.
  
  its this one:
  
  http://hg.dovecot.org/dovecot-2.2/diff/5e445c659f89/src/auth/auth-request.c#l1.32
  
  
  if I move this block back as it was. everything is fine
  
  
  diff -r a46620d6e0ff -r 5e445c659f89 src/auth/auth-request.c
  --- a/src/auth/auth-request.c   Tue May 05 13:35:52 2015 +0300
  +++ b/src/auth/auth-request.c   Tue May 05 14:16:31 2015 +0300
  @@ -618,30 +627,28 @@
 auth_request_want_skip_passdb(request, next_passdb))
  next_passdb = next_passdb-next;
  
  +   if (*result == PASSDB_RESULT_OK) {
  +   /* this passdb lookup succeeded, preserve its
  extra fields */
  +   auth_fields_snapshot(request-extra_fields);
  +   request-snapshot_have_userdb_prefetch_set =
  +   request-userdb_prefetch_set;
  +   

Re: question on autch cache parameters

[Teemu Huovila]

Hello

Thank you for your report. We really appreciate it, especially when you can 
pinpoint a commit.

However, I am unable to reproduce this. Could you post your doveconf -n please? 
Im especially interested in your passdb and
userdb configurations and auth-cache settings.

br,
Teemu Huovila


On 08/06/2015 01:07 PM, matthias lay wrote:
 hi timo,
 
 I checked out the commit causing this.
 
 its this one:
 
 http://hg.dovecot.org/dovecot-2.2/diff/5e445c659f89/src/auth/auth-request.c#l1.32
 
 
 if I move this block back as it was. everything is fine
 
 
 diff -r a46620d6e0ff -r 5e445c659f89 src/auth/auth-request.c
 --- a/src/auth/auth-request.c Tue May 05 13:35:52 2015 +0300
 +++ b/src/auth/auth-request.c Tue May 05 14:16:31 2015 +0300
 @@ -618,30 +627,28 @@
  auth_request_want_skip_passdb(request, next_passdb))
   next_passdb = next_passdb-next;
 
 + if (*result == PASSDB_RESULT_OK) {
 + /* this passdb lookup succeeded, preserve its extra fields */
 + auth_fields_snapshot(request-extra_fields);
 + request-snapshot_have_userdb_prefetch_set =
 + request-userdb_prefetch_set;
 + if (request-userdb_reply != NULL)
 + auth_fields_snapshot(request-userdb_reply);
 + } else {
 + /* this passdb lookup failed, remove any extra fields it set */
 + auth_fields_rollback(request-extra_fields);
 + if (request-userdb_reply != NULL) {
 + auth_fields_rollback(request-userdb_reply);
 + request-userdb_prefetch_set =
 + request-snapshot_have_userdb_prefetch_set;
 + }
 + }
 +
   if (passdb_continue  next_passdb != NULL) {
   /* try next passdb. */
  request-passdb = next_passdb;
   request-passdb_password = NULL;
 
 - if (*result == PASSDB_RESULT_OK) {
 - /* this passdb lookup succeeded, preserve its extra
 -fields */
 - auth_fields_snapshot(request-extra_fields);
 - request-snapshot_have_userdb_prefetch_set =
 - request-userdb_prefetch_set;
 - if (request-userdb_reply != NULL)
 - auth_fields_snapshot(request-userdb_reply);
 - } else {
 - /* this passdb lookup failed, remove any extra fields
 -it set */
 - auth_fields_rollback(request-extra_fields);
 - if (request-userdb_reply != NULL) {
 - auth_fields_rollback(request-userdb_reply);
 - request-userdb_prefetch_set =
 - 
 request-snapshot_have_userdb_prefetch_set;
 - }
 - }
 -
   if (*result == PASSDB_RESULT_USER_UNKNOWN) {
   /* remember that we did at least one successful
  passdb lookup */
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 On 08/05/2015 05:33 PM, matthias lay wrote:
 just tested against dovecot 2.2.15

 everythings works fine. so might be a bug introduced between 2.2.16 and
 2.2.18





 On 08/05/2015 04:30 PM, matthias lay wrote:
 Hi list,

 I have a question on auth caching in 2.2.18.

 I am using acl_groups for a master user, appended in a static userdb file

 # snip ###
 master@uma:{SHA}=::userdb_acl_groups=umareadmaster
 allow_nets=127.0.0.1
 # snap ###

 and use this group in a global ACL file.
 I discovered this only works on first NOT-cached login



 environment in imap-postlogin script on first login:


 AUTH_TOKEN=e96b5a32ceb2cafc4460c210ad2e92e3d7ab388c
 MASTER_USER=master@uma
 SPUSER=private/pdf
 LOCAL_IP=127.0.0.1
 USER=pdf
 AUTH_USER=master@uma
 PWD=/var/run/dovecot
 USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
 SHLVL=1
 HOME=/var/data/vmail/private/pdf
 ACL_GROUPS=umareadmaster
 IP=127.0.0.1
 _=/usr/bin/env


 on the second cached login it looks like this


 AUTH_TOKEN=12703b11932f233520f6d4b33559c33aeb1cfc7f
 MASTER_USER=master@uma
 SPUSER=private/pdf
 LOCAL_IP=127.0.0.1
 USER=pdf
 AUTH_USER=master@uma
 PWD=/var/run/dovecot
 USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
 SHLVL=1
 HOME=/var/data/vmail/private/pdf
 IP=127.0.0.1
 _=/usr/bin/env

 so the ACL_GROUPS is gone.

 is this intended to be like that.
 so groups not included in cache and I have to find another approach?

 anybody else encountered similar problems with some auth Variables and
 caching?


 Greetz Matze

Re: question on autch cache parameters

[matthias lay]

hi timo,

I checked out the commit causing this.

its this one:

http://hg.dovecot.org/dovecot-2.2/diff/5e445c659f89/src/auth/auth-request.c#l1.32


if I move this block back as it was. everything is fine


diff -r a46620d6e0ff -r 5e445c659f89 src/auth/auth-request.c
--- a/src/auth/auth-request.c   Tue May 05 13:35:52 2015 +0300
+++ b/src/auth/auth-request.c   Tue May 05 14:16:31 2015 +0300
@@ -618,30 +627,28 @@
   auth_request_want_skip_passdb(request, next_passdb))
next_passdb = next_passdb-next;

+   if (*result == PASSDB_RESULT_OK) {
+   /* this passdb lookup succeeded, preserve its extra fields */
+   auth_fields_snapshot(request-extra_fields);
+   request-snapshot_have_userdb_prefetch_set =
+   request-userdb_prefetch_set;
+   if (request-userdb_reply != NULL)
+   auth_fields_snapshot(request-userdb_reply);
+   } else {
+   /* this passdb lookup failed, remove any extra fields it set */
+   auth_fields_rollback(request-extra_fields);
+   if (request-userdb_reply != NULL) {
+   auth_fields_rollback(request-userdb_reply);
+   request-userdb_prefetch_set =
+   request-snapshot_have_userdb_prefetch_set;
+   }
+   }
+
if (passdb_continue  next_passdb != NULL) {
/* try next passdb. */
 request-passdb = next_passdb;
request-passdb_password = NULL;

-   if (*result == PASSDB_RESULT_OK) {
-   /* this passdb lookup succeeded, preserve its extra
-  fields */
-   auth_fields_snapshot(request-extra_fields);
-   request-snapshot_have_userdb_prefetch_set =
-   request-userdb_prefetch_set;
-   if (request-userdb_reply != NULL)
-   auth_fields_snapshot(request-userdb_reply);
-   } else {
-   /* this passdb lookup failed, remove any extra fields
-  it set */
-   auth_fields_rollback(request-extra_fields);
-   if (request-userdb_reply != NULL) {
-   auth_fields_rollback(request-userdb_reply);
-   request-userdb_prefetch_set =
-   
request-snapshot_have_userdb_prefetch_set;
-   }
-   }
-
if (*result == PASSDB_RESULT_USER_UNKNOWN) {
/* remember that we did at least one successful
   passdb lookup */














On 08/05/2015 05:33 PM, matthias lay wrote:
 just tested against dovecot 2.2.15
 
 everythings works fine. so might be a bug introduced between 2.2.16 and
 2.2.18
 
 
 
 
 
 On 08/05/2015 04:30 PM, matthias lay wrote:
 Hi list,

 I have a question on auth caching in 2.2.18.

 I am using acl_groups for a master user, appended in a static userdb file

 # snip ###
 master@uma:{SHA}=::userdb_acl_groups=umareadmaster
 allow_nets=127.0.0.1
 # snap ###

 and use this group in a global ACL file.
 I discovered this only works on first NOT-cached login



 environment in imap-postlogin script on first login:


 AUTH_TOKEN=e96b5a32ceb2cafc4460c210ad2e92e3d7ab388c
 MASTER_USER=master@uma
 SPUSER=private/pdf
 LOCAL_IP=127.0.0.1
 USER=pdf
 AUTH_USER=master@uma
 PWD=/var/run/dovecot
 USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
 SHLVL=1
 HOME=/var/data/vmail/private/pdf
 ACL_GROUPS=umareadmaster
 IP=127.0.0.1
 _=/usr/bin/env


 on the second cached login it looks like this


 AUTH_TOKEN=12703b11932f233520f6d4b33559c33aeb1cfc7f
 MASTER_USER=master@uma
 SPUSER=private/pdf
 LOCAL_IP=127.0.0.1
 USER=pdf
 AUTH_USER=master@uma
 PWD=/var/run/dovecot
 USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
 SHLVL=1
 HOME=/var/data/vmail/private/pdf
 IP=127.0.0.1
 _=/usr/bin/env

 so the ACL_GROUPS is gone.

 is this intended to be like that.
 so groups not included in cache and I have to find another approach?

 anybody else encountered similar problems with some auth Variables and
 caching?


 Greetz Matze

 

question on autch cache parameters

[matthias lay]

Hi list,

I have a question on auth caching in 2.2.18.

I am using acl_groups for a master user, appended in a static userdb file

# snip ###
master@uma:{SHA}=::userdb_acl_groups=umareadmaster
allow_nets=127.0.0.1
# snap ###

and use this group in a global ACL file.
I discovered this only works on first NOT-cached login



environment in imap-postlogin script on first login:


AUTH_TOKEN=e96b5a32ceb2cafc4460c210ad2e92e3d7ab388c
MASTER_USER=master@uma
SPUSER=private/pdf
LOCAL_IP=127.0.0.1
USER=pdf
AUTH_USER=master@uma
PWD=/var/run/dovecot
USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
SHLVL=1
HOME=/var/data/vmail/private/pdf
ACL_GROUPS=umareadmaster
IP=127.0.0.1
_=/usr/bin/env


on the second cached login it looks like this


AUTH_TOKEN=12703b11932f233520f6d4b33559c33aeb1cfc7f
MASTER_USER=master@uma
SPUSER=private/pdf
LOCAL_IP=127.0.0.1
USER=pdf
AUTH_USER=master@uma
PWD=/var/run/dovecot
USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
SHLVL=1
HOME=/var/data/vmail/private/pdf
IP=127.0.0.1
_=/usr/bin/env

so the ACL_GROUPS is gone.

is this intended to be like that.
so groups not included in cache and I have to find another approach?

anybody else encountered similar problems with some auth Variables and
caching?


Greetz Matze

Re: question on autch cache parameters

[matthias lay]

just tested against dovecot 2.2.15

everythings works fine. so might be a bug introduced between 2.2.16 and
2.2.18





On 08/05/2015 04:30 PM, matthias lay wrote:
 Hi list,
 
 I have a question on auth caching in 2.2.18.
 
 I am using acl_groups for a master user, appended in a static userdb file
 
 # snip ###
 master@uma:{SHA}=::userdb_acl_groups=umareadmaster
 allow_nets=127.0.0.1
 # snap ###
 
 and use this group in a global ACL file.
 I discovered this only works on first NOT-cached login
 
 
 
 environment in imap-postlogin script on first login:
 
 
 AUTH_TOKEN=e96b5a32ceb2cafc4460c210ad2e92e3d7ab388c
 MASTER_USER=master@uma
 SPUSER=private/pdf
 LOCAL_IP=127.0.0.1
 USER=pdf
 AUTH_USER=master@uma
 PWD=/var/run/dovecot
 USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
 SHLVL=1
 HOME=/var/data/vmail/private/pdf
 ACL_GROUPS=umareadmaster
 IP=127.0.0.1
 _=/usr/bin/env
 
 
 on the second cached login it looks like this
 
 
 AUTH_TOKEN=12703b11932f233520f6d4b33559c33aeb1cfc7f
 MASTER_USER=master@uma
 SPUSER=private/pdf
 LOCAL_IP=127.0.0.1
 USER=pdf
 AUTH_USER=master@uma
 PWD=/var/run/dovecot
 USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
 SHLVL=1
 HOME=/var/data/vmail/private/pdf
 IP=127.0.0.1
 _=/usr/bin/env
 
 so the ACL_GROUPS is gone.
 
 is this intended to be like that.
 so groups not included in cache and I have to find another approach?
 
 anybody else encountered similar problems with some auth Variables and
 caching?
 
 
 Greetz Matze
 



0x7BCC653A.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature