staging.inyokaproject.org

via DuckDuckGo

Dovecot: Authentifizierung von Systemusern über PAM scheitert

Status: Ungelöst | Ubuntu-Version: Server 22.04 (Jammy Jellyfish)
Antworten |

MrQNo

Anmeldungsdatum:
31. August 2013

Beiträge: 13
Zitieren
16. April 2024 18:25

Liebe Gemeinde,

ich habe einen neuen Server aufgesetzt, da soll wie auf dem alten Dovecot als IMAP-Server laufen und außerdem SASL für Postfix bereitstellen. Gehostet werden sollen zwei Domains: eine virtuelle Mailbox-Domain mit Treiber SQL (die funktioniert) und eine mit Systemnutzern, die sich über PAM anmelden und ihre Mail in ihrem Homeverzeichnis finden. Hier scheitert die Anmeldung, und ich habe keine Ahnung, wonach ich suchen soll.

Systemnutzer loggen sich in SSH mit einem Schlüssel ein, da lässt sich das Pw nicht kontrollieren. Sie können aber sudo ausführen, und da klappt die Passwort-Identifizierung. Ich gehe also davon aus, dass die Einträge in /etc/passwd und /etc/shadow korrekt sind und von PAM auch zugreifbar sind.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
root@bywater ~ # lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.4 LTS
Release:        22.04
Codename:       jammy

root@bywater ~ # doveconf -n
# 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.16 (09c29328)
# OS: Linux 5.15.0-102-generic x86_64 Ubuntu 22.04.4 LTS
# Hostname: bywater.qno.de
auth_debug = yes
auth_debug_passwords = yes
listen = 65.21.136.15, [::]
mail_location = maildir:~/Maildir
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/tables.d/dovecot-sql.conf.ext
  driver = sql
}
passdb {
  args = dovecot
  driver = pam
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
postmaster_address = postmaster@qno.de
protocols = " imap sieve"
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = dovecot
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/imap2.qno.de/fullchain.pem
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
syslog_facility = local0
userdb {
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%u
  driver = static
}
userdb {
  driver = passwd
}
verbose_proctitle = yes

/etc/pam.d/dovecot:
#%PAM-1.0
@include common-auth
@include common-account
@include common-session

root@bywater ~ # doveadm auth test qno 'xxxxxxx'
passdb: qno auth failed
extra fields:
  user=qno

/var/log/auth.log:
Apr 12 18:19:16 bywater unix_chkpwd[611002]: check pass; user unknown
Apr 12 18:19:16 bywater unix_chkpwd[611003]: check pass; user unknown
Apr 12 18:19:16 bywater unix_chkpwd[611003]: password check failed for user (qno)
Apr 12 18:19:16 bywater auth worker: PASSV: pam_unix(dovecot:auth): authentication failure; logname= uid=5000 euid=5000 tty=dovecot ruser=qno rhost=  user=qno

/var/log/dovecot/dovecot.debug:
Apr 12 18:19:16 bywater dovecot: auth: Debug: auth client connected (pid=0)
Apr 12 18:19:16 bywater dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=doveadm#011debug#011resp=cW5vAHFu
bwAhMTRKMDN6ODgu (previous base64 data may contain sensitive data)
Apr 12 18:19:16 bywater dovecot: auth: Debug: sql(qno): Performing passdb lookup
Apr 12 18:19:16 bywater dovecot: auth-worker(610993): Debug: conn unix:auth-worker (pid=610992,uid=110): auth-worker<5>:
 Handling PASSV request
Apr 12 18:19:16 bywater dovecot: auth-worker(610993): Debug: conn unix:auth-worker (pid=610992,uid=110): auth-worker<5>:
 sql(qno): Performing passdb lookup
Apr 12 18:19:16 bywater dovecot: auth-worker(610993): Debug: conn unix:auth-worker (pid=610992,uid=110): auth-worker<5>:
 sql(qno): query: SELECT email as user, password FROM user WHERE email='qno'
Apr 12 18:19:16 bywater dovecot: auth-worker(610993): Debug: mysql(localhost): Finished query 'SELECT email as user, pas
sword FROM user WHERE email='qno'' in 0 msecs
Apr 12 18:19:16 bywater dovecot: auth-worker(610993): Debug: conn unix:auth-worker (pid=610992,uid=110): auth-worker<5>:
 sql(qno): Finished passdb lookup
Apr 12 18:19:16 bywater dovecot: auth-worker(610993): Debug: conn unix:auth-worker (pid=610992,uid=110): auth-worker<5>:
 Finished: user_unknown
Apr 12 18:19:16 bywater dovecot: auth: Debug: sql(qno): Finished passdb lookup
Apr 12 18:19:16 bywater dovecot: auth: Debug: pam(qno): Performing passdb lookup
Apr 12 18:19:16 bywater dovecot: auth-worker(610993): Debug: conn unix:auth-worker (pid=610992,uid=110): auth-worker<6>:
 Handling PASSV request
Apr 12 18:19:16 bywater dovecot: auth-worker(610993): Debug: conn unix:auth-worker (pid=610992,uid=110): auth-worker<6>:
 pam(qno): Performing passdb lookup
Apr 12 18:19:16 bywater dovecot: auth-worker(610993): Debug: conn unix:auth-worker (pid=610992,uid=110): auth-worker<6>:
 pam(qno): lookup service=dovecot
Apr 12 18:19:16 bywater dovecot: auth-worker(610993): Debug: conn unix:auth-worker (pid=610992,uid=110): auth-worker<6>: pam(qno): #1/1 style=1 msg=Password:
Apr 12 18:19:17 bywater dovecot: auth-worker(610993): Debug: conn unix:auth-worker (pid=610992,uid=110): auth-worker<6>: pam(qno): Finished passdb lookup
Apr 12 18:19:17 bywater dovecot: auth-worker(610993): Debug: conn unix:auth-worker (pid=610992,uid=110): auth-worker<6>: Finished: password_mismatch
Apr 12 18:19:17 bywater dovecot: auth: Debug: pam(qno): Finished passdb lookup
Apr 12 18:19:17 bywater dovecot: auth: Debug: auth(qno): Auth request finished

Einloggen mit einem IMAP-Client führt zu ähnlichen Resultaten.

Ich kann auch keinen relevanten Unterschied zur Konfiguration auf dem alten (funktionierenden) Server feststellen. Welchen Fehler sehe ich nicht?

LG QNo
Antworten |