On Tue, 2002-10-29 at 05:01, Hielke Christian Braun wrote:
> I am trying to use dovecot with pam and radius. My users have names
> in the format joe at somedomain.com. When I have pam configured to use
> the normal passwd/shadow files it works fine. With radius it does not.
> I see at the radius server that the domain part of my usernames
> is always replaced with the same domain @nikojet.com. I don't think
> it is a problem with the pam radius, as the same library works fine
> with the solid state pop3 server. Is this a fundamental problem and
> dovecot/imap does not work with usernames which have a domain part or
> is it a bug?

You probably don't have the users in /etc/passwd file too, right? Dovecot currently wants the users to exist there too to get their UID, GID and home directory. I'll change this later so that you could give "gid=123 uid=456 homeroot=/var/mail" options to pam auth and it'd use them for all users.

Or did PAM also support getting that information in some way? I'm not sure exactly..

On Tue, 2002-10-29 at 06:00, Hielke Christian Braun wrote:
> > You probably don't have the users in /etc/passwd file too, right?
>
> I have the users in the passwd and shadow files as I need that for quotas
> to work. Though in the shadow file I don't have the password and only an x.
> The problem must be something else.

Well .. I don't know then really. Since you did get it to work by changing PAM to use shadow auth, Dovecot is doing it at least partly right. Maybe the radius PAM module requires something that Dovecot didn't do..

Looking at Courier's PAM handling, it does pam_setcred() which dovecot doesn't. You could try if doing that helps:

src/auth/userinfo-pam.c, around line 169, insert between pam_authenticate() and pam_acct_mgmt():

    if ((status = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
        if (status == PAM_ABORT)
            i_fatal("pam_setcred_mgmt() requested abort");
        return FALSE;
    }

> Maybe dovecot sets a realm, which is then mistakenly used by
> the pam radius module, but not by the passwd/shadow module?

PAM doesn't have any support for realms AFAIK.

On Thu, 2002-10-31 at 21:32, Hielke Christian Braun wrote:
> It helped a bit. Now the first login to dovecot works fine. The domain part
> of my username is not changed. But after the first login, dovecot
> always sends the username from the first login to the radius server even when
> I login from a different client with a completely different username.

OK, fixed now in CVS. I implemented PAM support pretty wrong.