Hi,

We currently have a postfix/dovecot setup using nss_ldap with PAM for
authentication. Everything is working fine, but there are excessive
"error" messages in /var/log/messages that I'd like to prevent from
happening.

Since auth_userdb defaults to passwd and our users are not in the
passwd file, we get the following message every time a user logs in:

Jul 7 13:34:37 hostname dovecot(pam_unix)[32206]: check pass; user unknown
Jul 7 13:34:37 hostname dovecot(pam_unix)[32206]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost

We of course also get the input that a user has logged in, in /var/log/maillog:

imap-login: Jul 07 13:34:37 Info: Login: username [xxx.xxx.xxx.xxx]

I've tried changing auth_verbose to no, and I still get those messages.
Is there any way to prevent this from happening?

Thanks a lot,
Steve Johnson
On 7.7.2004, at 20:39, Steve Johnson wrote:

> We currently have a postfix/dovecot setup using nss_ldap with PAM for
> authentication. Everything is working fine, but there are excessive
> "error" messages in /var/log/messages that I'd like to prevent from
> happening.
>
> Since auth_userdb defaults to passwd and our users are not in the
> passwd file, we get the following message every time a user logs in:

passwd userdb actually uses NSS (or getpwnam() which uses it) and not
/etc/passwd directly.

> Jul 7 13:34:37 hostname dovecot(pam_unix)[32206]: check pass; user
> unknown
> Jul 7 13:34:37 hostname dovecot(pam_unix)[32206]: authentication
> failure; logname= uid=0 euid=0 tty= ruser= rhost

That's written by the pam_unix PAM module, not Dovecot. Do you have both
pam_unix and pam_ldap in /etc/pam.d/dovecot? Remove the pam_unix.so
lines from there.
Thanks for the clarification. The pam file for dovecot refers to system-auth:

auth     required pam_stack.so service=system-auth
account  required pam_stack.so service=system-auth

Of course, system-auth does indeed have both (and needs both). However, I
tried modifying the dovecot pam file to a few things instead of system-auth,
but can't get it to work. I've tried with just the following:

auth     sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
session  optional   /lib/security/$ISA/pam_ldap.so

And I've also tried with all the system-auth lines, except the pam_unix.so
ones, like this:

auth     required   /lib/security/$ISA/pam_env.so
auth     sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth     required   /lib/security/$ISA/pam_deny.so
password required   /lib/security/$ISA/pam_cracklib.so retry=3 type
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required   /lib/security/$ISA/pam_deny.so
session  required   /lib/security/$ISA/pam_limits.so
session  optional   /lib/security/$ISA/pam_ldap.so

In both of these situations, users can't authenticate. Is there something
I'm doing wrong? I'm not that familiar with pam, so it's a very plausible
cause! :)

Thanks again,
Steve Johnson

On Wed, 2004-07-07 at 13:57, Timo Sirainen wrote:
> On 7.7.2004, at 20:39, Steve Johnson wrote:
>
> > We currently have a postfix/dovecot setup using nss_ldap with PAM for
> > authentication. Everything is working fine, but there are excessive
> > "error" messages in /var/log/messages that I'd like to prevent from
> > happening.
> >
> > Since auth_userdb defaults to passwd and our users are not in the
> > passwd file, we get the following message every time a user logs in:
>
> passwd userdb actually uses NSS (or getpwnam() which uses it) and not
> /etc/passwd directly.
>
> > Jul 7 13:34:37 hostname dovecot(pam_unix)[32206]: check pass; user
> > unknown
> > Jul 7 13:34:37 hostname dovecot(pam_unix)[32206]: authentication
> > failure; logname= uid=0 euid=0 tty= ruser= rhost
>
> That's written by the pam_unix PAM module, not Dovecot. Do you have both
> pam_unix and pam_ldap in /etc/pam.d/dovecot? Remove the pam_unix.so
> lines from there.
Great, thanks a lot, solved the problem. No more annoying logs every 2-5 seconds :)

Steve Johnson

On Wed, 2004-07-07 at 14:39, Ray Miller wrote:
> On Wed, Jul 07, 2004 at 02:21:04PM -0400, Steve Johnson wrote:
> >
> > I've tried with just the following:
> >
> > auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> > password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
> > session optional /lib/security/$ISA/pam_ldap.so
> > [...]
> > In both of these situations, users can't authenticate. Is there
> > something I'm doing wrong? I'm not that familiar with pam, so it's a
> > very plausible cause! :)
>
> I'm fairly sure you don't need the password line, but that's not
> likely to be causing your problem - more likely it's the use_first_pass
> option. Try:
>
> auth required /lib/security/$ISA/pam_ldap.so
> account required /lib/security/$ISA/pam_ldap.so
> password required /lib/security/$ISA/pam_deny.so
> session required /lib/security/$ISA/pam_ldap.so
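As an added example that is not part of the thread: a small POSIX shell lint that checks an /etc/pam.d service file for the two problems discussed above, pam_unix.so in the auth/account stacks (the source of the "user unknown" noise) and use_first_pass on an auth module with nothing before it to supply a password. The sample files it creates are constructed; the missing-account-stack check and the list of modules treated as non-prompting are my assumptions, not something the thread states.

```shell
# Added example, not from the thread: lint an /etc/pam.d service file for the
# problems discussed above. Assumes the "type control module args" format of
# 2004-era Linux-PAM. Usage: pam_lint FILE; prints findings, exits 1 if any.
pam_lint() {
    awk '
    { sub(/#.*/, "") }            # strip comments; awk re-splits the fields
    NF < 3 { next }
    {
        type = $1; n = split($3, p, "/"); mod = p[n]   # basename of module path
        if (mod == "pam_unix.so" && (type == "auth" || type == "account")) {
            printf "%s:%d: %s stack runs pam_unix.so, which logs \"user unknown\" for LDAP-only users\n", FILENAME, FNR, type
            bad = 1
        }
        if (type == "auth") {
            # use_first_pass needs a password stored by an earlier auth module;
            # these modules never prompt, so they do not count (heuristic, assumed)
            if ($0 ~ /use_first_pass/ && prompters == 0) {
                printf "%s:%d: use_first_pass but no earlier auth module collected a password\n", FILENAME, FNR
                bad = 1
            }
            if (mod !~ /^pam_(env|deny|permit|nologin|warn)\.so$/) prompters++
        }
        seen[type] = 1
    }
    END {
        if (("auth" in seen) && !("account" in seen)) {
            printf "%s: auth stack but no account stack; pam_acct_mgmt() fails on an empty stack\n", FILENAME
            bad = 1
        }
        exit (bad ? 1 : 0)
    }' "$1"
}
tmp=$(mktemp -d)   # constructed sample service files follow
cat > "$tmp/noisy" <<'EOF'
auth    sufficient /lib/security/$ISA/pam_unix.so
auth    sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
account required   /lib/security/$ISA/pam_unix.so
EOF
cat > "$tmp/firstpass" <<'EOF'
auth     sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
EOF
cat > "$tmp/fixed" <<'EOF'
auth     required /lib/security/$ISA/pam_ldap.so
account  required /lib/security/$ISA/pam_ldap.so
password required /lib/security/$ISA/pam_deny.so
session  required /lib/security/$ISA/pam_ldap.so
EOF
for f in noisy firstpass fixed; do pam_lint "$tmp/$f" || echo "$f: FAIL"; done
```

The "fixed" sample is Ray's suggested stack and produces no findings; the other two reproduce the noisy and the non-authenticating configurations from the thread.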