Hi

Dovecot fails to chdir() into users home directory giving the following error:

Oct 9 16:43:49 jura dovecot: dovecot: Fatal: chdir(/a/home/mina) failed: Permission denied (euid=11180(mina) egid=11332(devel) missing +x perm: /a/home)
Oct 9 16:43:49 jura dovecot: dovecot: child 14441 (imap) returned error 89 (Fatal failure)

The reason seems to be that user primary group is "devel" and directory /a/home has ACL which gives execute permission only to the users in "domain users" group. Now the catch is that the user _is_ member of "domain users" group and is happily accessing his home directory over CIFS(Samba) for long time. Also, the user has no problem entering his home directory when using shell access. It just seems like the user lost membership of a bunch of supplementary groups. The group membership info is coming from M$ PDC via winbind and NSS.

We have few users and can change the users primary group and/or relax the /a/home directory ACL, but overall this is not right. Shall I shut up or can we hope for a fix or at least explanation?

Thanks

jura:/a # ls -la
drwxrws--T+ 3 root domain admins 18 Oct 8 15:10 home
jura:/a # getfacl home/
# file: home
# owner: root
# group: domain\040admins
user::rwx
group::rwx
group:domain\040users:--x
mask::rwx
other::---

--
Vallo

On 10/9/2009, Vallo Kallaste (kalts at estpak.ee) wrote:
> Dovecot fails to chdir() into users home directory giving the following error:

DC version / dovecot -n?

--
Best regards,
Charles

On Oct 9, 2009, at 11:14 AM, Vallo Kallaste wrote:
> The reason seems to be that user primary group is "devel" and directory /a/home
> has ACL which gives execute permission only to the users in "domain users"
> group. Now the catch is that the user _is_ member of "domain users" group and
> is happily accessing his home directory over CIFS(Samba) for long time.

What does Dovecot log with auth_debug=yes?

On Fri, Oct 09, 2009 at 11:26:19AM -0400, Timo Sirainen <tss at iki.fi> wrote:
> On Oct 9, 2009, at 11:14 AM, Vallo Kallaste wrote:
>
> >The reason seems to be that user primary group is "devel" and
> >directory /a/home has ACL which gives execute permission only to the
> >users in "domain users" group. Now the catch is that the user _is_
> >member of "domain users" group and is happily accessing his home
> >directory over CIFS(Samba) for long time.
>
> What does Dovecot log with auth_debug=yes?
>

Oct 9 18:53:49 jura dovecot: auth(default): client in: AUTH 1 PLAIN service=imap secured lip=192.168.10.3 rip=192.168.25.1 lport=143 rport=3659
Oct 9 18:53:49 jura dovecot: auth(default): client out: CONT 1
Oct 9 18:53:49 jura dovecot: auth(default): client in: CONT<hidden>
Oct 9 18:53:49 jura dovecot: auth-worker(default): pam(ftest,192.168.25.1): lookup service=dovecot
Oct 9 18:53:49 jura dovecot: auth-worker(default): pam(ftest,192.168.25.1): #1/1 style=1 msg=Password:
Oct 9 18:53:49 jura dovecot: auth(default): client out: OK 1 user=ftest
Oct 9 18:53:49 jura dovecot: auth(default): master in: REQUEST 36 26941 1
Oct 9 18:53:49 jura dovecot: auth(default): passwd(ftest,192.168.25.1): lookup
Oct 9 18:53:49 jura dovecot: auth(default): master out: USER 36 ftest system_groups_user=ftest uid=11745 gid=11332 home=/a/home/ftest
Oct 9 18:53:49 jura dovecot: imap-login: Login: user=<ftest>, method=PLAIN, rip=192.168.25.1, lip=192.168.10.3, TLS
Oct 9 18:53:49 jura dovecot: dovecot: Fatal: chdir(/a/home/ftest) failed: Permission denied (euid=11745(ftest) egid=11332(devel) missing +x perm: /a/home)
Oct 9 18:53:49 jura dovecot: dovecot: child 26943 (imap) returned error 89 (Fatal failure)

Uid/gid are right, gid=11332 is group "devel".
The user has several supplementary groups which are something like this (mangled):

jura:~ # id ftest
uid=11745(ftest) gid=11332(devel) groups=11332(devel),11812(xxx),11813(xxx_test),10513(domain users),11472(xxxmonitor),11409(monitor),11354(offline_xxx_mon),11323(it),11456(YYY),11237(ZZZZ)

--
Vallo

On Oct 9, 2009, at 11:14 AM, Vallo Kallaste wrote:
> Oct 9 16:43:49 jura dovecot: dovecot: Fatal: chdir(/a/home/mina) failed: Permission denied (euid=11180(mina) egid=11332(devel) missing +x perm: /a/home)

Oh, right, this happens before execing imap. Hmm. Well, mail_drop_priv_before_exec=yes probably helps you. I'll have to figure out if I should change something here..
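
Added example, not part of the thread and not Dovecot code: a C model of the POSIX ACL check on /a/home, using the ACL and the ids posted above, showing that a process holding only the primary gid 11332 is refused +x while one that also holds the supplementary groups from `id ftest` is allowed. The gid for "domain admins" is a constructed placeholder, and `acl_permits` and `ftest_can_enter` are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

enum { X = 1, W = 2, R = 4 };
struct acl_group { gid_t gid; int perms; };
struct dir_acl {
    uid_t owner; int owner_perms, mask, other_perms;  /* user::, mask::, other:: */
    const struct acl_group *groups; size_t ngroups;   /* group:: and group:NAME: */
};
struct creds { uid_t euid; gid_t egid; const gid_t *supp; size_t nsupp; };

static bool in_group(const struct creds *c, gid_t gid)
{
    if (c->egid == gid) return true;
    for (size_t i = 0; i < c->nsupp; i++)
        if (c->supp[i] == gid) return true;
    return false;
}

/* Owner first, then the group class (masked), then other. Named user
 * entries and the root override are left out: neither applies here. */
bool acl_permits(const struct dir_acl *a, const struct creds *c, int want)
{
    bool matched = false;
    if (c->euid == a->owner) return (a->owner_perms & want) == want;
    for (size_t i = 0; i < a->ngroups; i++) {
        if (!in_group(c, a->groups[i].gid)) continue;
        matched = true;
        if ((a->groups[i].perms & a->mask & want) == want) return true;
    }
    /* A matching group entry that grants nothing does not fall back to other. */
    return matched ? false : (a->other_perms & want) == want;
}

#define GID_DOMAIN_ADMINS 99999 /* constructed placeholder, gid not in the thread */
static const struct acl_group home_groups[] = {
    { GID_DOMAIN_ADMINS, R | W | X },  /* group::rwx (owning group) */
    { 10513, X },                      /* group:domain users:--x */
};
static const struct dir_acl a_home = { 0, R | W | X, R | W | X, 0, home_groups, 2 };
static const gid_t ftest_supp[] = { 11332, 11812, 11813, 10513, 11472,
                                    11409, 11354, 11323, 11456, 11237 };
bool ftest_can_enter(bool with_supp)   /* uid/gid taken from the auth log */
{
    struct creds c = { 11745, 11332, with_supp ? ftest_supp : NULL, with_supp ? 10 : 0 };
    return acl_permits(&a_home, &c, X);
}
int main(void) { return !(ftest_can_enter(true) && !ftest_can_enter(false)); }
```

On the affected host, comparing `id ftest` with the `Groups:` line in `/proc/<pid>/status` of the running process shows which of the two cases a given process is in.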