Reuben Farrelly
2015-May-07 11:32 UTC
Additional userdb variables in passwd [was Re: Dovecot Replication - Architecture Endianness?]
On 7/05/2015 7:49 AM, Timo Sirainen wrote:
> On 06 May 2015, at 13:52, Reuben Farrelly <reuben-dovecot at reub.net> wrote:
>>
>> On 4/05/2015 11:06 PM, Teemu Huovila wrote:
>>>> Also is there a way to restrict replication users aside from a crude hack around system first and last UIDs?
>>> You can set the userdb to return an empty mail_replica variable for users you want to exclude from replication.
>>> http://hg.dovecot.org/dovecot-2.2/rev/c1c67bdc8752
>>>
>>> br,
>>> Teemu Huovila
>>
>> One last question. Is it possible to achieve this with system users and PAM or do I need to basically create a new static userdb for system users?
>
> You can create a new userdb passwd-file that adds extra fields. So something like:
>
> userdb {
>   driver = passwd
>   result_success = continue-ok
> }
>
> userdb {
>   driver = passwd-file
>   args = /etc/dovecot/passwd.extra
>   skip = notfound
> }

This doesn't seem to work for me and my config has that exact config. My password.extra file has just one line for the one account I am testing with at the moment:

user1:::::::userdb_mail_replica=tcps:lightning.reub.net:4813,userdb_mail_replica=tcp:pi.x.y:4814

This breaks access for other system users such as my own account which do not have entries:

ay 7 21:19:06 tornado.reub.net dovecot: imap-login: Internal login failure (pid=22573 id=1) (internal failure, 1 successful auths): user=<reuben>, auth-method=PLAIN, remote=2001:44b8:31d4:1311::50, local=2001:44b8:31d4:1310::20, TLS

which then starts soon spitting this out 10s of times per second in the mail log:

May 7 21:19:32 tornado.reub.net dovecot: auth-worker(23738): Error: Auth worker sees different passdbs/userdbs than auth server. Maybe config just changed and this goes away automatically?

This is with -hg latest as of now.

This system uses PAM for local users. Do I need to replicate all of the system users including those who do not need any extra settings, in the passwd.extra file too?

Is my syntax above for two mail_replica servers correct?

Thanks,
Reuben
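An added example, not code from the thread or from Dovecot itself: a Python parser for the passwd-file record layout used by the passwd.extra file above, assuming the documented user:password:uid:gid:gecos:home:shell:extra_fields layout with space-separated key=value extra fields. Run over a constructed copy of the line quoted above, it shows how that comma-joined value is actually split into extra fields, and reports which of a given set of system users have no record in the file at all (the situation the "Authenticated user not found from userdb" log lines describe).

```python
"""Dovecot passwd-file record parser plus a coverage check (added example).
Assumed layout: user:password:uid:gid:gecos:home:shell:extra_fields,
with extra_fields a space-separated list of key=value pairs."""
from typing import Dict, Iterable, List, Tuple

FIELD_NAMES = ("user", "password", "uid", "gid", "gecos", "home", "shell", "extra")


def parse_passwd_file_line(line: str) -> Dict[str, object]:
    """Split one record into its eight columns and parse the extra fields."""
    # Only the first seven colons delimit columns; the extra-fields column
    # routinely contains colons itself (tcps:host:port), so cap the split.
    parts = line.rstrip("\n").split(":", 7)
    if not parts[0]:
        raise ValueError("record has an empty username")
    parts += [""] * (len(FIELD_NAMES) - len(parts))  # tolerate short records
    record: Dict[str, object] = dict(zip(FIELD_NAMES, parts))
    extras: List[Tuple[str, str]] = []
    for token in str(record["extra"]).split():  # whitespace separates pairs
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"extra field is not key=value: {token!r}")
        extras.append((key, value))
    record["extra"] = extras
    return record


def users_without_entries(passwd_file_text: str, users: Iterable[str]) -> List[str]:
    """Return the given users that have no record in the file (blank lines ignored)."""
    present = {str(parse_passwd_file_line(raw)["user"])
               for raw in passwd_file_text.splitlines() if raw.strip()}
    return sorted(u for u in users if u not in present)


# Constructed sample: the single-line passwd.extra quoted in the thread above.
SAMPLE_PASSWD_EXTRA = ("user1:::::::userdb_mail_replica=tcps:lightning.reub.net:4813,"
                       "userdb_mail_replica=tcp:pi.x.y:4814\n")

if __name__ == "__main__":
    # The comma is not a pair separator: one key with a comma-joined value.
    print(parse_passwd_file_line(SAMPLE_PASSWD_EXTRA)["extra"])
    # 'reuben', the account failing in the logs, has no record in the file.
    print(users_without_entries(SAMPLE_PASSWD_EXTRA, ["user1", "reuben"]))
```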
Teemu Huovila
2015-May-08 08:10 UTC
Additional userdb variables in passwd [was Re: Dovecot Replication - Architecture Endianness?]
On 05/07/2015 02:32 PM, Reuben Farrelly wrote:
> On 7/05/2015 7:49 AM, Timo Sirainen wrote:
>> On 06 May 2015, at 13:52, Reuben Farrelly <reuben-dovecot at reub.net> wrote:
>>>
>>> On 4/05/2015 11:06 PM, Teemu Huovila wrote:
>>>>> Also is there a way to restrict replication users aside from a crude hack around system first and last UIDs?
>>>> You can set the userdb to return an empty mail_replica variable for users you want to exclude from replication.
>>>> http://hg.dovecot.org/dovecot-2.2/rev/c1c67bdc8752
>>>>
>>>> br,
>>>> Teemu Huovila
>>>
>>> One last question. Is it possible to achieve this with system users and PAM or do I need to basically create a new static userdb for system users?
>>
>> You can create a new userdb passwd-file that adds extra fields. So something like:
>>
>> userdb {
>>   driver = passwd
>>   result_success = continue-ok
>> }
>>
>> userdb {
>>   driver = passwd-file
>>   args = /etc/dovecot/passwd.extra
>>   skip = notfound
>> }
>
> This doesn't seem to work for me and my config has that exact config. My password.extra file has just one line for the one account I am testing with at the moment:
>
> user1:::::::userdb_mail_replica=tcps:lightning.reub.net:4813,userdb_mail_replica=tcp:pi.x.y:4814
>
> This breaks access for other system users such as my own account which do not have entries:
>
> ay 7 21:19:06 tornado.reub.net dovecot: imap-login: Internal login failure (pid=22573 id=1) (internal failure, 1 successful auths): user=<reuben>, auth-method=PLAIN, remote=2001:44b8:31d4:1311::50, local=2001:44b8:31d4:1310::20, TLS
>
> which then starts soon spitting this out 10s of times per second in the mail log:
>
> May 7 21:19:32 tornado.reub.net dovecot: auth-worker(23738): Error: Auth worker sees different passdbs/userdbs than auth server. Maybe config just changed and this goes away automatically?
>
> This is with -hg latest as of now.
>
> This system uses PAM for local users. Do I need to replicate all of the system users including those who do not need any extra settings, in the passwd.extra file too?
>
> Is my syntax above for two mail_replica servers correct?

A bit unsure about the config syntax, so I cannot advise on that, but there were some bugs in auth yesterday. Maybe you could retest with f2a8e1793718 or newer. Make sure configs on both sides are in sync.

Thank you for your continued testing,
Teemu Huovila
Reuben Farrelly
2015-May-08 13:04 UTC
Additional userdb variables in passwd [was Re: Dovecot Replication - Architecture Endianness?]
On 8/05/2015 6:10 PM, Teemu Huovila wrote:
> On 05/07/2015 02:32 PM, Reuben Farrelly wrote:
>> On 7/05/2015 7:49 AM, Timo Sirainen wrote:
>>> On 06 May 2015, at 13:52, Reuben Farrelly <reuben-dovecot at reub.net> wrote:
>>>>
>>>> On 4/05/2015 11:06 PM, Teemu Huovila wrote:
>>>>>> Also is there a way to restrict replication users aside from a crude hack around system first and last UIDs?
>>>>> You can set the userdb to return an empty mail_replica variable for users you want to exclude from replication.
>>>>> http://hg.dovecot.org/dovecot-2.2/rev/c1c67bdc8752
>>>>>
>>>>> br, Teemu Huovila
>>>>
>>>> One last question. Is it possible to achieve this with system users and PAM or do I need to basically create a new static userdb for system users?
>>>
>>> You can create a new userdb passwd-file that adds extra fields. So something like:
>>>
>>> userdb {
>>>   driver = passwd
>>>   result_success = continue-ok
>>> }
>>>
>>> userdb {
>>>   driver = passwd-file
>>>   args = /etc/dovecot/passwd.extra
>>>   skip = notfound
>>> }
>>
>> This doesn't seem to work for me and my config has that exact config. My password.extra file has just one line for the one account I am testing with at the moment:
>>
>> user1:::::::userdb_mail_replica=tcps:lightning.reub.net:4813,userdb_mail_replica=tcp:pi.x.y:4814
>>
>> This breaks access for other system users such as my own account which do not have entries:
>>
>> ay 7 21:19:06 tornado.reub.net dovecot: imap-login: Internal login failure (pid=22573 id=1) (internal failure, 1 successful auths): user=<reuben>, auth-method=PLAIN, remote=2001:44b8:31d4:1311::50, local=2001:44b8:31d4:1310::20, TLS
>>
>> which then starts soon spitting this out 10s of times per second in the mail log:
>>
>> May 7 21:19:32 tornado.reub.net dovecot: auth-worker(23738): Error: Auth worker sees different passdbs/userdbs than auth server. Maybe config just changed and this goes away automatically?
>>
>> This is with -hg latest as of now.
>>
>> This system uses PAM for local users. Do I need to replicate all of the system users including those who do not need any extra settings, in the passwd.extra file too?
>>
>> Is my syntax above for two mail_replica servers correct?
>
> A bit unsure about the config syntax, so I can not advice on that, but there were some bugs in auth yesterday. Maybe you could retest with f2a8e1793718 or newer. Make sure configs on both sides are in sync.
>
> Thank you for your continued testing, Teemu Huovila

With -hg as of now it's still not any better:

tornado log # dovecot --version
2.2.16 (f2a8e1793718+)
tornado log #

==================
# System users (NSS, /etc/passwd, or similiar). In many systems nowadays this
# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
userdb {
  # <doc/wiki/AuthDatabase.Passwd.txt>
  driver = passwd
  # [blocking=no]
  #args

  # Override fields from passwd
  #override_fields = home=/home/virtual/%u
  result_success = continue-ok
}

# Add some extra fields such as replication..
userdb {
  driver = passwd-file
  args = /etc/dovecot/passwd.extra
  skip = notfound
}
=============

May 8 22:59:11 tornado.reub.net dovecot: imap: Error: Authenticated user not found from userdb, auth lookup id=586547201 (client-pid=29035 client-id=1)
May 8 22:59:11 tornado.reub.net dovecot: imap-login: Internal login failure (pid=29035 id=1) (internal failure, 1 successful auths): user=<reuben>, auth-method=PLAIN, remote=2001:44b8:31d4:1311::50, local=2001:44b8:31d4:1310::20, TLS

It logs an awful lot of those lines in short succession also, at least 15 per second...

Reuben