hi timo,
I checked out the commit causing this.
its this one:
http://hg.dovecot.org/dovecot-2.2/diff/5e445c659f89/src/auth/auth-request.c#l1.32
If I move this block back to where it was, everything is fine.
diff -r a46620d6e0ff -r 5e445c659f89 src/auth/auth-request.c
--- a/src/auth/auth-request.c Tue May 05 13:35:52 2015 +0300
+++ b/src/auth/auth-request.c Tue May 05 14:16:31 2015 +0300
@@ -618,30 +627,28 @@
auth_request_want_skip_passdb(request, next_passdb))
next_passdb = next_passdb->next;
+ if (*result == PASSDB_RESULT_OK) {
+ /* this passdb lookup succeeded, preserve its extra fields */
+ auth_fields_snapshot(request->extra_fields);
+ request->snapshot_have_userdb_prefetch_set +
request->userdb_prefetch_set;
+ if (request->userdb_reply != NULL)
+ auth_fields_snapshot(request->userdb_reply);
+ } else {
+ /* this passdb lookup failed, remove any extra fields it set */
+ auth_fields_rollback(request->extra_fields);
+ if (request->userdb_reply != NULL) {
+ auth_fields_rollback(request->userdb_reply);
+ request->userdb_prefetch_set +
request->snapshot_have_userdb_prefetch_set;
+ }
+ }
+
if (passdb_continue && next_passdb != NULL) {
/* try next passdb. */
request->passdb = next_passdb;
request->passdb_password = NULL;
- if (*result == PASSDB_RESULT_OK) {
- /* this passdb lookup succeeded, preserve its extra
- fields */
- auth_fields_snapshot(request->extra_fields);
- request->snapshot_have_userdb_prefetch_set -
request->userdb_prefetch_set;
- if (request->userdb_reply != NULL)
- auth_fields_snapshot(request->userdb_reply);
- } else {
- /* this passdb lookup failed, remove any extra fields
- it set */
- auth_fields_rollback(request->extra_fields);
- if (request->userdb_reply != NULL) {
- auth_fields_rollback(request->userdb_reply);
- request->userdb_prefetch_set -
request->snapshot_have_userdb_prefetch_set;
- }
- }
-
if (*result == PASSDB_RESULT_USER_UNKNOWN) {
/* remember that we did at least one successful
passdb lookup */
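Review bot: The snapshot/rollback of request->extra_fields now runs for every passdb result, not only when a further passdb is about to be tried, so on the last passdb the new code also calls auth_fields_snapshot()/auth_fields_rollback() before the request finishes; the reported symptom (userdb_acl_groups present on the first login, missing on the cached one) suggests that this later snapshot/rollback state is what the cache write ends up seeing, though the cache path itself is outside the hunk and this is an inference. The original placement scoped the rollback to the `passdb_continue && next_passdb != NULL` branch, where its purpose — keeping extra fields set by a failed lookup (such as the allow_nets seen in the reporter's passwd-file entry) from surviving into the next passdb's result — is self-evident, and whatever the final placement I would keep that intent written above the block: `/* snapshot/rollback here so fields set by a failed passdb lookup never leak into a later passdb's result or into the cache */`. Note that the pasted hunk shows `request->snapshot_have_userdb_prefetch_set +` and `request->userdb_prefetch_set -` with the right-hand side on the following line; that is a mail-encoding artifact of an `=` at a wrapped line end, not a change made by the commit. The enclosing function starts and ends outside the hunk, and the same hunk is quoted again twice further down the thread.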
On 08/05/2015 05:33 PM, matthias lay wrote:> just tested against dovecot 2.2.15
>
> everything works fine, so it might be a bug introduced between 2.2.16 and
> 2.2.18
>
>
>
>
>
> On 08/05/2015 04:30 PM, matthias lay wrote:
>> Hi list,
>>
>> I have a question on auth caching in 2.2.18.
>>
>> I am using acl_groups for a master user, appended in a static userdb
file
>>
>> # snip ###############################
>> master at uma:{SHA}XXXX=::::::userdb_acl_groups=umareadmaster
>> allow_nets=127.0.0.1
>> # snap ###############################
>>
>> and use this group in a global ACL file.
>> I discovered this only works on first NOT-cached login
>>
>>
>>
>> environment in imap-postlogin script on first login:
>>
>>
>> AUTH_TOKEN=e96b5a32ceb2cafc4460c210ad2e92e3d7ab388c
>> MASTER_USER=master at uma
>> SPUSER=private/pdf
>> LOCAL_IP=127.0.0.1
>> USER=pdf
>> AUTH_USER=master at uma
>> PWD=/var/run/dovecot
>> USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
>> SHLVL=1
>> HOME=/var/data/vmail/private/pdf
>> ACL_GROUPS=umareadmaster
>> IP=127.0.0.1
>> _=/usr/bin/env
>>
>>
>> on the second cached login it looks like this
>>
>>
>> AUTH_TOKEN=12703b11932f233520f6d4b33559c33aeb1cfc7f
>> MASTER_USER=master at uma
>> SPUSER=private/pdf
>> LOCAL_IP=127.0.0.1
>> USER=pdf
>> AUTH_USER=master at uma
>> PWD=/var/run/dovecot
>> USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
>> SHLVL=1
>> HOME=/var/data/vmail/private/pdf
>> IP=127.0.0.1
>> _=/usr/bin/env
>>
>> so the ACL_GROUPS is gone.
>>
>> Is this intended to be like that,
>> so groups are not included in the cache and I have to find another approach?
>>
>> Has anybody else encountered similar problems with some auth variables and
>> caching?
>>
>>
>> Greetz Matze
>>
>
Hello Thank you for your report. We really appreciate it, especially when you can pinpoint a commit. However, I am unable to reproduce this. Could you post your doveconf -n please? Im especially interested in your passdb and userdb configurations and auth-cache settings. br, Teemu Huovila On 08/06/2015 01:07 PM, matthias lay wrote:> hi timo, > > I checked out the commit causing this. > > its this one: > > http://hg.dovecot.org/dovecot-2.2/diff/5e445c659f89/src/auth/auth-request.c#l1.32 > > > if I move this block back as it was. everything is fine > > > diff -r a46620d6e0ff -r 5e445c659f89 src/auth/auth-request.c > --- a/src/auth/auth-request.c Tue May 05 13:35:52 2015 +0300 > +++ b/src/auth/auth-request.c Tue May 05 14:16:31 2015 +0300 
> @@ -618,30 +627,28 @@ > auth_request_want_skip_passdb(request, next_passdb)) > next_passdb = next_passdb->next; > > + if (*result == PASSDB_RESULT_OK) { > + /* this passdb lookup succeeded, preserve its extra fields */ > + auth_fields_snapshot(request->extra_fields); > + request->snapshot_have_userdb_prefetch_set > + request->userdb_prefetch_set; > + if (request->userdb_reply != NULL) > + auth_fields_snapshot(request->userdb_reply); > + } else { > + /* this passdb lookup failed, remove any extra fields it set */ > + auth_fields_rollback(request->extra_fields); > + if (request->userdb_reply != NULL) { > + auth_fields_rollback(request->userdb_reply); > + request->userdb_prefetch_set > + request->snapshot_have_userdb_prefetch_set; > + } > + } > + > if (passdb_continue && next_passdb != NULL) { > /* try next passdb. */ > request->passdb = next_passdb; > request->passdb_password = NULL; > > - if (*result == PASSDB_RESULT_OK) { > - /* this passdb lookup succeeded, preserve its extra > - fields */ > - auth_fields_snapshot(request->extra_fields); > - request->snapshot_have_userdb_prefetch_set > - request->userdb_prefetch_set; > - if (request->userdb_reply != NULL) > - auth_fields_snapshot(request->userdb_reply); > - } else { > - /* this passdb lookup failed, remove any extra fields > - it set */ > - auth_fields_rollback(request->extra_fields); > - if (request->userdb_reply != NULL) { > - auth_fields_rollback(request->userdb_reply); > - request->userdb_prefetch_set > - request->snapshot_have_userdb_prefetch_set; > - } > - } > - > if (*result == PASSDB_RESULT_USER_UNKNOWN) { > /* remember that we did at least one successful > passdb lookup */ > > > > > > > > > > > > > > > On 08/05/2015 05:33 PM, matthias lay wrote: >> just tested against dovecot 2.2.15 >> >> everythings works fine. so might be a bug introduced between 2.2.16 and >> 2.2.18 >> >> >> >> >> >> On 08/05/2015 04:30 PM, matthias lay wrote: >>> Hi list, >>> >>> I have a question on auth caching in 2.2.18. 
>>> >>> I am using acl_groups for a master user, appended in a static userdb file >>> >>> # snip ############################### >>> master at uma:{SHA}XXXX=::::::userdb_acl_groups=umareadmaster >>> allow_nets=127.0.0.1 >>> # snap ############################### >>> >>> and use this group in a global ACL file. >>> I discovered this only works on first NOT-cached login >>> >>> >>> >>> environment in imap-postlogin script on first login: >>> >>> >>> AUTH_TOKEN=e96b5a32ceb2cafc4460c210ad2e92e3d7ab388c >>> MASTER_USER=master at uma >>> SPUSER=private/pdf >>> LOCAL_IP=127.0.0.1 >>> USER=pdf >>> AUTH_USER=master at uma >>> PWD=/var/run/dovecot >>> USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER >>> SHLVL=1 >>> HOME=/var/data/vmail/private/pdf >>> ACL_GROUPS=umareadmaster >>> IP=127.0.0.1 >>> _=/usr/bin/env >>> >>> >>> on the second cached login it looks like this >>> >>> >>> AUTH_TOKEN=12703b11932f233520f6d4b33559c33aeb1cfc7f >>> MASTER_USER=master at uma >>> SPUSER=private/pdf >>> LOCAL_IP=127.0.0.1 >>> USER=pdf >>> AUTH_USER=master at uma >>> PWD=/var/run/dovecot >>> USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER >>> SHLVL=1 >>> HOME=/var/data/vmail/private/pdf >>> IP=127.0.0.1 >>> _=/usr/bin/env >>> >>> so the ACL_GROUPS is gone. >>> >>> is this intended to be like that. >>> so groups not included in cache and I have to find another approach? >>> >>> anybody else encountered similar problems with some auth Variables and >>> caching? >>> >>> >>> Greetz Matze >>> >>
hi teemu,
thx for your reply.
The user is a master user that has a static passwd file. This is where
the ACL_GROUPS is applied.
############
cat /etc/dovecot/passwd.masteruser
master at
uma:{SHA}ojN+jsbELZbRJeRb0qj9+MMjPUs=::::::userdb_acl_groups=umareadmaster
allow_nets=127.0.0.1
##########
* the standard lookup method for users is ldap. only masterusers are in
static user/passdbs
* auth cache is enabled
I can't post my whole conf, but I will paste the parts you requested.
If it's not enough for you to reproduce, I will set up a clean instance
and reproduce it there.
######################################################################################################################
# 2.2.16: /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.7
# OS: Linux 3.15.10-dist i686
auth_cache_negative_ttl = 30 mins
auth_cache_size = 10 k
auth_master_user_separator = *
#### snip
default namespace: (maildir gets overwritten by ldap lookup on most
users)
namespace {
hidden = no
inbox = no
list = children
location =
maildir:/var/data/vmail/public/%%Lu/Maildir:LAYOUT=fs:INBOX=/var/data/vmail/public/%%Lu/Maildir/INBOX
prefix = public/%%u/ separator = /
subscriptions = no
type = shared
}
userdb {
args = uid=vmail gid=vmail home=/var/data/vmail/public/%Ln
driver = static
}
....
protocol imap {
imap_client_workarounds = tb-extra-mailbox-sep
mail_plugins = acl notify mailbox_alias imap_acl
ssl = yes
ssl_cert = </etc/ssl/certs/imap.cert
ssl_key = </etc/ssl/private/imap.key
userdb {
args = /etc/dovecot/dovecot-imap-ldap.conf.ext
driver = ldap
name =
}
}
##########################
content of dovecot-imap-ldap.conf.ext:
base = "dc=spdev, dc=local"
# Filter for user lookups.
user_filter =
(&(sAMAccountName=%Ln)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(&(sAMAccountType=805306368)))
# User attributes are given in LDAP-name=dovecot-internal-name list.
user_attrs = name=home=/var/data/vmail/private/%Ln,
=spuser=private/%L{ldap:sAMAccountName}
####################
several masteruser passdbs
passdb {
args = /etc/dovecot/passwd.masteruser
driver = passwd-file
master = yes
}
passdb {
args = /etc/dovecot/passwd.system
driver = passwd-file
master = yes
}
passdb {
args = /etc/dovecot/passwd.email-shredder
driver = passwd-file
master = yes
}
passdb {
args = /etc/dovecot/passwd.imap-set-del-flag
driver = passwd-file
master = yes
}
passdb {
args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
driver = ldap
}
############# contents of ldap-passdb.conf
# LDAP base.
base = "dc=spdev, dc=local"
# Filter for user lookups.
user_filter =
(&(sAMAccountName=%Ln)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
############
protocols = imap
service auth {
unix_listener auth-client {
group =
mode = 0600
user = $default_internal_user
}
unix_listener auth-login {
group =
mode = 0600
user = $default_internal_user
}
unix_listener auth-master {
group =
mode = 0600
user = $default_internal_user
}
unix_listener auth-userdb {
group = vmail
mode = 0660
user = $default_internal_user
}
unix_listener login/login {
group =
mode = 0666
user = $default_internal_user
}
user = $default_internal_user
}
##########################################################################################################
We use a global ACL file, where master users have different rights, and
the one mentioned is the only one that gets an ACL_GROUP in passdb.
My guess: it might be related to the "several masteruser passdbs"
point,
but that's just a guess from the outside ;)
hope this helps, if not let me know
greetz Matze
On Thu, 27 Aug 2015 14:37:59 +0300
Teemu Huovila <teemu.huovila at dovecot.fi> wrote:
> Hello
>
> Thank you for your report. We really appreciate it, especially when
> you can pinpoint a commit.
>
> However, I am unable to reproduce this. Could you post your doveconf
> -n please? I'm especially interested in your passdb and userdb
> configurations and auth-cache settings.
>
> br,
> Teemu Huovila
>
>
> On 08/06/2015 01:07 PM, matthias lay wrote:
> > hi timo,
> >
> > I checked out the commit causing this.
> >
> > its this one:
> >
> >
http://hg.dovecot.org/dovecot-2.2/diff/5e445c659f89/src/auth/auth-request.c#l1.32
> >
> >
> > if I move this block back as it was. everything is fine
> >
> >
> > diff -r a46620d6e0ff -r 5e445c659f89 src/auth/auth-request.c
> > --- a/src/auth/auth-request.c Tue May 05 13:35:52 2015 +0300
> > +++ b/src/auth/auth-request.c Tue May 05 14:16:31 2015 +0300
> > @@ -618,30 +627,28 @@
> > auth_request_want_skip_passdb(request, next_passdb))
> > next_passdb = next_passdb->next;
> >
> > + if (*result == PASSDB_RESULT_OK) {
> > + /* this passdb lookup succeeded, preserve its
> > extra fields */
> > + auth_fields_snapshot(request->extra_fields);
> > + request->snapshot_have_userdb_prefetch_set > > +
request->userdb_prefetch_set;
> > + if (request->userdb_reply != NULL)
> > +
> > auth_fields_snapshot(request->userdb_reply);
> > + } else {
> > + /* this passdb lookup failed, remove any extra
> > fields it set */
> > + auth_fields_rollback(request->extra_fields);
> > + if (request->userdb_reply != NULL) {
> > +
> > auth_fields_rollback(request->userdb_reply);
> > + request->userdb_prefetch_set > > +
> > request->snapshot_have_userdb_prefetch_set;
> > + }
> > + }
> > +
> > if (passdb_continue && next_passdb != NULL) {
> > /* try next passdb. */
> > request->passdb = next_passdb;
> > request->passdb_password = NULL;
> >
> > - if (*result == PASSDB_RESULT_OK) {
> > - /* this passdb lookup succeeded, preserve
> > its extra
> > - fields */
> > -
> > auth_fields_snapshot(request->extra_fields);
> > - request->snapshot_have_userdb_prefetch_set
> > > > - request->userdb_prefetch_set;
> > - if (request->userdb_reply != NULL)
> > -
> > auth_fields_snapshot(request->userdb_reply);
> > - } else {
> > - /* this passdb lookup failed, remove any
> > extra fields
> > - it set */
> > -
> > auth_fields_rollback(request->extra_fields);
> > - if (request->userdb_reply != NULL) {
> > -
> > auth_fields_rollback(request->userdb_reply);
> > - request->userdb_prefetch_set > > -
> > request->snapshot_have_userdb_prefetch_set;
> > - }
> > - }
> > -
> > if (*result == PASSDB_RESULT_USER_UNKNOWN) {
> > /* remember that we did at least one
> > successful passdb lookup */
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > On 08/05/2015 05:33 PM, matthias lay wrote:
> >> just tested against dovecot 2.2.15
> >>
> >> everythings works fine. so might be a bug introduced between
> >> 2.2.16 and 2.2.18
> >>
> >>
> >>
> >>
> >>
> >> On 08/05/2015 04:30 PM, matthias lay wrote:
> >>> Hi list,
> >>>
> >>> I have a question on auth caching in 2.2.18.
> >>>
> >>> I am using acl_groups for a master user, appended in a static
> >>> userdb file
> >>>
> >>> # snip ###############################
> >>> master at uma:{SHA}XXXX=::::::userdb_acl_groups=umareadmaster
> >>> allow_nets=127.0.0.1
> >>> # snap ###############################
> >>>
> >>> and use this group in a global ACL file.
> >>> I discovered this only works on first NOT-cached login
> >>>
> >>>
> >>>
> >>> environment in imap-postlogin script on first login:
> >>>
> >>>
> >>> AUTH_TOKEN=e96b5a32ceb2cafc4460c210ad2e92e3d7ab388c
> >>> MASTER_USER=master at uma
> >>> SPUSER=private/pdf
> >>> LOCAL_IP=127.0.0.1
> >>> USER=pdf
> >>> AUTH_USER=master at uma
> >>> PWD=/var/run/dovecot
> >>> USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN
> >>> AUTH_USER SHLVL=1
> >>> HOME=/var/data/vmail/private/pdf
> >>> ACL_GROUPS=umareadmaster
> >>> IP=127.0.0.1
> >>> _=/usr/bin/env
> >>>
> >>>
> >>> on the second cached login it looks like this
> >>>
> >>>
> >>> AUTH_TOKEN=12703b11932f233520f6d4b33559c33aeb1cfc7f
> >>> MASTER_USER=master at uma
> >>> SPUSER=private/pdf
> >>> LOCAL_IP=127.0.0.1
> >>> USER=pdf
> >>> AUTH_USER=master at uma
> >>> PWD=/var/run/dovecot
> >>> USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
> >>> SHLVL=1
> >>> HOME=/var/data/vmail/private/pdf
> >>> IP=127.0.0.1
> >>> _=/usr/bin/env
> >>>
> >>> so the ACL_GROUPS is gone.
> >>>
> >>> is this intended to be like that.
> >>> so groups not included in cache and I have to find another
> >>> approach?
> >>>
> >>> anybody else encountered similar problems with some auth
> >>> Variables and caching?
> >>>
> >>>
> >>> Greetz Matze
> >>>
> >>
hi again, On Thu, 27 Aug 2015 14:37:59 +0300 Teemu Huovila <teemu.huovila at dovecot.fi> wrote:> > However, I am unable to reproduce this. Could you post your doveconf > -n please? Im especially interested in your passdb and userdb > configurations and auth-cache settings. >just reproduced the bug with a fresh clean 2.2.18 install ldap userdb an 2 masterusers with the ACL_GROUP attribut in passwd file env output in imap-postlogin first login: AUTH_TOKEN=4adba75022f765fc3215ac5243337fd99adfdbf5 MASTER_USER=master2 SPUSER=private/johnd LOCAL_IP=127.0.0.1 USER=johnd AUTH_USER=master2 PWD=/run/dovecot USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER SHLVL=1 HOME=/home/vmail/private/johnd ACL_GROUPS=umareadmaster IP=127.0.0.1 _=/usr/bin/env logout and next login: AUTH_TOKEN=83d7ede27b4fbc4de2abad58e84e65ac1073e4ec MASTER_USER=master2 SPUSER=private/johnd LOCAL_IP=127.0.0.1 USER=johnd AUTH_USER=master2 PWD=/run/dovecot USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER SHLVL=1 HOME=/home/vmail/private/johnd IP=127.0.0.1 _=/usr/bin/env ############################## % doveconf -n: # 2.2.18: /etc/dovecot/dovecot.conf # OS: Linux 3.12.44-gentoo x86_64 Gentoo Base System release 2.2 auth_cache_negative_ttl = 30 mins auth_cache_size = 10 k auth_master_user_separator = * auth_use_winbind = yes auth_username_chars = auth_verbose = yes log_path = /var/log/dovecot.log mail_gid = vmail mail_home = /home/vmail/private/%u mail_location = maildir:~/Maildir:LAYOUT=fs:INBOX=~/Maildir/INBOX mail_uid = vmail namespace { inbox = yes location = mailbox Sent { auto = subscribe special_use = \Sent } prefix = separator = / subscriptions = yes type = private } namespace { hidden = no inbox = no list = children location maildir:/home/vmail/public/%%Lu/Maildir:LAYOUT=fs:INBOX=/home/vmail/public/%%Lu/Maildir/INBOX prefix = public/%%u/ separator = / subscriptions = no type = shared } passdb { args = /etc/dovecot/master-users1 driver = passwd-file master = yes } passdb { 
args = /etc/dovecot/master-users2 driver = passwd-file master = yes } service auth { unix_listener auth-client { group = mode = 0600 user = $default_internal_user } unix_listener auth-login { group = mode = 0600 user = $default_internal_user } unix_listener auth-master { group = mode = 0600 user = $default_internal_user } unix_listener auth-userdb { group = vmail mode = 0660 user = $default_internal_user } unix_listener login/login { group = mode = 0666 user = $default_internal_user } user = $default_internal_user } service imap-login { inet_listener imap { port = 143 } } service imap-postlogin { executable = script-login /usr/libexec/dovecot/imap-postlogin user = vmail } service imap { executable = imap imap-postlogin } ssl_cert = </etc/ssl/dovecot/server.pem ssl_key = </etc/ssl/dovecot/server.key protocol imap { userdb { args = /etc/dovecot/dovecot-imap-ldap.conf.ext driver = ldap name = } userdb { args = /etc/dovecot/dovecot-imap-ldap.conf.ext driver = ldap name = } } ################################### % cat auth-master.conf.ext # Authentication for master users. Included from 10-auth.conf. # By adding master=yes setting inside a passdb you make the passdb a list # of "master users", who can log in as anyone else. # <doc/wiki/Authentication.MasterUsers.txt> auth_master_user_separator = * # Example master user passdb using passwd-file. You can use any passdb though. passdb { driver = passwd-file master = yes args = /etc/dovecot/master-users1 # Unless you're using PAM, you probably still want the destination user to # be looked up from passdb that it really exists. pass=yes does that. #pass = yes } passdb { driver = passwd-file master = yes args = /etc/dovecot/master-users2 # Unless you're using PAM, you probably still want the destination user to # be looked up from passdb that it really exists. pass=yes does that. 
#pass = yes } ############################################### % cat /etc/dovecot/master-users1 master1:{SHA}xxxxxxx=::::::userdb_acl_groups=umareadmaster allow_nets=127.0.0.1 master2 is the same. Greetz