I'm experimenting with checkpassword as an auth method for usedb and passdb
(http://wiki2.dovecot.org/AuthDatabase/CheckPassword). I've set up the
userdb
and passdb *exactly* as the wiki suggests as the "standard way":
passdb {
driver = checkpassword
args = /user/util/bin/checkpassword
}
userdb {
driver = prefetch
}
I've created a checkpassword program that does receive the correct user and
password from dovecot. And I am successfully authenticating with ntlm_auth and
exiting with status 0. My debug output:
AUTHORIZED: (null)
USER: (null)
userdb_uid: (null)
userdb_gid: (null)
arg1=/usr/local/libexec/dovecot/checkpassword-reply
CMD: /usr/bin/ntlm_auth --username="mark" --password='mypass'
ntlm_auth status: 0
Now, the wiki says 2 things that have me stumped:
1. It says that, "Dovecot calls the script with AUTHORIZED=1 environment
set
when performing a userdb lookup. The script must acknowledge this by changing
the environment to AUTHORIZED=2, otherwise the lookup fails."
As you can see from my program log, "AUTHORIZED" is not set. Why? Nor
are any of the
other environment variables mentioned in the wiki. I've listed all the
environment variables that *are* passed to the program at the bottom of this
message.
2. The wiki says, "Your program received a path to checkpassword-reply
binary as the first
parameter. Execute it."
I did so as a fork() and then
execve("/usr/local/libexec/dovecot/checkpassword-reply")
How do I know it worked ... or failed?
What am I doing wrong?
Dovecot log entries:
Sep 10 22:54:04 auth: Debug: auth client connected (pid=14748)
Sep 10 22:54:04 auth: Debug: client in: AUTH 1 PLAIN service=imap
session=AkYg1G8f8QDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143
rport=49649 resp=AG1hcmsAZ2xhY29uXzk= (previous base64 data may contain
sensitive data)
Sep 10 22:54:04 auth: Debug:
checkpassword(mark,192.168.0.58,<AkYg1G8f8QDAqAA6>): execute:
/user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Sep 10 22:54:04 auth: Debug:
checkpassword(mark,192.168.0.58,<AkYg1G8f8QDAqAA6>): exit_status=0
Sep 10 22:54:04 auth: Debug:
checkpassword(mark,192.168.0.58,<AkYg1G8f8QDAqAA6>): Received input:
Sep 10 22:54:06 auth: Debug: client passdb out: FAIL 1 user=mark
temp
ENV variables passed to the checkpassword program:
DOVECOT_PRESERVE_ENVS=TZ CORE_OUTOFMEM CORE_ERROR
DOVECOT_CHILD_PROCESS=1
CONFIG_FILE=/usr/local/var/run/dovecot/config
CLIENT_LIMIT=1000
PROCESS_LIMIT=1
PROCESS_MIN_AVAIL=0
IDLE_KILL=60
GENERATION=2991
DOVECOT_HOSTNAME=mail
DOVECOT_HOSTDOMAIN=mail.hprs.local
DOVECOT_VERSION=2.2.15
LOG_SERVICE=1
SOCKET_COUNT=6
SSL_SOCKET_COUNT=0
SOCKET_NAMES=login tokenlogin auth-login auth-client
auth-userdb auth-master
PROTO=TCP
ORIG_UID=151
SERVICE=imap
TCPLOCALIP=192.168.0.2
LOCAL_IP=192.168.0.2
TCPREMOTEIP=192.168.0.58
REMOTE_IP=192.168.0.58
TCPLOCALPORT=143
TCPREMOTEPORT=49649
AUTH_USER=mark
AUTH_USERNAME=mark
AUTH_SERVICE=imap
AUTH_LIP=192.168.0.2
AUTH_RIP=192.168.0.58
AUTH_PID=14748
AUTH_MECH=PLAIN
AUTH_SECUREDAUTH_LPORT=143
AUTH_RPORT=49649
AUTH_CERTAUTH_SESSION=AkYg1G8f8QDAqAA6
AUTH_REAL_LIP=192.168.0.2
AUTH_REAL_RIP=192.168.0.58
AUTH_REAL_LPORT=143
AUTH_REAL_RPORT=49649
AUTH_ORIG_USER=mark
AUTH_ORIG_USERNAME=mark
--Mark
Not to be grumpy, but I've posted a dozen or more message to this list in
the
past week about what I think might be relatively common/easy issues and have had
zero response except from Rick Romero who is trying, but hasn't actually
done
what I need himself. I'm sure someone has. Perhaps these problem are too
mundane
compared to CalDAV, sieve filtering and IPA to excite List interest? Come on
Dovecotters! Let's step up to the plate!
To follow up on my previous posting in this thread, I'm trying to get
checkpassword to work. I have confirmed that it is setting the environment
variables as described in (http://wiki2.dovecot.org/AuthDatabase/CheckPassword).
My debug output of env variables sent to checkpassword-reply:
$USER=mark
userdb_uid=3000026
userdb_gid=100
INSECURE_SETUID=1
EXTRA=userdb_uid userdb_gid
I have confirmed that my checkpassword program returns 0 authenticating the user
with the AD:
fork pid = 4239, ntlm_auth status: 0
The pid listed above is the pid of the forked
/usr/local/libexec/dovecot/checkpassword-reply
program. For testing purposes, I've replaced that with a stub of my own that
shows the set environment variables so I know checkpassword-reply is getting
them (listed above).
Notice in the log messages below that everything looks correct. It has the
correct username, UID, GID, client passdb out: OK. No error in the log that I
can see.
I believe I've done everything exactly as documented in the wiki, but it
doesn't
work I get the Outlook message "Your IMAP server closed the connection ...
Error Code: 0x800CCCDD". Finally, I tried setting:
chgrp dovecot /usr/local/libexec/dovecot/checkpassword-reply
chmod g+s /usr/local/libexec/dovecot/checkpassword-reply
As the wiki suggested and setting the env variable INSECURE_SETUID=1. Same
error.
Googling the 0x800CCCDD code simply says to turn of scheduled send/received, but
that makes no different. Same error.
I believe I've done everything exactly according to the documentation. Does
checkpassword actually work with Dovecot version 2.2.15? If not, could someone
please tell me so I can stop wasting my time. If it does work, can someone
please help me figure out why it does not for me?
Thanks -- Mark
My dovecot log:
Sep 11 21:18:22 auth: Debug: Loading modules from directory:
/usr/local/lib/dovecot/auth
Sep 11 21:18:22 auth: Debug: Read auth token secret from
/usr/local/var/run/dovecot/auth-token-secret.dat
Sep 11 21:18:22 auth: Debug: auth client connected (pid=4234)
Sep 11 21:18:22 auth: Debug: client in: AUTH 1 PLAIN service=imap
session=tHPCm4IftgDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143
rport=50614 resp=AG1hcmsAZ2xhY29uXzk= (previous base64 data may contain
sensitive data)
Sep 11 21:18:22 auth: Debug:
checkpassword(mark,192.168.0.58,<tHPCm4IftgDAqAA6>): execute:
/user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Sep 11 21:18:22 auth: Debug:
checkpassword(mark,192.168.0.58,<tHPCm4IftgDAqAA6>): exit_status=0
Sep 11 21:18:22 auth: Debug:
checkpassword(mark,192.168.0.58,<tHPCm4IftgDAqAA6>): Received input:
userdb_uid=3000026 userdb_gid=100
Sep 11 21:18:22 auth: Debug: client passdb out: OK 1 user=mark
Sep 11 21:18:22 auth: Debug: master in: REQUEST 1794375681 4234 1
c2551b70ccf5e2f8e022869663bf6a70 session_pid=4240
request_auth_token
Sep 11 21:18:22 auth: Debug:
prefetch(mark,192.168.0.58,<tHPCm4IftgDAqAA6>): success
Sep 11 21:18:22 auth: Debug: master userdb out: USER 1794375681 mark
uid=3000026 gid=100 auth_token=008ebf0ebd9c1654085de247f10cdf0a746555d4
Sep 11 21:18:22 imap-login: Info: Login: user=<mark>, method=PLAIN,
rip=192.168.0.58, lip=192.168.0.2, mpid=4240, session=<tHPCm4IftgDAqAA6>
-----Original Message-----
From: Mark Foley <mfoley at ohprs.org>
Date: Thu, 10 Sep 2015 23:05:18 -0400
To: dovecot at dovecot.org
Subject: Need help on checkpassword userdb/passdb
I'm experimenting with checkpassword as an auth method for usedb and passdb
(http://wiki2.dovecot.org/AuthDatabase/CheckPassword). I've set up the
userdb
and passdb *exactly* as the wiki suggests as the "standard way":
passdb {
driver = checkpassword
args = /user/util/bin/checkpassword
}
userdb {
driver = prefetch
}
I've created a checkpassword program that does receive the correct user and
password from dovecot. And I am successfully authenticating with ntlm_auth and
exiting with status 0. My debug output:
AUTHORIZED: (null)
USER: (null)
userdb_uid: (null)
userdb_gid: (null)
arg1=/usr/local/libexec/dovecot/checkpassword-reply
CMD: /usr/bin/ntlm_auth --username="mark" --password='mypass'
ntlm_auth status: 0
Now, the wiki says 2 things that have me stumped:
1. It says that, "Dovecot calls the script with AUTHORIZED=1 environment
set
when performing a userdb lookup. The script must acknowledge this by changing
the environment to AUTHORIZED=2, otherwise the lookup fails."
As you can see from my program log, "AUTHORIZED" is not set. Why? Nor
are any of the
other environment variables mentioned in the wiki. I've listed all the
environment variables that *are* passed to the program at the bottom of this
message.
2. The wiki says, "Your program received a path to checkpassword-reply
binary as the first
parameter. Execute it."
I did so as a fork() and then
execve("/usr/local/libexec/dovecot/checkpassword-reply")
How do I know it worked ... or failed?
What am I doing wrong?
Dovecot log entries:
Sep 10 22:54:04 auth: Debug: auth client connected (pid=14748)
Sep 10 22:54:04 auth: Debug: client in: AUTH 1 PLAIN service=imap
session=AkYg1G8f8QDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143
rport=49649 resp=AG1hcmsAZ2xhY29uXzk= (previous base64 data may contain
sensitive data)
Sep 10 22:54:04 auth: Debug:
checkpassword(mark,192.168.0.58,<AkYg1G8f8QDAqAA6>): execute:
/user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Sep 10 22:54:04 auth: Debug:
checkpassword(mark,192.168.0.58,<AkYg1G8f8QDAqAA6>): exit_status=0
Sep 10 22:54:04 auth: Debug:
checkpassword(mark,192.168.0.58,<AkYg1G8f8QDAqAA6>): Received input:
Sep 10 22:54:06 auth: Debug: client passdb out: FAIL 1 user=mark
temp
ENV variables passed to the checkpassword program:
DOVECOT_PRESERVE_ENVS=TZ CORE_OUTOFMEM CORE_ERROR
DOVECOT_CHILD_PROCESS=1
CONFIG_FILE=/usr/local/var/run/dovecot/config
CLIENT_LIMIT=1000
PROCESS_LIMIT=1
PROCESS_MIN_AVAIL=0
IDLE_KILL=60
GENERATION=2991
DOVECOT_HOSTNAME=mail
DOVECOT_HOSTDOMAIN=mail.hprs.local
DOVECOT_VERSION=2.2.15
LOG_SERVICE=1
SOCKET_COUNT=6
SSL_SOCKET_COUNT=0
SOCKET_NAMES=login tokenlogin auth-login auth-client
auth-userdb auth-master
PROTO=TCP
ORIG_UID=151
SERVICE=imap
TCPLOCALIP=192.168.0.2
LOCAL_IP=192.168.0.2
TCPREMOTEIP=192.168.0.58
REMOTE_IP=192.168.0.58
TCPLOCALPORT=143
TCPREMOTEPORT=49649
AUTH_USER=mark
AUTH_USERNAME=mark
AUTH_SERVICE=imap
AUTH_LIP=192.168.0.2
AUTH_RIP=192.168.0.58
AUTH_PID=14748
AUTH_MECH=PLAIN
AUTH_SECUREDAUTH_LPORT=143
AUTH_RPORT=49649
AUTH_CERTAUTH_SESSION=AkYg1G8f8QDAqAA6
AUTH_REAL_LIP=192.168.0.2
AUTH_REAL_RIP=192.168.0.58
AUTH_REAL_LPORT=143
AUTH_REAL_RPORT=49649
AUTH_ORIG_USER=mark
AUTH_ORIG_USERNAME=mark
--Mark
I figured out how to make checkpassword work. There is a problem with the
documentation. http://wiki2.dovecot.org/AuthDatabase/CheckPassword, under
'Security' says, "a. If possible, change the checkpassword to
return userdb_uid
and userdb_gid extra fields instead of using setuid() and setgid(). This also
improves the performance." And, under 'Checkpassword Interface' it
says,
"Return the user's UNIX UID and GID using userdb_uid and userdb_gid
environments and add them to the EXTRA environment ..."
I did all of this and it didn't work. However, when I added the userdb_home
environment variable and added that to the EXTRA environment variable, it
worked. I tried this because I happened upon
http://wiki2.dovecot.org/UserDatabase/Prefetch which mentioned userdb_home. The
http://wiki2.dovecot.org/AuthDatabase/CheckPassword needs to have this bit of
information added in the appropriate place(s) or the developer/hackster will
waste days trying to get checkpassword working until he/she stumbles across the
userdb_home comment elsewhere.
Nevertheless, checkpassword turns out not to be the solution to my original
problem, so I will keep on keepin' on ...
--Mark
-----Original Message-----
From: Mark Foley <mfoley at ohprs.org>
Date: Fri, 11 Sep 2015 21:57:40 -0400
To: dovecot at dovecot.org
Subject: Re: Need help on checkpassword userdb/passdb
[grumpy bit deleted]
To follow up on my previous posting in this thread, I'm trying to get
checkpassword to work. I have confirmed that it is setting the environment
variables as described in (http://wiki2.dovecot.org/AuthDatabase/CheckPassword).
My debug output of env variables sent to checkpassword-reply:
$USER=mark
userdb_uid=3000026
userdb_gid=100
INSECURE_SETUID=1
EXTRA=userdb_uid userdb_gid
I have confirmed that my checkpassword program returns 0 authenticating the user
with the AD:
fork pid = 4239, ntlm_auth status: 0
The pid listed above is the pid of the forked
/usr/local/libexec/dovecot/checkpassword-reply
program. For testing purposes, I've replaced that with a stub of my own that
shows the set environment variables so I know checkpassword-reply is getting
them (listed above).
Notice in the log messages below that everything looks correct. It has the
correct username, UID, GID, client passdb out: OK. No error in the log that I
can see.
I believe I've done everything exactly as documented in the wiki, but it
doesn't
work I get the Outlook message "Your IMAP server closed the connection ...
Error Code: 0x800CCCDD". Finally, I tried setting:
chgrp dovecot /usr/local/libexec/dovecot/checkpassword-reply
chmod g+s /usr/local/libexec/dovecot/checkpassword-reply
As the wiki suggested and setting the env variable INSECURE_SETUID=1. Same
error.
Googling the 0x800CCCDD code simply says to turn of scheduled send/received, but
that makes no different. Same error.
I believe I've done everything exactly according to the documentation. Does
checkpassword actually work with Dovecot version 2.2.15? If not, could someone
please tell me so I can stop wasting my time. If it does work, can someone
please help me figure out why it does not for me?
Thanks -- Mark
My dovecot log:
Sep 11 21:18:22 auth: Debug: Loading modules from directory:
/usr/local/lib/dovecot/auth
Sep 11 21:18:22 auth: Debug: Read auth token secret from
/usr/local/var/run/dovecot/auth-token-secret.dat
Sep 11 21:18:22 auth: Debug: auth client connected (pid=4234)
Sep 11 21:18:22 auth: Debug: client in: AUTH 1 PLAIN service=imap
session=tHPCm4IftgDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143
rport=50614 resp=AG1hcmsAZ2xhY29uXzk= (previous base64 data may contain
sensitive data)
Sep 11 21:18:22 auth: Debug:
checkpassword(mark,192.168.0.58,<tHPCm4IftgDAqAA6>): execute:
/user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Sep 11 21:18:22 auth: Debug:
checkpassword(mark,192.168.0.58,<tHPCm4IftgDAqAA6>): exit_status=0
Sep 11 21:18:22 auth: Debug:
checkpassword(mark,192.168.0.58,<tHPCm4IftgDAqAA6>): Received input:
userdb_uid=3000026 userdb_gid=100
Sep 11 21:18:22 auth: Debug: client passdb out: OK 1 user=mark
Sep 11 21:18:22 auth: Debug: master in: REQUEST 1794375681 4234 1
c2551b70ccf5e2f8e022869663bf6a70 session_pid=4240
request_auth_token
Sep 11 21:18:22 auth: Debug:
prefetch(mark,192.168.0.58,<tHPCm4IftgDAqAA6>): success
Sep 11 21:18:22 auth: Debug: master userdb out: USER 1794375681 mark
uid=3000026 gid=100 auth_token=008ebf0ebd9c1654085de247f10cdf0a746555d4
Sep 11 21:18:22 imap-login: Info: Login: user=<mark>, method=PLAIN,
rip=192.168.0.58, lip=192.168.0.2, mpid=4240, session=<tHPCm4IftgDAqAA6>
-----Original Message-----
From: Mark Foley <mfoley at ohprs.org>
Date: Thu, 10 Sep 2015 23:05:18 -0400
To: dovecot at dovecot.org
Subject: Need help on checkpassword userdb/passdb
I'm experimenting with checkpassword as an auth method for usedb and passdb
(http://wiki2.dovecot.org/AuthDatabase/CheckPassword). I've set up the
userdb
and passdb *exactly* as the wiki suggests as the "standard way":
passdb {
driver = checkpassword
args = /user/util/bin/checkpassword
}
userdb {
driver = prefetch
}
I've created a checkpassword program that does receive the correct user and
password from dovecot. And I am successfully authenticating with ntlm_auth and
exiting with status 0. My debug output:
AUTHORIZED: (null)
USER: (null)
userdb_uid: (null)
userdb_gid: (null)
arg1=/usr/local/libexec/dovecot/checkpassword-reply
CMD: /usr/bin/ntlm_auth --username="mark" --password='mypass'
ntlm_auth status: 0
Now, the wiki says 2 things that have me stumped:
1. It says that, "Dovecot calls the script with AUTHORIZED=1 environment
set
when performing a userdb lookup. The script must acknowledge this by changing
the environment to AUTHORIZED=2, otherwise the lookup fails."
As you can see from my program log, "AUTHORIZED" is not set. Why? Nor
are any of the
other environment variables mentioned in the wiki. I've listed all the
environment variables that *are* passed to the program at the bottom of this
message.
2. The wiki says, "Your program received a path to checkpassword-reply
binary as the first
parameter. Execute it."
I did so as a fork() and then
execve("/usr/local/libexec/dovecot/checkpassword-reply")
How do I know it worked ... or failed?
What am I doing wrong?
Dovecot log entries:
Sep 10 22:54:04 auth: Debug: auth client connected (pid=14748)
Sep 10 22:54:04 auth: Debug: client in: AUTH 1 PLAIN service=imap
session=AkYg1G8f8QDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143
rport=49649 resp=AG1hcmsAZ2xhY29uXzk= (previous base64 data may contain
sensitive data)
Sep 10 22:54:04 auth: Debug:
checkpassword(mark,192.168.0.58,<AkYg1G8f8QDAqAA6>): execute:
/user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Sep 10 22:54:04 auth: Debug:
checkpassword(mark,192.168.0.58,<AkYg1G8f8QDAqAA6>): exit_status=0
Sep 10 22:54:04 auth: Debug:
checkpassword(mark,192.168.0.58,<AkYg1G8f8QDAqAA6>): Received input:
Sep 10 22:54:06 auth: Debug: client passdb out: FAIL 1 user=mark
temp
ENV variables passed to the checkpassword program:
DOVECOT_PRESERVE_ENVS=TZ CORE_OUTOFMEM CORE_ERROR
DOVECOT_CHILD_PROCESS=1
CONFIG_FILE=/usr/local/var/run/dovecot/config
CLIENT_LIMIT=1000
PROCESS_LIMIT=1
PROCESS_MIN_AVAIL=0
IDLE_KILL=60
GENERATION=2991
DOVECOT_HOSTNAME=mail
DOVECOT_HOSTDOMAIN=mail.hprs.local
DOVECOT_VERSION=2.2.15
LOG_SERVICE=1
SOCKET_COUNT=6
SSL_SOCKET_COUNT=0
SOCKET_NAMES=login tokenlogin auth-login auth-client
auth-userdb auth-master
PROTO=TCP
ORIG_UID=151
SERVICE=imap
TCPLOCALIP=192.168.0.2
LOCAL_IP=192.168.0.2
TCPREMOTEIP=192.168.0.58
REMOTE_IP=192.168.0.58
TCPLOCALPORT=143
TCPREMOTEPORT=49649
AUTH_USER=mark
AUTH_USERNAME=mark
AUTH_SERVICE=imap
AUTH_LIP=192.168.0.2
AUTH_RIP=192.168.0.58
AUTH_PID=14748
AUTH_MECH=PLAIN
AUTH_SECUREDAUTH_LPORT=143
AUTH_RPORT=49649
AUTH_CERTAUTH_SESSION=AkYg1G8f8QDAqAA6
AUTH_REAL_LIP=192.168.0.2
AUTH_REAL_RIP=192.168.0.58
AUTH_REAL_LPORT=143
AUTH_REAL_RPORT=49649
AUTH_ORIG_USER=mark
AUTH_ORIG_USERNAME=mark
--Mark