#58560 closed defect (wontfix)
dovecot2 authorization failure
| Reported by: | braslau | Owned by: | jdberry |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | ports | Version: | |
| Keywords: | Cc: | essandess (Steve Smith) | |
| Port: | dovecot2 |
Description
After updating the dovecot2 port to v2.3.6, with no change in the configuration files, authorization now fails with the error log message "Fatal: setbroups(227) failed: Too many extra groups".
Change History (10)
comment:1 Changed 5 years ago by ryandesign (Ryan Carsten Schmidt)
| Cc: | essandess mf2k added |
|---|---|
| Keywords: | auth error removed |
| Priority: | High → Normal |
comment:2 Changed 5 years ago by essandess (Steve Smith)
comment:3 Changed 5 years ago by essandess (Steve Smith)
Sorry, wrong thread. I’ll come back to you on this. It’s an upstream issue, and there’s an easy fix.
comment:4 Changed 5 years ago by essandess (Steve Smith)
@braslau This issue is caused on macOS by the configuration setting last_valid_gid = 0.
I changed the code to avoid this, but if you set it explicitly, you’ll have to edit your configuration to something like last_valid_gid = 100. See
comment:5 Changed 5 years ago by braslau
Thank you for the information.
This seems like a bug. I do not have last_valid_gid set in any configuration file and setting it explicitly to last_valid_gid=100 as suggested does not allow authorization. Its default value (of 0) should not block users.
What if the user's primary group is something greater, as is the case on my network (where the user group is 1000)?
The solution, I have found, is to set
first_valid_gid=1000 last_valid_gid=0
thus limiting use to my network users.
Setting just first_valid_gid causes dovecot to fail to run; explictly setting last_valid_gid=0 (or to 1000) seems to be necessary.
Would not a better solution be to pass only the primary gid, or to truncate the list of gid to a valid maximum number of entries? Maybe that is an upstream fix.
Alan
comment:6 Changed 5 years ago by essandess (Steve Smith)
Not a bug, a dovecot+macOS feature!
It’s discussed in the dovecot mail list. The large number of groups defined in macOS crosses some dovecot threshold, resulting in the auth failure.
You can raise the issue upstream, but my expectation is the response will be that it’s not a bug, but a configuration issue on macOS.
Also, your fix doesn’t make sense to me. I believe the fundamental issue is group id’s (gid’s), not user id’s (uid’s). AFAIK there are no macOS gid’s above 1000. Does this configuration turn off all valid gid’s? Run this to see all your gid’s:
dscl . -list /Groups PrimaryGroupID | sort -n -k2
Would you please check your fix and compare to the dovecot mailing list discussion/dovecot code on github? If necessary, we can patch the dovecot code in MacPorts so that it doesn’t tickle this issue.
comment:7 Changed 5 years ago by mf2k (Frank Schima)
| Cc: | mf2k removed |
|---|
comment:8 Changed 4 years ago by mf2k (Frank Schima)
| Owner: | set to jdberry |
|---|---|
| Status: | new → assigned |
comment:9 Changed 3 years ago by mf2k (Frank Schima)
| Resolution: | → wontfix |
|---|---|
| Status: | assigned → closed |
comment:10 Changed 3 years ago by jmroot (Joshua Root)
However dovecot now installs what used to be dovecot2. Reopen if this is still relevant to the current dovecot port I guess.
Thanks I’ll try it.
Also, while this is open, is there some Portfile voodoo that sidesteps the hack in the original Portfile of calling
gettextize -f, or my hack of just installing the fileconfig.rpathto avoid the crazy anti-script linedummy < /dev/ttyingettextize?I’m honestly still not sure how the original Portfile avoided that.