After latest performed update (2024-01-26) PAM fails to authenticate (Dovecot usage)

Noticed that emails stopped being served from the server, and the reason is that authentication fails. Before the update everything worked and had been working for a long time, but now it has stopped.

The log produces only the following:
pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=**** rhost=10.1.10.10 user=****

No changes to configs, no changes to passwords etc. Just update (zypper -v dup) and no more authentication.

Temporarily tested shadowpw and that worked locally but does not work from outside usage. I’d prefer to use PAM but haven’t figured out what is the problem here now.

Any idea of the solution for this?

PAM configs:

  • default common-auth, common-account, common-password, common-session (as per Tumbleweed distro)
  • tried for PAM dovecot config auth required pam_unix.so and account required pam_unix.so - no difference
  • mail config: passdb { driver = pam args = mail }

Dovecot configs:

  • passdb { driver = pam args = dovecot }
  • userdb { driver = passwd args = blocking=no }

https://bugzilla.opensuse.org/show_bug.cgi?id=1219139

Thx for the tip.

Added unix-chkpwd file to apparmor.d:

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{,usr/}{,s}bin/unix_chkpwd

profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
  include <abstractions/base>
  include <abstractions/nameservice>

  # To write records to the kernel auditing log.
  capability audit_write,

  network netlink raw,

  @{exec_path} mr,

  /etc/shadow r,

  # file_inherit
#  owner /dev/tty@{int} rw,

  include if exists <local/unix-chkpwd>
}

Still fails to authenticate with the exact same failure log.

Stopped apparmor for testing and still fails so there’s something now with PAM itself.

How did you do it?

systemctl stop apparmor

That does nothing. To deactivate AppArmor, run

aa-teardown
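
Added example, not part of the original thread: a shell sketch that checks whether the `unix-chkpwd` profile is still loaded in the kernel (which it is after `systemctl stop apparmor`, and is not after `aa-teardown`) and which accesses that profile denied. The function names, the temporary files and all sample lines are constructed for illustration; the listing format is that of `/sys/kernel/security/apparmor/profiles`.

```shell
#!/usr/bin/env bash
# Added example: is an AppArmor profile still loaded, and what did it deny?
# All sample data below is constructed, not taken from the thread.

# profile_mode LISTING NAME -> prints the mode (enforce/complain/...) of NAME.
# LISTING has the format of /sys/kernel/security/apparmor/profiles.
# Returns non-zero when NAME is not loaded.
profile_mode() {
  awk -v want="$2" '
    { name = $0; sub(/ \([a-z]+\)$/, "", name)      # strip trailing " (mode)"
      if (name == want) { mode = $NF; gsub(/[()]/, "", mode); print mode; hit = 1 } }
    END { exit !hit }' "$1"
}

# denials LOG NAME -> prints unique "denied_mask path" pairs that profile NAME
# refused, taken from kernel audit records carrying apparmor="DENIED".
denials() {
  grep -F 'apparmor="DENIED"' "$1" | grep -F "profile=\"$2\"" |
    sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\2 \1/p' | sort -u
}

# --- constructed sample input ---
tmp=$(mktemp -d)
# State after "systemctl stop apparmor": profiles are still listed.
printf '%s\n' 'unix-chkpwd (enforce)' 'ping (complain)' > "$tmp/after_stop"
# State after "aa-teardown": nothing is loaded.
: > "$tmp/after_teardown"
cat > "$tmp/audit.log" <<'EOF'
type=AVC msg=audit(1706260000.101:501): apparmor="DENIED" operation="open" profile="unix-chkpwd" name="/constructed/example/path" pid=4321 comm="unix_chkpwd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1706260005.202:502): apparmor="DENIED" operation="open" profile="unix-chkpwd" name="/constructed/example/path" pid=4330 comm="unix_chkpwd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1706260009.303:503): apparmor="ALLOWED" operation="open" profile="ping" name="/constructed/other" pid=4400 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF

for state in after_stop after_teardown; do
  if mode=$(profile_mode "$tmp/$state" unix-chkpwd); then
    echo "$state: unix-chkpwd loaded ($mode)"
  else
    echo "$state: unix-chkpwd not loaded"
  fi
done
echo "denied by unix-chkpwd:"; denials "$tmp/audit.log" unix-chkpwd
```

On a live system, pass `/sys/kernel/security/apparmor/profiles` as the listing and the file that receives kernel audit records as the log; where that log lives depends on whether auditd is running.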

OK. Tried and now login worked.

What’s the point of having such a feature (stopping) in apparmor server if it doesn’t do anything but show that the service is stopped? Strange…

Not working 100%. Mobile phone client (Edison email) cannot log in anymore (removed and reinstalled app as well). Another computer did work (Thunderbird).

services auth: pam_unix(dovecot:session): session opened for user ****(uid=1000) by (uid=0)
auth: pam_unix(dovecot:session): session closed for user ****

Problem fixed now with the latest (2024-01-31) update.