
I want to authenticate dovecot against LDAP (AD based on Samba 4). The files are stored in /var/mail/vmail/, which is owned by vmail:vmail. One user is working, since it uses vmail as uid and gid:

    $ sudo doveadm user du
    field  value
    uid    vmail
    gid    vmail
    home
    mail   maildir:/var/mail/vmail//du

All other users can't change into the directory (and therefore store no mails); they look like this:

    $ sudo doveadm user sh
    field  value
    uid    2035
    gid    5074
    home
    mail   maildir:/var/mail/vmail//sh

I have no idea why this user does not use vmail as the virtual user to change into the maildir.

The relevant configs look like this:

    disable_plaintext_auth = no
    auth_mechanisms = plain login
    mail_uid = vmail
    mail_gid = vmail
    ssl_cert = </etc/dovecot/private/dovecot.pem
    ssl_key = </etc/dovecot/private/dovecot.key
    login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k"
    mail_plugins = quota
    ssl_protocols = !SSLv2 !SSLv3
    ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    log_timestamp = "%Y-%m-%d %H:%M:%S "
    protocols = imap
    listen = *
    mail_location = maildir:/var/mail/vmail/%d/%n
    userdb {
      args = /etc/dovecot/dovecot-ldap.conf.ext
      driver = ldap
    }
    passdb {
      args = /etc/dovecot/dovecot-ldap.conf.ext
      driver = ldap
    }
    service auth {
      unix_listener /var/spool/postfix/private/auth_dovecot {
        group = postfix
        mode = 0660
        user = postfix
      }
      unix_listener auth-userdb {
        mode = 0600
        user = vmail
      }
      user = root
    }
    service dict {
      unix_listener dict {
        mode = 0660
        user = vmail
        group = vmail
      }
    }
    namespace inbox {
      inbox = yes
      location =
      mailbox Drafts {
        auto = subscribe
        special_use = \Drafts
      }
      mailbox Junk {
        auto = subscribe
        special_use = \Junk
      }
      mailbox Sent {
        auto = subscribe
        special_use = \Sent
      }
      mailbox Trash {
        auto = subscribe
        special_use = \Trash
      }
      prefix =
    }
    protocol imap {
      mail_plugins = quota imap_quota
    }
    plugin {
      quota = maildir:User quota
    }

And the Dovecot LDAP:

    uris = ldaps://ucs01.domain.tld
    dn = cn=ldap-read,ou=Users,ou=domain,dc=domain,dc=tld
    dnpass = ***********
    tls_ca_cert_dir = /etc/ssl/certs/
    tls_require_cert = never
    auth_bind = yes
    ldap_version = 3
    base = ou=domain,dc=domain,dc=tld
    scope = subtree
    user_filter = (sAMAccountName=%Ln)
    pass_filter = (sAMAccountName=%Ln)
    iterate_attrs = uid=user
    iterate_filter = (objectClass=person)
    default_pass_scheme = CRYPT
  • Maybe try to add the rest of the users to the same group as vmail? Commented Oct 4, 2020 at 21:36
  • @AvivLo To do that, I have to create the users on the dovecot server and add them to the vmail group. It may work, but it does not scale and is not the basic idea behind the LDAP auth. Commented Oct 5, 2020 at 18:30
  • But LDAP auth is LDAP auth. Linux permissions are another thing. Commented Oct 5, 2020 at 18:33
  • I use SQL-based auth, with very similar settings to what you posted. Two differences: I have mail_privileged_group set to vmail, and I store my mail in /srv/vmail. Maybe try adding mail_privileged_group=vmail to your config? And moving your mail to /srv/vmail would let you limit how many directories your vmail user needs permissions to browse. Commented Oct 10, 2020 at 19:36

1 Answer


It seems to be common to fetch the numerical uid and gid for dovecot's virtual users' home and maildirs from the LDAP directory. That said, and since you do not have a prefetch setup, user/group information should be obtained using user_filter and user_attrs from dovecot-ldap.conf.ext.

I can only speculate, but I can find neither user_attrs nor pass_attrs in your dovecot-ldap.conf.ext file, and since dovecot's example configuration files usually contain the default settings, I had a look at dovecot-ldap.conf.ext from the official GitHub repo. It turns out it contains a numerical uid and gid mapping. Here goes; see the last line of the snippet.

    # User attributes are given in LDAP-name=dovecot-internal-name list. The
    # internal names are:
    #   uid - System UID
    #   gid - System GID
    #   home - Home directory
    #   mail - Mail location
    #
    # There are also other special fields which can be returned, see
    # http://wiki2.dovecot.org/UserDatabase/ExtraFields
    #user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid

So now on to the interesting part: do you happen to have the attributes uidNumber and gidNumber on the LDAP entities that you query (usually some person or account objectClass)? If so, please check whether the uid/gid values you observed in dovecot's vmail folder correspond to the values stored in LDAP.
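The following script is an added example, not code from the question or the answer. It reproduces the user_attrs mapping rule the answer points at on sample data: Dovecot's example dovecot-ldap.conf.ext ships user_attrs commented out with the value quoted above, so that mapping is the default when the setting is absent, and a uid/gid returned by the userdb overrides mail_uid/mail_gid. The config text is the one posted in the question; the LDAP entries are constructed to mirror the symptom (one user without uidNumber/gidNumber, one with them), and the explicit user_attrs line in FIXED_CONF is a suggested setting of mine that maps only home, using the static `=field=value` template form (assumed from Dovecot's LDAP documentation; %variables are not expanded here).

```python
"""Work out which LDAP attributes Dovecot's ldap userdb feeds into uid/gid.

Added example (not from the question or the answer).  The posted
dovecot-ldap.conf.ext has no user_attrs, so Dovecot's default mapping
applies and any uidNumber/gidNumber on the LDAP entry overrides
mail_uid/mail_gid.  LDAP entries below are constructed sample data.
"""

# Default from Dovecot's example dovecot-ldap.conf.ext (the commented line
# quoted in the answer is the built-in default when user_attrs is unset).
DEFAULT_USER_ATTRS = "homeDirectory=home,uidNumber=uid,gidNumber=gid"

# The poster's dovecot-ldap.conf.ext, with the bind password redacted as on the page.
POSTED_CONF = """\
uris = ldaps://ucs01.domain.tld
dn = cn=ldap-read,ou=Users,ou=domain,dc=domain,dc=tld
dnpass = ***********
tls_ca_cert_dir = /etc/ssl/certs/
tls_require_cert = never
auth_bind = yes
ldap_version = 3
base = ou=domain,dc=domain,dc=tld
scope = subtree
user_filter = (sAMAccountName=%Ln)
pass_filter = (sAMAccountName=%Ln)
iterate_attrs = uid=user
iterate_filter = (objectClass=person)
default_pass_scheme = CRYPT
"""

# Same file plus a suggested (assumed) user_attrs that maps only home, so
# uid/gid fall back to mail_uid/mail_gid.  '=field=value' is the static
# template form; this example does not expand the %d/%n variables.
FIXED_CONF = POSTED_CONF + "user_attrs = =home=/var/mail/vmail/%d/%n\n"

# Constructed LDAP entries mirroring the symptom in the question: 'du' has no
# RFC2307 attributes, 'sh' carries uidNumber/gidNumber from Samba AD.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "du", "homeDirectory": "/home/du"},
    {"sAMAccountName": "sh", "homeDirectory": "/home/sh",
     "uidNumber": "2035", "gidNumber": "5074"},
]


def parse_dovecot_ldap_conf(text):
    """Parse 'key = value' lines; '#' comments and blank lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def parse_user_attrs(spec):
    """Turn 'ldapAttr=field,...' into {field: ('ldap', ldapAttr)};
    an item starting with '=' is a static '=field=value' template."""
    mapping = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("="):
            field, _, value = item[1:].partition("=")
            mapping[field.strip()] = ("static", value.strip())
        else:
            ldap_attr, _, field = item.partition("=")
            # 'attr' alone means the Dovecot field is named like the attribute
            mapping[(field or ldap_attr).strip()] = ("ldap", ldap_attr.strip())
    return mapping


def resolve_userdb_fields(settings, entry):
    """Fields the userdb would return for one LDAP entry under these settings."""
    mapping = parse_user_attrs(settings.get("user_attrs", DEFAULT_USER_ATTRS))
    fields = {}
    for field, (kind, src) in mapping.items():
        if kind == "static":
            fields[field] = src
        elif src in entry:          # attribute missing -> field not returned
            fields[field] = entry[src]
    return fields


def check_entries(settings, entries, mail_uid="vmail", mail_gid="vmail"):
    """List (user, uid, gid) for entries whose userdb reply would override
    mail_uid/mail_gid with a different uid or gid."""
    mismatches = []
    for entry in entries:
        fields = resolve_userdb_fields(settings, entry)
        uid = fields.get("uid", mail_uid)
        gid = fields.get("gid", mail_gid)
        if (uid, gid) != (mail_uid, mail_gid):
            mismatches.append((entry["sAMAccountName"], uid, gid))
    return mismatches


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("with user_attrs", FIXED_CONF)):
        bad = check_entries(parse_dovecot_ldap_conf(conf), SAMPLE_ENTRIES)
        print(f"{label}: {bad or 'all users run as vmail:vmail'}")
```

Run against the posted file, the check reports `sh` as 2035:5074, which is exactly what `doveadm user sh` showed; with an explicit user_attrs that does not map uidNumber/gidNumber, every user falls back to mail_uid/mail_gid. The same check can be pointed at a real directory export to confirm the answer's question about which entries carry those attributes.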
