I'm setting up a postfix server using "The Book of Postfix". In ch 15 there is a section on testing saslauthd which I can't get to work. I can get it to work using shadow password authentication, but it fails on pam. I don't know squat about troubleshooting pam. Any PAM whizzes out there that can help? I saw an unrelated post talking about something needing to be in the pam sasl group. Had no idea what that meant. sasl isn't a user, or group.
I set up and try:

  saslauthd -m /var/run/saslauthd -a pam -d
  sasl2-sample-server -s rcmd -p 8000
  sasl2-sample-client -s rcmd -p 8000 -m LOGIN 127.0.0.1
If I set "-a shadow" it works. So I assume I have saslauthd working at least.
But, if I set "-a pam" as listed above, it fails.
I believe it may be a PAM issue, could be sasl, but I'm hoping maybe someone will see the easy answer.
I have in /etc/pam.d/smtp:

  #%PAM-1.0
  auth       required     pam_stack.so service=system-auth
  account    required     pam_stack.so service=system-auth

Also:

  # saslauthd -v
  saslauthd 2.1.19
  authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap

And /usr/lib/sasl2/smtpd.conf (also linked to sample.conf):

  # cat smtpd.conf
  loglevel: 7
  pwcheck_method: saslauthd
  mech_list: PLAIN LOGIN
Here are the results of a failed attempt:
-------------------------------------
# saslauthd -m /var/run/saslauthd -a pam -d
saslauthd[3176] :main            : num_procs  : 5
saslauthd[3176] :main            : mech_option: NULL
saslauthd[3176] :main            : run_path   : /var/run/saslauthd
saslauthd[3176] :main            : auth_mech  : pam
saslauthd[3176] :ipc_init        : using accept lock file: /var/run/saslauthd/mux.accept
saslauthd[3176] :detach_tty      : master pid is: 0
saslauthd[3176] :ipc_init        : listening on socket: /var/run/saslauthd/mux
saslauthd[3176] :main            : using process model
saslauthd[3177] :get_accept_lock : acquired accept lock
saslauthd[3176] :have_baby       : forked child: 3177
saslauthd[3176] :have_baby       : forked child: 3178
saslauthd[3176] :have_baby       : forked child: 3179
saslauthd[3176] :have_baby       : forked child: 3180
saslauthd[3177] :rel_accept_lock : released accept lock
saslauthd[3177] :do_auth         : auth failure: [user=testuser] [service=rcmd] [realm=] [mech=pam] [reason=PAM auth error]

# sasl2-sample-server -s rcmd -p 8000
trying 2, 1, 6
trying 10, 1, 6
socket: Address family not supported by protocol
accepted new connection
send: {11} PLAIN LOGIN
recv: {5} LOGIN
recv: {1} N
send: {9} Username:
recv: {7} testuser
send: {9} Password:
recv: {6} xxxxxx
performing SASL negotiation: authentication failure
closing connection

# sasl2-sample-client -s rcmd -p 8000 -m LOGIN 127.0.0.1
receiving capability list...
recv: {11} PLAIN LOGIN
PLAIN LOGIN
send: {5} LOGIN
send: {1} N
recv: {9} Username:
please enter an authentication id: testuser
Password:
send: {7} testuser
recv: {9} Password:
send: {6} xxxxxx
authentication failed
closing connection
--------------
# From syslog:
Sep 19 09:33:45 tn1 saslauthd[3209]: main            : num_procs  : 5
Sep 19 09:33:45 tn1 saslauthd[3209]: main            : mech_option: NULL
Sep 19 09:33:45 tn1 saslauthd[3209]: main            : run_path   : /var/run/saslauthd
Sep 19 09:33:45 tn1 saslauthd[3209]: main            : auth_mech  : pam
Sep 19 09:33:45 tn1 saslauthd[3209]: ipc_init        : using accept lock file: /var/run/saslauthd/mux.accept
Sep 19 09:33:45 tn1 saslauthd[3209]: detach_tty      : master pid is: 0
Sep 19 09:33:45 tn1 saslauthd[3209]: ipc_init        : listening on socket: /var/run/saslauthd/mux
Sep 19 09:33:45 tn1 saslauthd[3209]: main            : using process model
Sep 19 09:33:45 tn1 saslauthd[3210]: get_accept_lock : acquired accept lock
Sep 19 09:33:45 tn1 saslauthd[3209]: have_baby       : forked child: 3210
Sep 19 09:33:45 tn1 saslauthd[3209]: have_baby       : forked child: 3211
Sep 19 09:33:45 tn1 saslauthd[3209]: have_baby       : forked child: 3212
Sep 19 09:33:45 tn1 saslauthd[3209]: have_baby       : forked child: 3213
Sep 19 09:34:03 tn1 saslauthd[3210]: rel_accept_lock : released accept lock
Sep 19 09:34:03 tn1 saslauthd[3210]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Sep 19 09:34:03 tn1 saslauthd[3210]: do_auth         : auth failure: [user=testuser] [service=rcmd] [realm=] [mech=pam] [reason=PAM auth error]
Sep 19 09:34:03 tn1 saslauthd[3210]: get_accept_lock : acquired accept lock
I think the part you're missing is the PAM mechanism. If you're going to use "rcmd" as the service, then you need to have an /etc/pam.d/rcmd to tell SASL w/ PAM where to look for authentication information. Better yet, use '-s smtp' to have sasl2-sample-server look at /etc/pam.d/smtp for PAM configuration instead of 'rcmd'. This should just work for you.
Are you stuck elsewhere with the postfix+SASL stack or is this as far as you've gotten? Let me know.
-- Jason
On Monday 19 September 2005 10:55, scott.list wrote:
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
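The following is an added example, not from Jason or Scott or from the cyrus-sasl project, that makes the check Jason describes explicit. saslauthd's pam backend hands PAM the SASL service name (the -s value of the sample programs, "smtp" when Postfix's smtpd is the real caller), and Linux-PAM looks for /etc/pam.d/<service>; when that file does not exist it falls back to /etc/pam.d/other, which on a CentOS system is a pam_deny stack, so every authentication fails with exactly the "PAM auth error" seen in the log above. The script builds a stand-in pam.d directory in a temp dir (the smtp stack is the one Scott posted; the "other" stack is assumed to be the CentOS default pam_deny stack) and resolves which file PAM would use for each service name. The testsaslauthd command in the trailing comment ships with cyrus-sasl and is a simpler way to exercise saslauthd than the sample server/client pair.

```sh
#!/bin/sh
# Added example: which PAM service file does "saslauthd -a pam" end up using
# for a given SASL service name? Linux-PAM reads /etc/pam.d/<service> and,
# when that file is missing, /etc/pam.d/other (a pam_deny stack on CentOS).

# Resolve the config file Linux-PAM will consult for a service name.
# $1 = pam.d directory, $2 = PAM service name. Prints the path; returns 0 when
# the service has its own file and 1 when it falls through to "other".
pam_service_file() {
    pamd="$1"
    svc="$2"
    if [ -f "$pamd/$svc" ]; then
        printf '%s\n' "$pamd/$svc"
        return 0
    fi
    printf '%s\n' "$pamd/other"
    return 1
}

# Build a constructed stand-in for /etc/pam.d (a temp dir, not the real system
# directory) that mirrors the box in the thread: an smtp stack exists, there is
# no rcmd stack, and "other" denies everything (assumed CentOS default).
make_sample_pamd() {
    dir=$(mktemp -d)
    cat > "$dir/smtp" <<'EOF'
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
EOF
    cat > "$dir/other" <<'EOF'
#%PAM-1.0
auth     required       pam_deny.so
account  required       pam_deny.so
EOF
    printf '%s\n' "$dir"
}

# Report, for each SASL service name given, which PAM stack will be evaluated.
check_services() {
    pamd="$1"
    shift
    for svc in "$@"; do
        if f=$(pam_service_file "$pamd" "$svc"); then
            echo "service=$svc -> $f (own stack)"
        else
            echo "service=$svc -> $f (no $pamd/$svc, falls back to 'other': pam_deny)"
        fi
    done
}

sample=$(make_sample_pamd)
check_services "$sample" rcmd smtp
rm -rf "$sample"

# Once the service name is one that has a stack (smtp), test saslauthd directly
# against its socket instead of going through sasl2-sample-server/client:
#   testsaslauthd -u testuser -p 'xxxxxx' -s smtp -f /var/run/saslauthd/mux
```

Run against the real system, replace the constructed directory with /etc/pam.d; the "rcmd" line is the failure in the thread, and the "smtp" line is the fix.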
Thanks very much for the time to help Jason.
That was as far as I got. I diligently stopped right there wanting to get that right before proceeding to take my working mail down <smile>.
Someone else also pointed out my misunderstanding as you described above. I swapped rcmd to smtp and all was well. I was following the Book of Postfix examples literally, but I didn't see anything to make me think to do otherwise. With the help I got from the other person and now you, too, I was able to get it going. So I have that part behind me and working.
Thanks again for the help.
Best, Scott