pk10 at ksiaznica.torun.pl
2011-Mar-24 12:45 UTC
[Samba] Problem with pam-auth and winbind
Hi, I am trying to use the winbind rule to authenticate users in the dovecot login procedure.

/etc/nsswitch.conf file:

passwd: files winbind
shadow: files winbind
group: files winbind

When I try to log on from my console to dovecot (pop3 server):

# telnet komp14 110
Trying 10.10.10.38...
Connected to komp.xxx.xxx (10.10.10.38).
Escape character is '^]'.
+OK Dovecot ready.
user tt1
+OK
pass xxxxxxxxx
-ERR Authentication failed.
quit
+OK Logging out
Connection closed by foreign host.

Of course the password is correct, because:

#wbinfo -K tt1
Enter tt1's password:
plaintext kerberos password authentication for [tt1] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

In the log files I can find the entries corresponding to the telnet command to dovecot:

/var/log/auth.log

Mar 23 10:37:50 komp14 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot rusertt1 rhost=10.10.10.38 user=tt1
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): [pamh: 0x15cfc80] ENTER: pam_sm_authenticate (flags: 0x0000)
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): [pamh: 0x15cfc80] STATE: ITEM(PAM_SERVICE) = "dovecot" (0x15cfe00)
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): [pamh: 0x15cfc80] STATE: ITEM(PAM_USER) = "tt1" (0x15cfe20)
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): [pamh: 0x15cfc80] STATE: ITEM(PAM_TTY) = "dovecot" (0x15cbfa0)
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): [pamh: 0x15cfc80] STATE: ITEM(PAM_RHOST) = "10.10.10.38" (0x15cbf60)
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): [pamh: 0x15cfc80] STATE: ITEM(PAM_RUSER) = "tt1" (0x15cbf80)
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): [pamh: 0x15cfc80] STATE: ITEM(PAM_AUTHTOK) = 0x15cc070
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): [pamh: 0x15cfc80] STATE: ITEM(PAM_CONV) = 0x15cfe40
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): getting password (0x00001011)
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): pam_get_item returned a password
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): Verify user 'tt1'
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): request wbcLogonUser succeeded
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): user 'tt1' granted access
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): Returned user was 'tt1'
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): [pamh: 0x15cfc80] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): [pamh: 0x15cfc80] STATE: ITEM(PAM_SERVICE) = "dovecot" (0x15cfe00)
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): [pamh: 0x15cfc80] STATE: ITEM(PAM_USER) = "tt1" (0x15d6d30)
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): [pamh: 0x15cfc80] STATE: ITEM(PAM_TTY) = "dovecot" (0x15cbfa0)
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): [pamh: 0x15cfc80] STATE: ITEM(PAM_RHOST) = "10.10.10.38" (0x15cbf60)
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): [pamh: 0x15cfc80] STATE: ITEM(PAM_RUSER) = "tt1" (0x15cbf80)
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): [pamh: 0x15cfc80] STATE: ITEM(PAM_AUTHTOK) = 0x15cc070
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): [pamh: 0x15cfc80] STATE: ITEM(PAM_CONV) = 0x15cfe40
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): [pamh: 0x15cfc80] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "WBP4" (0x15d6ed0)
Mar 23 10:37:50 komp14 dovecot-auth: PAM [pamh: 0x15cfc80] CLEAN: cleaning up PAM data 0x15d6ed0 (error_status = 7)

but in the dovecot log file /var/log/dovecot/info.log we have

Mar 23 10:37:50 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<tt1>, method=PLAIN, rip=10.10.10.38, lip=10.10.10.38, secured

I'd appreciate any hints.

but in the dovecot error log file /var/log/dovecot/error.log we have this information:

Mar 23 10:37:50 auth-worker(default): Error: pam(tt1,10.10.10.38): pam_acct_mgmt() failed: Authentication failure

This test was done with winbindd Version 3.5.3. When I test it on another machine with winbind Version 3.0.24 (the config files are the same), the authentication process completes properly.

Any HINTS????
From: pk10 at ksiaznica.torun.pl
Date: Thu, 24 Mar 2011 13:45:04 +0100 (CET)

> I am trying to use the winbind rule to authenticate users in the dovecot login procedure.

(snip)

> but in the dovecot log file /var/log/dovecot/info.log we have
> Mar 23 10:37:50 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<tt1>, method=PLAIN, rip=10.10.10.38, lip=10.10.10.38, secured
> I'd appreciate any hints.
> but in the dovecot error log file /var/log/dovecot/error.log we have this information:
> Mar 23 10:37:50 auth-worker(default): Error: pam(tt1,10.10.10.38): pam_acct_mgmt() failed: Authentication failure

"pam_acct_mgmt() failed" means that some "account" line failed. Please check the "debug" flag for the PAM modules on the "account" line and try again.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>
From: pk10 at ksiaznica.torun.pl
Date: Sat, 26 Mar 2011 11:32:01 +0100 (CET)

> I added the debug flag to PAM and then in the auth.log file I found:

(snip)

> Mar 25 20:01:45 komp14 dovecot-auth: pam_winbind(dovecot:auth): [pamh: 0x15cfc80] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)

(snip)

> Mar 25 20:01:45 komp14 dovecot-auth: pam_winbind(dovecot:auth): [pamh: 0x15cfc80] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "WBP2" (0x15d59a0)
> Mar 25 20:01:45 komp14 dovecot-auth: PAM [pamh: 0x15cfc80] CLEAN: cleaning up PAM data 0x15d59a0 (error_status = 7)
>
> The last row suggests that the problem is in PAM_WINBIND, I guess, and then cleaning
> data in PAM failed. Do you think I have to compile the newest version of SAMBA
> (3.5.8)?

This means that pam_winbind returned success but dovecot reported an error, perhaps(*).

* error_status = 7 means error??

Perhaps there may be a compatibility problem between pam_winbind and dovecot, but I do not know the details, sorry.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>
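
The diagnosis reached in the replies above (pam_winbind passes the auth stack, then Dovecot fails in pam_acct_mgmt()) can be read mechanically from the two logs. The following Python sketch is an added example, not part of the original thread; the function name `diagnose` and the call-to-stack table are assumptions of this example, and the sample lines are abridged from the logs quoted above.

```python
import re

# Abridged from the auth.log and dovecot error.log lines quoted in this thread.
SAMPLE_LOG = """\
Mar 23 10:37:50 komp14 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot rusertt1 rhost=10.10.10.38 user=tt1
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): [pamh: 0x15cfc80] ENTER: pam_sm_authenticate (flags: 0x0000)
Mar 23 10:37:50 komp14 dovecot-auth: pam_winbind(dovecot:auth): [pamh: 0x15cfc80] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Mar 23 10:37:50 auth-worker(default): Error: pam(tt1,10.10.10.38): pam_acct_mgmt() failed: Authentication failure
"""

# PAM call made by the application -> stack (type column) in /etc/pam.d/<service>
STACK_OF_CALL = {"pam_authenticate": "auth", "pam_setcred": "auth",
                 "pam_acct_mgmt": "account", "pam_open_session": "session",
                 "pam_chauthtok": "password"}

MODULE_RE = re.compile(r"(pam_\w+)\((\w+):(\w+)\): (.*)")   # module(service:stack): msg
LEAVE_RE = re.compile(r"LEAVE: (pam_sm_\w+) returning \d+ \((\w+)\)")
APP_RE = re.compile(r"pam\(([^,]+),([^)]+)\): (pam_\w+)\(\) failed")

def diagnose(log_text):
    """Correlate per-module PAM results with the PAM call the application saw fail."""
    results, app_failures, findings = {}, [], []   # results: (module, stack) -> outcome
    for line in log_text.splitlines():
        app = APP_RE.search(line)
        if app:
            app_failures.append(app.groups())
            continue
        mod = MODULE_RE.search(line)
        if not mod:
            continue
        module, _service, stack, msg = mod.groups()
        leave = LEAVE_RE.search(msg)
        if leave:
            results[(module, stack)] = leave.group(2)
        elif msg.startswith("authentication failure"):
            results[(module, stack)] = "FAILED"
    for user, rip, call in app_failures:
        stack = STACK_OF_CALL.get(call, "unknown")
        findings.append({
            "user": user, "rip": rip, "failed_call": call, "failed_stack": stack,
            "auth_passed_by": sorted(m for (m, s), r in results.items()
                                     if s == "auth" and r == "PAM_SUCCESS"),
            # An empty list means no module in the failing stack logged anything,
            # so "debug" is still missing on those lines of the service file.
            "failing_stack_logged": sorted(m for (m, s) in results if s == stack),
        })
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

For the thread's logs this reports that pam_winbind accepted the password in the auth stack while the failure came from the account stack, where no module logged anything.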