CentOS - Sep 2005 - pam and sasl2-sample-server failure

I'm setting up a postfix server using "The Book of Postfix".  In
ch 15
there is a section on testing saslauthd which I can't get to work.  I
can get it to work using shadow password authentication, but it fails
on pam.  I don't kow squat about troubleshooting pam.  Any PAM wizzes
out there that can help?  I saw a unrelated post talking about
something needing to be in the pam sasl group.  Had no idea what that
meant.  sasl ins't a user, or group.

I setup and try

saslauthd -m /var/run/saslauthd -a pam -d
sasl2-sample-server -s rcmd -p 8000
sasl2-sample-client -s rcmd -p 8000 -m LOGIN 127.0.0.1

If I set "-a shadow" it works.  So I assume I have saslauthd working
at least.

But, if I set "-a pam" as listed above, it fails

I believe it may be a PAM issue, could be sasl, but I'm hoping maybe
someone will see the easy answer.

I have in /etc/pam.d/smtp
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth

Also:
# saslauthd -v
saslauthd 2.1.19
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap

And /usr/lib/sasl2/smtpd.conf  (also linked to sample.conf)
# cat smtpd.conf
loglevel: 7
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Here are the results of a failed attempt:
-------------------------------------

# saslauthd -m /var/run/saslauthd -a pam -d
saslauthd[3176] :main            : num_procs  : 5
saslauthd[3176] :main            : mech_option: NULL
saslauthd[3176] :main            : run_path   : /var/run/saslauthd
saslauthd[3176] :main            : auth_mech  : pam
saslauthd[3176] :ipc_init        : using accept lock file:
/var/run/saslauthd/mux.accept
saslauthd[3176] :detach_tty      : master pid is: 0
saslauthd[3176] :ipc_init        : listening on socket:
/var/run/saslauthd/mux
saslauthd[3176] :main            : using process model
saslauthd[3177] :get_accept_lock : acquired accept lock
saslauthd[3176] :have_baby       : forked child: 3177
saslauthd[3176] :have_baby       : forked child: 3178
saslauthd[3176] :have_baby       : forked child: 3179
saslauthd[3176] :have_baby       : forked child: 3180
saslauthd[3177] :rel_accept_lock : released accept lock
saslauthd[3177] :do_auth         : auth failure: [user=testuser]
[service=rcmd] [realm=] [mech=pam] [reason=PAM auth error]

# sasl2-sample-server -s rcmd -p 8000
trying 2, 1, 6
trying 10, 1, 6
socket: Address family not supported by protocol
accepted new connection
send: {11}
PLAIN LOGIN
recv: {5}
LOGIN
recv: {1}
N
send: {9}
Username:
recv: {7}
testuser
send: {9}
Password:
recv: {6}
xxxxxx
performing SASL negotiation: authentication failureclosing connection


# sasl2-sample-client -s rcmd -p 8000 -m LOGIN 127.0.0.1
receiving capability list... recv: {11}
PLAIN LOGIN
PLAIN LOGIN
send: {5}
LOGIN
send: {1}
N
recv: {9}
Username:
please enter an authentication id: testuser
Password:
send: {7}
testuser
recv: {9}
Password:
send: {6}
xxxxxx
authentication failed
closing connection

--------------
# From syslog:

Sep 19 09:33:45 tn1 saslauthd[3209]: main            : num_procs  : 5
Sep 19 09:33:45 tn1 saslauthd[3209]: main            : mech_option:
NULL
Sep 19 09:33:45 tn1 saslauthd[3209]: main            : run_path   :
/var/run/saslauthd
Sep 19 09:33:45 tn1 saslauthd[3209]: main            : auth_mech  :
pam
Sep 19 09:33:45 tn1 saslauthd[3209]: ipc_init        : using accept
lock file: /var/run/saslauthd/mux.accept
Sep 19 09:33:45 tn1 saslauthd[3209]: detach_tty      : master pid is:
0
Sep 19 09:33:45 tn1 saslauthd[3209]: ipc_init        : listening on
socket: /var/run/saslauthd/mux
Sep 19 09:33:45 tn1 saslauthd[3209]: main            : using process
model
Sep 19 09:33:45 tn1 saslauthd[3210]: get_accept_lock : acquired accept
lock
Sep 19 09:33:45 tn1 saslauthd[3209]: have_baby       : forked child:
3210
Sep 19 09:33:45 tn1 saslauthd[3209]: have_baby       : forked child:
3211
Sep 19 09:33:45 tn1 saslauthd[3209]: have_baby       : forked child:
3212
Sep 19 09:33:45 tn1 saslauthd[3209]: have_baby       : forked child:
3213
Sep 19 09:34:03 tn1 saslauthd[3210]: rel_accept_lock : released accept
lock
Sep 19 09:34:03 tn1 saslauthd[3210]: DEBUG: auth_pam: pam_authenticate
failed: Authentication failure
Sep 19 09:34:03 tn1 saslauthd[3210]: do_auth         : auth failure:
[user=testuser] [service=rcmd] [realm=] [mech=pam] [reason=PAM auth
error]
Sep 19 09:34:03 tn1 saslauthd[3210]: get_accept_lock : acquired accept
lock

I think the part your missing is the PAM mechanism.  If you're going to use 
"rcmd" as the service, then you need to have an /etc/pam.d/rcmd to
tell SASL
w/ PAM where to look for authentication information.  Better yet, use '-s 
smtp' to have sasl2-sample-server look at /etc/pam.d/smtp for PAM 
configuration instead of 'rcmd'.  This should just work for you.  

Are you stuck elsewhere with the postfix+SASL stack or is this as far as 
you've gotten?  Let me know.  

-- Jason



On Monday 19 September 2005 10:55, scott.list wrote:
> I'm setting up a postfix server using "The Book of Postfix". 
In ch 15
> there is a section on testing saslauthd which I can't get to work.  I
> can get it to work using shadow password authentication, but it fails
> on pam.  I don't kow squat about troubleshooting pam.  Any PAM wizzes
> out there that can help?  I saw a unrelated post talking about
> something needing to be in the pam sasl group.  Had no idea what that
> meant.  sasl ins't a user, or group.
>
> I setup and try
>
> saslauthd -m /var/run/saslauthd -a pam -d
> sasl2-sample-server -s rcmd -p 8000
> sasl2-sample-client -s rcmd -p 8000 -m LOGIN 127.0.0.1
>
> If I set "-a shadow" it works.  So I assume I have saslauthd
working
> at least.
>
> But, if I set "-a pam" as listed above, it fails
>
> I believe it may be a PAM issue, could be sasl, but I'm hoping maybe
> someone will see the easy answer.
>
> I have in /etc/pam.d/smtp
> #%PAM-1.0
> auth       required     pam_stack.so service=system-auth
> account    required     pam_stack.so service=system-auth
>
> Also:
> # saslauthd -v
> saslauthd 2.1.19
> authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
>
> And /usr/lib/sasl2/smtpd.conf  (also linked to sample.conf)
> # cat smtpd.conf
> loglevel: 7
> pwcheck_method: saslauthd
> mech_list: PLAIN LOGIN
>
> Here are the results of a failed attempt:
> -------------------------------------
>
> # saslauthd -m /var/run/saslauthd -a pam -d
> saslauthd[3176] :main            : num_procs  : 5
> saslauthd[3176] :main            : mech_option: NULL
> saslauthd[3176] :main            : run_path   : /var/run/saslauthd
> saslauthd[3176] :main            : auth_mech  : pam
> saslauthd[3176] :ipc_init        : using accept lock file:
> /var/run/saslauthd/mux.accept
> saslauthd[3176] :detach_tty      : master pid is: 0
> saslauthd[3176] :ipc_init        : listening on socket:
> /var/run/saslauthd/mux
> saslauthd[3176] :main            : using process model
> saslauthd[3177] :get_accept_lock : acquired accept lock
> saslauthd[3176] :have_baby       : forked child: 3177
> saslauthd[3176] :have_baby       : forked child: 3178
> saslauthd[3176] :have_baby       : forked child: 3179
> saslauthd[3176] :have_baby       : forked child: 3180
> saslauthd[3177] :rel_accept_lock : released accept lock
> saslauthd[3177] :do_auth         : auth failure: [user=testuser]
> [service=rcmd] [realm=] [mech=pam] [reason=PAM auth error]
>
> # sasl2-sample-server -s rcmd -p 8000
> trying 2, 1, 6
> trying 10, 1, 6
> socket: Address family not supported by protocol
> accepted new connection
> send: {11}
> PLAIN LOGIN
> recv: {5}
> LOGIN
> recv: {1}
> N
> send: {9}
> Username:
> recv: {7}
> testuser
> send: {9}
> Password:
> recv: {6}
> xxxxxx
> performing SASL negotiation: authentication failureclosing connection
>
>
> # sasl2-sample-client -s rcmd -p 8000 -m LOGIN 127.0.0.1
> receiving capability list... recv: {11}
> PLAIN LOGIN
> PLAIN LOGIN
> send: {5}
> LOGIN
> send: {1}
> N
> recv: {9}
> Username:
> please enter an authentication id: testuser
> Password:
> send: {7}
> testuser
> recv: {9}
> Password:
> send: {6}
> xxxxxx
> authentication failed
> closing connection
>
> --------------
> # From syslog:
>
> Sep 19 09:33:45 tn1 saslauthd[3209]: main            : num_procs  : 5
> Sep 19 09:33:45 tn1 saslauthd[3209]: main            : mech_option:
> NULL
> Sep 19 09:33:45 tn1 saslauthd[3209]: main            : run_path   :
> /var/run/saslauthd
> Sep 19 09:33:45 tn1 saslauthd[3209]: main            : auth_mech  :
> pam
> Sep 19 09:33:45 tn1 saslauthd[3209]: ipc_init        : using accept
> lock file: /var/run/saslauthd/mux.accept
> Sep 19 09:33:45 tn1 saslauthd[3209]: detach_tty      : master pid is:
> 0
> Sep 19 09:33:45 tn1 saslauthd[3209]: ipc_init        : listening on
> socket: /var/run/saslauthd/mux
> Sep 19 09:33:45 tn1 saslauthd[3209]: main            : using process
> model
> Sep 19 09:33:45 tn1 saslauthd[3210]: get_accept_lock : acquired accept
> lock
> Sep 19 09:33:45 tn1 saslauthd[3209]: have_baby       : forked child:
> 3210
> Sep 19 09:33:45 tn1 saslauthd[3209]: have_baby       : forked child:
> 3211
> Sep 19 09:33:45 tn1 saslauthd[3209]: have_baby       : forked child:
> 3212
> Sep 19 09:33:45 tn1 saslauthd[3209]: have_baby       : forked child:
> 3213
> Sep 19 09:34:03 tn1 saslauthd[3210]: rel_accept_lock : released accept
> lock
> Sep 19 09:34:03 tn1 saslauthd[3210]: DEBUG: auth_pam: pam_authenticate
> failed: Authentication failure
> Sep 19 09:34:03 tn1 saslauthd[3210]: do_auth         : auth failure:
> [user=testuser] [service=rcmd] [realm=] [mech=pam] [reason=PAM auth
> error]
> Sep 19 09:34:03 tn1 saslauthd[3210]: get_accept_lock : acquired accept
> lock
>
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos