Re: Can't successfully test credentials I just created

Ann Onemouse <annonemouse@xxxxxx> · Mon, 17 Nov 2008 16:52:41 -0500

Hello, Dan, and other SASL experts.

A quick update: I have decided to try using SASL's PAM mechanism,  
since that's what seems to be setup by default.

So, I rebuild my system from scratch (it's just a Xen VM, after all),  
and installed all cyrus-sasl RPMs:
==================================
cyrus-sasl-ldap-2.1.22-4
cyrus-sasl-devel-2.1.22-4
cyrus-sasl-plain-2.1.22-4
cyrus-sasl-ntlm-2.1.22-4
cyrus-sasl-sql-2.1.22-4
cyrus-sasl-plain-2.1.22-4
cyrus-sasl-ntlm-2.1.22-4
cyrus-sasl-ldap-2.1.22-4
cyrus-sasl-lib-2.1.22-4
cyrus-sasl-2.1.22-4
cyrus-sasl-lib-2.1.22-4
cyrus-sasl-sql-2.1.22-4
cyrus-sasl-gssapi-2.1.22-4
cyrus-sasl-md5-2.1.22-4
cyrus-sasl-devel-2.1.22-4
cyrus-sasl-2.1.22-4
cyrus-sasl-md5-2.1.22-4
cyrus-sasl-gssapi-2.1.22-4
==================================

When I start up SASL with "service saslauthd start", here's what's  
running:
==================================
[root@emailrelay ~]# ps auxwww | grep sasl
root      4828  0.0  0.3  46648   804 ?        Ss   16:10   0:00 /usr/ 
sbin/saslauthd -m /var/run/saslauthd -a pam
==================================
It's using PAM, right? It should work with any shell account I create,  
right?

So,  I create a regular Unix shell account, set the password to  
'1234', and verify that I can login as the user in question.
==================================
ann@some-other-host:~> ssh relay@xxxxxxxxxxxxxxxxxxxxxxx
relay@xxxxxxxxxxxxxxxxxxxxxxx's password:  [ here I type '1234' ]
  Last login: Mon Nov 17 16:06:15 2008 from xxx.xxx.xxx.xxx
[relay@emailrelay ~]$
==================================
OK, shell login works. Later, if I can get this working, I will set  
the shell to "/sbin/nologin".

Now, at this point, SASL should authenticate against these credentials  
with no problem, right? So, why won't this work?
==================================
[root@emailrelay ~]# testsaslauthd -u relay -p 1234
0: NO "authentication failed"
==================================
   and from /var/log/messages...
==================================
Nov 17 16:47:49 emailrelay saslauthd[4831]: do_auth         : auth  
failure: [user=relay] [service=imap] [realm=] [mech=pam] [reason=PAM  
auth error]
==================================

OK, now I'm really baffled. Is the testsaslauthd broken? Am I using it  
incorrectly? What does the [service=imap] mean?

This use case seem dead simple, but is not working.   :(

Thanks for any insights,
- Ann