Re: postfix + cyrus-sasl + PAM + pam_ruby

Sean O'Malley wrote:

On Wed, 22 Jul 2009, David van Geest wrote:

Thanks Sean.  On my CentOS 5.2 system it's testsaslauthd:

-bash-3.2# testsaslauthd -u <local_user> -p <pass> -r "127.0.0.1;234" -s system-auth
0: OK "Success."

However, using pam_ruby:

-bash-3.2# testsaslauthd -u <user> -p <pass> -r "127.0.0.1;234" -s smtp
0: NO "authentication failed"

/var/log/messages has:

Jul 22 16:44:10 ip-10-251-215-230 saslauthd[6419]: do_auth         : auth failure: [user=test] [service=smtp] [realm=127.0.0.1;234] [mech=pam] [reason=PAM auth error]

I'm assuming this means everything is ok up to my /etc/pam.d/smtp
file.... anywhere else I can look for more details on any PAM errors or
errors with pam_ruby?

Try adding the debug flag to it, i.e. in your pam.d/smtp file (it is usually
supported and it logs to like /var/log/debug or wherever syslog is making
it point to.)

account required pam_ruby.so debug
password required pam_ruby.so debug
auth required pam_ruby.so  debug
session required pam_ruby.so debug

Sean, thanks for the suggestions.

pam_ruby apparently doesn't support the debug argument; I get no more logging than I did before, and hunting through the module source I see no mention of any debug functionality.

I would probably turn debugging up on both sides, i.e. saslauthd and mysql,
then step through them like:

auth required pam_ruby.so  debug
account required pam_permit.so debug
password required pam_permit.so debug
session required pam_permit.so debug

or you can use pam_unix instead of pam_permit so it grabs your local
duplicate local account info.

Just so we're clear, I'm not actually using any mysql yet, the pam_ruby module just calls the sample script from the pam_ruby website which checks username and password against a text file.

Changed my /etc/pam.d/smtp to the following:
#%PAM-1.0
auth required /lib/security/pam_ruby.so /lib/security/ruby/simple2.rb /tmp/passwd debug
account    required     pam_permit.so debug
password   required     pam_permit.so debug
session    required     pam_permit.so debug

I stopped the saslauthd service and ran saslauthd, then tried "testsaslauthd -u test -p testpass -r"127.0.0.1;234" -s smtp". Here's the saslauthd debug output:
-bash-3.2# saslauthd -a pam -d
saslauthd[1636] :main            : num_procs  : 5
saslauthd[1636] :main            : mech_option: NULL
saslauthd[1636] :main            : run_path   : /var/run/saslauthd
saslauthd[1636] :main            : auth_mech  : pam
saslauthd[1636] :ipc_init : using accept lock file: /var/run/saslauthd/mux.accept
saslauthd[1636] :detach_tty      : master pid is: 0
saslauthd[1636] :ipc_init : listening on socket: /var/run/saslauthd/mux
saslauthd[1636] :main            : using process model
saslauthd[1637] :get_accept_lock : acquired accept lock
saslauthd[1636] :have_baby       : forked child: 1637
saslauthd[1636] :have_baby       : forked child: 1638
saslauthd[1636] :have_baby       : forked child: 1639
saslauthd[1636] :have_baby       : forked child: 1640
saslauthd[1637] :rel_accept_lock : released accept lock
saslauthd[1637] :do_auth : auth failure: [user=test] [service=smtp] [realm=127.0.0.1;234] [mech=pam] [reason=PAM auth error]
saslauthd[1637] :get_accept_lock : acquired accept lock

Still not getting anywhere.  Any ideas?
Thanks,
-David
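
Added example, not part of the original messages: a small Python parser for the saslauthd "auth failure" lines quoted in this thread, handling both the syslog form and the "saslauthd -d" console form, and counting failures per (service, mech, reason). The function names are illustrative; the sample lines are the ones quoted above.

```python
import re
from collections import Counter

# Matches both forms seen in the thread:
#   syslog:  "... saslauthd[6419]: do_auth         : auth failure: [...]"
#   -d mode: "saslauthd[1637] :do_auth : auth failure: [...]"
FAILURE_RE = re.compile(
    r"saslauthd\[(?P<pid>\d+)\]\s*:\s*do_auth\s*:\s*auth failure:\s*(?P<rest>.*)"
)
# Each detail is logged as [key=value]. The user value comes from the
# client, so treat it as untrusted text when reporting on it.
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")


def parse_failure(line):
    """Return the fields of a saslauthd auth-failure line, or None."""
    m = FAILURE_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    fields["pid"] = int(m.group("pid"))
    return fields


def summarize(lines):
    """Count failures per (service, mech, reason)."""
    counts = Counter()
    for line in lines:
        rec = parse_failure(line)
        if rec:
            counts[(rec.get("service"), rec.get("mech"), rec.get("reason"))] += 1
    return counts


# Sample input: lines quoted in the messages above.
SAMPLE = [
    "Jul 22 16:44:10 ip-10-251-215-230 saslauthd[6419]: do_auth         : "
    "auth failure: [user=test] [service=smtp] [realm=127.0.0.1;234] "
    "[mech=pam] [reason=PAM auth error]",
    "saslauthd[1637] :do_auth : auth failure: [user=test] [service=smtp] "
    "[realm=127.0.0.1;234] [mech=pam] [reason=PAM auth error]",
    "saslauthd[1637] :get_accept_lock : acquired accept lock",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, key)
```

Both sample failures carry the same reason string, so the saslauthd side only tells you which PAM service and mechanism were used, not which module in the stack rejected the login.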


