Errors using PAM and saslauthd
Russell Gnann
rgnann at corp.pol.net
Tue Nov 26 17:30:37 EST 2002
Thanks for pointing out my typo. I had meant to use the sasl_pwcheck_method,
and I see why having that and the entry in Cyrus.conf would be redundant.
We are still having the same authentication issues. I meant to mention that we
are running under Solaris 8. The entries I have in the /etc/pam.conf are
imap auth sufficient /usr/lib/security/pam_method1.so.1
imap auth required /usr/lib/security/pam_method2.so.1
We don't reference the pam_unix.so.1 for attempts to authenticate with local
users when connecting to imap. Yet, when I trussed the saslauthd process
for the one valid login that can be done (user cyrus), the output showed
that pam_unix.so.1 was being opened, and it read the /etc/shadow file. I
can only assume it used it for authenticating that user. The cyrus user is
the only user capable of being authenticated via all 3 methods.
_______
Russell Gnann
UNIX Systems Administrator
Andrx Corp.
-----Original Message-----
From: Ken Murchison [mailto:ken at oceana.com]
Sent: Tuesday, November 26, 2002 2:58 PM
To: Russell Gnann
Cc: 'info-cyrus at lists.andrew.cmu.edu'
Subject: Re: Errors using PAM and saslauthd
Russell Gnann wrote:
>
> Hi,
>
> I am having some authentication issues using saslauthd -a pam. The
> errors that show up in the message log when a login attempt is made
> are
>
> imapd[13427]: [ID 702911 auth.error] auxpropfunc error -4
> imapd[13427]: [ID 702911 auth.debug] _sasl_plugin_load failed on
> sasl_auxprop_plug_init for plugin: sasldb
> saslauthd[12854]: [ID 308033 auth.debug] pam_acct_mgmt: error
> Permission denied
> saslauthd[12854]: [ID 308033 auth.debug] pam_acct_mgmt: error No
> account present for user
> saslauthd[12854]: [ID 226429 auth.debug] DEBUG: auth_pam:
> pam_acct_mgmt
> failed: Permission denied
> saslauthd[12854]: [ID 982738 auth.warning] AUTHFAIL: user=foo service=imap
> realm= [PAM acct error]
>
> We use a couple of in house PAM modules for authentication. On the
> same server that this cyrus installation is built, they work fine
> using a test application. We did a truss of saslauthd and noticed
> once it had completed the in house authentication it seemed to attempt
> authentication using the pam_unix.so.1. In fact we can authenticate
> using the user cyrus successfully, but other local users cannot
> since they fail on the in house PAM module (not that we want the other
> local users to authenticate).
>
> The imapd.conf we are using contains
>
> admins: cyrus
> allowanonymouslogin: no
> sasl_passwd_check: saslauthd
^^^^^^^^^^^^^^^^^^ This is not a valid option. You probably want
sasl_pwcheck_method, in which case having a Cyrus.conf file is redundant.
> allowplaintext: yes
>
> The Cyrus.conf for sasl2 contains
>
> pwcheck_method: saslauthd
>
> We are kind of lost on this end at the moment and any insight someone
> might provide would be greatly appreciated. Thanks for any help.
You probably need to specify a module for account management. Unless you
are doing something exotic, just use permit. Here is my
/etc/pam.d/imap:
#%PAM-1.0
auth sufficient /lib/security/pam_smb_auth.so
auth required /lib/security/pam_pwdb.so shadow nullok
account sufficient /lib/security/pam_permit.so
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
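
Added example, not part of the original thread: when a service has no pam.conf entry for a module type, PAM uses the entries of the "other" service, which is consistent with pam_unix.so.1 appearing in the truss output and with the pam_acct_mgmt failure. The sketch below resolves, per module type, which service's entries apply; the two imap lines are from the post, the "other" lines and all function names are assumptions made for illustration.

```python
MODULE_TYPES = ("auth", "account", "session", "password")

# Constructed sample: the imap lines are quoted from the post; the "other"
# lines are an assumption about the rest of the file, not Russell's pam.conf.
SAMPLE_PAM_CONF = """\
# service  type     control     module
imap   auth     sufficient  /usr/lib/security/pam_method1.so.1
imap   auth     required    /usr/lib/security/pam_method2.so.1
other  auth     required    /usr/lib/security/pam_unix.so.1
other  account  required    /usr/lib/security/pam_unix.so.1
"""

def parse_pam_conf(text):
    """Return {(service, type): [(control, module, options), ...]}."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue                          # malformed line: skip, do not guess
        service, mtype, control, module = fields[:4]
        stacks.setdefault((service, mtype), []).append(
            (control, module, fields[4:]))
    return stacks

def effective_stack(stacks, service, mtype):
    """Entries PAM would use for this type, plus the service they came from."""
    for source in (service, "other"):         # own entries first, then fallback
        if (source, mtype) in stacks:
            return source, stacks[(source, mtype)]
    return None, []

def fallback_report(text, service):
    """Map each module type to the service whose entries actually apply."""
    stacks = parse_pam_conf(text)
    return {t: effective_stack(stacks, service, t)[0] for t in MODULE_TYPES}

if __name__ == "__main__":
    for mtype, source in fallback_report(SAMPLE_PAM_CONF, "imap").items():
        print(f"imap {mtype:<9} -> {source or 'no entries'}")
```

Any type reported as "other" for imap is handled by modules the imap lines never named; giving imap its own account line, as Ken suggests, removes that fallback.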