Can't successfully test credentials I just created

Patrick Ben Koetter p at state-of-mind.de
Mon Nov 17 17:01:01 EST 2008


* Ann Onemouse <annonemouse at me.com>:
> Hello, Dan, and other SASL experts.
>
> A quick update: I have decided to try using SASL's PAM mechanism, since
> that's what seems to be set up by default.
>
> So, I rebuilt my system from scratch (it's just a Xen VM, after all),
> and installed all cyrus-sasl RPMs:
> ==================================
> cyrus-sasl-ldap-2.1.22-4
> cyrus-sasl-devel-2.1.22-4
> cyrus-sasl-plain-2.1.22-4
> cyrus-sasl-ntlm-2.1.22-4
> cyrus-sasl-sql-2.1.22-4
> cyrus-sasl-plain-2.1.22-4
> cyrus-sasl-ntlm-2.1.22-4
> cyrus-sasl-ldap-2.1.22-4
> cyrus-sasl-lib-2.1.22-4
> cyrus-sasl-2.1.22-4
> cyrus-sasl-lib-2.1.22-4
> cyrus-sasl-sql-2.1.22-4
> cyrus-sasl-gssapi-2.1.22-4
> cyrus-sasl-md5-2.1.22-4
> cyrus-sasl-devel-2.1.22-4
> cyrus-sasl-2.1.22-4
> cyrus-sasl-md5-2.1.22-4
> cyrus-sasl-gssapi-2.1.22-4
> ==================================
>
> When I start up SASL with "service saslauthd start", here's what's  
> running:
> ==================================
> [root@emailrelay ~]# ps auxwww | grep sasl
> root      4828  0.0  0.3  46648   804 ?        Ss   16:10   0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
> ==================================
> It's using PAM, right? It should work with any shell account I create,  
> right?
>
> So,  I create a regular Unix shell account, set the password to '1234', 
> and verify that I can login as the user in question.
> ==================================
> ann@some-other-host:~> ssh relay@emailrelay.mydomain.com
> relay@emailrelay.mydomain.com's password:  [ here I type '1234' ]
>   Last login: Mon Nov 17 16:06:15 2008 from xxx.xxx.xxx.xxx
> [relay@emailrelay ~]$
> ==================================
> OK, shell login works. Later, if I can get this working, I will set the 
> shell to "/sbin/nologin".
>
>
> Now, at this point, SASL should authenticate against these credentials  
> with no problem, right? So, why won't this work?
> ==================================
> [root@emailrelay ~]# testsaslauthd -u relay -p 1234
> 0: NO "authentication failed"
> ==================================
>    and from /var/log/messages...
> ==================================
> Nov 17 16:47:49 emailrelay saslauthd[4831]: do_auth         : auth failure: [user=relay] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
> ==================================

Specify the service_name 'smtp' if you want to test SMTP AUTH setup with PAM:

# testsaslauthd -s smtp -u relay -p 1234

This tells PAM to use settings from /etc/pam.d/smtp and not from
/etc/pam.d/imap (if this file exists at all).

p at rick



>
> OK, now I'm really baffled. Is the testsaslauthd broken? Am I using it  
> incorrectly? What does the [service=imap] mean?
>
> This use case seems dead simple, but is not working.   :(
>
> Thanks for any insights,
> - Ann
>
>
>

-- 
All technical answers asked privately will be automatically answered on
the list and archived for public access unless privacy is explicitly
required and justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
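
Added example, not part of the original thread or of Cyrus SASL: a small shell check that reads the `[service=...]` and `[mech=...]` fields from a saslauthd failure line like the one quoted above and reports which PAM policy file that lookup would consult. The function names and the overridable `PAM_DIR` variable are assumptions made for this example; the fallback to the `other` file reflects Linux-PAM's behaviour when no per-service file exists.

```shell
#!/bin/sh
# Added example: map a saslauthd "auth failure" log line to the PAM file it used.
# PAM_DIR is a hypothetical override so the check can run against a copy of /etc/pam.d.
PAM_DIR="${PAM_DIR:-/etc/pam.d}"

# Print the value of one [key=value] field from a saslauthd log line.
sasl_field() {   # usage: sasl_field KEY LINE
    printf '%s\n' "$2" | sed -n "s/.*\[$1=\([^]]*\)].*/\1/p"
}

# Print the policy file PAM would read for a service name: the per-service
# file if it exists, else the "other" fallback, else "none".
pam_file_for() { # usage: pam_file_for SERVICE
    if [ -f "$PAM_DIR/$1" ]; then
        printf '%s\n' "$PAM_DIR/$1"
    elif [ -f "$PAM_DIR/other" ]; then
        printf '%s\n' "$PAM_DIR/other"
    else
        printf 'none\n'
    fi
}

# Summarise a failure line; only mech=pam lines involve a PAM service file.
explain_failure() { # usage: explain_failure LINE
    mech=$(sasl_field mech "$1")
    svc=$(sasl_field service "$1")
    user=$(sasl_field user "$1")
    if [ "$mech" != "pam" ]; then
        echo "mech=$mech: not a PAM lookup"
        return 1
    fi
    echo "user=$user service=$svc pam_file=$(pam_file_for "$svc")"
}

# Constructed sample: the log line from the post, joined onto one line.
SAMPLE='Nov 17 16:47:49 emailrelay saslauthd[4831]: do_auth         : auth failure: [user=relay] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]'
explain_failure "$SAMPLE"
```

If the reported file is the `other` fallback or a stack meant for a different daemon, rerun `testsaslauthd` with `-s` set to the service the mail server will actually use, as in the reply above.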

