postfix + cyrus-sasl + PAM + pam_ruby

Sean O'Malley omalleys at msu.edu
Thu Jul 23 09:27:55 EDT 2009 



On Wed, 22 Jul 2009, David van Geest wrote:

> Thanks Sean.  On my CentOS 5.2 system it's testsaslauthd:
>
> -bash-3.2# testsaslauthd -u <local_user> -p <pass> -r "127.0.0.1;234" -s
> system-auth
> 0: OK "Success."
>
> However, using pam_ruby:
>
> -bash-3.2# testsaslauthd -u <user> -p <pass> -r "127.0.0.1;234" -s smtp
> 0: NO "authentication failed"
>
> /var/log/messages has:
>
> Jul 22 16:44:10 ip-10-251-215-230 saslauthd[6419]: do_auth         :
> auth failure: [user=test] [service=smtp] [realm=127.0.0.1;234]
> [mech=pam] [reason=PAM auth error]
>
> I'm assuming this means everything is ok up to my /etc/pam.d/smtp
> file.... anywhere else I can look for more details on any PAM errors or
> errors with pam_ruby?

Try adding the debug flag to it ie in your pam.d/smtp file (it is usually
supported and it logs to like /var/log/debug or wherever syslog is making
it point to.)

account required pam_ruby.so debug
password required pam_ruby.so debug
auth required pam_ruby.so  debug
session required pam_ruby.so debug

I would probably turn debugging up on both sides ie saslauthd and mysql
then, step through them like:

auth required pam_ruby.so  debug
account required pam_permit.so debug
password required pam_permit.so debug
session required pam_permit.so debug

or you can use pam_unix instead of pam_permit so it grabs your local
duplicate local account info.

Sean


> However, playing around a bit more with sasl2-sample-server/client I get
> different results:
> sasl2-sample-server -s system-auth -p8000
> ......
> performing SASL negotiation: user not foundclosing connection
>
>
> sasl2-sample-client -s system-auth -p 8000 -m LOGIN localhost
> receiving capability list... recv: {53}
> CRAM-MD5 ANONYMOUS NTLM LOGIN PLAIN DIGEST-MD5 GSSAPI
> CRAM-MD5 ANONYMOUS NTLM LOGIN PLAIN DIGEST-MD5 GSSAPI
> send: {5}
> LOGIN
> send: {1}
> N
> recv: {9}
> Username:
> please enter an authentication id: <user>
> Password:
> send: {4}
> <user>
> recv: {9}
> Password:
> send: {9}
> <password>
> authentication failed
> closing connection
>
> -David
>
>
>
>
>
>
>

--------------------------------------
  Sean O'Malley, Information Technologist
  Michigan State University
-------------------------------------

More information about the Cyrus-sasl mailing list