postfix + cyrus-sasl + PAM + pam_ruby

David van Geest davidv at spindance.com
Thu Jul 23 11:59:17 EDT 2009


Sean O'Malley wrote:
>
> On Wed, 22 Jul 2009, David van Geest wrote:
>
>   
>> Thanks Sean.  On my CentOS 5.2 system it's testsaslauthd:
>>
>> -bash-3.2# testsaslauthd -u <local_user> -p <pass> -r "127.0.0.1;234" -s system-auth
>> 0: OK "Success."
>>
>> However, using pam_ruby:
>>
>> -bash-3.2# testsaslauthd -u <user> -p <pass> -r "127.0.0.1;234" -s smtp
>> 0: NO "authentication failed"
>>
>> /var/log/messages has:
>>
>> Jul 22 16:44:10 ip-10-251-215-230 saslauthd[6419]: do_auth         : auth failure: [user=test] [service=smtp] [realm=127.0.0.1;234] [mech=pam] [reason=PAM auth error]
>>
>> I'm assuming this means everything is ok up to my /etc/pam.d/smtp
>> file.... anywhere else I can look for more details on any PAM errors or
>> errors with pam_ruby?
>>     
>
> Try adding the debug flag to it ie in your pam.d/smtp file (it is usually
> supported and it logs to like /var/log/debug or wherever syslog is making
> it point to.)
>
> account required pam_ruby.so debug
> password required pam_ruby.so debug
> auth required pam_ruby.so  debug
> session required pam_ruby.so debug
>   
Sean, thanks for the suggestions.

pam_ruby apparently doesn't support the debug argument; I get no more 
logging than I did before, and hunting through the module source I see no 
mention of any debug functionality.
> I would probably turn debugging up on both sides ie saslauthd and mysql
> then, step through them like:
>
> auth required pam_ruby.so  debug
> account required pam_permit.so debug
> password required pam_permit.so debug
> session required pam_permit.so debug
>
> or you can use pam_unix instead of pam_permit so it grabs your local
> duplicate local account info.
>
>   
Just so we're clear, I'm not actually using any mysql yet, the pam_ruby 
module just calls the sample script from the pam_ruby website which 
checks username and password against a text file.

Changed my /etc/pam.d/smtp to the following:

#%PAM-1.0
auth       required     /lib/security/pam_ruby.so /lib/security/ruby/simple2.rb /tmp/passwd debug
account    required     pam_permit.so debug
password   required     pam_permit.so debug
session    required     pam_permit.so debug

I stopped the saslauthd service and ran saslauthd, then tried 
"testsaslauthd -u test -p testpass -r "127.0.0.1;234" -s smtp".  Here's 
the saslauthd debug output:

-bash-3.2# saslauthd -a pam -d
saslauthd[1636] :main            : num_procs  : 5
saslauthd[1636] :main            : mech_option: NULL
saslauthd[1636] :main            : run_path   : /var/run/saslauthd
saslauthd[1636] :main            : auth_mech  : pam
saslauthd[1636] :ipc_init        : using accept lock file: /var/run/saslauthd/mux.accept
saslauthd[1636] :detach_tty      : master pid is: 0
saslauthd[1636] :ipc_init        : listening on socket: /var/run/saslauthd/mux
saslauthd[1636] :main            : using process model
saslauthd[1637] :get_accept_lock : acquired accept lock
saslauthd[1636] :have_baby       : forked child: 1637
saslauthd[1636] :have_baby       : forked child: 1638
saslauthd[1636] :have_baby       : forked child: 1639
saslauthd[1636] :have_baby       : forked child: 1640
saslauthd[1637] :rel_accept_lock : released accept lock
saslauthd[1637] :do_auth         : auth failure: [user=test] [service=smtp] [realm=127.0.0.1;234] [mech=pam] [reason=PAM auth error]
saslauthd[1637] :get_accept_lock : acquired accept lock

Still not getting anywhere.  Any ideas?
Thanks,
-David