postfix + cyrus-sasl + PAM + pam_ruby

David van Geest davidv at
Thu Jul 23 11:59:17 EDT 2009

Sean O'Malley wrote:
> On Wed, 22 Jul 2009, David van Geest wrote:
>> Thanks Sean.  On my CentOS 5.2 system it's testsaslauthd:
>> -bash-3.2# testsaslauthd -u <local_user> -p <pass> -r ";234" -s
>> system-auth
>> 0: OK "Success."
>> However, using pam_ruby:
>> -bash-3.2# testsaslauthd -u <user> -p <pass> -r ";234" -s smtp
>> 0: NO "authentication failed"
>> /var/log/messages has:
>> Jul 22 16:44:10 ip-10-251-215-230 saslauthd[6419]: do_auth         :
>> auth failure: [user=test] [service=smtp] [realm=;234]
>> [mech=pam] [reason=PAM auth error]
>> I'm assuming this means everything is ok up to my /etc/pam.d/smtp
>> file.... anywhere else I can look for more details on any PAM errors or
>> errors with pam_ruby?
> Try adding the debug flag to it ie in your pam.d/smtp file (it is usually
> supported and it logs to like /var/log/debug or wherever syslog is making
> it point to.)
> account required debug
> password required debug
> auth required  debug
> session required debug
Sean, thanks for the suggestions.

pam_ruby apparently doesn't support the debug argument, I get no more 
logging than I did before and hunting through the module source I see no 
mention of any debug functionality.
> I would probably turn debugging up on both sides ie saslauthd and mysql
> then, step through them like:
> auth required  debug
> account required debug
> password required debug
> session required debug
> or you can use pam_unix instead of pam_permit so it grabs your local
> duplicate local account info.
Just so we're clear, I'm not actually using any mysql yet, the pam_ruby 
module just calls the sample script from the pam_ruby website which 
checks username and password against a text file.

Changed my /etc/pam.d/smtp to the following:
auth       required     /lib/security/ /lib/security/ruby/simple2.rb /tmp/passwd debug
account    required debug
password   required debug
session    required debug

I stopped the saslauthd service and ran saslauthd, then tried 
"testsaslauthd -u test -p testpass -r ";234" -s smtp".  Here's 
the saslauthd debug output:
-bash-3.2# saslauthd -a pam -d
saslauthd[1636] :main            : num_procs  : 5
saslauthd[1636] :main            : mech_option: NULL
saslauthd[1636] :main            : run_path   : /var/run/saslauthd
saslauthd[1636] :main            : auth_mech  : pam
saslauthd[1636] :ipc_init        : using accept lock file: 
saslauthd[1636] :detach_tty      : master pid is: 0
saslauthd[1636] :ipc_init        : listening on socket: 
saslauthd[1636] :main            : using process model
saslauthd[1637] :get_accept_lock : acquired accept lock
saslauthd[1636] :have_baby       : forked child: 1637
saslauthd[1636] :have_baby       : forked child: 1638
saslauthd[1636] :have_baby       : forked child: 1639
saslauthd[1636] :have_baby       : forked child: 1640
saslauthd[1637] :rel_accept_lock : released accept lock
saslauthd[1637] :do_auth         : auth failure: [user=test] 
[service=smtp] [realm=;234] [mech=pam] [reason=PAM auth error]
saslauthd[1637] :get_accept_lock : acquired accept lock

Still not getting anywhere.  Any ideas?
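The post never shows the sample script that pam_ruby runs (simple2.rb), and saslauthd's "PAM auth error" only says that the PAM stack returned failure, not why. The following is an added example, not pam_ruby's sample script and not its calling convention (which the post does not describe): a stand-alone Ruby implementation of the check such a script performs against a text password file, written so that every failure is logged with a reason. The file format (one "user:salt:sha256hex" line, with the hash computed over "salt:password"), the module and method names, and the constructed sample entries are all assumptions made for this example.

```ruby
require 'digest'
require 'logger'

# Added example: a credential check against a text file, of the kind the post's
# simple2.rb performs. The file format and API below are assumptions, not pam_ruby's.
module SimpleAuth
  LOG = Logger.new($stderr)
  LOG.progname = 'simple2.rb'

  Entry = Struct.new(:user, :salt, :hash)

  # Assumed line format: user:salt:sha256hex, where sha256hex = SHA256("salt:password").
  # Blank lines and '#' comments are ignored; malformed lines are logged and skipped,
  # never silently treated as a match.
  def self.parse(text)
    entries = {}
    text.each_line.with_index(1) do |line, no|
      line = line.strip
      next if line.empty? || line.start_with?('#')
      user, salt, hash = line.split(':', 3)
      if user.nil? || salt.nil? || hash.nil? || hash !~ /\A\h{64}\z/
        LOG.warn("line #{no}: malformed entry, skipped")
        next
      end
      entries[user] = Entry.new(user, salt, hash.downcase)
    end
    entries
  end

  def self.digest(salt, password)
    Digest::SHA256.hexdigest("#{salt}:#{password}")
  end

  # Builds a line in the assumed format (used here to construct sample data).
  def self.make_entry(user, password, salt)
    "#{user}:#{salt}:#{digest(salt, password)}"
  end

  # Constant-time comparison so a wrong hash is not distinguishable by timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Returns [ok, reason]. The reason is exactly what a bare "PAM auth error"
  # from saslauthd hides; the password itself is never logged.
  def self.verify(entries, user, password)
    entry = entries[user]
    if entry.nil?
      LOG.info("auth failure: user=#{user.inspect} reason=unknown user")
      return [false, 'unknown user']
    end
    unless secure_equal?(digest(entry.salt, password), entry.hash)
      LOG.info("auth failure: user=#{user.inspect} reason=bad password")
      return [false, 'bad password']
    end
    LOG.info("auth success: user=#{user.inspect}")
    [true, 'ok']
  end
end

if __FILE__ == $0
  # Constructed sample file contents (the post's config points at /tmp/passwd on disk).
  sample = [
    '# user:salt:sha256(salt:password)',
    SimpleAuth.make_entry('test', 'testpass', 'x7Qp'),
    'broken line without fields'
  ].join("\n")
  db = SimpleAuth.parse(sample)
  p SimpleAuth.verify(db, 'test', 'testpass')
  p SimpleAuth.verify(db, 'test', 'wrong')
  p SimpleAuth.verify(db, 'nobody', 'x')
end
```

When a module offers no debug flag, this is the practical fallback: have the script it calls log its own outcome (to stderr when run by hand, or to syslog when run under saslauthd), so that the "PAM auth error" in /var/log/messages can be matched to a concrete reason such as a missing user, an unreadable or malformed password file, or a wrong password.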

More information about the Cyrus-sasl mailing list