Errors using PAM and saslauthd

Ken Murchison ken at oceana.com
Tue Nov 26 14:58:18 EST 2002



Russell Gnann wrote:
> 
> Hi,
> 
> I am having some authentication issues using saslauthd -a pam. The errors
> that show up in the message log when a login attempt is made are
> 
> imapd[13427]: [ID 702911 auth.error] auxpropfunc error -4
> imapd[13427]: [ID 702911 auth.debug] _sasl_plugin_load failed on
> sasl_auxprop_plug_init for plugin: sasldb
> saslauthd[12854]: [ID 308033 auth.debug] pam_acct_mgmt: error Permission
> denied
> saslauthd[12854]: [ID 308033 auth.debug] pam_acct_mgmt: error No account
> present for user
> saslauthd[12854]: [ID 226429 auth.debug] DEBUG: auth_pam: pam_acct_mgmt
> failed: Permission denied
> saslauthd[12854]: [ID 982738 auth.warning] AUTHFAIL: user=foo service=imap
> realm= [PAM acct error]
> 
> We use a couple of in house PAM modules for authentication.  On the same
> server that this cyrus installation is built, they work fine using a test
> application.  We did a truss of saslauthd and noticed once it had completed
> the in house authentication it seemed to attempt authentication using the
> pam_unix.so.1.  In fact we can authenticate with the user cyrus
> successfully, but other local users can not since they fail on the in house
> PAM module (not that we want the other local users to authenticate).
> 
> The imapd.conf we are using contains
> 
> admins: cyrus
> allowanonymouslogin: no
> sasl_passwd_check: saslauthd

^^^^^^^^^^^^^^^^^^  This is not a valid option.  You probably want
sasl_pwcheck_method, in which case having a Cyrus.conf file is
redundant.


> allowplaintext: yes
> 
> The Cyrus.conf for sasl2 contains
> 
> pwcheck_method: saslauthd
> 
> We are kind of lost on this end at the moment and any insight someone might
> provide would be greatly appreciated.  Thanks for any help.

You probably need to specify a module for account management.  Unless
you are doing something exotic, just use permit.  Here is my
/etc/pam.d/imap:

#%PAM-1.0
auth    sufficient      /lib/security/pam_smb_auth.so
auth    required        /lib/security/pam_pwdb.so shadow nullok
account sufficient      /lib/security/pam_permit.so

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
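
An added example, not part of the original message or of Cyrus: a small linter for the situation in this thread, where saslauthd calls pam_acct_mgmt after authentication and the service has no account stack of its own, so PAM uses the "other" service instead. It also reports an account stack that consists only of pam_permit, which always succeeds and so enforces no expiry or lockout checks. The pam.conf sample and its module name pam_inhouse.so.1 are constructed; the pam.d sample is the file posted above.

```python
import re

# "type control module [args]", optionally preceded by a service name,
# which is the /etc/pam.conf layout (the /etc/pam.d/<service> layout has none).
LINE = re.compile(
    r"^(?:(?P<svc>\S+)\s+)?-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)", re.I)

def parse_stacks(text, service=None):
    """Return {type: [(control, module), ...]} for one service.
    service=None reads pam.d layout; service="imap" reads pam.conf layout."""
    stacks = {"auth": [], "account": [], "password": [], "session": []}
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        svc = m.group("svc")
        if (svc.lower() if svc else None) != service:
            continue
        stacks[m.group("type").lower()].append(
            (m.group("control"), m.group("module")))
    return stacks

def lint_for_saslauthd(stacks):
    """Flag account-management gaps that matter when pam_acct_mgmt is called."""
    findings = []
    if stacks["auth"] and not stacks["account"]:
        # PAM falls back to the "other" service for the account phase.
        findings.append("missing-account-stack")
    mods = [mod.rsplit("/", 1)[-1] for _, mod in stacks["account"]]
    if mods and all(name.startswith("pam_permit.so") for name in mods):
        # pam_permit always succeeds: no expiry or lockout enforcement.
        findings.append("account-permit-only")
    return findings

PAMD_IMAP = """#%PAM-1.0
auth    sufficient      /lib/security/pam_smb_auth.so
auth    required        /lib/security/pam_pwdb.so shadow nullok
account sufficient      /lib/security/pam_permit.so
"""

# Constructed sample; pam_inhouse.so.1 is a hypothetical module name.
CONSTRUCTED_PAM_CONF = """imap   auth     required  pam_inhouse.so.1
other  auth     required  pam_unix.so.1
other  account  required  pam_unix.so.1
"""

if __name__ == "__main__":
    print(lint_for_saslauthd(parse_stacks(PAMD_IMAP)))
    print(lint_for_saslauthd(parse_stacks(CONSTRUCTED_PAM_CONF, "imap")))
```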