
Problem using Postfix, saslauthd and pam_krb5

  • Ali Majdzadeh
    Message 1 of 9 , Nov 1, 2009
      Hello all
      I have configured saslauthd to use pam for password verification and I want to use pam_krb5 as the authentication back-end. I have set the following options in /etc/postfix/sasl/smtpd.conf:

      log_level: 3
      pwcheck_method: saslauthd
      mech_list: plain login

      Also, I have entered the following lines in /etc/pam.d/smtp

      auth            sufficient      /lib/security/pam_krb5.so minimum_uid=1000
      session         required        /lib/security/pam_krb5.so minimum_uid=1000
      account         required        /lib/security/pam_krb5.so minimum_uid=1000
      password        sufficient      /lib/security/pam_krb5.so minimum_uid=1000

      When I use testsaslauthd as "testsaslauthd -u user -p pass -s smtp -f /var/run/saslauthd/mux", it can successfully authenticate the user which has a corresponding principal in my Kerberos configuration. But when I want to use telnet to actually test the SMTP server, the authentication fails. By the way, what should be provided to the server when the desired authentication mechanism is plain? (Is that something like: perl -MMIME::Base64 -e 'print encode_base64("user\0pass")')? And the last question: are all those configuration file names (and definitely their content) correct? I mean, /etc/postfix/smtpd.conf and /etc/pam.d/smtp?

      Kind Regards
      Ali Majdzadeh Kohbanani
    • Victor Duchovni
      Message 2 of 9 , Nov 2, 2009
        On Sun, Nov 01, 2009 at 04:30:21PM +0330, Ali Majdzadeh wrote:

        > I have configured saslauthd to use pam for password verification and I want
        > to use pam_krb5 as the authentication back-end. I have set the following
        > options in /etc/postfix/sasl/smtpd.conf:
        >
        > log_level: 3
        > pwcheck_method: saslauthd
        > mech_list: plain login
        >
        > Also, I have entered the following lines in /etc/pam.d/smtp
        >
        > auth sufficient /lib/security/pam_krb5.so minimum_uid=1000
        > session required /lib/security/pam_krb5.so minimum_uid=1000
        > account required /lib/security/pam_krb5.so minimum_uid=1000
        > password sufficient /lib/security/pam_krb5.so minimum_uid=1000
        >
        > When I use testsaslauthd as "testsaslauthd -u user -p pass -s smtp -f
        > /var/run/saslauthd/mux", it can successfully authenticate the user which has
        > a corresponding principal in my kerberos configuration. But, when I want to
        > use telnet to actually test the smtp server, the authentication fails.

        > By
        > the way, what should be provided to the server when the desired
        > authentication mechanism is plain? (Is that something like: perl
        > -MMIME::Base64 -e 'print encode_base64("user\0pass")')?

        No. You need a leading "\0" for an empty authzid.

        "\0user\0pass"

        --
        Viktor.

        Disclaimer: off-list followups get on-list replies or get ignored.
        Please do not ignore the "Reply-To" header.

        To unsubscribe from the postfix-users list, visit
        http://www.postfix.org/lists.html or click the link below:
        <mailto:majordomo@...?body=unsubscribe%20postfix-users>

        If my response solves your problem, the best way to thank me is to not
        send an "it worked, thanks" follow-up. If you must respond, please put
        "It worked, thanks" in the "Subject" so I can delete these quickly.
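
The message layout from the reply above, as an added example that is not part of either poster's message: RFC 4616 defines the PLAIN response as [authzid] NUL authcid NUL passwd, which SMTP AUTH carries base64-encoded. The Python below builds that response and parses it the way a strict parser would; `user` and `pass` are the thread's placeholders, and the function names are made up for this illustration.

```python
import base64


class PlainError(ValueError):
    """The message is not a well-formed SASL PLAIN response (RFC 4616)."""


def encode_plain(authcid, passwd, authzid=""):
    """Return base64([authzid] NUL authcid NUL passwd).

    Joining the fields, rather than typing "\\0user\\0pass" as one literal,
    avoids the escape pitfall where "\\0" followed by digits (a password such
    as "123") is read as part of an octal escape.
    """
    fields = {"authzid": authzid, "authcid": authcid, "passwd": passwd}
    for name, value in fields.items():
        if "\0" in value:
            raise PlainError(f"{name} must not contain NUL")
    if not authcid or not passwd:
        raise PlainError("authcid and passwd must be non-empty")
    raw = "\0".join((authzid, authcid, passwd)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(b64):
    """Parse a response strictly; return (authzid, authcid, passwd)."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise PlainError("not valid base64") from exc
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise PlainError(f"expected 3 NUL-separated fields, got {len(parts)}")
    try:
        authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    except UnicodeDecodeError as exc:
        raise PlainError("fields must be UTF-8") from exc
    if not authcid or not passwd:
        raise PlainError("authcid and passwd must be non-empty")
    return authzid, authcid, passwd


def check(raw):
    """Describe how this strict parser treats the given pre-base64 bytes."""
    try:
        authzid, authcid, _ = decode_plain(base64.b64encode(raw).decode("ascii"))
    except PlainError as exc:
        return f"rejected: {exc}"
    return f"accepted: authzid={authzid!r} authcid={authcid!r}"


if __name__ == "__main__":
    # Constructed inputs: the two strings from the thread, placeholder credentials.
    print(check(b"user\0pass"))    # the form asked about in the question
    print(check(b"\0user\0pass"))  # the form given in the reply
    print(encode_plain("user", "pass"))
```

The last line prints the string to paste after `AUTH PLAIN` in a manual SMTP session.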
      • Ali Majdzadeh
        Message 3 of 9 , Nov 2, 2009
          Victor,
          Hello
          Thanks a lot for your help. I am going to test your solutions. Thanks again.

          Warm Regards
          Ali Majdzadeh Kohbanani


        • Ali Majdzadeh
          Message 4 of 9 , Nov 6, 2009
            Viktor,
            Hi
            I hope that you are still following this thread. After a couple of tests, I saw the following error in auth.log:

            Nov  7 11:14:51 client2 saslauthd[2882]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
            Nov  7 11:14:51 client2 saslauthd[2882]: do_auth         : auth failure: [user=rana] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

            Do you have any ideas about these?

            Kind Regards
            Ali Majdzadeh Kohbanani


          • Ali Majdzadeh
            Message 5 of 9 , Nov 7, 2009
              Viktor,
              Sorry about the previous mail. The logs which I sent were incorrect. Actually, there are no log messages, just the following one in /var/log/mail.log:

              Nov  7 11:44:54 client2 postfix/smtpd[13159]: warning: SASL authentication failure: Password verification failed

              But, as I told you before, I can successfully test the authentication process using sasltestuser.

              Kind Regards
              Ali Majdzadeh Kohbanani



            • Ali Majdzadeh
              Message 6 of 9 , Nov 7, 2009
                Viktor,
                Hi
                I managed to test the configuration using the sample programs provided by Cyrus. But I cannot test the configuration using Postfix. Sample users which are defined as principals are successfully authenticated using the PLAIN authentication mechanism, pam_krb5.so and saslauthd, but the similar configuration for Postfix always fails.

                Kind Regards
                Ali Majdzadeh Kohbanani




              • Victor Duchovni
                Message 7 of 9 , Nov 7, 2009
                  On Sat, Nov 07, 2009 at 11:11:36PM +0330, Ali Majdzadeh wrote:

                  > Viktor,
                  > Hi
                  > I managed to test the configuration using the sample programs provided by
                  > Cyrus. But I can not test the configuration using Postfix. Sample users
                  > which are defined as principals are successfully authenticated using PLAIN
                  > authentication mechanism, pam_krb5.so and saslauthd, but the similar
                  > configuration for Postfix, always fails.

                  Turn up the debug level in saslauthd, and find out what queries it is
                  handling and why it believes the password to be incorrect.

                  --
                  Viktor.

                • Ali Majdzadeh
                  Message 8 of 9 , Nov 7, 2009
                    Viktor,
                    Thanks a lot. You are very helpful.

                    Kind Regards
                    Ali Majdzadeh Kohbanani


                  • Ali Majdzadeh
                    Message 9 of 9 , Nov 8, 2009
                      Viktor,
                      Thanks a lot, I managed to solve the problem. I can now authenticate users using SASL, saslauthd, PAM and pam_krb5.so (and of course Kerberos!)
                      Thanks again.

                      Kind Regards
                      Ali Majdzadeh Kohbanani


