
Re: Problem using Postfix, saslauthd and pam_krb5

  • Victor Duchovni
    Message 1 of 9 , Nov 2, 2009
      On Sun, Nov 01, 2009 at 04:30:21PM +0330, Ali Majdzadeh wrote:

      > I have configured saslauthd to use pam for password verification and I want
      > to use pam_krb5 as the authentication back-end. I have set the following
      > options in /etc/postfix/sasl/smtpd.conf:
      >
      > log_level: 3
      > pwcheck_method: saslauthd
      > mech_list: plain login
      >
      > Also, I have entered the following lines in /etc/pam.d/smtp
      >
      > auth sufficient /lib/security/pam_krb5.so minimum_uid=1000
      > session required /lib/security/pam_krb5.so minimum_uid=1000
      > account required /lib/security/pam_krb5.so minimum_uid=1000
      > password sufficient /lib/security/pam_krb5.so minimum_uid=1000
      >
      > When I use testsaslauthd as "testsaslauthd -u user -p pass -s smtp -f
      > /var/run/saslauthd/mux", it can successfully authenticate the user which has
      > a corresponding principal in my kerberos configuration. But, when I want to
      > use telnet to actually test the smtp server, the authentication fails.

      > By
      > the way, what should be provided to the server when the desired
      > authentication mechanism is plain? (Is that something like: perl
      > -MMIME::Base64 -e 'print encode_base64("user\0pass")')?

      No. You need a leading "\0" for an empty authzid.

      "\0user\0pass"

      --
      Viktor.

      Disclaimer: off-list followups get on-list replies or get ignored.
      Please do not ignore the "Reply-To" header.

      To unsubscribe from the postfix-users list, visit
      http://www.postfix.org/lists.html or click the link below:
      <mailto:majordomo@...?body=unsubscribe%20postfix-users>

      If my response solves your problem, the best way to thank me is to not
      send an "it worked, thanks" follow-up. If you must respond, please put
      "It worked, thanks" in the "Subject" so I can delete these quickly.
    • Ali Majdzadeh
      Message 2 of 9 , Nov 2, 2009
        Victor,
        Hello
        Thanks a lot for your help. I am going to test your solutions. Thanks again.

        Warm Regards
        Ali Majdzadeh Kohbanani


      • Ali Majdzadeh
        Message 3 of 9 , Nov 6, 2009
          Viktor,
          Hi
          I hope that you are still following this thread. After a couple of tests, I saw the following error in auth.log:

          Nov  7 11:14:51 client2 saslauthd[2882]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
          Nov  7 11:14:51 client2 saslauthd[2882]: do_auth         : auth failure: [user=rana] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

          Do you have any ideas about these?

          Kind Regards
          Ali Majdzadeh Kohbanani



        • Ali Majdzadeh
          Message 4 of 9 , Nov 7, 2009
            Viktor,
            Sorry about the previous mail. The logs which I sent were incorrect. Actually, there are no log messages, just the following one in /var/log/mail.log:

            Nov  7 11:44:54 client2 postfix/smtpd[13159]: warning: SASL authentication failure: Password verification failed

            But, as I told you before, I can successfully test the authentication process using sasltestuser.

            Kind Regards
            Ali Majdzadeh Kohbanani




          • Ali Majdzadeh
            Message 5 of 9 , Nov 7, 2009
              Viktor,
              Hi
              I managed to test the configuration using the sample programs provided by Cyrus. But I cannot test the configuration using Postfix. Sample users which are defined as principals are successfully authenticated using the PLAIN authentication mechanism, pam_krb5.so and saslauthd, but the similar configuration for Postfix always fails.

              Kind Regards
              Ali Majdzadeh Kohbanani





            • Victor Duchovni
              Message 6 of 9 , Nov 7, 2009
                On Sat, Nov 07, 2009 at 11:11:36PM +0330, Ali Majdzadeh wrote:

                > Viktor,
                > Hi
                > I managed to test the configuration using the sample programs provided by
                > Cyrus. But I can not test the configuration using Postfix. Sample users
                > which are defined as principals are successfully authenticated using PLAIN
                > authentication mechanism, pam_krb5.so and saslauthd, but the similar
                > configuration for Postfix, always fails.

                Turn up the debug level in saslauthd, and find out what queries it is
                handling and why it believes the password to be incorrect.

                --
                Viktor.

              • Ali Majdzadeh
                Message 7 of 9 , Nov 7, 2009
                  Viktor,
                  Thanks a lot. You are very helpful.

                  Kind Regards
                  Ali Majdzadeh Kohbanani


                • Ali Majdzadeh
                  Message 8 of 9 , Nov 8, 2009
                    Viktor,
                    Thanks a lot, I managed to solve the problem. I can now authenticate users using SASL, saslauthd, PAM and pam_krb5.so (and of course Kerberos!).
                    Thanks again.

                    Kind Regards
                    Ali Majdzadeh Kohbanani
