
|
Problem using Postfix, saslauthd and pam_krb5
Hello all
I have configured saslauthd to use pam for password verification and I want to use pam_krb5 as the authentication back-end. I have set the following options in /etc/postfix/sasl/smtpd.conf:

log_level: 3
pwcheck_method: saslauthd
mech_list: plain login

Also, I have entered the following lines in /etc/pam.d/smtp

auth sufficient /lib/security/pam_krb5.so minimum_uid=1000
session required /lib/security/pam_krb5.so minimum_uid=1000
account required /lib/security/pam_krb5.so minimum_uid=1000
password sufficient /lib/security/pam_krb5.so minimum_uid=1000

When I use testsaslauthd as "testsaslauthd -u user -p pass -s smtp -f /var/run/saslauthd/mux", it can successfully authenticate the user which has a corresponding principal in my kerberos configuration. But, when I want to use telnet to actually test the smtp server, the authentication fails.

By the way, what should be provided to the server when the desired authentication mechanism is plain? (Is that something like: perl -MMIME::Base64 -e 'print encode_base64("user\0pass")')?

And the last questions, are all those configuration file names (and definitely) their content correct? I mean, /etc/postfix/smtpd.conf and /etc/pam.d/smtp?

Kind Regards
Ali Majdzadeh Kohbanani
|

|
Re: Problem using Postfix, saslauthd and pam_krb5
On Sun, Nov 01, 2009 at 04:30:21PM +0330, Ali Majdzadeh wrote:
> I have configured saslauthd to use pam for password verification and I want
> to use pam_krb5 as the authentication back-end. I have set the following
> options in /etc/postfix/sasl/smtpd.conf:
>
> log_level: 3
> pwcheck_method: saslauthd
> mech_list: plain login
>
> Also, I have entered the following lines in /etc/pam.d/smtp
>
> auth sufficient /lib/security/pam_krb5.so minimum_uid=1000
> session required /lib/security/pam_krb5.so minimum_uid=1000
> account required /lib/security/pam_krb5.so minimum_uid=1000
> password sufficient /lib/security/pam_krb5.so minimum_uid=1000
>
> When I use testsaslauthd as "testsaslauthd -u user -p pass -s smtp -f
> /var/run/saslauthd/mux", it can successfully authenticate the user which has
> a corresponding principal in my kerberos configuration. But, when I want to
> use telnet to actually test the smtp server, the authentication fails.
> By the way, what should be provided to the server when the desired
> authentication mechanism is plain? (Is that something like: perl
> -MMIME::Base64 -e 'print encode_base64("user\0pass")')?

No. You need a leading "\0" for an empty authzid.

"\0user\0pass"
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto: majordomo@...?body=unsubscribe%20postfix-users>
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
|
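
Added example (not part of the thread, and not Postfix or Cyrus code): a Python helper for the RFC 4616 PLAIN message layout that the reply above describes, `[authzid] NUL authcid NUL passwd`, showing why the string without the leading NUL is rejected. `user` and `pass` are the thread's placeholders; the function names are made up for this example.

```python
import base64

NUL = b"\x00"

def encode_plain(authcid, passwd, authzid=""):
    """Build the base64 argument for AUTH PLAIN: authzid NUL authcid NUL passwd."""
    for name, value in (("authcid", authcid), ("passwd", passwd)):
        if not value:
            raise ValueError(f"{name} must not be empty")
    fields = [f.encode("utf-8") for f in (authzid, authcid, passwd)]
    if any(NUL in f for f in fields):
        raise ValueError("fields must not contain NUL")
    return base64.b64encode(NUL.join(fields)).decode("ascii")

def decode_plain(b64):
    """Strictly parse a PLAIN response; raise ValueError if it is malformed."""
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(NUL)
    if len(parts) != 3:
        raise ValueError(f"expected 2 NUL separators, found {len(parts) - 1}")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("empty authcid or passwd")
    return {"authzid": authzid, "authcid": authcid, "passwd": passwd}

def diagnose(b64):
    """Return a one-line verdict for a candidate AUTH PLAIN argument."""
    try:
        f = decode_plain(b64)
    except ValueError as exc:
        return f"malformed: {exc}"
    # An empty authzid means the server derives it from the authcid.
    who = f["authzid"] or "(derived from authcid)"
    return f"ok: authcid={f['authcid']!r} authzid={who}"

# Constructed sample values using the thread's placeholder credentials.
WRONG = base64.b64encode(b"user\x00pass").decode("ascii")  # no leading NUL
RIGHT = encode_plain("user", "pass")                       # "\0user\0pass"

if __name__ == "__main__":
    for label, value in (("wrong", WRONG), ("right", RIGHT)):
        print(label, value, "->", diagnose(value))
```

PLAIN sends the password in a reversibly encoded form, so base64 here is framing, not protection; the exchange should only be offered over TLS.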

|
Re: Problem using Postfix, saslauthd and pam_krb5
Victor, Hello
Thanks a lot for your help. I am going to test your solutions. Thanks again.
Warm Regards
Ali Majdzadeh Kohbanani
|

|
Re: Problem using Postfix, saslauthd and pam_krb5
Viktor, Hi
I hope that you are still following this thread. After a couple of testing, I saw the following error in auth.log:

Nov 7 11:14:51 client2 saslauthd[2882]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
Nov 7 11:14:51 client2 saslauthd[2882]: do_auth : auth failure: [user=rana] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

Do you have any ideas about these?
Kind Regards
Ali Majdzadeh Kohbanani
|

|
Re: Problem using Postfix, saslauthd and pam_krb5
Viktor,
Sorry about the previous mail. The logs which I sent were incorrect. Actually, there are no log messages just the following one in /var/log/mail.log:

Nov 7 11:44:54 client2 postfix/smtpd[13159]: warning: SASL authentication failure: Password verification failed

But, as I told you before, I can successfully test the authentication process using sasltestuser.
Kind Regards
Ali Majdzadeh Kohbanani

|
Re: Problem using Postfix, saslauthd and pam_krb5
Viktor, Hi
I managed to test the configuration using the sample programs provided by Cyrus. But I can not test the configuration using Postfix. Sample users which are defined as principals are successfully authenticated using PLAIN authentication mechanism, pam_krb5.so and saslauthd, but the similar configuration for Postfix always fails.
Kind Regards
Ali Majdzadeh Kohbanani

|
Re: Problem using Postfix, saslauthd and pam_krb5
On Sat, Nov 07, 2009 at 11:11:36PM +0330, Ali Majdzadeh wrote:
> Viktor,
> Hi
> I managed to test the configuration using the sample programs provided by
> Cyrus. But I can not test the configuration using Postfix. Sample users
> which are defined as principles are successfully authenticated using PLAIN
> authentication mechanism, pam_krb5.so and saslauthd, but the similar
> configuration for Postfix, always fails.
Turn up the debug level in saslauthd, and find out what queries it is
handling and why it believes the password to be incorrect.
--
Viktor.
|

|
Re: Problem using Postfix, saslauthd and pam_krb5
Viktor,
Thanks a lot. You are very helpful.
Kind Regards
Ali Majdzadeh Kohbanani
|

|
Re: Problem using Postfix, saslauthd and pam_krb5
Viktor,
Thanks a lot, I managed to solve the problem. I can now authenticate users using SASL, saslauthd, PAM and pam_krb5.so (and of course Kerberos!) Thanks again.
Kind Regards
Ali Majdzadeh Kohbanani
|