Re: saslauthd and pam_krb5

From: Jeremy Rumpf (jrumpf at heavyload dot net)
Date: Sat Mar 13 2004 - 15:50:52 EST


    On Friday 12 March 2004 05:16 am, ms419 at freezone dot co dot uk wrote:
    > Unfortunately, saslauthd doesn't perform normally, as expected: It
    > fails to authenticate and dies:
    >
    > ---
    >
    > tor:~# ps aux | grep saslauthd
    > root 12923 0.0 0.5 5868 1456 ? S Mar11 0:00
    > /usr/sbin/saslauthd -a pam
    > root 19872 0.0 0.1 1536 456 pts/1 S 02:08 0:00 grep sasl
    >
    > ---
    >
    > Mar 12 02:08:24 tor imap(pam_unix)[12926]: check pass; user unknown
    > Mar 12 02:08:24 tor imap(pam_unix)[12926]: authentication failure;
    > logname= uid=0 euid=0 tty= ruser= rhost=
    > Mar 12 02:08:24 tor krb5kdc[607]: AS_REQ (6 etypes {16 5 23 3 2 1})
    > 192.168.103.158: NEEDED_PREAUTH: jablko at LAT for krbtgt/LAT at LAT,
    > Additional pre-authentication required
    > Mar 12 02:08:25 tor krb5kdc[607]: AS_REQ (6 etypes {16 5 23 3 2 1})
    > 192.168.179.81: ISSUE: authtime 1079086105, etypes {rep=16 tkt=16
    > ses=16}, jablko at LAT for krbtgt/LAT at LAT
    > Mar 12 02:08:25 tor saslauthd[12923]: ipc_loop : socket accept
    > failure
    > Mar 12 02:08:25 tor saslauthd[12923]: ipc_loop : accept:
    > Interrupted system call
    > Mar 12 02:08:25 tor cyrus/imapd[19878]: size read failed
    >
    > ---
    >
    > tor:~# ps aux | grep sasl
    > root 19885 0.0 0.1 1536 456 pts/1 S 02:10 0:00 grep sasl
    >
    > ---
    >
    > So, I think I'm supposed to use the kerberos5 mechanism instead, but
    > I'd like to use my PAM stack - and I haven't found a clear explanation
    > of why saslauthd and pam_krb5 don't play nice ...
    >
    > Thanks,
    >
    > Jack
    >
    >

    Ok, the socket accept thing is probably a red herring. That's the current
    saslauthd accept caller trapping a signal (probably SIGCHLD), which is
    probably due to the previous accept caller getting a SIGSEGV or something
    nasty. Notice the pids: the process in PAM is 12926, the accept() error is 12923.

    Can you recompile saslauthd with debug information (gcc -g) and get a core
    dump? You might need to set a ulimit in your startup script.

    ulimit -c unlimited or something

    If you can't recompile, set the ulimit and then run it from the command line
    in debug mode with something like:

    saslauthd -d -V <other options>

    If you can get a core file, send it to me offline with whatever additional
    information on your setup.

    FWIW, in every investigation I've done on saslauthd/PAM, the problem has been in
    the PAM libs and not saslauthd. PAM can be shaky...

    Cheers,
    Jeremy

