Problem using Postfix, saslauthd and pam_krb5

2009-11-01 Thread Ali Majdzadeh
Hello all
I have configured saslauthd to use pam for password verification and I want
to use pam_krb5 as the authentication back-end. I have set the following
options in /etc/postfix/sasl/smtpd.conf:

log_level: 3
pwcheck_method: saslauthd
mech_list: plain login

Also, I have entered the following lines in /etc/pam.d/smtp

auth     sufficient  /lib/security/pam_krb5.so minimum_uid=1000
session  required    /lib/security/pam_krb5.so minimum_uid=1000
account  required    /lib/security/pam_krb5.so minimum_uid=1000
password sufficient  /lib/security/pam_krb5.so minimum_uid=1000

When I use testsaslauthd as "testsaslauthd -u user -p pass -s smtp -f
/var/run/saslauthd/mux", it can successfully authenticate the user which has
a corresponding principal in my kerberos configuration. But, when I want to
use telnet to actually test the smtp server, the authentication fails. By
the way, what should be provided to the server when the desired
authentication mechanism is plain? (Is that something like:  perl
-MMIME::Base64 -e 'print encode_base64("user\0pass")')? And the last
question: are all those configuration file names (and definitely their
content) correct? I mean, /etc/postfix/smtpd.conf and /etc/pam.d/smtp?

Kind Regards
Ali Majdzadeh Kohbanani


Re: Problem using Postfix, saslauthd and pam_krb5

2009-11-02 Thread Victor Duchovni
On Sun, Nov 01, 2009 at 04:30:21PM +0330, Ali Majdzadeh wrote:

> I have configured saslauthd to use pam for password verification and I want
> to use pam_krb5 as the authentication back-end. I have set the following
> options in /etc/postfix/sasl/smtpd.conf:
> 
> log_level: 3
> pwcheck_method: saslauthd
> mech_list: plain login
> 
> Also, I have entered the following lines in /etc/pam.d/smtp
> 
> auth     sufficient  /lib/security/pam_krb5.so minimum_uid=1000
> session  required    /lib/security/pam_krb5.so minimum_uid=1000
> account  required    /lib/security/pam_krb5.so minimum_uid=1000
> password sufficient  /lib/security/pam_krb5.so minimum_uid=1000
> 
> When I use testsaslauthd as "testsaslauthd -u user -p pass -s smtp -f
> /var/run/saslauthd/mux", it can successfully authenticate the user which has
> a corresponding principal in my kerberos configuration. But, when I want to
> use telnet to actually test the smtp server, the authentication fails.

> By
> the way, what should be provided to the server when the desired
> authentication mechanism is plain? (Is that something like:  perl
> -MMIME::Base64 -e 'print encode_base64("user\0pass")')?

No. You need a leading "\0" for an empty authzid.

"\0user\0pass"

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

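Added example, not part of the original thread: the SASL PLAIN initial response (RFC 4616) is `[authzid] NUL authcid NUL passwd`, so the two-field string from the question is malformed while the three-field form from the reply parses. The function names and the sample credentials `user` / `pass` are constructed for illustration.

```python
import base64


def encode_plain(authcid: str, passwd: str, authzid: str = "") -> str:
    """Base64 initial response for AUTH PLAIN: [authzid] NUL authcid NUL passwd."""
    for field in (authzid, authcid, passwd):
        if "\0" in field:
            raise ValueError("NUL is the field separator and cannot appear inside a field")
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    raw = "\0".join((authzid, authcid, passwd)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(b64: str) -> tuple[str, str, str]:
    """Split a PLAIN response into (authzid, authcid, passwd); reject malformed input."""
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError(f"expected 3 NUL-separated fields, got {len(parts)}")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("empty authcid or passwd")
    return authzid, authcid, passwd


def describe(b64: str) -> str:
    """One-line diagnosis of a PLAIN response that never echoes the password."""
    try:
        authzid, authcid, _ = decode_plain(b64)
    except ValueError as exc:
        return f"rejected: {exc}"
    return f"ok: authzid={authzid!r} authcid={authcid!r}"


# Constructed samples: the string from the question and the corrected one from the reply.
QUESTION_FORM = base64.b64encode(b"user\0pass").decode("ascii")  # no leading NUL
REPLY_FORM = encode_plain("user", "pass")                        # empty authzid

if __name__ == "__main__":
    for label, value in (("question", QUESTION_FORM), ("reply", REPLY_FORM)):
        print(f"{label:8} {value:18} {describe(value)}")
```

Base64 is an encoding, not protection: anyone who captures the `AUTH PLAIN` argument recovers the password, so PLAIN and LOGIN belong only on TLS-protected sessions.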

Re: Problem using Postfix, saslauthd and pam_krb5

2009-11-02 Thread Ali Majdzadeh
Victor,
Hello
Thanks a lot for your help. I am going to test your solutions. Thanks again.

Warm Regards
Ali Majdzadeh Kohbanani



Re: Problem using Postfix, saslauthd and pam_krb5

2009-11-06 Thread Ali Majdzadeh
Viktor,
Hi
I hope that you are still following this thread. After a couple of tests,
I saw the following error in auth.log:

Nov  7 11:14:51 client2 saslauthd[2882]: DEBUG: auth_pam: pam_authenticate
failed: Permission denied
Nov  7 11:14:51 client2 saslauthd[2882]: do_auth : auth failure:
[user=rana] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

Do you have any ideas about these?

Kind Regards
Ali Majdzadeh Kohbanani



Re: Problem using Postfix, saslauthd and pam_krb5

2009-11-07 Thread Ali Majdzadeh
Viktor,
Sorry about the previous mail. The logs which I sent were incorrect.
Actually, there are no log messages just the following one in
/var/log/mail.log:

Nov  7 11:44:54 client2 postfix/smtpd[13159]: warning: SASL authentication
failure: Password verification failed

But, as I told you before, I can successfully test the authentication
process using sasltestuser.

Kind Regards
Ali Majdzadeh Kohbanani



Re: Problem using Postfix, saslauthd and pam_krb5

2009-11-07 Thread Ali Majdzadeh
Viktor,
Hi
I managed to test the configuration using the sample programs provided by
Cyrus. But I can not test the configuration using Postfix. Sample users
which are defined as principals are successfully authenticated using PLAIN
authentication mechanism, pam_krb5.so and saslauthd, but the similar
configuration for Postfix, always fails.

Kind Regards
Ali Majdzadeh Kohbanani



Re: Problem using Postfix, saslauthd and pam_krb5

2009-11-07 Thread Victor Duchovni
On Sat, Nov 07, 2009 at 11:11:36PM +0330, Ali Majdzadeh wrote:

> Viktor,
> Hi
> I managed to test the configuration using the sample programs provided by
> Cyrus. But I can not test the configuration using Postfix. Sample users
> which are defined as principals are successfully authenticated using PLAIN
> authentication mechanism, pam_krb5.so and saslauthd, but the similar
> configuration for Postfix, always fails.

Turn up the debug level in saslauthd, and find out what queries it is
handling and why it believes the password to be incorrect.

-- 
Viktor.



Re: Problem using Postfix, saslauthd and pam_krb5

2009-11-07 Thread Ali Majdzadeh
Viktor,
Thanks a lot. You are very helpful.

Kind Regards
Ali Majdzadeh Kohbanani



Re: Problem using Postfix, saslauthd and pam_krb5

2009-11-08 Thread Ali Majdzadeh
Viktor,
Thanks a lot, I managed to solve the problem. I can now authenticate users
using SASL, saslauthd, PAM and pam_krb5.so (and of course Kerberos!)
Thanks again.

Kind Regards
Ali Majdzadeh Kohbanani
