penetrode Apprentice
Joined: 29 Dec 2003 Posts: 285 Location: Calgary, Alberta
Posted: Tue May 17, 2005 2:34 am Post subject: qmail, smtp-auth and checkpassword-pam problem [SOLVED]
I have an EXTREMELY puzzling problem.
I am running netqmail 1.05, built from source, patched with Bill Shupp's combo smtp-auth/tls patch and checkpassword-pam 0.97, built from an ebuild.
When I try an SMTP session and authenticate, authentication fails with '535 authentication failed (#5.7.1)'
When I try and do it with telnet, same error.
If I invoke checkpassword-pam from the command line, using the same login and password, it succeeds:
Code:
```
echo -e "sfbosch\0flibbets\0\0" | checkpassword-pam -s system-auth --debug --stdout -- /usr/bin/id 3<&0
Reading username and password
Username 'sfbosch'
Password read successfully
Initializing PAM library using service name 'system-auth'
Pam library initialization succeeded
conversation(): msg[0], style PAM_PROMPT_ECHO_OFF, msg = "Password: "
Authentication passed
Account management succeeded
Setting PAM credentials succeeded
PAM session opened
PAM session closed
Terminating PAM library
Executing /usr/bin/id
uid=1005(sfbosch) gid=100(users) groups=10(wheel),18(audio),100(users)
```
I have hacked up qmail-smtpd to make sure it is passing the right information to checkpassword-pam, and it is (I have it write a small output file in /tmp showing what it is passing to checkpassword-pam). If I move the hacked up qmail-smtpd to a known good host, authentication works fine on the known good host. If I move the checkpassword-pam from the known good host to the broken host, authentication doesn't work. It doesn't matter if I use TLS or not - I have the same problem.
The major difference between these two machines is that the one that doesn't work is running kernel 2.6, and the other is running kernel 2.4.
I have found another post from a person with a similar problem they claim they solved, but the solution doesn't make any sense to me -- it's totally unintelligible (I also don't think it applies here).
Does anybody have an idea why this might be happening? I'm at the end of my rope here. I've tried damn near everything; I'm starting to think I can't see the forest for the trees. This has got to be something stupid simple...
Last edited by penetrode on Wed May 18, 2005 6:40 pm; edited 1 time in total

penetrode Apprentice
Joined: 29 Dec 2003 Posts: 285 Location: Calgary, Alberta
Posted: Tue May 17, 2005 4:21 am Post subject:
touch

penetrode Apprentice
Joined: 29 Dec 2003 Posts: 285 Location: Calgary, Alberta
Posted: Tue May 17, 2005 6:27 am Post subject:
touch

Pete M Apprentice
Joined: 30 Apr 2005 Posts: 154
Posted: Tue May 17, 2005 5:16 pm Post subject:
Not sure if this will help but to get pam authentication in Sendmail with TLS to work I had to create
/etc/pam.d/smtp
Then add to the file
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
As I say this may be a long shot but you never know
Pete

penetrode Apprentice
Joined: 29 Dec 2003 Posts: 285 Location: Calgary, Alberta
Posted: Tue May 17, 2005 5:25 pm Post subject: Beginning to suspect hardware problems
We tried moving unix_chkpwd from a known good machine and got it to work -- once.
The fact that it successfully authenticated just one time is an indication that something is suspect in the hardware. We are now doing some memory tests and the tests are turning up errors.
I will post again as soon as we have more information.

penetrode Apprentice
Joined: 29 Dec 2003 Posts: 285 Location: Calgary, Alberta
Posted: Wed May 18, 2005 4:24 pm Post subject: Problem persists
Okay --
it turns out there was some bad RAM. We've replaced the bad RAM, tested the replacement, and it's clean.
I've rebuilt the whole machine. I removed all the distfiles, did
Code:
```
emerge --emptytree -u world
```
and rebuilt checkpassword-pam. I rebuilt netqmail-1.05 from clean sources.
The problem is still there. I still get authentication failures on known good accounts.
Do my mail users have to be a member of any specific group? I know other people have had this problem. I really don't know what other option I have when it comes to qmail and smtp authentication...

penetrode Apprentice
Joined: 29 Dec 2003 Posts: 285 Location: Calgary, Alberta
Posted: Wed May 18, 2005 6:39 pm Post subject: Culprit discovered
Okay --
I blame both the bad RAM and the permissions on checkpassword-pam.
The permissions on the last installation were set correctly. After doing the complete emerge world, checkpassword-pam was rebuilt and this time the permissions were incorrect:
Code:
```
228234 -rwxr-xr-x 1 root root 13672 May 18 12:07 checkpassword-pam
```
They should be
Code:
```
228234 -rwsr-xr-x 1 root root 13672 May 18 12:07 checkpassword-pam
```
Is there any way to fix this in the ebuild?

Vieri l33t
Joined: 18 Dec 2005 Posts: 908
Posted: Fri Jul 28, 2006 12:03 pm Post subject:
fperms 4755 /usr/bin/checkpassword-pam
could be added to the ebuild or at least an einfo saying to chmod the file.
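
The mode this thread arrives at (`-rwsr-xr-x`, i.e. 4755, owned by root) can be checked after each rebuild instead of being discovered through failed logins. The script below is an added example, not part of any post here or of the ebuild; `check_setuid_helper` is a hypothetical name, it assumes GNU `stat`, and it also flags a helper that group or others can write to.

```shell
#!/bin/sh
# Added example (not from the thread): audit a setuid helper such as
# checkpassword-pam for the mode the thread settles on: 4755, owned by root.
# check_setuid_helper is a hypothetical name; `stat -c` needs GNU coreutils.

# Usage: check_setuid_helper PATH [EXPECTED_OWNER_UID]   (default owner: 0)
# Prints one finding per line; returns 0 only when nothing is wrong.
check_setuid_helper() {
    path=$1
    want_uid=${2:-0}
    rc=0

    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "$path: not a regular file"
        return 2
    fi

    uid=$(stat -c '%u' "$path")
    mode=$(printf '%04d' "$(stat -c '%a' "$path")")   # 755 -> 0755
    special=${mode%???}                  # setuid=4, setgid=2, sticky=1
    other=${mode#???}
    group=${mode#??}; group=${group%?}

    if [ "$uid" != "$want_uid" ]; then
        echo "$path: owner uid is $uid, expected $want_uid"
        rc=1
    fi
    if [ $(( special & 4 )) -eq 0 ]; then
        # The -rwxr-xr-x case from the thread: the helper runs with the
        # privileges of whatever called it.
        echo "$path: setuid bit missing (mode $mode)"
        rc=1
    fi
    if [ $(( group & 2 )) -ne 0 ] || [ $(( other & 2 )) -ne 0 ]; then
        # A setuid binary that non-owners can rewrite must not stay installed.
        echo "$path: writable by group or others (mode $mode)"
        rc=1
    fi
    return $rc
}

# Run directly: sh check.sh /usr/bin/checkpassword-pam
if [ $# -gt 0 ]; then
    check_setuid_helper "$@"
fi
```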

penetrode Apprentice
Joined: 29 Dec 2003 Posts: 285 Location: Calgary, Alberta
Posted: Fri Jul 28, 2006 2:38 pm Post subject: Ebuild fixed yet?
Vieri wrote:
> fperms 4755 /usr/bin/checkpassword-pam
> could be added to the ebuild or at least an einfo saying to chmod the file.

Did the ebuild ever actually get fixed, or is this problem still there?

Vieri l33t
Joined: 18 Dec 2005 Posts: 908