From: Mel Flynn
To: freebsd-questions@freebsd.org
Date: Thu, 18 Jun 2009 13:32:44 -0800
Subject: Re: Problem authenticating with sasl in jail

On Thursday 18 June 2009 11:21:51 Erik Norgaard wrote:
> Mel Flynn wrote:
> > On Wednesday 17 June 2009 21:51:03 Erik Norgaard wrote:
> >>>> Jun 17 23:39:17 jail imap[8412]: badlogin: jail.example.com
> >>>> [172.16.0.2] plaintext cyrus@example.com SASL(-13): user not found:
> >>>> checkpass failed
> >
> > So does the imap server know the domain name? How does it figure it out?
> > Does it know to strip domain names because you configured the unix passwd
> > backend? If it uses the domainname command to figure out the domainname,
> > you may have it set on the working server, yet not on the jail.
> > Any differences related to domains in /etc/rc.conf and /etc/resolv.conf
> > that might shed some light?
>
> I added the line
>
> defaultdomain: example.com
>
> to imapd.conf, this line is not in my working server configuration,
> however, it does make the realm part go away from the error message, not
> that it solves the problem though:
>
> Jun 18 21:09:57 jail imap[22562]: badlogin: jail.example.com
> [172.16.0.2] plaintext cyrus SASL(-1): generic failure: checkpass failed
>
> Now, adding debug mode to saslauthd, I got some extra info in auth.log:
>
> Jun 18 21:13:21 jail saslauthd[21300]: DEBUG: auth_pam: pam_authenticate
> failed: authentication error
> Jun 18 21:13:21 jail saslauthd[21300]: do_auth : auth failure:
> [user=cyrus@example.com] [service=imap] [realm=] [mech=pam] [reason=PAM
> auth error]

Can you add the same debug mode to the working server and do a failed login?
Interesting point being if the user has the domain appended as well.

> I have checked /etc/pam.d in the jail against the host and they are
> identical, also /usr/local/etc/pam.d - both empty. Are there any known
> problems with pam in jails?

Not that I'm aware of.
-- 
Mel
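
The comparison requested in the reply above, as an added example that is not part of the original message: it parses saslauthd `do_auth` failure records in the format quoted in the thread and reports, per host, whether the login name arrived with the domain appended. The working-server record, the host name `host`, and all function and category names are assumptions made for illustration.

```python
import re

# Matches the saslauthd "do_auth" failure record quoted in the thread.
DO_AUTH = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\ssaslauthd\[\d+\]:\s+"
    r"do_auth\s*:\s*auth failure:\s*(?P<fields>.*)$"
)
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")  # [key=value]; value may be empty


def parse_do_auth(line):
    """Return the bracketed fields plus 'host', or None for other log lines."""
    m = DO_AUTH.match(line.strip())
    if not m:
        return None
    rec = dict(FIELD.findall(m.group("fields")))
    rec["host"] = m.group("host")
    return rec


def login_shape(rec):
    """Classify how the login name reached saslauthd (category names are ours)."""
    user, realm = rec.get("user", ""), rec.get("realm", "")
    if "@" in user:
        return "domain-in-user" if not realm else "domain-in-both"
    return "split-realm" if realm else "bare-user"


def compare_hosts(lines):
    """Map each host to the set of login shapes seen in its auth failures."""
    shapes = {}
    for line in lines:
        rec = parse_do_auth(line)
        if rec:
            shapes.setdefault(rec["host"], set()).add(login_shape(rec))
    return shapes


# Constructed sample. Line 1 is the jail's record from the message, re-joined
# onto one line. Line 2 is a hypothetical working-server record (assumption).
# Line 3 is the DEBUG line from the message, which must be skipped.
SAMPLE = [
    "Jun 18 21:13:21 jail saslauthd[21300]: do_auth : auth failure: "
    "[user=cyrus@example.com] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]",
    "Jun 18 21:20:02 host saslauthd[1187]: do_auth : auth failure: "
    "[user=cyrus] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]",
    "Jun 18 21:13:21 jail saslauthd[21300]: DEBUG: auth_pam: pam_authenticate failed: authentication error",
]

if __name__ == "__main__":
    for host, seen in sorted(compare_hosts(SAMPLE).items()):
        print(host, sorted(seen))
```

A differing shape between the two hosts points at how the login name is handed to saslauthd rather than at the PAM configuration.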