Date:      Thu, 18 Jun 2009 13:32:44 -0800
From:      Mel Flynn <mel.flynn+fbsd.questions@mailing.thruhere.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: Problem authenticating with sasl in jail
Message-ID:  <200906181332.44981.mel.flynn%2Bfbsd.questions@mailing.thruhere.net>
In-Reply-To: <4A3A93CF.4050603@locolomo.org>
References:  <4A38D6FE.8000804@locolomo.org> <200906180620.25768.mel.flynn%2Bfbsd.questions@mailing.thruhere.net> <4A3A93CF.4050603@locolomo.org>

On Thursday 18 June 2009 11:21:51 Erik Norgaard wrote:
> Mel Flynn wrote:
> > On Wednesday 17 June 2009 21:51:03 Erik Norgaard wrote:
> >>>> Jun 17 23:39:17 jail imap[8412]: badlogin: jail.example.com
> >>>> [172.16.0.2] plaintext cyrus@example.com SASL(-13): user not found:
> >>>> checkpass failed
> >
> > So does the imap server know the domain name? How does it figure it out?
> > Does it know to strip domain names because you configured the unix passwd
> > backend? If it uses the domainname command to figure out the domainname,
> > you may have it set on the working server, yet not on the jail.
> > Any differences related to domains in /etc/rc.conf and /etc/resolv.conf
> > that might shed some light?
>
> I added the line
>
> defaultdomain: example.com
>
> to imapd.conf, this line is not in my working server configuration,
> however, it does make the realm part go away from the error message, not
> that it solves the problem though:
>
> Jun 18 21:09:57 jail imap[22562]: badlogin: jail.example.com
> [172.16.0.2] plaintext cyrus SASL(-1): generic failure: checkpass failed
>
> Now, adding debug mode to saslauthd, I got some extra info in auth.log:
>
> Jun 18 21:13:21 jail saslauthd[21300]: DEBUG: auth_pam: pam_authenticate
> failed: authentication error
> Jun 18 21:13:21 jail saslauthd[21300]: do_auth         : auth failure:
> [user=cyrus@example.com] [service=imap] [realm=] [mech=pam] [reason=PAM
> auth error]

Can you add the same debug mode to the working server and do a failed login? 
Interesting point being if the user has the domain appended as well.

> I have checked /etc/pam.d in the jail against the host and they are
> identical, also /usr/local/etc/pam.d - both empty. Are there any known
> problems with pam in jails?

Not that I'm aware of.
-- 
Mel
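
The comparison asked for above can be scripted. This is an added example, not part of the original message: it parses saslauthd `do_auth` debug records in the format quoted in the thread and reports whether the domain arrived inside the user name while the realm field was empty. The jail lines are taken from the thread (unwrapped), the working-server line is constructed, and all function names are hypothetical.

```python
import re

# Format of the saslauthd debug record quoted in the thread:
#   do_auth : auth failure: [user=..] [service=..] [realm=..] [mech=..] [reason=..]
DO_AUTH = re.compile(r"saslauthd\[\d+\]:\s*do_auth\s*:\s*auth (?P<result>\w+):(?P<fields>.*)")
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")

# Taken from the thread, with the mail client's line wrapping undone.
JAIL_LOG = (
    "Jun 18 21:13:21 jail saslauthd[21300]: DEBUG: auth_pam: pam_authenticate failed: authentication error\n"
    "Jun 18 21:13:21 jail saslauthd[21300]: do_auth         : auth failure: "
    "[user=cyrus@example.com] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]\n"
)
# Constructed sample: the thread does not show the working server's output.
HOST_LOG = (
    "Jun 18 21:20:05 host saslauthd[1042]: do_auth         : auth failure: "
    "[user=cyrus] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]\n"
)

def parse_do_auth(log_text):
    """Return one dict per do_auth record; other saslauthd lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = DO_AUTH.search(line)
        if not m:
            continue
        rec = dict(FIELD.findall(m.group("fields")))
        rec["result"] = m.group("result")
        # Domain carried inside the user name while the realm field is empty:
        # the login name given to the mechanism then includes the domain.
        rec["domain_in_user"] = "@" in rec.get("user", "") and not rec.get("realm")
        records.append(rec)
    return records

def identity_shapes(log_text):
    """Distinct (user, realm, mech, domain_in_user) tuples seen in a log."""
    return {(r.get("user", ""), r.get("realm", ""), r.get("mech", ""), r["domain_in_user"])
            for r in parse_do_auth(log_text)}

def compare(jail_log, host_log):
    """Identity shapes that appear on only one of the two systems."""
    jail, host = identity_shapes(jail_log), identity_shapes(host_log)
    return {"only_jail": sorted(jail - host), "only_host": sorted(host - jail)}

if __name__ == "__main__":
    for side, shapes in compare(JAIL_LOG, HOST_LOG).items():
        for user, realm, mech, flagged in shapes:
            print(f"{side}: user={user!r} realm={realm!r} mech={mech} domain_in_user={flagged}")
```

Feed it the relevant part of auth.log from each system in place of the two sample strings; an empty result on both sides means saslauthd received the same user and realm on the jail and the host.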


