From: Tautvydas G. <tau...@bs...> - 2007-08-09 08:11:23

Good Morning Mr. Moriyoshi, List,

As Mr. Moriyoshi pointed me, I've started debugging. ltrace saslauthd gave me nothing. I'm quite familiar with Slackware and GRsecurity and totally new to CentOS (I had to) and SELinux. I remember, when installing CentOS, I chose to disable SELinux. And I thought that SELinux was disabled (and system-config-securitylevel-tui showed me that SELinux is disabled). So, only when Mr. Moriyoshi told me to start looking at security-related things (I was pretty sure that permissions and owners were good) I started to check things manually. That led me to the SELinux config. I've disabled it manually, and NOW EVERYTHING IS WORKING.

It looks like SELinux was blocking saslauthd (?) or pam. I don't know how. Cause IMAP and a few other network daemons were able to work with outside servers/clients.

I'm in a rush with that project, so now I don't have enough time to determine the correct config for SELinux. But I'm wondering how SELinux was configured, because pamtester was able to connect. Doesn't SELinux deny everything? Or maybe someone has SELinux for saslauthd :)?

After all, I am really happy that the problem was not related directly to pam_mysql.so. Thanks for the help and for the great job.

With Best Regards,

Tautvydas

Moriyoshi Koizumi wrote:
> Hi Tautvydas,
>
> Tautvydas Griskevicius wrote:
>> Hello List,
>>
>> Mr. Moriyoshi redirected me here. Thanks to him. Like I wrote
>> before, I have a problem. I'm trying to set up Cyrus IMAP server,
>> which uses saslauthd as its password storage. saslauthd uses pam, and
>> pam uses pam_mysql.so for imap. Everything is working fine, IF the
>> MySQL database is locally deployed. I mean, if host directive is set
>> to "localhost" in /etc/pam.d/imap. Authentication works with normal
>> IMAP login, with /usr/sbin/testsaslauthd -u cyrus -p secret and with
>> pamtester imap cyrus authenticate also. But if I change
>> host=database.domain.tld or host=192.168.1.60 or even with
>> host=127.0.0.1 authentication fails. With IMAP login and with
>> testsaslauthd. BUT pamtester is working (logging in) fine. I'm able
>> to use external database (on different server). So, the problem is
>> somewhere between saslauthd and pam. But sadly, I'm not able to
>> determine where. I don't know how pamtester works.
>>
> I figured out the problem a bit more. It seems to be a contextual
> problem; something like unix user / group stuff or SELinux context is
> involved.
>
> If my understanding is correct, the symptoms are as follows:
>
> 1. It works at least with the context on which you were manipulating
>    the testing tools.
> 2. Connection through unix domain sockets works for everything.
> 3. TCP connection didn't work for either except pamtester.
>
> Did you check out the syslog or the security log and see something in
> it? If you cannot find anything suspicious, try strace and investigate
> the raw system calls to look for what makes it go wrong.
>
> Moriyoshi
>
>> Like Mr. Moriyoshi recommended, I've checked all binaries with ldd.
>> Everything looks fine.
>>
>> My /etc/pam.d/imap config is below.
>>
>> auth sufficient pam_mysql.so user=mail passwd=secret \
>>     host=localhost db=mail table=accountuser \
>>     usercolumn=username passwdcolumn=password \
>>     crypt=0 logtable=log logmsgcolumn=msg \
>>     logusercolumn=user loghostcolumn=host \
>>     logpidcolumn=pid logtimecolumn=time \
>>     verbose=1 sqllog=true
>>
>> account required pam_mysql.so user=mail passwd=secret \
>>     host=localhost db=mail table=accountuser \
>>     usercolumn=username passwdcolumn=password \
>>     crypt=0 logtable=log logmsgcolumn=msg \
>>     logusercolumn=user loghostcolumn=host \
>>     logpidcolumn=pid logtimecolumn=time \
>>     verbose=1 sqllog=true
>>
>> I hope someone will help me.
>>
>> With Best Regards,
>>
>> Tautvydas
>>
>> _______________________________________________
>> Pam-mysql-general mailing list
>> Pam...@li...
>> https://lists.sourceforge.net/lists/listinfo/pam-mysql-general
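
Added example, not part of the original messages: a Python sketch of the log check Moriyoshi suggests, scanning audit-log AVC denials for a daemon that was refused an outbound TCP connect. The sample lines are constructed, and the `saslauthd_t` and `mysqld_port_t` types are assumptions based on the SELinux targeted policy, not values taken from the thread.

```python
import re

# Constructed sample lines in the audit.log format (not from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1186646400.101:41): avc:  denied  { name_connect } for  pid=2310 comm="saslauthd" dest=3306 scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1186646400.101:41): arch=40000003 syscall=102 success=no exit=-13 comm="saslauthd" exe="/usr/sbin/saslauthd"
type=AVC msg=audit(1186646412.554:42): avc:  denied  { read } for  pid=2501 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_denials(text):
    """Return one dict per AVC denial line; non-AVC lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
        rec["perms"] = m.group("perms").split()
        rec["serial"] = int(m.group("serial"))
        denials.append(rec)
    return denials


def blocked_tcp_connects(denials, comm):
    """Denials where the process named `comm` was refused a TCP connect."""
    return [d for d in denials
            if d.get("comm") == comm
            and d.get("tclass") == "tcp_socket"
            and "name_connect" in d["perms"]]


if __name__ == "__main__":
    for d in blocked_tcp_connects(parse_avc_denials(SAMPLE_LOG), "saslauthd"):
        domain = d["scontext"].split(":")[2]  # SELinux type of the process
        print(f'{d["comm"]} ({domain}) denied connect to port {d["dest"]}')
```

On a live system the input would be /var/log/audit/audit.log, or /var/log/messages when auditd is not running.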