Problem authenticating with sasl in jail
mel.flynn+fbsd.questions at mailing.thruhere.net
Thu Jun 18 21:32:48 UTC 2009
On Thursday 18 June 2009 11:21:51 Erik Norgaard wrote:
> Mel Flynn wrote:
> > On Wednesday 17 June 2009 21:51:03 Erik Norgaard wrote:
> >>>> Jun 17 23:39:17 jail imap: badlogin: jail.example.com
> >>>> [172.16.0.2] plaintext cyrus at example.com SASL(-13): user not found:
> >>>> checkpass failed
> > So does the imap server know the domain name? How does it figure it out?
> > Does it know to strip domain names because you configured the unix passwd
> > backend? If it uses the domainname command to figure out the domainname,
> > you may have it set on the working server, yet not on the jail.
> > Any differences related to domains in /etc/rc.conf and /etc/resolv.conf
> > that might shed some light?
> I added the line
> defaultdomain: example.com
> to imapd.conf, this line is not in my working server configuration,
> however, it does make the realm part go away from the error message, not
> that it solves the problem though:
> Jun 18 21:09:57 jail imap: badlogin: jail.example.com
> [172.16.0.2] plaintext cyrus SASL(-1): generic failure: checkpass failed
> Now, adding debug mode to saslautd, I got some extra info in auth.log:
> Jun 18 21:13:21 jail saslauthd: DEBUG: auth_pam: pam_authenticate
> failed: authentication error
> Jun 18 21:13:21 jail saslauthd: do_auth : auth failure:
> [user=cyrus at example.com] [service=imap] [realm=] [mech=pam] [reason=PAM
> auth error]
Can you add the same debug mode to the working server and do a failed login?
Interesting point being if the user has the domain appended as well.
> I have checked /etc/pam.d in the jail against the host and they are
> identical, also /usr/local/etc/pam.d - both empty. Are there any known
> problems with pam in jails?
Not that I'm aware of.
More information about the freebsd-questions