
Re: pam_radius + saslauthd + cyrus imapd



Are you getting the "ERROR reading %s, line %d: Could not read hostname or secret\n" line?  You have that just inside of an if () block, but nothing in the "else" side of things.  We may be getting somewhere :) .

Put another log line in the "else" section printing the hostname, the secret, and the timeout just to verify that it is reading the line in your config file properly.  We're getting close!

Joe
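Joe's suggestion above, as an added example that is not code from this thread or from pam_radius itself: a stand-alone parser for the /etc/raddb/server line format ("hostname secret [timeout]") that applies the same sscanf() test and 1..60 timeout clamp as the loop Fatemeh posted, with the verifying log line in the "else" branch; parse_servers(), server_entry and the sample config text are this example's own constructions.

```c
#include <stdio.h>
#include <string.h>
#define MAXLINE 256
typedef struct { char hostname[64]; char secret[64]; int timeout; } server_entry;

/* Parse "hostname secret [timeout]" lines from text held in memory, applying
 * the same sscanf() test and 1..60 timeout clamp as the module's loop.
 * Fills out[] and returns how many valid entries were read. */
int parse_servers(const char *text, server_entry *out, int max)
{
    char buffer[MAXLINE], hostname[64], secret[64];
    const char *cur = text, *p;
    int line = 0, n = 0, timeout;
    while (*cur && n < max) {
        /* copy one line into buffer, as fgets() would from the file */
        size_t len = strcspn(cur, "\n");
        if (len >= sizeof(buffer)) len = sizeof(buffer) - 1;
        memcpy(buffer, cur, len);
        buffer[len] = '\0';
        cur += len + (cur[len] == '\n');
        line++;
        p = buffer;
        while (*p == ' ' || *p == '\t' || *p == '\r') p++;   /* skip whitespace */
        if (!*p || *p == '#') continue;                        /* blank or comment */
        timeout = 3;
        if (sscanf(p, "%63s %63s %d", hostname, secret, &timeout) < 2) {
            fprintf(stderr, "ERROR reading config, line %d: Could not read hostname or secret\n", line);
            continue;                                          /* invalid line */
        } else {
            /* The verification line Joe asks for. Drop it once debugging is done:
             * it writes the shared secret into the log. */
            fprintf(stderr, "line %d: hostname=%s secret=%s timeout=%d\n",
                    line, hostname, secret, timeout);
            strcpy(out[n].hostname, hostname);
            strcpy(out[n].secret, secret);
            out[n].timeout = (timeout < 1 || timeout > 60) ? 3 : timeout;
            n++;
        }
    }
    return n;
}

/* Constructed sample config (not a real server file): comment, blank line,
 * two valid entries, a malformed line, and an out-of-range timeout. */
static const char sample_conf[] =
    "# comment line\n\n"
    "radius1.example.com  s3cret  5\n"
    "   radius2.example.com  other\n"
    "badline\n"
    "radius3.example.com  third  120\n";
```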

Fatemeh Taj wrote:
Joe, 
I did what you said, it seems that there is a
non-ending while loop here (for me) and the last error
I see is what I have printed below (socket23). It gets
the username and goes to this loop and never comes out
to get the password.

Can you help me?

Thanks 
Fatemeh Taj 

  while (!feof(fserver) &&
         (fgets (buffer, sizeof(buffer), fserver) != (char*) NULL) &&
         (!ferror(fserver))) {
    line++;
    p = buffer;

    /*
     *  Skip blank lines and whitespace
     */
    while (*p &&
           ((*p == ' ') || (*p == '\t') ||
            (*p == '\r') || (*p == '\n'))) p++;

    /*
     *  Nothing, or just a comment.  Ignore the line.
     */
    if ((!*p) || (*p == '#')) {
      continue;
    }

    timeout = 3;
    if (sscanf(p, "%s %s %d", hostname, secret, &timeout) < 2) {
      _pam_log(LOG_ERR, "ERROR reading %s, line %d: Could not read hostname or secret\n",
               conf_file, line);
      continue; /* invalid line */
    } else {                    /* read it in and save the data */
      radius_server_t *tmp;

      tmp = malloc(sizeof(radius_server_t));
      if (server) {
        server->next = tmp;
        server = server->next;
      } else {
        conf->server = tmp;
        server = tmp;            /* first time */
      }

      /* sometime later do memory checks here */
      server->hostname = strdup(hostname);
      server->secret = strdup(secret);
      server->accounting = accounting;
      server->port = 0;
      if ((timeout < 1) || (timeout > 60)) {
        server->timeout = 3;
      } else {
        server->timeout = timeout;
      }
      server->next = NULL;
    }
    /* debug marker: printed once per config line read */
    _pam_log(LOG_ERR, "Unable to open socket23: %s\n", strerror(errno));
  }
  /* debug marker: printed once the loop has finished */
  _pam_log(LOG_ERR, "Unable to open socket24: %s\n", strerror(errno));
  fclose(fserver);



--- Joe Lewis <joe joe-lewis com> wrote:
Joe
As I said:
Also I know that this machine can establish radius connection (udp/1812) to the radius server. I tried it using nc command.

Sorry about that.  Sometimes I read WAY too quickly.

Using nc command I could establish udp connection to 1812 port and the firewall permits the connection. It's not a network problem :(

Okay.  After the module prints "Got user name %s", it calls a function initialize().  This function gets the IP address of the host to contact for the radius information.  If it returns any PAM_* errors, the module will quit right there.  However, if it continues on, there is the next step of checking for the service name or the client_id - if both of those fail, the module will quit.  At this point, an open socket should be connected to the Radius server, and the module sets up the Radius packet.  But it won't quit here.  It grabs the password, and then determines if it fails.  If it does not, you should see a debug message stating "Got password %s".

So, in this process, there are actually a multitude of ways that this could be "malfunctioning".  If it can't find the /etc/raddb/servers file, it will complain and log it.  So, obviously, you DO have the file and it is in the right place.  In addition, in the initialize function, it checks for server configs, and that is working fine.  Then it opens the socket.  If it fails to open the socket, IT SHOULD PRINT A LOG LINE.  Now, I would suggest that you dump a couple of

 _pam_log(LOG_ERR, "Failed to open RADIUS socket: %s\n", strerror(errno));

lines throughout the code, primarily AFTER the initialize function exits, and then throughout the initialize function itself.  This should help you pinpoint exactly what process is causing the problem.

The other option is to run 'gdb' on it (attach it to the process after it is started).  Try doing it in the "su" service, so that you can do most of the leg work on the command line.  Then you can step through the process to figure out what is going on.  Some time between printing "Got user name" and the next print functions, the module is doing something wrong.  Let me know what you find.

Joe

Joe
As I said:
Also I know that this machine can establish radius connection (udp/1812) to the radius server. I tried it using nc command.

Using nc command I could establish udp connection to 1812 port and the firewall permits the connection. It's not a network problem :(

--Fatemeh

--- Joe Lewis <joe joe-lewis com> wrote:
Have you run network checks to ensure that ports are being opened?  You might have a firewall on the sending side, the receiving side, or somewhere in between that is causing problems.  Telnet on the radius port and verify that you can get a connection.

Joe

Dear All,
I did install cyrus imapd 2.2.3 on redhat enterprise 3. Now I want to authenticate users through a radius server. I have done it previously on redhat 7.1 and it works fine, but now pam_radius does not send the request to the radius server. Maybe here is not the proper place to ask this, but I thought you might have such experience.

I have:
--sasl_passwd_check=saslauthd
sasl_mech_list=PLAIN
--in /etc/pam.d/pop I have
auth required  /lib/security/pam_radius_auth.so debug
--and have configured /etc/raddb/server too and the permission is 755.
--Also /lib/security/pam_radius_auth.so is available too. (pam_radius 1.3.16) I ran saslauthd with -a pam, it gets the username but there is no sign of sending the request to radius server.
log:
saslauthd[2859]: rel_accept_lock : released accept lock
May22 saslauthd[2860]: get_accept_lock : acquired accept lock
May 2212:06:56 test saslauthd[2859]: pam_radius_auth: Got user name fatemehand

nothing about sending request is found in log.

With my tests I know that pam_radius_auth does read the /etc/radd/server but does not send any request to radius server. Also I know that this machine can establish radius connection (udp/1812) to the radius server. I tried it using nc command. Any comment is really appreciated.

Please help.
Thanks F. Taj
P.S, I have asked it in cyrus imapd and cyrus sasl list too but no answer :(





_______________________________________________
Pam-list mailing list
Pam-list redhat com
https://www.redhat.com/mailman/listinfo/pam-list

Joe Lewis


=== message truncated ===

