Pam issues w/ upgrading mail server from FC3 to FC5
Philip Prindeville
philipp_subx at redfish-solutions.com
Mon Nov 13 06:01:11 UTC 2006
Craig White wrote:
>On Sun, 2006-11-12 at 21:06 -0700, Philip Prindeville wrote:
>
>>Craig White wrote:
>>
>>>On Sun, 2006-11-12 at 15:53 -0700, Philip Prindeville wrote:
>>>
>>>>Sam Varshavchik wrote:
>>>>
>>>>>Philip Prindeville writes:
>>>>>
>>>>>>Since we reimaged our mail server (using Sendmail, Cyrus-imap, Mimedefang,
>>>>>>and SpamAssassin) to FC5, we've been seeing:
>>>>>>
>>>>>>Nov 10 11:13:21 mail saslauthd[2912]: Deprecated pam_stack module called from service "imap"
>>>>>>Nov 10 11:13:21 mail saslauthd[2912]: Deprecated pam_stack module called from service "imap"
>>>>>>Nov 10 11:56:03 mail saslauthd[2912]: Deprecated pam_stack module called from service "imap"
>>>>>>Nov 10 11:56:03 mail saslauthd[2912]: Deprecated pam_stack module called from service "imap"
>>>>>>Nov 10 11:56:03 mail saslauthd[2909]: Deprecated pam_stack module called from service "imap"
>>>>>>
>>>>>>in our /var/log/secure logfile. sigh... did I forget to do
>>>>>>something else when setting up the mail server following the
>>>>>>FC5 reimage?
>>>>>>
>>>>>As the message says: pam_stack is deprecated.
>>>>>
>>>>>After some further poking: pam_stack has been replaced by the include
>>>>>directive. See /etc/pam.d
>>>>>
>>>>Ok, well, I'm looking at it:
>>>>
>>>>#%PAM-1.0
>>>>auth required pam_stack.so service=system-auth
>>>>account required pam_stack.so service=system-auth
>>>>
>>>>I'm also seeing the contents of the /usr/share/docs/cyrus-imap-*/
>>>>directory that references the link:
>>>>
>>>>http://www.kernel.org/pub/linux/libs/pam/FAQ
>>>>
>>>>and looking at that link, they talk about RedHat lagging behind
>>>>on the PAM release.
>>>>
>>>>Well, this is more than a bit confusing. It looks like Cyrus
>>>>is the one lagging behind... or at least, whoever set the options
>>>>that the Redhat RPM's get packaged with did.
>>>>
>>>>What *should* Cyrus be using to authenticate?
>>>>
>>>>This is assuming that I don't want all users having mailboxes to
>>>>have entries (accounts) in /etc/passwd... I can seed their passwords
>>>>manually using saslpasswd -f /etc/sasldb2 ...
>>>>
>>>----
>>>It depends upon setting in /etc/imapd.conf
>>>
>>># grep sasl /etc/imapd.conf
>>>sasl_pwcheck_method: saslauthd
>>>sasl_mech_list: PLAIN
>>>
>>>when cyrus uses saslauthd for authentication...
>>>
>>># cat /etc/sysconfig/saslauthd
>>># Directory in which to place saslauthd's listening socket, pid file, and so
>>># on. This directory must already exist.
>>>SOCKETDIR=/var/run/saslauthd
>>>
>>># Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
>>># of which mechanism your installation was compiled with the ability to use.
>>>MECH=pam
>>>
>>># Additional flags to pass to saslauthd on the command line. See saslauthd(8)
>>># for the list of accepted flags.
>>>FLAGS=
>>>
>>>make sure that saslauthd service is started...
>>>
>>>/sbin/service saslauthd status
>>>saslauthd (pid 3233 3232 3231 3230 3219) is running...
>>>
>>>this should pretty much work.
>>>
>>>Craig
>>>
>>Yeah, saslauthd is running... the config is unchanged, as above...
>>I've created a username with:
>>
>> saslpasswd2 -f /etc/sasldb2 -a imap -c username
>>
>>Oh, did the "chown cyrus.mail /etc/sasldb2" also...
>>
>>So I can't figure out what else needs to be done... Still seeing
>>those messages.
>>
>----
>I don't use sasldb but a check of the man page for saslauthd shows...
>
>sasldb (All platforms)
> Authenticate against the SASL authentication database. Note that this is probably
> not what you want to be using, and is even disabled at compile-time by default.
> If you want to use sasldb with the SASL library, you probably want to use the
> pwcheck_method of "auxprop" along with the sasldb auxprop plugin instead.
>
>Craig
>
That doesn't seem right.

Why would Cyrus-imapd be released in a successive version that
removed very popular functionality it previously had? A lot of
people use IMAP-over-SSL with a SASL database to authenticate
from.

Usually RPM's are released in binary form with the maximum
amount of functionality.

BTW: saslauthd -v returns:

saslauthd 2.1.21
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap

-Philip
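
Added example, not part of the original thread: a Python converter for the change Sam describes (pam_stack replaced by the include directive), run over the /etc/pam.d/imap contents quoted above. The `session ... debug` line is constructed to show the warning path, and the function names are illustrative.

```python
import re

# <type> <control> [path/]pam_stack.so [args]; control may be a [k=v ...] list.
PAM_STACK = re.compile(
    r"^(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"\S*pam_stack\.so(?P<args>(?:\s+\S+)*)\s*$"
)

def convert_line(line):
    """Return (line, warnings); pam_stack lines are rewritten to 'include'."""
    m = PAM_STACK.match(line.strip())
    if not m:
        return line, []          # comments and other modules pass through
    args = m.group("args").split()
    services = [a[len("service="):] for a in args if a.startswith("service=")]
    if len(services) != 1 or not services[0]:
        return line, ["no single service= argument, left unchanged"]
    warnings = []
    # 'include' inlines the named file, so the original control flag is gone
    # and the included file's own flags decide the outcome.
    if m.group("control") != "required":
        warnings.append(f"control {m.group('control')} is dropped by include")
    extra = [a for a in args if not a.startswith("service=")]
    if extra:
        warnings.append(f"arguments {extra} have no include equivalent")
    return f"{m.group('type')} include {services[0]}", warnings

def convert(text):
    """Convert a whole /etc/pam.d file; returns (new_text, warnings)."""
    out, notes = [], []
    for n, line in enumerate(text.splitlines(), 1):
        new, warns = convert_line(line)
        out.append(new)
        notes += [f"line {n}: {w}" for w in warns]
    return "\n".join(out) + "\n", notes

# The /etc/pam.d/imap contents quoted in the thread, plus one constructed
# line (session ... debug) to show the warning path.
SAMPLE = """#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
session sufficient /lib/security/pam_stack.so service=system-auth debug
"""

if __name__ == "__main__":
    new_text, notes = convert(SAMPLE)
    print(new_text, end="")
    for note in notes:
        print("WARNING:", note)
```

Review each warning before installing the converted file, since the authentication outcome for the service now follows the included stack's control flags.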