PAM / saslauthd pam_mysql: strange behaviour

Irina22

[...] glitches.
Also, you don't have to compile mysql support into saslauthd; you can use pam_mysql instead,
see below.

Here's the situation:
having spent about a day of my life on this and nearly despairing..
I want to build saslauthd (it's needed for SMTP authentication)
(the parts in bold were added by me to the Makefile)

j091# cd /usr/ports/security/cyrus-sasl2-saslauthd/
j091# make
...
configure: running /bin/sh './configure' --prefix=/usr/local '--sysconfdir=/usr/local/etc' '--with-plugindir=/usr/local/lib/sasl2' '--with-dbpath=/usr/local/etc/sasldb2' '--includedir=/usr/local/include' '--mandir=/usr/local/man' '--enable-static' '--enable-login' '--enable-auth-sasldb' '--with-rc4=openssl' '--with-saslauthd=/var/run/saslauthd' '--enable-sql' '--with-mysql=/usr/local' '--disable-ldapdb' '--with-dblib=ndbm' '--enable-gssapi' '--disable-krb4' '--with-openssl=yes' '--prefix=/usr/local' 'i386-portbld-freebsd5.5' 'LDFLAGS= -rpath=/usr/lib:/usr/local/lib' 'CFLAGS=-O -pipe ' 'host_alias=i386-portbld-freebsd5.5' 'build_alias=i386-portbld-freebsd5.5' 'target_alias=i386-portbld-freebsd5.5' 'CC=cc' --cache-file=.././config.cache --srcdir=.
...
#make install
#j091# /usr/local/sbin/saslauthd -v
saslauthd 2.1.22
authentication mechanisms: sasldb getpwent kerberos5 pam rimap
j091#

The last line should also list mysql.
There is nothing about errors in configure.log.

Irina22

гз

otets-mihail

And what does configure say about mysql?

sergey_m

Did you make these options up, or where did you get them from?

Irina22

From the README.
configure says a lot of things, but nothing about incompatibilities or errors.

Irina22


j091# cat config.log | grep mysql
$ ./configure --sysconfdir=/usr/local/etc --with-plugindir=/usr/local/lib/sasl2 --with-dbpath=/usr/local/etc/sasldb2 --includedir=/usr/local/include --mandir=/usr/local/man --enable-static --enable-login --enable-auth-sasldb --with-rc4=openssl --with-saslauthd=/var/run/saslauthd --enable-sql --with-mysql=/usr/local --disable-ldapdb --with-dblib=ndbm --enable-gssapi --disable-krb4 --with-openssl=yes --prefix=/usr/local i386-portbld-freebsd5.5
configure checking for mysql_select_db in -lmysqlclient
configure cc -o conftest -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql -rpath=/usr/lib:/usr/local/lib -L/usr/local/lib/mysql -R/usr/local/lib/mysql conftest.c -lmysqlclient >&5
configure cc -o conftest -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql -rpath=/usr/lib:/usr/local/lib conftest.c >&5
configure cc -o conftest -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql -rpath=/usr/lib:/usr/local/lib conftest.c >&5
configure cc -o conftest -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql -rpath=/usr/lib:/usr/local/lib conftest.c >&5
configure cc -o conftest -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql -rpath=/usr/lib:/usr/local/lib conftest.c -lresolv >&5
configure cc -o conftest -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql -rpath=/usr/lib:/usr/local/lib conftest.c >&5
configure cc -o conftest -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql -rpath=/usr/lib:/usr/local/lib conftest.c >&5
configure cc -o conftest -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql -rpath=/usr/lib:/usr/local/lib conftest.c >&5
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure cc -o conftest -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql -rpath=/usr/lib:/usr/local/lib conftest.c >&5
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure cc -E -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure cc -E -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure cc -E -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure cc -E -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure cc -E -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure cc -E -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure cc -E -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure cc -E -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure cc -E -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure cc -E -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure cc -E -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure cc -E -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure cc -E -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure cc -E -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c
configure cc -c -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql conftest.c >&5
configure

Irina22

I found another way, without saslauthd; I'm building sasl2
configure checking for mysql_select_db in -lmysqlclient
configure cc -o conftest -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql -rpath=/usr/lib:/usr/local/lib -L/usr/local/lib/mysql -R/usr/local/lib/mysql conftest.c -lmysqlclient >&5
configure $? = 0
configure test -s conftest
configure $? = 0
configure result: yes
configure checking LDAPDB
configure result: disabled
configure checking for dmalloc library
configure result: no
configure checking for sfio library
configure result: no
configure checking for getsubopt
configure cc -o conftest -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql -rpath=/usr/lib:/usr/local/lib conftest.c >&5
configure $? = 0
configure test -s conftest
configure $? = 0
configure result: yes
configure checking for snprintf
configure cc -o conftest -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql -rpath=/usr/lib:/usr/local/lib conftest.c >&5
configure warning: conflicting types for built-in function 'snprintf'
configure $? = 0
configure test -s conftest
configure $? = 0
configure result: yes
configure checking for vsnprintf
configure cc -o conftest -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql -rpath=/usr/lib:/usr/local/lib conftest.c >&5
configure warning: conflicting types for built-in function 'vsnprintf'
configure $? = 0
configure test -s conftest
configure $? = 0
configure result: yes
configure checking for inet_aton in -lresolv
configure cc -o conftest -Wall -W -O -pipe -DKRB5_HEIMDAL -I/usr/local/include/mysql -rpath=/usr/lib:/usr/local/lib conftest.c -lresolv >&5
/usr/bin/ld: cannot find -lresolv
configure $? = 1
configure: failed program was:
| #line 12933 "configure"
| /* confdefs.h. */
|
| #define PACKAGE_NAME ""

On authentication it logs:
Sep 27 08:53:48 j091 postfix/smtpd[98474]: > be31.masterhost.ru[83.222.23.201]: 250-AUTH=NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
Sep 27 08:53:48 j091 postfix/smtpd[98474]: > be31.masterhost.ru[83.222.23.201]: 250 8BITMIME
Sep 27 08:53:48 j091 postfix/smtpd[98474]: watchdog_pat: 0x81ae308
Sep 27 08:53:48 j091 postfix/smtpd[98474]: vstream_fflush_some: fd 10 flush 183
Sep 27 08:53:48 j091 postfix/smtpd[98474]: vstream_buf_get_ready: fd 10 got 15
Sep 27 08:53:48 j091 postfix/smtpd[98474]: < be31.masterhost.ru[83.222.23.201]: AUTH CRAM-MD5
Sep 27 08:53:48 j091 postfix/smtpd[98474]: smtpd_sasl_authenticate: sasl_method CRAM-MD5
Sep 27 08:53:48 j091 postfix/smtpd[98474]: smtpd_sasl_authenticate: uncoded challenge: <2290720691.j091.mt.ru>
Sep 27 08:53:48 j091 postfix/smtpd[98474]: > be31.masterhost.ru[83.222.23.201]: 334 PDIyOTA3MjA2OTEuMTcwNDk5M0BqMDkxLm10LnJ1Pg==
Sep 27 08:53:48 j091 postfix/smtpd[98474]: vstream_fflush_some: fd 10 flush 50
Sep 27 08:53:48 j091 postfix/smtpd[98474]: vstream_buf_get_ready: fd 10 got 54
Sep 27 08:53:48 j091 postfix/smtpd[98474]: < be31.masterhost.ru[83.222.23.201]: aWdvciBlZDMxNzNlOGIxMGY5ZjA0MGU1MzBmOTU4NDRjNTIzYg==
Sep 27 08:53:48 j091 postfix/smtpd[98474]: smtpd_sasl_authenticate: decoded response: igor ed3173e8b10f9f040e530f95844c523b

Sep 27 08:53:48 j091 postfix/smtpd[98474]: warning: SASL authentication failure: no secret in database

Sep 27 08:53:48 j091 postfix/smtpd[98474]: warning: be31.masterhost.ru[83.222.23.201]: SASL CRAM-MD5 authentication failed
Sep 27 08:53:48 j091 postfix/smtpd[98474]: > be31.masterhost.ru[83.222.23.201]: 535 Error: authentication failed
Sep 27 08:53:48 j091 postfix/smtpd[98474]: watchdog_pat: 0x81ae308
Sep 27 08:53:48 j091 postfix/smtpd[98474]: vstream_fflush_some: fd 10 flush 34
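
Added example, not part of the thread: the CRAM-MD5 exchange from the log above, checked the way a server has to check it. The server can recompute the client's HMAC-MD5 only if it can read the user's plaintext secret; when that lookup returns nothing, Cyrus SASL reports "no secret in database". The two base64 strings are copied from the log; `secret_store` and the secrets are constructed stand-ins.

```python
import base64
import hashlib
import hmac

# Copied from the Postfix log above: the 334 challenge and the client's reply.
CHALLENGE_B64 = "PDIyOTA3MjA2OTEuMTcwNDk5M0BqMDkxLm10LnJ1Pg=="
RESPONSE_B64 = "aWdvciBlZDMxNzNlOGIxMGY5ZjA0MGU1MzBmOTU4NDRjNTIzYg=="


def parse_response(response_b64):
    """Split the decoded client reply into (username, hex digest)."""
    text = base64.b64decode(response_b64).decode("utf-8")
    user, _, digest = text.rpartition(" ")
    return user, digest.lower()


def expected_digest(secret, challenge_b64):
    """HMAC-MD5 over the raw challenge, keyed with the plaintext secret."""
    challenge = base64.b64decode(challenge_b64)
    return hmac.new(secret.encode("utf-8"), challenge, hashlib.md5).hexdigest()


def verify(secret_store, challenge_b64, response_b64):
    """Server-side check; secret_store (hypothetical) stands in for the auxprop backend."""
    user, digest = parse_response(response_b64)
    secret = secret_store.get(user)
    if secret is None:
        # Nothing to key the HMAC with: the case logged as "no secret in database".
        return user, "no secret in database"
    want = expected_digest(secret, challenge_b64).encode("ascii")
    ok = hmac.compare_digest(want, digest.encode("utf-8"))
    return user, "ok" if ok else "authentication failed"


def client_reply(user, secret, challenge_b64):
    """Build a reply as a client would; used only to construct sample input."""
    line = f"{user} {expected_digest(secret, challenge_b64)}"
    return base64.b64encode(line.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    print(parse_response(RESPONSE_B64))
    print(verify({}, CHALLENGE_B64, RESPONSE_B64))  # user missing from the store
    reply = client_reply("igor", "constructed-secret", CHALLENGE_B64)
    print(verify({"igor": "constructed-secret"}, CHALLENGE_B64, reply))
    hashed = hashlib.md5(b"constructed-secret").hexdigest()
    print(verify({"igor": hashed}, CHALLENGE_B64, reply))  # only a hash stored
```

A store that keeps only a password hash fails the same way as a wrong password, because the HMAC has to be keyed with the secret itself.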

Irina22

21:05: Sep 27 21:03:56 j091 saslauthd[31584]: get_accept_lock : acquired accept lock
Sep 27 21:03:56 j091 saslauthd[31583]: rel_accept_lock : released accept lock
Sep 27 21:03:56 j091 saslauthd[31583]: do_auth : auth success:
Then postfix passes domain to saslauthd, and that in turn picks igor off it (the man pages say this is for security reasons).
To get the result above, I had to add a user without a domain to the database.

10438 060927 21:03:56 532 Connect localhost on mail_db
10439 532 Init DB mail_db
10440 532 Query SELECT password FROM mailbox WHERE username = 'igor'
10441 532 Quit

Now we start saslauthd, but with the -r option. You'd think it should simply append the domain to the username! And so it does (judging by the mysql query logs).

10454 536 Connect localhost on mail_db
10455 536 Init DB mail_db
10456 536 Query SELECT password FROM mailbox WHERE username = 'web-sight.ru'
10457 536 Quit

But the authentication didn't go very well %)
Sep 27 21:06:36 j091 saslauthd[31601]: get_accept_lock : acquired accept lock
Sep 27 21:06:36 j091 saslauthd[31599]: rel_accept_lock : released accept lock
Sep 27 21:06:36 j091 saslauthd[31599]: DEBUG: auth_pam: pam_acct_mgmt failed: error in service module
Sep 27 21:06:36 j091 saslauthd[31599]: do_auth : auth failure: [user=web-sight.ru] [service=smtp] [realm=web-sight.ru] [mech=pam] [reason=PAM acct error]
Sep 27 21:06:36 j091 saslauthd[31602]: get_accept_lock : acquired accept lock
Sep 27 21:06:36 j091 saslauthd[31601]: rel_accept_lock : released accept lock
Sep 27 21:06:36 j091 saslauthd[31601]: DEBUG: auth_pam: pam_acct_mgmt failed: error in service module
Sep 27 21:06:36 j091 saslauthd[31601]: do_auth : auth failure: [user=web-sight.ru] [service=smtp] [realm=web-sight.ru] [mech=pam] [reason=PAM acct error]