[tech] SMTP Auth Failure

gozzarda at ucc.asn.au
Sat Aug 11 00:27:12 AWST 2018


A bit more digging when time allowed confirmed that PAM on mooneye was 
still set up to use LDAP and not AD.
At first glance the PAM config files look impossible to maintain by 
hand. Had a look for a management system and found none.
Had a chat to Zanchey; turns out there is a management system and it is 
called pam-auth-update.

pam-auth-update confirmed that mooneye was relying on just ldap and unix 
auth.
For comparison motsugo has kerberos, winbind, and unix auth enabled.
I installed libpam-winbind and libpam-krb5 on mooneye and configured pam 
to use them and not ldap at the prompt.

Nothing appears to be broken.
SMTP authentication now works again for me.
I can now send emails from my phone again (and there was much rejoicing 
https://youtu.be/yciX2meIkXI).

If you observe any issues with authentication on mooneye, please report 
them here so I can figure out what I broke and fix it.

Cheers,
Gozz

On 2018-08-02 00:04, trs80 at ucc.gu.uwa.edu.au wrote:
> On Wed, 1 Aug 2018, gozzarda at ucc.asn.au wrote:
> 
>> For a while now I have been unable to authenticate when trying to
>> connect via SMTP.
>> I finally had a chance to dig in a bit today to try to figure this out
>> and found that my auth attempt is getting as far as saslauthd, which is
>> reporting that it is failing to connect to the LDAP server.
>> I am somewhat uninformed about the details of our migration to AD, and
>> even less so about specifically how it is wired into SASL auth, but
>> this error seems particularly indirect to me.
>> My best uneducated guess is that it is failing through to some old
>> wiring to try to hit LDAP, and should not even be getting that far, but
>> I am at a loss for what to poke next.
>> Suggestions for pokable targets are much appreciated, as is background
>> information on how we have wired SMTP auth in general.
> 
> saslauthd is set to use PAM (mooneye:/etc/default/saslauthd). There
> isn't an /etc/pam.d/saslauthd file so I'm not sure how it works. I came
> across https://wiki.debian.org/PostfixAndSASL but I don't know how
> relevant it is these days. It does mention the useful "saslfinger -s"
> command which hangs at "-- mechanisms on localhost --". Further
> investigation shows it hangs because it's grepping for AUTH which is
> not presented. OK, that's because we have this in main.cf:
> 
> # asclepius means we can only use ssl anyway
> smtpd_tls_auth_only = yes
> 
> and it does show up when I do
> $ openssl s_client -connect mooneye.ucc.gu.uwa.edu.au:587 -starttls smtp
> and EHLO localhost:
> 
> 250-AUTH LOGIN PLAIN
> 250-AUTH=LOGIN PLAIN
> 
> Trying to auth plain gives this in mail.log
> 
> warning: SASL authentication failure: Password verification failed
> 
> stracing the smtpd process while it's authing me shows:
> 
> connect(29, {sa_family=AF_UNIX, sun_path="/var/run/saslauthd/mux"}, 110) = 0
> 
> it then sends my password and receives
> 
> read(29, "\0\21", 2)                    = 2
> read(29, "NO PAM auth error", 17)       = 17
> 
> auth.log has
> 
> Aug  1 23:47:45 mooneye saslauthd[1420]: pam_unix(smtp:auth):
> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> user=trs80
> Aug  1 23:47:45 mooneye saslauthd[1420]: pam_ldap(smtp:auth):
> Authentication failure; user=trs80
> Aug  1 23:47:47 mooneye saslauthd[1420]: DEBUG: auth_pam:
> pam_authenticate failed: Authentication failure
> Aug  1 23:47:47 mooneye saslauthd[1420]:                 : auth
> failure: [user=trs80] [service=smtp] [realm=mooneye.ucc.gu.uwa.edu.au]
> [mech=pam] [reason=PAM auth error]
> 
> Further stracing saslauthd shows it's only talking to nslcd.conf, i.e.
> LDAP on mussel and motsugo, which of course isn't running, not AD.
> 
> But /etc/nsswitch.conf has
> 
> passwd:         files ldap winbind
> 
> (really it should be winbind ldap) so it should be talking to both. But
> also
> 
> $ ls -l /etc/nsswitch.conf
> -rw-r--r-- 1 root root 536 Feb 27 08:22 /etc/nsswitch.conf
> 
> vs
> 
> $ ps xua|grep saslauth
> root      1419  0.0  0.1  14212  2184 ?        Ss   Feb26   0:29
> /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
> root      1420  0.0  0.1  14212  2180 ?        S    Feb26   0:29
> /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
> root      1421  0.0  0.1  14212  2228 ?        S    Feb26   0:29
> /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
> root      1422  0.0  0.1  14212  2184 ?        S    Feb26   0:29
> /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
> root      1423  0.0  0.1  14212  2196 ?        S    Feb26   0:29
> /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
> 
> So it's unlikely that saslauthd read in a version of nsswitch.conf that
> included winbind when it started. I invite you to restart saslauthd and
> see if it then works.
> 
> However as a shortcut you might be interested in line 117 of
> mooneye:/etc/postfix/master.cf which I won't quote here but should also
> solve your problem.
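The strace excerpt quoted above is the complete saslauthd "mux" protocol: smtpd connects to /var/run/saslauthd/mux, writes the credentials, and reads a 2-byte big-endian length ("\0\21" is octal 021, i.e. 17) followed by the 17-byte reply "NO PAM auth error". The client side of that exchange, which Cyrus SASL's testsaslauthd also implements, is four length-prefixed strings in the order login, password, service, realm. The following is an added example written for this page, not code from the thread or from the UCC systems; the function names are ours, CAPTURED_REPLY is a constructed copy of the reply bytes seen in the strace, and check_password() is the only part that needs a live daemon.

```python
"""Speak the saslauthd "mux" protocol directly (added example, not from the thread)."""
import socket
import struct

# Constructed sample: the reply bytes captured by strace in the thread
# (2-byte length 0x0011 = 17, then "NO PAM auth error").
CAPTURED_REPLY = b"\x00\x11NO PAM auth error"


def _field(value: str) -> bytes:
    """One protocol field: uint16 big-endian length followed by the bytes."""
    data = value.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("field too long for a 16-bit length prefix")
    return struct.pack(">H", len(data)) + data


def encode_request(login: str, password: str, service: str, realm: str) -> bytes:
    """Build the request saslauthd expects, in the order it reads the fields."""
    return b"".join(_field(v) for v in (login, password, service, realm))


def parse_response(raw: bytes) -> tuple:
    """Decode a length-prefixed reply into (accepted, message)."""
    if len(raw) < 2:
        raise ValueError("reply shorter than its length prefix")
    (length,) = struct.unpack(">H", raw[:2])
    body = raw[2:2 + length]
    if len(body) != length:
        raise ValueError("short read: expected %d body bytes, got %d"
                         % (length, len(body)))
    text = body.decode("utf-8", errors="replace")
    if text.startswith("OK"):
        return True, text[2:].strip()
    if text.startswith("NO"):
        return False, text[2:].strip()
    raise ValueError("unexpected reply: %r" % text)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; a daemon that closes early must not look like a reply."""
    chunks = []
    while n:
        chunk = sock.recv(n)
        if not chunk:
            raise ConnectionError("saslauthd closed the socket mid-reply")
        chunks.append(chunk)
        n -= len(chunk)
    return b"".join(chunks)


def check_password(login, password, service="smtp", realm="",
                   mux="/var/run/saslauthd/mux", timeout=5.0):
    """Ask a running saslauthd whether login/password verify for `service`.

    Equivalent to `testsaslauthd -u login -p password -s service -f mux`.
    The password crosses the Unix socket in the clear, so only the socket
    directory's filesystem permissions protect it from other local users.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(mux)
        sock.sendall(encode_request(login, password, service, realm))
        header = _recv_exact(sock, 2)
        (length,) = struct.unpack(">H", header)
        return parse_response(header + _recv_exact(sock, length))


if __name__ == "__main__":
    # Offline: decode the captured reply; this is the failure the thread saw.
    print(parse_response(CAPTURED_REPLY))
```

Two things worth noticing from the exchange itself: the service field is what PAM uses as the service name, so "smtp" here selects /etc/pam.d/smtp (or /etc/pam.d/other when that file is absent), which is why there is no /etc/pam.d/saslauthd to find; and because the mux carries plaintext passwords, the socket directory should stay restricted to root and the sasl group rather than being opened up while debugging.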
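The auth.log lines quoted above already name every module in the PAM stack that saslauthd walked for the `smtp` service: pam_unix, then pam_ldap, and nothing AD-backed, which is exactly what pam-auth-update later confirmed on mooneye. The following added example (not code from the thread or from the UCC systems) turns that observation into a check that can be run over a log file: it extracts the failed-module chain per service and user from the standard Linux-PAM log prefix, parses saslauthd's own bracketed summary line, and flags stacks that contain no winbind or krb5 module. The sample lines are a constructed copy of the ones quoted above, unwrapped; pam_winbind and pam_krb5 are the modules the thread enables, and pam_sss in the same list is an assumption for SSSD-joined hosts.

```python
"""Pull the PAM module chain out of saslauthd's auth.log lines (added example)."""
import re
from collections import defaultdict

# Constructed sample: the four auth.log lines quoted in the thread, unwrapped.
SAMPLE_AUTH_LOG = """\
Aug  1 23:47:45 mooneye saslauthd[1420]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=trs80
Aug  1 23:47:45 mooneye saslauthd[1420]: pam_ldap(smtp:auth): Authentication failure; user=trs80
Aug  1 23:47:47 mooneye saslauthd[1420]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Aug  1 23:47:47 mooneye saslauthd[1420]:                 : auth failure: [user=trs80] [service=smtp] [realm=mooneye.ucc.gu.uwa.edu.au] [mech=pam] [reason=PAM auth error]
"""

# Standard Linux-PAM log prefix: pam_<module>(<service>:<type>): ... user=<name>
# (\buser= skips the "ruser=" field that pam_unix also logs).
PAM_LINE = re.compile(
    r"(?P<module>pam_[a-z0-9_]+)\((?P<service>[^:()]+):(?P<type>[a-z]+)\):"
    r".*?\buser=(?P<user>\S+)")
# saslauthd's own summary line with [key=value] fields.
SASL_LINE = re.compile(r"auth failure: (?P<fields>(?:\[[^\]]*\]\s*)+)")
FIELD = re.compile(r"\[([^=\]]+)=([^\]]*)\]")

# Modules that verify against AD/Kerberos. pam_winbind and pam_krb5 are the
# ones the thread enables; pam_sss is an assumption for SSSD-joined hosts.
AD_MODULES = ("pam_winbind", "pam_krb5", "pam_sss")


def pam_failures(log_text: str) -> dict:
    """Map (service, user) -> PAM modules that logged a failure, in stack order."""
    chain = defaultdict(list)
    for line in log_text.splitlines():
        m = PAM_LINE.search(line)
        if m and "failure" in line.lower():
            key = (m["service"], m["user"])
            if m["module"] not in chain[key]:
                chain[key].append(m["module"])
    return dict(chain)


def sasl_failures(log_text: str) -> list:
    """Parse saslauthd's 'auth failure: [user=..] [service=..] ...' summaries."""
    return [dict(FIELD.findall(m["fields"]))
            for m in (SASL_LINE.search(line) for line in log_text.splitlines())
            if m]


def audit(log_text: str) -> list:
    """Flag services whose failed PAM stack contains no AD-backed module."""
    findings = []
    for (service, user), modules in pam_failures(log_text).items():
        if not any(mod in AD_MODULES for mod in modules):
            findings.append(
                "%s: user %s was tried against %s only; no AD-backed module "
                "(%s) in the PAM stack, check pam-auth-update"
                % (service, user, ", ".join(modules), "/".join(AD_MODULES)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTH_LOG):
        print(finding)
```

The check keys on the "(smtp:auth)" tag rather than on file names because the PAM service name is supplied by the caller (Postfix passes "smtp"), so the log, not /etc/pam.d/saslauthd, is where the stack that actually ran is recorded.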
