
Mailing List Archive: exim: users

Exim with PAM

 

 



samerk1 at gmail

Jun 18, 2008, 7:27 AM

Post #1 of 4 (697 views)
Exim with PAM

Hi,
I'm trying to run Exim auth with PAM. For that I installed Exim with:

SUPPORT_TLS=yes
TLS_LIBS=-lssl -lcrypto
TLS_INCLUDE=-I/usr/include/openssl -I/usr/kerberos/include
AUTH_CRAM_MD5=yes
AUTH_PLAINTEXT=yes
AUTH_SPA=yes
TLS_LIBS=-L/usr/local/openssl/lib -lssl
SUPPORT_PAM=yes
EXTRALIBS=-lpam

and in my configure file I have:

begin authenticators

plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = "${if pam{$2:$3}{1}{0}}"
  server_set_id = $2

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if pam{$1:$2}{1}{0}}"
  server_set_id = $1

My /etc/pam.d/exim:

#%PAM-1.0
auth required /lib/security/pam_krb5.so minimum_uid=100
account required /lib/security/pam_unix.so
password required /lib/security/pam_krb5.so
session required /lib/security/pam_unix.so

and my krb5.conf is well configured.

Yet when I test Exim I get the following error:

2008-06-18 17:10:45 login authenticator failed for (samerkPC) [192.168.1.104]:
435 Unable to authenticate at present (set_id=samerk): Permission denied

Am I missing something? Do you need me to post more details?

Thanks for your support

-----------------------------------------------------------------
Samer Khalil
Computing & Networking Services American University of Beirut
E-Mail: samerk [at] aub   Room: 341
Phone:961-1-350000 / Ext:2242
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


exim-users at spodhuis

Jun 18, 2008, 2:57 PM

Post #2 of 4 (649 views)
Re: Exim with PAM [In reply to]

On 2008-06-18 at 17:27 +0300, samer khalil wrote:
> Yet when I test Exim I get the following error:
>
> 2008-06-18 17:10:45 login authenticator failed for (samerkPC) [192.168.1.104]:
> 435 Unable to authenticate at present (set_id=samerk): Permission denied
>
> Am I missing something? Do you need me to post more details?

Running "exim -d+auth" to get debugging information, with enhanced
details on authentication, would probably be informative.

Since you're using Kerberos and don't mention it, I take it that you've
created the server principal and put it somewhere that Exim will find it
(via PAM?) SMTP uses "smtp/" principals instead of the "host/"
principals normally used for authentication for PAM sign-in.

Eg, I run "ktutil -k /etc/kerberos/tabs/exim.keytab list" and see
principals for "smtp/smtp.spodhuis.org [at] SPODHUIS" with various
ciphers.

I use Cyrus SASL, not PAM; but on a Debian-derived system, I see a
man-page for pam_krb5(8) which mentions the optional "keytab" attribute.
You'd probably want to get an smtp principal into a file readable by
the Exim running process and tell PAM to use that file for Exim with the
keytab attribute.

Regards,
-Phil



graeme at graemef

Jun 19, 2008, 1:46 AM

Post #3 of 4 (648 views)
Re: Exim with PAM [In reply to]

Hi

On Wed, 2008-06-18 at 17:27 +0300, samer khalil wrote:
> Hi,
> I'm trying to run Exim auth with PAM. For that I installed Exim with:

OK, all looks OK here and the authenticators and the PAM config look
fine (to a point, for more of which see below).

> Yet when I test Exim I get the following error:
>
> 2008-06-18 17:10:45 login authenticator failed for (samerkPC) [192.168.1.104]:
> 435 Unable to authenticate at present (set_id=samerk): Permission denied

The "permission denied" bit is the indicator here. What permissions do
you have on /etc/pam.d/exim?

Graeme




samerk1 at gmail

Jun 19, 2008, 1:56 AM

Post #4 of 4 (638 views)
Re: Exim with PAM [In reply to]

On Thu, Jun 19, 2008 at 12:57 AM, Phil Pennock <exim-users [at] spodhuis>
wrote:

> On 2008-06-18 at 17:27 +0300, samer khalil wrote:
> > Yet when I test Exim I get the following error:
> >
> > 2008-06-18 17:10:45 login authenticator failed for (samerkPC) [192.168.1.104]:
> > 435 Unable to authenticate at present (set_id=samerk): Permission denied
> >
> > Am I missing something? Do you need me to post more details?
>
> Running "exim -d+auth" to get debugging information, with enhanced
> details on authentication, would probably be informative.
>
> Since you're using Kerberos and don't mention it, I take it that you've
> created the server principal and put it somewhere that Exim will find it
> (via PAM?) SMTP uses "smtp/" principals instead of the "host/"
> principals normally used for authentication for PAM sign-in.
>
> Eg, I run "ktutil -k /etc/kerberos/tabs/exim.keytab list" and see
> principals for "smtp/smtp.spodhuis.org [at] SPODHUIS" with various
> ciphers.
>

I did not mention Kerberos because it is authenticating fine; in
log/messages I have:

Jun 18 17:28:06 chill sendmail: pam_krb5[20284]: authentication succeeds
for 'samerk' (samerk [at] AUB)

The problem was in the PAM conf; I had to point the account to
pam_krb5.so instead of pam_unix.so:

account required /lib/security/pam_krb5.so

It is kind of weird since it's working with pam_unix.so on a second server.

Thanks,
SK

-----------------------------------------------------------------
Samer Khalil
Computing & Networking Services American University of Beirut
E-Mail: samerk [at] aub   Room: 341
Phone:961-1-350000 / Ext:2242





> Regards,
> -Phil
>
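
An added example, not part of the thread and not Exim or Linux-PAM code: a small Python parser for a PAM service file that lists the modules in each stack and flags a blocking account module that no auth line uses, which is the arrangement the original poster changed. The two sample files are constructed from the stack quoted in post #1; the function names and the mismatch heuristic are assumptions of this example, and it does not follow include directives.

```python
import re

# Constructed sample: the /etc/pam.d/exim stack quoted in post #1.
SAMPLE_BEFORE = """\
#%PAM-1.0
auth required /lib/security/pam_krb5.so minimum_uid=100
account required /lib/security/pam_unix.so
password required /lib/security/pam_krb5.so
session required /lib/security/pam_unix.so
"""
# Constructed sample: the same stack with the one-line change from post #4.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "account required /lib/security/pam_unix.so",
    "account required /lib/security/pam_krb5.so")

# type, control (simple word or [value=action ...]), module path, optional args
LINE = re.compile(r"^(-?)(auth|account|password|session)\s+"
                  r"(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Return {type: [(control, module_basename, args), ...]} for one service file."""
    stacks = {"auth": [], "account": [], "password": [], "session": []}
    # Join backslash-continued lines before splitting into rules.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and the #%PAM-1.0 header
        m = LINE.match(line)
        if m:
            _, kind, control, module, args = m.groups()
            stacks[kind].append((control, module.rsplit("/", 1)[-1], args.split()))
    return stacks

def backend_mismatch(stacks):
    """Hypothetical heuristic: blocking account modules that no auth line uses."""
    auth_mods = {mod for _, mod, _ in stacks["auth"]}
    blocking = ("required", "requisite")
    return [mod for control, mod, _ in stacks["account"]
            if control in blocking and mod not in auth_mods]

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        stacks = parse_stack(text)
        print(label, "auth:", [m for _, m, _ in stacks["auth"]],
              "account:", [m for _, m, _ in stacks["account"]],
              "mismatch:", backend_mismatch(stacks))
```

A flagged module is a prompt to check whether the accounts that pass the auth stack are also known to that account module, not proof of a misconfiguration.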
