Re: [courier-users] Fedora + courier + authlib + radius (8 messages in net.sourceforge.lists.courier-users)

Thread:
  Dan Delaney      Mar 15, 2007 10:57 pm
  Gordon Messmer   Mar 16, 2007 3:59 pm
  Dan Delaney      Mar 20, 2007 9:14 am
  Gordon Messmer   Mar 20, 2007 11:20 am
  Dan Delaney      Mar 20, 2007 11:42 am
  Dan Delaney      Mar 22, 2007 6:47 am
  Gordon Messmer   Mar 22, 2007 8:52 am
  Dan Delaney      Mar 22, 2007 10:04 am
Subject: Re: [courier-users] Fedora + courier + authlib + radius
From: Dan Delaney (dr@dls.net)
Date: Mar 22, 2007 6:47:56 am
List: net.sourceforge.lists.courier-users

-----Original Message-----
From: cour@lists.sourceforge.net [mailto:courier-users- boun@lists.sourceforge.net] On Behalf Of Gordon Messmer
Sent: Tuesday, March 20, 2007 1:21 PM
To: cour@lists.sourceforge.net
Subject: Re: [courier-users] Fedora + courier + authlib + radius

Before I reply, could I ask you to reconfigure Outlook so that it quotes messages to which you reply? It's quite difficult to read your replies otherwise. Google says: http://www.slipstick.com/mail1/quote.htm

Dan Delaney wrote:

-----Original Message-----
From: cour@lists.sourceforge.net On Behalf Of Gordon Messmer

I have tried many variations of things for /etc/pam.d/pop3 and imap, currently set to:

    auth    sufficient /lib/security/pam_radius_auth.so try_first_pass
    account sufficient /lib/security/pam_radius_auth.so try_first_pass
    session sufficient /lib/security/pam_radius_auth.so try_first_pass

Do you need RADIUS for account management or session setup? I'd have thought it was only useful for the "auth" type.

I believe so. I am pretty good with Linux, but I am a newb to this PAM stuff. Possibly this is where my problem lies?

No, I don't think so. I would think those lines are extraneous, but not harmful.

    [root@drdoversteer ~]# strace authtest -s pop3 user2 password2
    ...
    write(3, "AUTH 26\npop3\nlogin\nuser2\npassw"..., 34) = 34
    ...
    read(3, "FAIL\n", 8191) = 5
    ...
    _llseek(3, 0, 0xbf954d84, SEEK_CUR) = -1 ESPIPE (Illegal seek)
    write(3, "Authentication FAILED: Operation"..., 47) = 47

Those are the important parts. The "Operation not permitted" message is from perror(), I believe, which seemed very odd. Your trace shows that the message is mostly meaningless. It's an error caused by an lseek() on a pipe.

Basically, we have to disregard that bit of output and figure out why authdaemond can't authenticate user2 with the password you gave. Do your radius utilities allow you to test authentication? Does the username and password that you just tested work with those utilities? What does your "secure" log say when you try using authtest? PAM messages are probably printed there. Does your radius server log errors? What's going on there when you use authtest?

I believe I have pinpointed where this error is coming from. User1 is more of a management account (mine) which allows full access to everything, while user2 is a simple "mailbox only" account. What appears to be happening is that our OpenVMS radius server is allowing user1 because it will permit the interactive-logon, but failing user2 because it does not allow interactive-logins. When we manually allowed these logins for user2, it went through without any problems.

So my next issue is selectively choosing what service type is used for which protocol. I saw a patch from 2000 which added a service_type function to pam_radius_auth, but it does not seem to be in the current release. I was going to try to manually patch and recompile. (Copying and pasting the patch didn't seem to work right.)

Ugh. OK, so my manager just messaged me saying it's working, so I will follow up with him to see what needed to be done and post back.

Thanks for your help so far.
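The strace quoted in this thread shows the request authtest writes to authdaemond's socket ("AUTH 26" followed by service, authtype, user and password on separate lines) and the bare "FAIL" reply that authtest then reports with a misleading perror() message. The following is an added example, not code from the thread or from Courier itself: a small Python client that frames a request the same way and classifies the reply, so a failure can be seen directly rather than through authtest's "Operation not permitted" text. The socket path and the success-reply format (key=value lines ended by a lone ".") are assumptions.

```python
import socket
from typing import Dict, Optional

# Assumed default socket path for authdaemond; check authdaemonrc on your system.
AUTHDAEMON_SOCKET = "/var/spool/authdaemon/socket"


def build_auth_request(service: str, authtype: str, userid: str, password: str) -> bytes:
    """Frame a request as the strace shows it: an "AUTH <len>" line, then the
    service, authtype, userid and password separated by newlines, with no
    trailing newline after the password (so "pop3/login/user2/password2" is 26 bytes)."""
    for field in (service, authtype, userid, password):
        if "\n" in field:
            # A newline inside a field would shift the framing and be read as another field.
            raise ValueError("newline not allowed in request fields")
    body = "\n".join((service, authtype, userid, password)).encode()
    return b"AUTH %d\n" % len(body) + body


def parse_auth_reply(reply: bytes) -> Optional[Dict[str, str]]:
    """Return None for the "FAIL" reply seen in the strace; otherwise collect the
    key=value account lines (assumed success format, terminated by a lone ".")."""
    if reply == b"FAIL\n":
        return None
    fields: Dict[str, str] = {}
    for line in reply.decode(errors="replace").split("\n"):
        if line == ".":
            break
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key] = value
    return fields


def authdaemon_login(userid: str, password: str, service: str = "pop3",
                     sock_path: str = AUTHDAEMON_SOCKET) -> Optional[Dict[str, str]]:
    """Send one login request to authdaemond over its Unix socket and parse the reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(sock_path)
        sock.sendall(build_auth_request(service, "login", userid, password))
        buf = b""
        while True:
            data = sock.recv(8191)  # same read size authtest used in the strace
            if not data:
                break
            buf += data
            if buf.endswith(b"FAIL\n") or buf.endswith(b"\n.\n"):
                break
    return parse_auth_reply(buf)
```

A None return corresponds exactly to the "FAIL" read in the trace; the lseek error authtest prints afterwards never enters into it.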