On Thu, 21 Jun 2001, Kenneth Porter wrote:
> On Thu, 21 Jun 2001 11:52:45 -0400 (EDT), Michael Puskar wrote:
>
> >I have tried getting qpopper to work with PAM on a Solaris 8 box. I
> >configured with ./configure --with-pam=pop3 and the compile goes fine. I
> >make install. I edit /etc/pam.conf. I edit inetd.conf to allow pop3 and
> >restart inetd.
> >
> >The pam.conf is :
> >
> >pop3 auth required /usr/lib/security/$ISA/pam_krb5.so.1
>
> >Jun 20 18:09:45.783 2001 [19952] mp1 at i4.nyu.edu (128.122.108.192): -ERR
> >[AUTH] PAM authentication failed for user "mp1": Authentication failed (9)
> >Jun 20 18:09:45.784 2001 [19952] [AUTH] Failed attempted login to mp1 from host
>(i4.nyu.edu)
>
> Have you successfully used Kerberos with anything besides qpopper? This
> looks like Kerberos is rejecting the login.
>
> You might also try using an ordinary Unix password config in PAM just
> to see if the problem is with PAM or with Kerberos. (Ie. first try
> something simple to isolate where the problem is.)
I have succesfully logged in with the straight Unix password, just a
straight configure, make, make install. That works fine. The kerb stuff
should be fine, as that is what we use for the login via ssh/telnet.
I turned on debugging, which yielded this:
Jun 21 16:20:26.772 2001 [20499] Trace and Debug destination is file
"/tmp/pop.log" [pop_init.c:8
55]
Jun 21 16:20:26.772 2001
Jun 21 16:20:26.773 2001 [20499] Will generate stats records (-s)
[pop_init.c:825]
Jun 21 16:20:26.773 2001
Jun 21 16:20:26.774 2001 [20499] (v4.0.3) Servicing request from
"i4.nyu.edu" at 128.122.108.192
[pop_init.c:1153]
Jun 21 16:20:26.774 2001
Jun 21 16:20:26.775 2001 [20499] before TLS; tls_support==0 [popper.c:172]
Jun 21 16:20:26.775 2001
Jun 21 16:20:26.775 2001 [20499] Skipped TLS Init [popper.c:196]
Jun 21 16:20:26.775 2001
Jun 21 16:20:26.775 2001 [20499] (v4.0.3) Intro [popper.c:238]
Jun 21 16:20:26.775 2001
Jun 21 16:20:26.775 2001 [20499] +OK Qpopper (version 4.0.3) at i4.nyu.edu
starting. [popper.c:
251]
Jun 21 16:20:26.775 2001
Jun 21 16:20:26.775 2001 [20499] Qpopper ready for input from (null) at
i4.nyu.edu [128.122.108.1
92] [popper.c:285]
Jun 21 16:20:26.775 2001
Jun 21 16:20:33.401 2001 [20499] Received (8): "USER mp1"
[pop_get_command.c:105]
Jun 21 16:20:33.401 2001
Jun 21 16:20:33.402 2001 [20499] home (12): '/home1/m/mp1'
[pop_user.c:215]
Jun 21 16:20:33.402 2001
Jun 21 16:20:33.402 2001 [20499] +OK Password required for mp1.
[pop_user.c:426]
Jun 21 16:20:33.402 2001
Jun 21 16:20:33.402 2001 [20499] user returned 1; CurrentState now auth2
[popper.c:329]
Jun 21 16:20:33.402 2001
Jun 21 16:20:33.402 2001 [20499] Qpopper ready for input from mp1 at
i4.nyu.edu [128.122.108.192]
[popper.c:285]
Jun 21 16:20:33.402 2001
Jun 21 16:20:37.799 2001 [20499] Received: "pass xxxxxxxxx"
[pop_get_command.c:96]
Jun 21 16:20:37.799 2001
Jun 21 16:20:37.800 2001 [20499] pam_start (service name pop3) returned 0;
gp_errcode=0 [pop_pass
.c:451]
Jun 21 16:20:37.800 2001
Jun 21 16:20:37.811 2001 [20499] pam_authenticate returned 9; gp_errcode=0
[pop_pass.c:473]
Jun 21 16:20:37.811 2001
Jun 21 16:20:47.809 2001 [20499] mp1 at i4.nyu.edu (128.122.108.192): -ERR
[AUTH] PAM authenticat
ion failed for user "mp1": Authentication failed (9) [pop_pass.c:479]
Jun 21 16:20:47.809 2001
Jun 21 16:20:47.810 2001 [20499] [AUTH] Failed attempted login to mp1 from
host (i4.nyu.edu) 128.
122.108.192 [pop_pass.c:1379]
Jun 21 16:20:47.810 2001
Jun 21 16:20:57.815 2001 [20499] pass returned 0; CurrentState now halt
[popper.c:329]
Jun 21 16:20:57.815 2001
Jun 21 16:20:57.815 2001 [20499] +OK Pop server at i4.nyu.edu signing off.
[popper.c:351]
Jun 21 16:20:57.815 2001
Jun 21 16:20:57.815 2001 [20499] (v4.0.3) Ending request from "mp1" at
(i4.nyu.edu) 128.122.108.1
92 [popper.c:369]
Jun 21 16:20:57.815 2001
So the problem seems to be somewhere in PAM. I have been looking for what
the error number 9 means, but with no luck.
It is my understanding that the authentication plugins for PAM are
invisible to the application that is calling the PAM functions, so either
the authenticaiton works or doesn't work, regardless of who is asking for
it.
Thanks for your help :)
Michael
>
> Ken
> mailto:[EMAIL PROTECTED]
> http://www.sewingwitch.com/ken/
> [If answering a mailing list posting, please don't cc me your reply. I'll take my
>answer on the list.]
>
>
