Hello,
I need help with the following problem. Our password authentication should use SASL, but we don't see any requests in our logs or with tcpdump.
The password authentication should work as follows:
- userPassword-Attribute: {SASL}User@Domain
- saslauthd -> use PAM
- PAM -> use kerberos
- kerberos -> send request to Active-Directory Server

RPM list:
---------------------
lshxx0693:~ # rpm -qa | grep sasl
cyrus-sasl-gssapi-32bit-2.1.22-182.20.1
cyrus-sasl-gssapi-2.1.22-182.20.1
cyrus-sasl-2.1.22-182.20.1
cyrus-sasl-32bit-2.1.22-182.20.1
cyrus-sasl-digestmd5-2.1.22-182.20.1
cyrus-sasl-digestmd5-32bit-2.1.22-182.20.1
cyrus-sasl-devel-2.1.22-182.20.1
cyrus-sasl-saslauthd-2.1.22-182.19

lshxx0693:~ # rpm -qa | grep krb
krb5-1.6.3-133.49.64.1
krb5-32bit-1.6.3-133.49.64.1
pam_krb5-2.3.1-47.12.1
pam_krb5-32bit-2.3.1-47.12.1
krb5-doc-1.6.3-133.49.64.1
krb5-plugin-kdb-ldap-1.6.3-133.49.64.1
krb5-server-1.6.3-133.49.64.1
krb5-client-1.6.3-133.49.64.1

lshxx0693:~ # rpm -qa | grep ldap
openldap2-2.4.26-0.28.5
openldap2-client-2.4.26-0.28.5
openldap2-devel-2.4.26-0.28.5
pam_ldap-184-147.20
pam_ldap-32bit-184-147.20
nss_ldap-262-11.32.39.1
nss_ldap-32bit-262-11.32.39.1
libldap-2_4-2-2.4.26-0.28.5
libldap-2_4-2-32bit-2.4.26-0.28.5
libldapcpp1-0.3.0-0.9.29
libevoldap-2_4-2-2.4.12-4.19
yast2-ldap-2.17.8-0.7.61
yast2-ldap-client-2.17.38-0.7.2
yast2-ldap-server-2.17.44-0.5.1

lshxx0693:~ # rpm -qa | grep cyrus
cyrus-sasl-gssapi-2.1.22-182.20.1
cyrus-sasl-gssapi-32bit-2.1.22-182.20.1
cyrus-sasl-saslauthd-2.1.22-182.19
cyrus-sasl-devel-2.1.22-182.20.1
cyrus-sasl-2.1.22-182.20.1
cyrus-sasl-32bit-2.1.22-182.20.1
cyrus-sasl-digestmd5-2.1.22-182.20.1
cyrus-sasl-digestmd5-32bit-2.1.22-182.20.1

Configuration files:
----------------------------
lshxx0693:~ # cat /etc/sasl2/slapd.conf
mech_list: plain login
pwcheck_method: saslauthd

lshxx0693:~ # cat /etc/sysconfig/saslauthd
SASLAUTHD_AUTHMECH=pam
SASLAUTHD_THREADS=5
SASLAUTHD_PARAMS="-r"

lshxx0693:~ # cat /etc/pam.d/ldap
auth required pam_krb5.so no_user_check
account required pam_permit.so

lshxx0693:/etc/pam.d/ # cat common-account | egrep -v "^#"
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass

lshxx0693:/etc/pam.d/ # cat common-account-pc | egrep -v "^#"
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass

lshxx0693:/etc/pam.d/ # cat common-auth | egrep -v "^#"
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_ldap.so use_first_pass

lshxx0693:/etc/pam.d/ # cat common-auth-pc | egrep -v "^#"
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_ldap.so use_first_pass

shxx0693:/etc/pam.d/ # cat common-password | egrep -v "^#"
password requisite pam_pwcheck.so nullok cracklib
password sufficient pam_unix2.so use_authtok nullok
password required pam_ldap.so try_first_pass use_authtok

lshxx0693:/etc/pam.d/ # cat common-session | egrep -v "^#"
session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix2.so
session optional pam_ldap.so
session optional pam_umask.so

lshxx0693:/etc/pam.d/ # cat common-session-pc | egrep -v "^#"
session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix2.so
session optional pam_ldap.so
session optional pam_umask.so

lshxx0693:/etc/pam.d/ # cat common-password-pc | egrep -v "^#"
password requisite pam_pwcheck.so nullok cracklib
password sufficient pam_unix2.so use_authtok nullok
password required pam_ldap.so try_first_pass use_authtok

lshxx0693:~ # pam-config --verify
lshxx0693:~ #

lshxx0693:~ # cat /etc/krb5.conf
[libdefaults]
        default_realm = INT.IT.DPP
        dns_lookup_kdc = true

[realms]
        INT.IT.DPP = {
                kdc = 10.150.10.10
                kdc = 10.150.10.10
        }

[logging]
        default = SYSLOG:NOTICE:DAEMON

lshxx0693:~ # cat /etc/nsswitch.conf | egrep -v "#"
passwd: compat
group: files ldap

hosts: files dns
networks: files dns

services: files ldap
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files ldap
publickey: files

bootparams: files
automount: files nis
aliases: files ldap
passwd_compat: ldap

Please tell me if you need more information. I would like to thank you in advance for your help.

Best wishes
S. Kuechler