[csw-users] New sasl breaks saslpasswd2? Success!
Robert Stampfli
csw at colnet.cboh.org
Wed Jun 29 08:14:23 CEST 2005
On Wed, Jun 29, 2005 at 12:46:57AM -0400, Robert Stampfli wrote:
> On Tue, Jun 28, 2005 at 09:49:33PM -0500, Alex S Moore wrote:
> > On Mon, 20 Jun 2005 00:34:34 -0400 (EDT)
> > Robert Stampfli <rob at cboh.org> wrote:
> >
> > > Admittedly, I'm no SASL expert, but I have been unable to
> > > get saslpasswd2 to work with the latest SASL package. Before
> > > updating it, I could "/opt/csw/sbin/saslpasswd2 -c user"
> > > to create a password for "user" in the file /opt/csw/etc/sasldb2.
> >
> > Hi, Robert
> >
> > Did you have a sasldb2 database before the last update to CSWsasl? If
> > so, do you have a backup copy? I have to leave, so we can get into
> > this more tomorrow, but I remember Damjan saying something about a
> > directory that has to have a group of sasl. Not sure about the file,
> > but it may also need to have group sasl assigned.
>
> Right. It was pretty clear that the group sasl is needed to access
> the BerkeleyDB4 file that the SASL lib uses to store the passwords, at
> least for normal programs. (And, the program has to somehow acquire
> sasl group privileges to boot.) But, I'm not sure this is germane to
> sendmail, which runs as root. Still, I chgrp'ed the file (see below).
>
> > Use either your backup copy or create a new sasldb2 database with
> > `/opt/csw/sbin/saslpasswd2 -f /opt/csw/etc/sasldb2/sasldb2 -c user`
>
> This works to create a database in the specified filename, but
> I'm not sure the database is located where the SASL library
> is looking for it. It appears that sendmail (SASL lib?) still
> expects the database to be in /opt/csw/etc/sasldb2 (as a file,
> not a directory). I can mv the directory and create the DB
> in its place, but still cannot get sendmail to authenticate the
> session using DIGEST-MD5, and I don't know enough about SASL/
> sendmail to debug it much further. It goes through all the
> handshaking and then says "Authentication Fails". (And, if
> you roll back to the previous SASL pkg w/o also rolling back
> sendmail, it dumps core.)
>
> > Does this work for you? I think you said that you were wanting sasl2
> > with sendmail. If true, a sendmail .mc file may need to be changed to
> > point to the new sasldb2 location.
>
> What is the conf variable that sets this? I only see confDEF_AUTH_INFO
> which is a deprecated way of specifying the client data. I suspect
> if it is possible to set this location, it would be in Sendmail.conf
> rather than .mc, but I don't know how to do it or even if it is
> indeed possible.
>
> > Also, do you have a file
> > named /opt/csw/lib/sasl2/Sendmail.conf? If true, post a cat of the
> > file.
>
> I've tried it both ways, with and without this file. Even tried
> symlinking /usr/lib/sasl2 to /opt/csw/lib/sasl2 to no avail.
> Right now, I have the file in place, but everything commented out.
>
> Alex, thanks for your help here. I really appreciate it.
>
> Rob
Success! I finally got AUTH to work. Here's what it took:
# mv /opt/csw/etc/sasldb2 /opt/csw/etc/sasldb2~
# /opt/csw/sbin/saslpasswd2 -f /opt/csw/etc/sasldb2 -c -u machine.domain.tld userid
Notes:
+ sendmail seems to need the berkeleydb4 password database to
reside at /opt/csw/etc/sasldb2, and saslpasswd2 doesn't put
it there by default anymore. (Obviously, it can't since this
is a directory now.) However, if the directory is elided,
saslpasswd2 can be forced to create the database there by
using the -f argument.
+ The new version of SASL does not default the realm ('-u')
to the full machine name. Instead, it simply inserts the
hostname without any domain appended. But this seems to be
required, and can be forced by using the '-u' argument to
specify it in toto.
Once I did these two things (and then set up all the other
normal AUTH things to make sendmail work correctly), it all started
working.
I have no idea what problems removing the /opt/csw/etc/sasldb2
directory will create for other users of SASL.
FWIW,
Rob
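The two pitfalls in Rob's recipe (the password file landing somewhere the library never reads, and the realm defaulting to the short hostname) are easy to catch before running saslpasswd2. The following is an added example, not part of the thread or of the CSW packages: POSIX sh pre-flight functions that derive the realm explicitly, refuse to proceed while /opt/csw/etc/sasldb2 is still a directory, and check that the resulting Berkeley DB file is group sasl and not world-readable (it holds the secrets DIGEST-MD5 is verified against). The paths /opt/csw/etc/sasldb2 and /opt/csw/sbin/saslpasswd2 are taken from the thread; the group name sasl follows Alex's remark; everything else is an assumption.

```shell
#!/bin/sh
# Added example (not from the original thread). Paths below come from the
# thread and can be overridden through the environment.
SASLDB="${SASLDB:-/opt/csw/etc/sasldb2}"
SASLPASSWD2="${SASLPASSWD2:-/opt/csw/sbin/saslpasswd2}"

# sasl_realm HOST [DOMAIN]
# The newer saslpasswd2 defaults the realm to the bare hostname, while
# sendmail authenticates against the fully qualified name. Return the
# FQDN to pass with -u: HOST as-is if it already has a domain, otherwise
# HOST.DOMAIN; fail if a short HOST is given without a DOMAIN.
sasl_realm() {
    case "$1" in
        *.*) printf '%s\n' "$1"; return 0 ;;
    esac
    [ -n "$2" ] || return 1
    printf '%s.%s\n' "$1" "$2"
}

# sasldb_path_ok PATH
# The library opens PATH as a regular Berkeley DB file. Refuse while PATH
# is a directory (the packaged layout), so the password does not silently
# end up in a file sendmail never looks at; also require a writable parent.
sasldb_path_ok() {
    if [ -d "$1" ]; then
        echo "$1 is a directory; sendmail expects a file here (mv it aside first)" >&2
        return 1
    fi
    parent=$(dirname "$1")
    if [ ! -d "$parent" ] || [ ! -w "$parent" ]; then
        echo "parent $parent is not a writable directory" >&2
        return 1
    fi
    return 0
}

# sasldb_perms_ok FILE [GROUP]
# After creation the db should belong to GROUP (default sasl) and have no
# world permission bits. Uses ls -l fields because stat flags differ
# between Solaris and GNU userland.
sasldb_perms_ok() {
    file="$1"; want="${2:-sasl}"
    [ -f "$file" ] || return 1
    set -- $(ls -ld "$file")
    mode=$1; group=$4
    [ "$group" = "$want" ] || return 1
    [ "$(printf '%s' "$mode" | cut -c8-10)" = "---" ] || return 1
    return 0
}

# sasl_add_user USERID [DOMAIN]
# Rob's working recipe, wrapped in the checks above: create USERID in the
# db at $SASLDB with an explicit FQDN realm, then verify ownership/mode.
sasl_add_user() {
    realm=$(sasl_realm "$(hostname)" "$2") || {
        echo "hostname is not fully qualified; pass the domain as 2nd arg" >&2
        return 1
    }
    sasldb_path_ok "$SASLDB" || return 1
    "$SASLPASSWD2" -f "$SASLDB" -c -u "$realm" "$1" || return 1
    chgrp sasl "$SASLDB" && chmod 640 "$SASLDB"
    sasldb_perms_ok "$SASLDB"
}

# usage (as root, after mv /opt/csw/etc/sasldb2 /opt/csw/etc/sasldb2~):
#   . ./sasl-preflight.sh && sasl_add_user userid domain.tld
```

The checks are deliberately separate from the command that creates the entry, so a failed pre-flight leaves the existing database and directory untouched; nothing here decides where the library looks for the file, it only makes sure the file you create is the one at the path the thread found sendmail reading.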