[csw-users] New sasl breaks saslpasswd2? Success!
Tim Longo
qy1ggy802 at sneakemail.com
Wed Jun 29 13:03:34 CEST 2005
Thank you for this. I was trying to figure out this problem also.
On Wed, 2005-06-29 at 02:14 -0400, Robert Stampfli csw-at-colnet.cboh.org |blastwave| wrote:
> On Wed, Jun 29, 2005 at 12:46:57AM -0400, Robert Stampfli wrote:
> > On Tue, Jun 28, 2005 at 09:49:33PM -0500, Alex S Moore wrote:
> > > On Mon, 20 Jun 2005 00:34:34 -0400 (EDT)
> > > Robert Stampfli <rob at cboh.org> wrote:
> > >
> > > > Admittedly, I'm no SASL expert, but I have been unable to
> > > > get saslpasswd2 to work with the latest SASL package. Before
> > > > updating it, I could "/opt/csw/sbin/saslpasswd2 -c user"
> > > > to create a password for "user" in the file /opt/csw/etc/sasldb2.
> > >
> > > Hi, Robert
> > >
> > > Did you have a sasldb2 database before the last update to CSWsasl? If
> > > so, do you have a backup copy? I have to leave, so we can get into
> > > this more tomorrow, but I remember Damjan saying something about a
> > > directory that has to have a group of sasl. Not sure about the file,
> > > but it may also need to have group sasl assigned.
> >
> > Right. It was pretty clear that the group sasl is needed to access
> > the BerkeleyDB4 file that the SASL lib uses to store the passwords, at
> > least for normal programs. (And, the program has to somehow acquire
> > sasl group privileges to boot.) But, I'm not sure this is germane to
> > sendmail, which runs as root. Still, I chgrp'ed the file (see below).
> >
> > > Use either your backup copy or create a new sasldb2 database with
> > > `/opt/csw/sbin/saslpasswd2 -f /opt/csw/etc/sasldb2/sasldb2 -c user`
> >
> > This works to create a database in the specified filename, but
> > I'm not sure the database is located where the SASL library
> > is looking for it. It appears that sendmail (SASL lib?) still
> > expects the database to be in /opt/csw/etc/sasldb2 (as a file,
> > not a directory). I can mv the directory and create the DB
> > in its place, but still cannot get sendmail to authenticate the
> > session using DIGEST-MD5, and I don't know enough about SASL/
> > sendmail to debug it much further. It goes through all the
> > handshaking and then says "Authentication Fails". (And, if
> > you roll back to the previous SASL pkg w/o also rolling back
> > sendmail, it dumps core.)
> >
> > > Does this work for you? I think you said that you were wanting sasl2
> > > with sendmail. If true, a sendmail .mc file may need to be changed to
> > > point to the new sasldb2 location.
> >
> > What is the conf variable that sets this? I only see confDEF_AUTH_INFO
> > which is a deprecated way of specifying the client data. I suspect
> > if it is possible to set this location, it would be in Sendmail.conf
> > rather than .mc, but I don't know how to do it or even if it is
> > indeed possible.
> >
> > > Also, do you have a file
> > > named /opt/csw/lib/sasl2/Sendmail.conf? If true, post a cat of the
> > > file.
> >
> > I've tried it both ways, with and without this file. Even tried
> > symlinking /usr/lib/sasl2 to /opt/csw/lib/sasl2 to no avail.
> > Right now, I have the file in place, but everything commented out.
> >
> > Alex, thanks for your help here. I really appreciate it.
> >
> > Rob
>
> Success! I finally got AUTH to work. Here's what it took:
>
> # mv /opt/csw/etc/sasldb2 /opt/csw/etc/sasldb2~
> # /opt/csw/sbin/saslpasswd2 -f /opt/csw/etc/sasldb2 -c -u machine.domain.tld userid
>
> Notes:
> + sendmail seems to need the berkeleydb4 password database to
> reside at /opt/csw/etc/sasldb2, and saslpasswd2 doesn't put
> it there by default anymore. (Obviously, it can't since this
> is a directory now.) However, if the directory is elided,
> saslpasswd2 can be forced to create the database there by
> using the -f argument.
> + The new version of SASL does not default the realm ('-u')
> to the full machine name. Instead, it simply inserts the
> hostname without any domain appended. But this seems to be
> required, and can be forced by using the '-u' argument to
> specify it in toto.
>
> Once I did these two things (and then set up all the other
> normal AUTH things to make sendmail correctly), it all started
> working.
>
> I have no idea what problems removing the /opt/csw/etc/sasldb2
> directory will create for other users of SASL.
>
> FWIW,
> Rob
> _______________________________________________
> users mailing list
> users at lists.blastwave.org
> https://lists.blastwave.org/mailman/listinfo/users
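An added example, not from the thread, that checks for the two conditions Rob ran into: the sasldb2 path being a directory rather than a BerkeleyDB file, and entries whose realm is the short hostname instead of the fully qualified name. The /opt/csw/etc/sasldb2 default and the "user@realm: userPassword" line format (what sasldblistusers2 prints) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed default path; override with SASLDB=...
SASLDB=${SASLDB:-/opt/csw/etc/sasldb2}

# sendmail expects a regular BerkeleyDB file at $SASLDB, not the directory the
# newer CSWsasl package creates there. Returns 0 if a file is present,
# 1 if the path is a directory, 2 if nothing is there.
check_sasldb_path() {
    path=$1
    if [ -d "$path" ]; then
        echo "$path is a directory; saslpasswd2 -f $path cannot create the db there"
        return 1
    elif [ ! -f "$path" ]; then
        echo "$path missing; create it with: saslpasswd2 -f $path -c -u <fqdn> <user>"
        return 2
    fi
    return 0
}

# The newer saslpasswd2 defaults the realm to the bare hostname, while the
# sendmail AUTH exchange wants the fully qualified name. Reads lines of the
# assumed sasldblistusers2 form "user@realm: userPassword" on stdin, prints
# every entry whose realm differs from $1, and returns 1 if any were found.
check_realms() {
    expected=$1
    bad=0
    while IFS= read -r line; do
        case $line in
            *@*:*) ;;            # skip anything that is not a user@realm entry
            *) continue ;;
        esac
        entry=${line%%:*}        # "user@realm"
        realm=${entry#*@}
        user=${entry%%@*}
        if [ "$realm" != "$expected" ]; then
            echo "$user has realm '$realm', expected '$expected'"
            bad=1
        fi
    done
    return $bad
}
```

Typical use on the host: `check_sasldb_path "$SASLDB" && sasldblistusers2 -f "$SASLDB" | check_realms "$(hostname)"` with the FQDN substituted where `hostname` returns only the short name.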