[csw-users] New sasl breaks saslpasswd2? Success!

Tim Longo qy1ggy802 at sneakemail.com
Wed Jun 29 13:03:34 CEST 2005


Thank you for this. I was trying to figure out this problem also.

On Wed, 2005-06-29 at 02:14 -0400, Robert Stampfli
csw-at-colnet.cboh.org |blastwave| wrote:
> On Wed, Jun 29, 2005 at 12:46:57AM -0400, Robert Stampfli wrote:
> > On Tue, Jun 28, 2005 at 09:49:33PM -0500, Alex S Moore wrote:
> > > On Mon, 20 Jun 2005 00:34:34 -0400 (EDT)
> > > Robert Stampfli <rob at cboh.org> wrote:
> > > 
> > > > Admittedly, I'm no SASL expert, but I have been unable to
> > > > get saslpasswd2 to work with the latest SASL package.  Before
> > > > updating it, I could "/opt/csw/sbin/saslpasswd2 -c user"
> > > > to create a password for "user" in the file /opt/csw/etc/sasldb2.
> > > 
> > > Hi, Robert
> > > 
> > > Did you have a sasldb2 database before the last update to CSWsasl?  If
> > > so, do you have a backup copy?  I have to leave, so we can get into
> > > this more tomorrow, but I remember Damjan saying something about a
> > > directory that has to have a group of sasl. Not sure about the file,
> > > but it may also need to have group sasl assigned.
> > 
> > Right.  It was pretty clear that the group sasl is needed to access
> > the BerkeleyDB4 file that the SASL lib uses to store the passwords, at
> > least for normal programs.  (And, the program has to somehow acquire
> > sasl group privileges to boot.)  But, I'm not sure this is germane to
> > sendmail, which runs as root.  Still, I chgrp'ed the file (see below).
> > 
> > > Use either your backup copy or create a new sasldb2 database with
> > > `/opt/csw/sbin/saslpasswd2 -f /opt/csw/etc/sasldb2/sasldb2 -c user`
> > 
> > This works to create a database in the specified filename, but
> > I'm not sure the database is located where the SASL library
> > is looking for it.  It appears that sendmail (SASL lib?) still
> > expects the database to be in /opt/csw/etc/sasldb2 (as a file,
> > not a directory).  I can mv the directory and create the DB
> > in its place, but still cannot get sendmail to authenticate the
> > session using DIGEST-MD5, and I don't know enough about SASL/
> > sendmail to debug it much further.  It goes through all the
> > handshaking and then says "Authentication Fails".  (And, if
> > you roll back to the previous SASL pkg w/o also rolling back
> > sendmail, it dumps core.)
> > 
> > > Does this work for you?  I think you said that you were wanting sasl2
> > > with sendmail.  If true, a sendmail .mc file may need to be changed to
> > > point to the new sasldb2 location.
> > 
> > What is the conf variable that sets this?  I only see confDEF_AUTH_INFO
> > which is a deprecated way of specifying the client data.  I suspect
> > if it is possible to set this location, it would be in Sendmail.conf
> > rather than .mc, but I don't know how to do it or even if it is
> > indeed possible.
> > 
> > > Also, do you have a file
> > > named /opt/csw/lib/sasl2/Sendmail.conf?  If true, post a cat of the
> > > file.
> > 
> > I've tried it both ways, with and without this file.  Even tried
> > symlinking /usr/lib/sasl2 to /opt/csw/lib/sasl2 to no avail.
> > Right now, I have the file in place, but everything commented out.
> > 
> > Alex, thanks for your help here.  I really appreciate it.
> > 
> > Rob
> 
> Success!  I finally got AUTH to work.  Here's what it took:
> 
> # mv /opt/csw/etc/sasldb2 /opt/csw/etc/sasldb2~
> # /opt/csw/sbin/saslpasswd2 -f /opt/csw/etc/sasldb2 -c -u machine.domain.tld userid
> 
> Notes:
> + sendmail seems to need the berkeleydb4 password database to
>   reside at /opt/csw/etc/sasldb2, and saslpasswd2 doesn't put
>   it there by default anymore.  (Obviously, it can't since this
>   is a directory now.)  However, if the directory is elided,
>   saslpasswd2 can be forced to create the database there by
>   using the -f argument.
> + The new version of SASL does not default the realm ('-u')
>   to the full machine name.  Instead, it simply inserts the
>   hostname without any domain appended.  But this seems to be
>   required, and can be forced by using the '-u' argument to
>   specify it in toto.
> 
> Once I did these two things (and then set up all the other
> normal AUTH things to make sendmail correctly), it all started
> working.
> 
> I have no idea what problems removing the /opt/csw/etc/sasldb2
> directory will create for other users of SASL.
> 
> FWIW,
> Rob
> _______________________________________________
> users mailing list
> users at lists.blastwave.org
> https://lists.blastwave.org/mailman/listinfo/users
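A pre-flight check for the setup Rob ends up with, added here as an example and not part of the thread: it flags the directory-versus-file trap at /opt/csw/etc/sasldb2, the group sasl ownership Alex mentions, and database entries whose realm is a bare hostname rather than the full machine name. It assumes sasldblistusers2 prints entries as `user@realm: userPassword` and that `ls -ld` shows the group in the fourth column.

```sh
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the sendmail/SASL
# setup described above. Paths and the 'sasl' group come from the thread; the
# "user@realm: userPassword" listing format of sasldblistusers2 is an assumption.

SASLDB=${SASLDB:-/opt/csw/etc/sasldb2}

# 0 if $1 is a regular file, 1 if it is a directory (the trap in the thread:
# the new CSWsasl ships this path as a directory), 2 if it is missing.
check_sasldb_path() {
    if [ -d "$1" ]; then
        echo "$1 is a directory; sendmail expects a BerkeleyDB file here" >&2
        return 1
    elif [ -f "$1" ]; then
        return 0
    fi
    echo "$1 is missing; create it with: saslpasswd2 -f $1 -c -u FQDN user" >&2
    return 2
}

# 0 if $1 is owned by group $2 (the thread expects group sasl), else 1.
check_group() {
    grp=$(ls -ld "$1" | awk '{ print $4 }')
    [ "$grp" = "$2" ] && return 0
    echo "$1 has group '$grp', expected '$2' (fix: chgrp $2 $1)" >&2
    return 1
}

# Reads a sasldblistusers2 listing on stdin and prints the entries whose realm
# is a bare hostname (no dot), i.e. the new saslpasswd2 default that did not
# work for sendmail in the thread.
bare_realm_entries() {
    sed 's/: .*$//' | awk -F'@' 'NF == 2 && index($2, ".") == 0 { print }'
}

# 0 if every realm in the listing on stdin is fully qualified, else 1.
check_realms() {
    n=$(bare_realm_entries | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] && return 0
    echo "$n entries use a bare-hostname realm; re-create with -u machine.domain.tld" >&2
    return 1
}

# Run all three checks against the live system when RUN_CHECKS=1 is set.
if [ "${RUN_CHECKS:-0}" = 1 ]; then
    check_sasldb_path "$SASLDB" && check_group "$SASLDB" sasl &&
        sasldblistusers2 -f "$SASLDB" | check_realms
fi
```

Run as `RUN_CHECKS=1 sh check-sasldb.sh` on the mail host; each check explains on stderr which of the thread's fixes it is pointing at.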
