#1 2019-01-05 18:20:55

GeneArch
Member
Registered: 2013-07-28
Posts: 11

pambase 20190105.1-1 breaks email

pambase 20190105.1-1 caused failure for email.[1]
The error I saw immediately was from postfix failing to authenticate users via saslauthd which in turn blames pam.  Downgrading back to 20171006-1 restores email functioning.

The problem stems from change to:
/etc/pam.d/other

which replaced
  password      required        pam_unix.so
with
  password  required   pam_deny.so

Does this mean that things like dovecot and postfix need to have explicit additional files in /etc/pam.d so that email authentication works without relying on the catch-all "other" file? This was the only change I could find for the pambase package.

Logs say:

    saslauthd[22214]: pam_warn(smtp:auth): function=[pam_sm_authenticate] flags=0x8000 service=[smtp] terminal=[<unknown>] user=[lists] ruser=[<unknown>] rhost=[<unknown>]
    saslauthd[22214]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
    saslauthd[22214]: do_auth         : auth failure: [user=lists] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
    postfix[] :               warning: SASL authentication failure: Password verification failed

[1] I also emailed arch general with the same info, as I was unable to find an email address to reach the packager (Dave Reisner).

Last edited by GeneArch (2019-01-05 20:59:55)

Offline

#2 2019-01-05 20:20:06

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 20,904

Re: pambase 20190105.1-1 breaks email

The need to properly configure pam is already covered (and has been for some time) in the wiki:
https://wiki.archlinux.org/index.php/Do … entication

Also, please edit your post to add code tags around commands and output (which would avoid the problem you had with square brackets).


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#3 2019-01-05 20:33:13

GeneArch
Member
Registered: 2013-07-28
Posts: 11

Re: pambase 20190105.1-1 breaks email

Thanks for comments and link to dovecot pam info - have added that to pam.d

Now what about postfix - I found no similar pam info on the wiki for postfix - do you know what would be needed for that? Same as for dovecot only in a file named what - smtp, smtpd, postfix?
Also if this might break running systems it might help if there was a warning on this update. It certainly came as a surprise to me and others may be similarly caught unawares.

Offline

#4 2019-01-05 20:42:41

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 20,904

Re: pambase 20190105.1-1 breaks email

I can't reply for postfix as that doesn't make sense: postfix doesn't depend on pam (it's nowhere in its dependency tree).  But your issue isn't with postfix, but with saslauthd and/or cyrus-sasl - so look into the documentation for that to ensure you have configured it properly.  I've never used it so I can't say how/where that is configured, but there are wiki and man pages on it, I just rely on dovecot.

As for a warning about the "other" file, you really never should have been relying on it in the first place:

pam wiki page wrote:

Like the example of sshd, any pam-aware application is required to install its policy to /etc/pam.d in order to integrate and rely on the PAM stack appropriately. If an application fails to do it, the /etc/pam.d/other policy is applied per default. A permissive policy for it is installed per default (FS#48650).

Also see the linked issue with the new change you are referring to fixed.

Last edited by Trilby (2019-01-05 20:48:00)



Offline

#5 2019-01-05 20:43:08

GeneArch
Member
Registered: 2013-07-28
Posts: 11

Re: pambase 20190105.1-1 breaks email

The fix for postfix is to create /etc/pam.d/smtp containing (not sure we need more than the first 2 lines?) but adding this and updating pambase works (with the dovecot pam file as well as per trilby's post).

    auth            required        pam_unix.so
    account         required        pam_unix.so
    password        required        pam_unix.so
    session         required        pam_unix.so

Offline

#6 2019-01-05 20:47:07

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 20,904

Re: pambase 20190105.1-1 breaks email



Offline

#7 2019-01-05 20:57:45

GeneArch
Member
Registered: 2013-07-28
Posts: 11

Re: pambase 20190105.1-1 breaks email

That sounds right - it's saslauthd which is calling on pam. I've yet to find exactly documented somewhere exactly what is needed but the above /etc/pam.d/smtp by trial and error seems to work.

The next trial was to remove the bottom 2 lines and that works fine.

The final result is that /etc/pam.d/smtp

    #%PAM-1.0
    auth            required        pam_unix.so
    account         required        pam_unix.so

Offline
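
Added example, not part of any post in this thread: the `service=[smtp]` field in the `pam_warn` line from post #1 is the PAM service name, and PAM reads its policy from the file of that name in /etc/pam.d, falling back to `other` when it is absent. The script below lists services seen in `pam_warn` lines that have no policy file; the function names, the scratch directory and the `dovecot` log line are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: find PAM service names that have no policy file of their own
# and therefore fall through to /etc/pam.d/other.
# pam_warn logs "service=[NAME]"; the policy file PAM looks for is <pam_dir>/NAME.
# All function names here are made up for this example.

# Print each distinct service name seen in pam_warn lines of a log file.
pam_warn_services() {
    sed -n 's/.*pam_warn(.*service=\[\([^]]*\)].*/\1/p' "$1" | sort -u
}

# Print the services from the log that have no policy file in pam_dir.
pam_missing_policies() {
    local log="$1" pam_dir="${2:-/etc/pam.d}" svc
    pam_warn_services "$log" | while IFS= read -r svc; do
        [ -e "$pam_dir/$svc" ] || printf '%s\n' "$svc"
    done
}

# Constructed demo: a scratch pam.d that has "other" and "dovecot" but no
# "smtp", plus log lines modelled on the ones in post #1 (the dovecot line
# is invented to show a service that does have its own policy file).
demo() {
    local tmp
    tmp=$(mktemp -d)
    mkdir "$tmp/pam.d"
    : > "$tmp/pam.d/other"
    : > "$tmp/pam.d/dovecot"
    cat > "$tmp/log" <<'EOF'
saslauthd[22214]: pam_warn(smtp:auth): function=[pam_sm_authenticate] flags=0x8000 service=[smtp] terminal=[<unknown>] user=[lists] ruser=[<unknown>] rhost=[<unknown>]
saslauthd[22214]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
dovecot-auth: pam_warn(dovecot:auth): function=[pam_sm_authenticate] flags=0x8000 service=[dovecot] user=[lists]
EOF
    pam_missing_policies "$tmp/log" "$tmp/pam.d"
    rm -rf "$tmp"
}

demo
```

On a real system, call `pam_missing_policies` with a saved copy of the auth log and the default `/etc/pam.d`.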

#8 2019-02-11 13:03:07

RalphCorderoy
Member
Registered: 2017-01-25
Posts: 27

Re: pambase 20190105.1-1 breaks email

Package at lacks a /etc/pam.d file.  https://bugs.archlinux.org/task/61700 tracks the breakage.
It seems like quite a few packages may not be providing a /etc/pam.d file.
Was any survey done on introducing the pambase change to try and spot the omissions in advance?
Does the 'any pam-aware application is required to install its policy to /etc/pam.d in'
mean all packages that depend on pam should have a /etc/pam.d/* in their package contents?
I don't have many packages installed, but this shows at, cifs-utils, kbd, ... are lacking.

    pactree -ld1 -r pam | sed 1d | xargs -rtn1 pkgfile -l |& egrep $'\t''/etc/pam\.d/.|^pkgfile'

Offline

#9 2019-02-11 14:48:14

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 8,581

Re: pambase 20190105.1-1 breaks email

Please do not hijack threads, Ralph.

https://wiki.archlinux.org/index.php/Co … _hijacking

As Gene's issue seems to be resolved and pambase-20190105.1 is now in [core], I am going to take this opportunity to close this thread.


Sakura:-
Mobo: MSI X299 TOMAHAWK ARCTIC // Processor: Intel Core i7-7820X 3.6GHz // GFX: nVidia GeForce GTX 970 // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 5x 1TB HDD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.

Offline
