Problems external ldap Authentication

Posted: Tue Mar 14, 2006 3:51 pm
by operator
On our Scalix 10 Premium system there is the following problem:
For one user, every few minutes an error message occurs in the fatal log:


ERROR                   IMAP Server Da(IMAP Server Pr) Tue Mar 14 20:40:57 2006
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok
Pid of logging process: 14710


Such error messages always occur, whether the user is logged in or not.
We use the same ldap configuration on some other servers, where no such errors occur.

Here are 3 of the errors:

ERROR                   IMAP Server Da(IMAP Server Pr) Tue Mar 14 20:42:26 2006
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok
Pid of logging process: 14782


ERROR                   IMAP Server Da(IMAP Server Pr) Tue Mar 14 20:42:26 2006
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok
User Name: xxxxx / xxxxxx/CN=xxxxxx
Pid of logging process: 9895


ERROR                   IMAP Server Da(IMAP Server Pr) Tue Mar 14 20:43:26 2006
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok
Pid of logging process: 14820


/var/opt/scalix/sys/pam.d/ual.remote

auth sufficient om_ldap
auth sufficient om_auth
auth required pam_deny
account required om_auth
password optional om_ldap
password required om_auth
#password required om_sasl
session required om_auth


/var/opt/scalix/sys/om_ldap.conf

host = localhost:398
base = dc=ebnetux,dc=intra
search = subtree
filter = uid=%s
tls=off


Thanks

Markus

Posted: Tue Mar 14, 2006 5:24 pm
by jch
om_ldap doesn't support password changing. You need to use pam_ldap for that: it works in Scalix 10. There's some useful information in the man pages for sxpampasswd, sxpamauth and om_debug if you're having trouble setting it up.

jch

Posted: Fri Mar 24, 2006 2:18 pm
by ben.christenson
I may be missing something, but I don't quite see what the original post had to do with password changing... We are seeing the same problem with our newly upgraded Scalix 10 server. Every few seconds we get an error written to fatal. Here are some examples:

ERROR POP3 interface(POP3 Process ) Wed Mar 15 01:35:47 2006
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok
Pid of logging process: 11565

ERROR IMAP Server Da(IMAP Server Pr) Fri Mar 24 12:17:00 2006
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok
User Name: First Last / scalix, domain/CN=First Last
Pid of logging process: 32639

ERROR Remote Client (U/I Access ) Fri Mar 24 12:20:01 2006
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok
User Name: First Last / scalix, domain/CN=First Last
Pid of logging process: 31684

What could be causing this? What further diagnostics can we run?

Posted: Tue Mar 28, 2006 11:22 am
by jch
In the pam config file there are, among others, the lines

auth sufficient om_auth
password optional om_ldap

When the PAM library loads up the config file it locates the shared library for om_ldap, that is /opt/scalix/lib/security/om_ldap.so. For the "auth" line it looks for an entry point, a function, called pam_sm_authenticate; for the "password" line it looks for an entry point pam_sm_chauthtok. Once all the symbols are resolved it goes ahead and does whatever is required, usually authentication.

That's the important point. The PAM library resolves all its symbols before it does anything at all. If it can't resolve a symbol, you'll get an error logged. In this case, since om_ldap doesn't do password changing it has no pam_sm_chauthtok and so you'll get an error logged. It's easy to verify. Put something like this in ~scalix/sys/pam.d/pamcheck

auth required om_auth
account required om_auth
password optional om_ldap
password required om_auth
session required om_auth

and then run "sxpamauth <surname>". (There's an annoying bug in sxpamauth, it works with unique surnames but not a lot else in the way of login names.) When you've run it, do "omshowlog -p2" and you'll see something like this:

ERROR                          Administration(sxpamauth     ) 28.03.06 16:20:45
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok

And you'll get that error whether or not you put in the right password.

jch
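As an added illustration of the symbol-resolution behaviour jch describes (this is not code from the thread or from Scalix), the following Python script parses a PAM stack file, maps each management group to the pam_sm_* entry points the PAM library looks up for it, and reports every module/group pair whose entry point is absent. The real check (`so_exports`) uses dlopen/dlsym via ctypes; the `FAKE_EXPORTS` table in the usage part is constructed to match jch's description (om_ldap has no pam_sm_chauthtok) so the script runs without Scalix installed.

```python
import ctypes

# Entry points the PAM library resolves for each management group keyword.
ENTRY_POINTS = {
    "auth": ("pam_sm_authenticate", "pam_sm_setcred"),
    "account": ("pam_sm_acct_mgmt",),
    "password": ("pam_sm_chauthtok",),
    "session": ("pam_sm_open_session", "pam_sm_close_session"),
}

def parse_stack(config_text):
    """Parse 'type control module' lines; blanks and '#' comments are skipped."""
    stack = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        stack.append((parts[0], parts[1], parts[2]))
    return stack

def so_exports(path):
    """Return a predicate telling whether the shared object at `path` exports
    a symbol (dlopen + dlsym through ctypes, as the PAM library does)."""
    lib = ctypes.CDLL(path)
    return lambda symbol: hasattr(lib, symbol)

def unresolved_symbols(config_text, exports_for):
    """List (module, group, symbol) triples the PAM library could not resolve.
    `exports_for(module)` returns a predicate over symbol names."""
    missing = []
    for group, _control, module in parse_stack(config_text):
        if group not in ENTRY_POINTS:
            raise ValueError(f"unknown management group: {group!r}")
        has = exports_for(module)
        for symbol in ENTRY_POINTS[group]:
            if not has(symbol):
                missing.append((module, group, symbol))
    return missing

# Constructed stand-in for the modules' export tables (assumption, not a dump
# of the real .so files): om_ldap only authenticates, as jch explains.
FAKE_EXPORTS = {
    "om_ldap": {"pam_sm_authenticate", "pam_sm_setcred"},
    "om_auth": {s for syms in ENTRY_POINTS.values() for s in syms},
    "pam_deny": {s for syms in ENTRY_POINTS.values() for s in syms},
}

def fake_exports_for(module):
    return lambda symbol: symbol in FAKE_EXPORTS[module]
```

For a real module, pass `lambda m: so_exports(f"/opt/scalix/lib/security/{m}.so")` (the path jch names) as `exports_for` instead of `fake_exports_for`.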

Posted: Wed Feb 07, 2007 8:33 am
by rudi
Hi,

The Scalix server authenticates against OpenLDAP. When a user logs in with Outlook, there is the following message in the fatal log. But the login is successful.

ERROR Remote Client (U/I Access ) Wed Feb 7 13:17:48 2007
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok
User Name: sxadmin / this post will be deleted, via-donau/CN=sxadmin
Pid of logging process: 29717

Posted: Wed Feb 07, 2007 9:00 am
by jch
Hmmm. I seem to have already replied to this in March last year!

Look at the reply immediately before yours where the error message is explained in detail.

jch

Posted: Wed Feb 07, 2007 9:21 am
by rudi
OK, I commented out the line

#password optional om_ldap

now there are no errors.

Thanks!!!

Re: Problems external ldap Authentication

Posted: Mon Feb 22, 2010 2:54 pm
by ink
How do we fix this in Scalix 11?

[root@mail pam.d]# pwd
/var/opt/scalix/ml/s/sys/pam.d
[root@mail pam.d]# ls -l pamcheck
ls: pamcheck: No such file or directory
[root@mail pam.d]#


Should I create the file and expect it to work?

Re: Problems external ldap Authentication

Posted: Mon Feb 22, 2010 5:19 pm
by jch
Yes, you need to create the pamcheck file.

It's been a while, but last time I did this I copied some other file to pamcheck so that I could debug it.

Re: Problems external ldap Authentication

Posted: Mon Feb 22, 2010 7:11 pm
by ink
Thanks jch, but that appears to have no effect. If you have any other ideas, I would appreciate it. We are not using external LDAP for authentication, as per the title of this thread. Google led me here because pam_sm_chauthtok was mentioned.

Re: Problems external ldap Authentication

Posted: Tue Feb 23, 2010 4:10 am
by jch
pamcheck is only used by sxpamauth and sxpampasswd, which are for debugging PAM problems, which is why that file doesn't normally exist.

I don't think you said what problem you're trying to solve.

Re: Problems external ldap Authentication

Posted: Tue Feb 23, 2010 11:58 am
by ink
jch wrote: I don't think you said what problem you're trying to solve.


Apologies; I want to get rid of all these superfluous messages in my Fatal log:

ERROR                   POP3 interface(POP3 Process  ) Tue Feb 23 08:56:40 2010
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok
Pid of logging process: 802

ERROR                   IMAP Server Da(IMAP Server Pr) Tue Feb 23 08:55:39 2010
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok
User Name: John Doe / mail, domain/CN=John Doe
Pid of logging process: 8407

ERROR                   SMTP Relay    (SMTPD Relay Pr) Mon Feb 22 22:20:13 2010
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok
Pid of logging process: 697

Re: Problems external ldap Authentication

Posted: Tue Feb 23, 2010 12:20 pm
by jch
Aha.

It's probably the same problem as the original then.

The om_ldap module doesn't do password changing and if you have it in the password section of the imap or smtpd config files then it'll log those errors.

Does that make sense?