Newbie: Authentication against NT Domain


andys

Postby andys » Mon Apr 24, 2006 4:49 am

Hi,

I have a problem authenticating Scalix 9.4.2.5 against a Windows NT Domain.
I changed the files as described in the “Scalix Pluggable Authentication Modules (OM-PAM)” Technical Note, but I receive no error in the logs.

Thanks

florian
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Tue Apr 25, 2006 8:41 am

you need to use the pam_smb PAM module.

three things that are risky here:
1. the pam_smb module requires a config file, I believe this is /etc/pam_smb.conf or similar. The format of this config file is pretty significant:
- no blank lines
- proper capitalization
- no comments
- even if you have only a single SMB server, you need to specify primary and alternate (specify the same server twice)

The first time I was trying with this module, I got really frustrated over it and at some point started looking at the source code; unfortunately, and in addition, the module provides almost no debugging information in log files or so.

Note: this is the Linux standard pam_smb module; the module has _NOT_ been written by Scalix! ;-)

2. the pam_smb module requires the username in AuthId format (which must contain the Windows username then). To get there, you'll need to
a) make sure your AuthId field contains the Windows Username
b) use the om_om2authid bridge pam module (see its man page for details) to convert the Scalix Username into the AuthId before the pam_smb module is called.

3. I'm not sure about this one, but the pam_smb module might require an additional option that tells it to ignore the fact that the user does not exist in the Linux /etc/passwd file or database.

Hope this helps; if someone gets all the steps together completely, may I suggest that he/she writes up a little doc piece on the Scalix Wiki (www.scalix.com/wiki) so that others can benefit from it. I would love to do it myself, but I don't have the time right now to go through the testing cycle. I would promise to read any comment on it, if required, though.

-- f.
Florian von Kurnatowski, Die Harder!

andys

Postby andys » Tue Apr 25, 2006 9:14 am

Thanks for your help Florian. I am one step forward.
The authentication via webmail is working fine, the problem is now the Outlook2K-Client. In /var/log/messages:

Apr 25 11:17:24 tarzan ual.remote: No Local authentication done, relying on other modules for password file entry.
Apr 25 11:17:24 tarzan ual.remote: pamsmbd : msg_snd problem
Apr 25 11:17:24 tarzan ual.remote: pam_smb: got back 2 username nu
Apr 25 11:17:24 tarzan ual.remote: pam_smb: unable to contact servers
Ap

display this message. Is it a configuration problem with pam_smb, or is anything missing in the ual.remote file:

auth required om_om2authid.so
auth sufficient /lib/security/pam_smb_auth.so nolocal debug
auth required om_auth
auth required om_admin
account required om_om2authid.so
password required om_om2authid.so


Thanks

florian
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Tue Apr 25, 2006 9:21 am

Hi,

I believe your ual.remote pam config file should look like

auth required om_om2authid
auth sufficient ... smb ...
auth sufficient om_auth use_first_pass
auth required pam_deny

account required om_auth

In your example, you specify om_admin; that shouldn't be in there at all. Also note that for the time being the only pam type you should be changing is auth.

I have to assume that the reason why swa signon works is that you authenticate through scalix, not SMB; this, in conjunction with om_admin, could actually explain the difference between outlook and swa that shouldn't be there.

does the user that you're testing with have the same scalix password (as set through sac or omaddu/ommodu) as the SMB user? you should have different passwords set on both sides to see what you authenticate as.

also, please post the contents of your pam_smb config file.

In addition, you can use the om_debug pam module and sxpamauth debug command to help testing pam; both are documented in their respective man pages.

Cheers,
Florian.
Florian von Kurnatowski, Die Harder!
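As an added illustration of the advice in the reply above (this is not Scalix code, nor anything from the thread's participants), the small linter below parses a ual.remote PAM stack and reports the points florian raises: om_admin present, non-auth types altered, om_om2authid not first, the om_auth fallback not "sufficient ... use_first_pass", and no closing pam_deny. The two sample stacks are constructed from the posts; the smb line florian elides with "..." is filled in from andys's file, which is an assumption.

```python
"""Lint a Scalix ual.remote PAM stack against the shape described in the reply above.

Added example, not Scalix code. Assumed: standard "type control module [args]"
PAM syntax; module names as in the thread (om_om2authid, om_auth, om_admin,
pam_deny, pam_smb_auth). The pam_smb line in the recommended stack is taken
from andys's posted file, since the reply elides it with "...".
"""

# Constructed from andys's post: the stack that failed for Outlook.
POSTED_UAL_REMOTE = """\
auth required om_om2authid.so
auth sufficient /lib/security/pam_smb_auth.so nolocal debug
auth required om_auth
auth required om_admin
account required om_om2authid.so
password required om_om2authid.so
"""

# Constructed from florian's reply, with the elided smb line filled in (assumption).
RECOMMENDED_UAL_REMOTE = """\
auth required om_om2authid
auth sufficient /lib/security/pam_smb_auth.so nolocal
auth sufficient om_auth use_first_pass
auth required pam_deny

account required om_auth
"""


def parse_pam_stack(text):
    """Return (type, control, module, args) tuples; blank and '#' lines are skipped.
    A module path such as /lib/security/pam_smb_auth.so is reduced to pam_smb_auth."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("malformed PAM line: %r" % line)
        module = parts[2].rsplit("/", 1)[-1]
        if module.endswith(".so"):
            module = module[:-3]
        entries.append((parts[0], parts[1], module, parts[3:]))
    return entries


def lint_ual_remote(text):
    """Return a list of findings; an empty list means the stack matches the advice."""
    findings = []
    entries = parse_pam_stack(text)
    auth = [e for e in entries if e[0] == "auth"]

    if any(e[2] == "om_admin" for e in entries):
        findings.append("om_admin is present; it does not belong in this stack")

    # Only the auth type should be customised; the other types stay on om_auth.
    for pam_type, _control, module, _args in entries:
        if pam_type != "auth" and module != "om_auth":
            findings.append("%s type uses %s; only the auth type should be changed" % (pam_type, module))

    # om_om2authid must run first so pam_smb sees the Windows username (AuthId).
    if not auth or auth[0][1:3] != ("required", "om_om2authid"):
        findings.append("auth stack must start with 'auth required om_om2authid'")

    smb = [e for e in auth if "smb" in e[2]]
    if not smb:
        findings.append("no pam_smb module in the auth stack")
    elif smb[0][1] != "sufficient":
        findings.append("the pam_smb line should be 'sufficient'")

    # Scalix-internal fallback: sufficient, reusing the password already collected.
    om_auth = [e for e in auth if e[2] == "om_auth"]
    if not om_auth:
        findings.append("no om_auth fallback in the auth stack")
    elif om_auth[0][1] != "sufficient" or "use_first_pass" not in om_auth[0][3]:
        findings.append("om_auth fallback should be 'sufficient ... use_first_pass'")

    # Without a closing pam_deny, a stack whose only 'required' line (om_om2authid)
    # succeeded would still pass even when both 'sufficient' modules failed.
    if not auth or auth[-1][1:3] != ("required", "pam_deny"):
        findings.append("auth stack must end with 'auth required pam_deny'")
    return findings


if __name__ == "__main__":
    for name, stack in (("posted", POSTED_UAL_REMOTE), ("recommended", RECOMMENDED_UAL_REMOTE)):
        print(name, lint_ual_remote(stack) or "OK")
```

Running it reports five findings for the posted stack and none for the recommended one; the point of the pam_deny check is the one florian's version makes implicitly: with only sufficient lines after a successful required om_om2authid, a stack with no terminating deny would accept the user when both SMB and Scalix authentication failed.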

andys

Postby andys » Tue Apr 25, 2006 9:38 am

The Test User has different Passwords and the pam_smb.conf File:

DOMAIN
PDC
BDC

Andy
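Florian's first reply lists the pam_smb.conf format pitfalls (no blank lines, capitalisation, no comments, primary and alternate server both required), and Andy's post above shows the three-line layout. The checker below, an added example that is not pam_smb or Scalix code, applies those rules to a file body before it is put in place. It assumes the file is exactly three lines in the order domain, primary server, alternate server, and reads the capitalisation rule as upper-case NetBIOS names; both are my assumptions, and the sample configs are constructed.

```python
"""Check a pam_smb.conf body against the format rules florian lists above.

Added example, not part of pam_smb or Scalix. Assumed: the file is exactly
three lines, domain / primary server / alternate server, in that order (the
layout of Andy's posted file); the capitalisation rule is read as upper-case
NetBIOS names, which is an assumption on my part.
"""
import re

# NetBIOS-style name: 1-15 upper-case letters, digits or hyphens (assumed rule).
NETBIOS_RE = re.compile(r"^[A-Z0-9][A-Z0-9\-]{0,14}$")

# Constructed samples.
GOOD_CONF = "DOMAIN\nPDC\nBDC\n"
SINGLE_SERVER_CONF = "DOMAIN\nPDC\n"                 # alternate server missing
SLOPPY_CONF = "# my domain\ndomain\n\nPDC\nBDC\n"    # comment, lower case, blank line


def check_pam_smb_conf(text):
    """Return a list of findings; an empty list means every rule here passed."""
    findings = []
    if "\r" in text:
        findings.append("CRLF line endings found; use plain LF")
        text = text.replace("\r", "")
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # the newline terminating the last line is not a blank line
    content = []
    for n, line in enumerate(lines, 1):
        if line.strip() == "":
            findings.append("line %d is blank" % n)
        elif line.lstrip().startswith(("#", ";")):
            findings.append("line %d is a comment" % n)
        else:
            if line != line.strip():
                findings.append("line %d has leading or trailing whitespace" % n)
            content.append(line.strip())
    if len(content) != 3:
        findings.append("expected 3 lines (domain, primary, alternate), found %d; "
                        "with a single server, list it twice" % len(content))
        return findings
    for label, value in zip(("domain", "primary server", "alternate server"), content):
        if not NETBIOS_RE.match(value):
            findings.append("%s %r is not an upper-case NetBIOS name" % (label, value))
    return findings


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("single", SINGLE_SERVER_CONF), ("sloppy", SLOPPY_CONF)):
        print(name, check_pam_smb_conf(conf) or "OK")
```

Because the module itself logs almost nothing, as florian notes, a check like this is cheaper than reading the source to find out why authentication silently fails.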

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Tue Apr 25, 2006 11:04 am

The problem is most likely to do with the pamsmbd daemon.

When it starts up, it creates a shared message queue but it is only owned by root so Scalix processes are unable to use it.

The solution is to recompile the pamsmbd source with the --disable-root-only switch so that the message queue has more accessible permissions.

Cheers

Dave
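The symptom Dave describes (a message queue created by pamsmbd that only root can use, so the Scalix process gets "msg_snd problem") can be confirmed from `ipcs -q` before rebuilding anything. The script below is an added example, not code from Scalix or pam_smb; it assumes the util-linux `ipcs -q` column layout (key, msqid, owner, perms, used-bytes, messages) and that the Scalix processes that talk to pamsmbd do not run as root, as the reply implies. The sample output is constructed.

```python
"""Spot a root-only SysV message queue in `ipcs -q` output.

Added example, not Scalix or pam_smb code. Assumed: the util-linux `ipcs -q`
column layout (key, msqid, owner, perms, used-bytes, messages) and that the
Scalix processes that talk to pamsmbd do not run as root. The sample output
below is constructed.
"""
import subprocess

SAMPLE_IPCS_Q = """\
------ Message Queues --------
key        msqid      owner      perms      used-bytes   messages
0x0000162e 0          root       600        0            0
0x0000162f 32769      scalix     666        0            0
"""


def parse_ipcs_q(output):
    """Return a list of dicts, one per queue row; header and separator lines are skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue
        rows.append({"key": parts[0], "msqid": int(parts[1]),
                     "owner": parts[2], "perms": int(parts[3], 8)})
    return rows


def root_only_queues(output):
    """Return queues only root can use: owned by root with no group/other rw bits.
    Such a queue matches the thread's symptom: pamsmbd is up, but the non-root
    Scalix process cannot open its queue and logs 'msg_snd problem'."""
    found = []
    for q in parse_ipcs_q(output):
        others_rw = q["perms"] & 0o066  # group and other read/write bits
        if q["owner"] == "root" and others_rw == 0:
            found.append(q)
    return found


if __name__ == "__main__":
    try:
        out = subprocess.run(["ipcs", "-q"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        out = SAMPLE_IPCS_Q  # not on Linux: fall back to the constructed sample
    for q in root_only_queues(out):
        print("root-only queue %s (msqid %d, perms %03o)" % (q["key"], q["msqid"], q["perms"]))
```

After a rebuild with --disable-root-only, the pamsmbd queue should no longer show up in this list; if it still does, the running daemon is the old binary.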

andys

Postby andys » Wed Apr 26, 2006 2:52 am

Thanks, it works Perfect.

Andy
