Problems external ldap Authentication


operator
Posts: 26
Joined: Tue Oct 11, 2005 6:18 am

Problems external ldap Authentication

Postby operator » Tue Mar 14, 2006 3:51 pm

On our Scalix 10 Premium system we have the following problem:
For one user, every few minutes an error message occurs in the fatal log:


Code:

ERROR                   IMAP Server Da(IMAP Server Pr) Tue Mar 14 20:40:57 2006
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok
Pid of logging process: 14710


Such error messages always occur, whether the user is logged in or not.
We use the same LDAP configuration on some more servers, where no such errors occur.

Here are 3 of the errors:

Code:

ERROR                   IMAP Server Da(IMAP Server Pr) Tue Mar 14 20:42:26 2006
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok
Pid of logging process: 14782


ERROR                   IMAP Server Da(IMAP Server Pr) Tue Mar 14 20:42:26 2006
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok
User Name: xxxxx / xxxxxx/CN=xxxxxx
Pid of logging process: 9895


ERROR                   IMAP Server Da(IMAP Server Pr) Tue Mar 14 20:43:26 2006
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok
Pid of logging process: 14820


/var/opt/scalix/sys/pam.d/ual.remote

Code:

auth sufficient om_ldap
auth sufficient om_auth
auth required pam_deny
account required om_auth
password optional om_ldap
password required om_auth
#password required om_sasl
session required om_auth


/var/opt/scalix/sys/om_ldap.conf

Code:

host = localhost:398
base = dc=ebnetux,dc=intra
search = subtree
filter = uid=%s
tls=off


Thanks

Markus

jch
Scalix
Posts: 202
Joined: Thu Mar 25, 2004 10:25 am

Postby jch » Tue Mar 14, 2006 5:24 pm

om_ldap doesn't support password changing. You need to use pam_ldap for that: it works in Scalix 10. There's some useful information in the man pages for sxpampasswd, sxpamauth and om_debug if you're having trouble setting it up.

jch

ben.christenson
Posts: 16
Joined: Fri Mar 03, 2006 11:24 am

Postby ben.christenson » Fri Mar 24, 2006 2:18 pm

I may be missing something, but I don't quite see what the original post had to do with password changing... We are seeing the same problem with our newly upgraded Scalix 10 server. Every few seconds we get an error written to fatal. Here are some examples:

ERROR POP3 interface(POP3 Process ) Wed Mar 15 01:35:47 2006
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok
Pid of logging process: 11565

ERROR IMAP Server Da(IMAP Server Pr) Fri Mar 24 12:17:00 2006
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok
User Name: First Last / scalix, domain/CN=First Last
Pid of logging process: 32639

ERROR Remote Client (U/I Access ) Fri Mar 24 12:20:01 2006
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok
User Name: First Last / scalix, domain/CN=First Last
Pid of logging process: 31684

What could be causing this? What further diagnostics can we run?

jch
Scalix
Posts: 202
Joined: Thu Mar 25, 2004 10:25 am

Postby jch » Tue Mar 28, 2006 11:22 am

In the pam config file there are, among others, the lines

Code:

auth sufficient om_auth
password optional om_ldap

When the PAM library loads up the config file it locates the shared library for om_ldap, that is /opt/scalix/lib/security/om_ldap.so. For the "auth" line it looks for an entry point, a function, called pam_sm_authenticate; for the "password" line it looks for an entry point pam_sm_chauthtok. Once all the symbols are resolved it goes ahead and does whatever is required, usually authentication.

That's the important point. The PAM library resolves all its symbols before it does anything at all. If it can't resolve a symbol, you'll get an error logged. In this case, since om_ldap doesn't do password changing it has no pam_sm_chauthtok and so you'll get an error logged. It's easy to verify. Put something like this in ~scalix/sys/pam.d/pamcheck:

Code:

auth required om_auth
account required om_auth
password optional om_ldap
password required om_auth
session required om_auth

and then run "sxpamauth <surname>". (There's an annoying bug in sxpamauth, it works with unique surnames but not a lot else in the way of login names.) When you've run it, do "omshowlog -p2" and you'll see something like this:

Code:

ERROR                          Administration(sxpamauth     ) 28.03.06 16:20:45
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok

And you'll get that error whether or not you put in the right password.

jch
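The symbol lookup jch describes above, as an added example that is not part of the original posts and is not Scalix code: it walks a PAM config and reports every line whose module lacks the entry point that line's type needs. The export table is constructed for illustration (om_ldap without pam_sm_chauthtok as stated in the thread; om_auth and pam_deny assumed to export everything), and the entry-point map uses the standard PAM service-module names, of which the thread itself names only pam_sm_authenticate and pam_sm_chauthtok.

```python
# Added example. Entry points a PAM library looks up per line type
# (standard PAM service-module names; the thread names two of them).
REQUIRED = {
    "auth": ("pam_sm_authenticate", "pam_sm_setcred"),
    "account": ("pam_sm_acct_mgmt",),
    "password": ("pam_sm_chauthtok",),
    "session": ("pam_sm_open_session", "pam_sm_close_session"),
}
ALL = {sym for syms in REQUIRED.values() for sym in syms}

# Constructed export table (assumption): om_ldap lacks pam_sm_chauthtok, as
# stated in the thread; om_auth and pam_deny are assumed to export everything.
EXPORTS = {"om_ldap": ALL - {"pam_sm_chauthtok"}, "om_auth": ALL, "pam_deny": ALL}

# The ual.remote file from the first post.
UAL_REMOTE = """\
auth sufficient om_ldap
auth sufficient om_auth
auth required pam_deny
account required om_auth
password optional om_ldap
password required om_auth
#password required om_sasl
session required om_auth
"""

def active_lines(text):
    """Yield (lineno, type, module) for each non-comment config line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] in REQUIRED:
            yield lineno, fields[0], fields[2]

def unresolved_symbols(text, exports):
    """Return (lineno, module, symbol) for every lookup that would fail."""
    findings = []
    for lineno, mtype, module in active_lines(text):
        if module not in exports:
            findings.append((lineno, module, "<module not in export table>"))
            continue
        # The control flag (optional/required) is ignored on purpose:
        # the symbol is looked up, and the error logged, either way.
        findings += [(lineno, module, sym) for sym in REQUIRED[mtype]
                     if sym not in exports[module]]
    return findings

if __name__ == "__main__":
    for lineno, module, sym in unresolved_symbols(UAL_REMOTE, EXPORTS):
        print(f"line {lineno}: {module} has no {sym}")
```

For a real module, the export set can be filled from the defined dynamic symbols of its shared library, for example the output of `nm -D --defined-only` on the .so file.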

rudi
Posts: 289
Joined: Mon Nov 22, 2004 6:53 am

Postby rudi » Wed Feb 07, 2007 8:33 am

Hi,

The Scalix server authenticates against OpenLDAP. When a user logs in with Outlook, there is the following message in the fatal log. But the login is successful.

ERROR Remote Client (U/I Access ) Wed Feb 7 13:17:48 2007
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok
User Name: sxadmin / this post will be deleted, via-donau/CN=sxadmin
Pid of logging process: 29717

jch
Scalix
Posts: 202
Joined: Thu Mar 25, 2004 10:25 am

Postby jch » Wed Feb 07, 2007 9:00 am

Hmmm. I seem to have already replied to this in March last year!

Look at the reply immediately before yours where the error message is explained in detail.

jch

rudi
Posts: 289
Joined: Mon Nov 22, 2004 6:53 am

Postby rudi » Wed Feb 07, 2007 9:21 am

OK, I commented out the line

#password optional om_ldap

Now there are no errors.

Thanks!!!

ink
Posts: 67
Joined: Mon May 23, 2005 3:53 pm

Re: Problems external ldap Authentication

Postby ink » Mon Feb 22, 2010 2:54 pm

How do we fix this in Scalix 11?

Code:

[root@mail pam.d]# pwd
/var/opt/scalix/ml/s/sys/pam.d
[root@mail pam.d]# ls -l pamcheck
ls: pamcheck: No such file or directory
[root@mail pam.d]#


Should I create the file and expect it to work?

jch
Scalix
Posts: 202
Joined: Thu Mar 25, 2004 10:25 am

Re: Problems external ldap Authentication

Postby jch » Mon Feb 22, 2010 5:19 pm

Yes, you need to create the pamcheck file.

It's been a while, but last time I did this I copied some other file to pamcheck so that I could debug it.

ink
Posts: 67
Joined: Mon May 23, 2005 3:53 pm

Re: Problems external ldap Authentication

Postby ink » Mon Feb 22, 2010 7:11 pm

Thanks jch, but that appears to have no effect. If you have any other ideas, I would appreciate it. We are not using external LDAP for authentication, as per the title of this thread. Google led me here because pam_sm_chauthtok was mentioned.

jch
Scalix
Posts: 202
Joined: Thu Mar 25, 2004 10:25 am

Re: Problems external ldap Authentication

Postby jch » Tue Feb 23, 2010 4:10 am

pamcheck is only used by sxpamauth and sxpampasswd, which are for debugging PAM problems, which is why that file doesn't normally exist.

I don't think you said what problem you're trying to solve.

ink
Posts: 67
Joined: Mon May 23, 2005 3:53 pm

Re: Problems external ldap Authentication

Postby ink » Tue Feb 23, 2010 11:58 am

jch wrote: I don't think you said what problem you're trying to solve.


Apologies; I want to get rid of all these superfluous messages in my Fatal log:

Code:

ERROR                   POP3 interface(POP3 Process  ) Tue Feb 23 08:56:40 2010
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok
Pid of logging process: 802

ERROR                   IMAP Server Da(IMAP Server Pr) Tue Feb 23 08:55:39 2010
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok
User Name: John Doe / mail, domain/CN=John Doe
Pid of logging process: 8407

ERROR                   SMTP Relay    (SMTPD Relay Pr) Mon Feb 22 22:20:13 2010
[OM 29260] PAM unable to resolve symbol: pam_sm_chauthtok
Pid of logging process: 697

jch
Scalix
Posts: 202
Joined: Thu Mar 25, 2004 10:25 am

Re: Problems external ldap Authentication

Postby jch » Tue Feb 23, 2010 12:20 pm

Aha.

It's probably the same problem as the original then.

The om_ldap module doesn't do password changing and if you have it in the password section of the imap or smtpd config files then it'll log those errors.

Does that make sense?

