Gentoo Forums
[SOLVED] Upgraded to ejabberd 16.04, getting auth failures
Pasketti
Tux's lil' helper


Joined: 04 Sep 2003
Posts: 109
Location: Austin, Texas

Posted: Thu Aug 25, 2016 5:03 pm    Post subject: [SOLVED] Upgraded to ejabberd 16.04, getting auth failures

ejabberd upgraded this morning from version 2.1.13-r2 to 16.04.

As part of this, I had to convert the config file to yml format using the included conversion program.

It starts up fine, but Pidgin is now unable to authenticate any users.

The error in the log is:
2016-08-25 10:43:37.164 [info] <0.504.0>@ejabberd_c2s:wait_for_feature_request:782 ({socket_state,fast_tls,{tlssock,#Port<0.22028>,#Port<0.22029>},<0.503.0>}) Failed authentication for me@mydomain.org from 192.168.1.3

I went through the new config file comparing it to the old one, but nothing stood out.

I suspect something is all wonky with pam, but the pam module hasn't changed. I tried both the new xmpp pam module, and the old ejabberd module.

I tried to reinstall the old version, but it's not available in the portage tree anymore.

I'm probably doing something stupid and am hoping that someone can whack me over the head and tell me what I'm doing wrong.

Here's my ejabberd.yml:

Code:

hosts:
  - "mydomain.org"
access:
  announce:
    admin: allow
  c2s:
    blocked: deny
    all: allow
  c2s_shaper:
    admin: none
    all: normal
  configure:
    admin: allow
  local:
    local: allow
  max_user_offline_messages:
    admin: 5000
    all: 100
  max_user_sessions:
    all: 10
  mod_register_networks:
    ip_127.0.0.0/8: allow
    ip_0.0.0.0/0: deny
  muc:
    all: allow
  muc_admin:
    admin: allow
  muc_create:
    local: allow
  pubsub_createnode:
    local: allow
  register:
    all: allow
  s2s_shaper:
    all: fast
acl:
  admin:
    user:
      -
        "me": "mydomain.org"
  ip_0.0.0.0/0:
    ip:
      - "0.0.0.0/0"
  ip_127.0.0.0/8:
    ip:
      - "127.0.0.0/8"
  local:
    user_regexp:
      - ""
auth_method:
#  - internal
  - pam
pam_service: "ejabberd"
#pam_service: "xmpp"
language: "en"
listen:
  -
    port: 5222
    module: ejabberd_c2s
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
    starttls: true
    certfile: "/etc/ssl/ejabberd/jabbercert.pem"
  -
    port: 5269
    module: ejabberd_s2s_in
    max_stanza_size: 131072
    shaper: s2s_shaper
  -
    port: 5280
    module: ejabberd_http
    web_admin: true
    http_poll: true
    http_bind: true
loglevel: 4
max_fsm_queue: 1000
modules:
  mod_register:
    ip_access: mod_register_networks
    welcome_message:
      subject: "Welcome!"
      body: "Hi.
Welcome to the mydomain.org IM server."
    access: register
  mod_adhoc: []
  mod_announce:
    access: announce
  mod_blocking: []
  mod_caps: []
  mod_configure: []
  mod_disco: []
  mod_http_bind: []
  mod_last: []
  mod_muc:
    access: muc
    access_create: muc_create
    access_persistent: muc_create
    access_admin: muc_admin
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: []
  mod_privacy: []
  mod_private: []
  mod_roster: []
  mod_shared_roster: []
  mod_stats: []
  mod_time: []
  mod_vcard: []
  mod_version: []
shaper:
  normal: 1000
  fast: 50000


Last edited by Pasketti on Sat Aug 27, 2016 1:02 am; edited 1 time in total
Pasketti

Posted: Fri Aug 26, 2016 4:08 pm

More info. Pam is working, but I think ejabberd isn't calling it correctly. Specifically, the epam helper program isn't calling it correctly.

I put pam_warn.so in the xmpp pam service file, like so:

Code:

# File autogenerated by pamd_mimic in pam eclass

auth    required        pam_warn.so
auth    include         system-auth
account include         system-auth


I used the pamtester program (from here: http://pamtester.sourceforge.net/) to test the pam authentication using the xmpp service:

Code:

pamtester -I ruser=me xmpp me authenticate
Password:
pamtester: successfully authenticated


When I do that, this shows up in syslog:

Code:

Aug 26 10:36:29 hostname pamtester: pam_warn(xmpp:auth): function=[pam_sm_authenticate] flags=0 service=[xmpp] terminal=[<unknown>] user=[me] ruser=[me] rhost=[<unknown>]


That all looks OK. But then when I try to log in using pidgin, this shows up in syslog:

Code:

Aug 26 10:39:20 hostname epam: pam_warn(xmpp:auth): function=[pam_sm_authenticate] flags=0 service=[xmpp] terminal=[<unknown>] user=[me] ruser=[me] rhost=[<unknown>]
Aug 26 10:39:20 hostname unix_chkpwd[11274]: check pass; user unknown
Aug 26 10:39:20 hostname unix_chkpwd[11275]: check pass; user unknown
Aug 26 10:39:20 hostname unix_chkpwd[11275]: password check failed for user (me)
Aug 26 10:39:20 hostname epam: pam_unix(xmpp:auth): authentication failure; logname= uid=103 euid=103 tty= ruser=me rhost=  user=me


ejabberd invokes epam, which then invokes the pam_unix service to authenticate. pam_unix uses unix_chkpwd to actually check the password, and that's failing.

For completeness, here is what happens when I give pamtester a bad password:

Code:

Aug 26 10:41:08 hostname pamtester: pam_warn(xmpp:auth): function=[pam_sm_authenticate] flags=0 service=[xmpp] terminal=[<unknown>] user=[me] ruser=[me] rhost=[<unknown>]
Aug 26 10:41:11 hostname pamtester: pam_unix(xmpp:auth): authentication failure; logname=me uid=0 euid=0 tty= ruser=me rhost=  user=me


And here is what happens when I give pamtester a bad user name:

Code:

Aug 26 10:43:43 hostname pamtester: pam_warn(xmpp:auth): function=[pam_sm_authenticate] flags=0 service=[xmpp] terminal=[<unknown>] user=[badname] ruser=[badname] rhost=[<unknown>]
Aug 26 10:43:45 hostname pamtester: pam_unix(xmpp:auth): check pass; user unknown
Aug 26 10:43:45 hostname pamtester: pam_unix(xmpp:auth): authentication failure; logname=me uid=0 euid=0 tty= ruser=badname rhost=


Any ideas?
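The comparison made in the post above (epam failing with uid=103 while pamtester runs with uid=0), as an added example that is not part of the original post: a shell/awk triage that classifies each pam_unix failure by the caller's euid and by whether the unix_chkpwd helper reported "user unknown" first. The function names and verdict labels are made up for this example; the sample lines are copied from the logs quoted above.

```shell
#!/bin/sh
# Added example: classify pam_unix auth failures by who called PAM.

# Constructed sample: syslog lines copied from the posts above.
sample_log() {
cat <<'EOF'
Aug 26 10:39:20 hostname epam: pam_warn(xmpp:auth): function=[pam_sm_authenticate] flags=0 service=[xmpp] terminal=[<unknown>] user=[me] ruser=[me] rhost=[<unknown>]
Aug 26 10:39:20 hostname unix_chkpwd[11274]: check pass; user unknown
Aug 26 10:39:20 hostname unix_chkpwd[11275]: check pass; user unknown
Aug 26 10:39:20 hostname unix_chkpwd[11275]: password check failed for user (me)
Aug 26 10:39:20 hostname epam: pam_unix(xmpp:auth): authentication failure; logname= uid=103 euid=103 tty= ruser=me rhost=  user=me
Aug 26 10:41:11 hostname pamtester: pam_unix(xmpp:auth): authentication failure; logname=me uid=0 euid=0 tty= ruser=me rhost=  user=me
Aug 26 10:43:45 hostname pamtester: pam_unix(xmpp:auth): check pass; user unknown
Aug 26 10:43:45 hostname pamtester: pam_unix(xmpp:auth): authentication failure; logname=me uid=0 euid=0 tty= ruser=badname rhost=
EOF
}

# Reads syslog on stdin; prints one line per pam_unix auth failure:
#   <program> euid=<n> user=<name or -> <verdict>
triage_pam_log() {
  awk '
    # The unix_chkpwd helper could not look the account up.
    /unix_chkpwd(\[[0-9]+\])?: check pass; user unknown/ { helper_unknown = 1; next }
    / pam_unix\([^)]*:auth\): authentication failure;/ {
      prog = $5; sub(/(\[[0-9]+\])?:$/, "", prog)   # "epam:" -> "epam"
      euid = "?"; user = "-"
      for (i = 6; i <= NF; i++) {
        if ($i ~ /^euid=/)  euid = substr($i, 6)
        if ($i ~ /^user=./) user = substr($i, 6)    # skips ruser= and empty user=
      }
      # Non-root caller plus a helper lookup failure is the pattern from
      # the epam login attempt; euid 0 means PAM itself rejected the login.
      if (euid != "0" && helper_unknown) verdict = "helper-lacks-root"
      else if (euid != "0")              verdict = "non-root-caller"
      else                               verdict = "credentials-rejected"
      print prog, "euid=" euid, "user=" user, verdict
      helper_unknown = 0
    }
  '
}

sample_log | triage_pam_log
```

On a live system, feed it the auth log instead of `sample_log`; a `helper-lacks-root` verdict points at the permissions of the program calling PAM rather than at the password.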
Pasketti

Posted: Sat Aug 27, 2016 1:01 am

Solved!

The epam program in /usr/lib64/erlang/lib/p1_pam-1.0.0/priv/bin/epam must be run as root.

This command fixed it:

Code:
chmod +4750 /usr/lib64/erlang/lib/p1_pam-1.0.0/priv/bin/epam


This should have been done at install time. I shall submit a bug.
Pasketti

Posted: Tue Dec 05, 2017 5:45 pm

When I rebuilt everything for the profile upgrade, it reinstalled jabber, and auth stopped working again.

This time, it was /usr/lib64/erlang/lib/epam-1.0.0/priv/bin/epam that needed to be run as root.

Fix:

Code:

chmod +4750 /usr/lib64/erlang/lib/epam-1.0.0/priv/bin/epam
/etc/init.d/ejabberd restart

Not sure if this helps anyone else, but I remember having this issue and posting about it, so I thought I'd update for myself if it happens again in the future.
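A check to run after each rebuild, since the thread shows the fix being lost on reinstall and the helper's directory changing between versions. This is an added example, not part of the original posts: the `audit_epam` name, the status strings and the `ejabberd` group name are assumptions, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit every epam helper found
# under an Erlang lib directory. Assumes GNU stat; the group name
# "ejabberd" is an assumption, pass your own as the second argument.

# audit_epam [LIBDIR] [GROUP]
# Prints "<OK|FAIL> <mode> <uid>:<group> <path> [reasons]" per helper.
# Returns 0 only when at least one helper exists and all of them pass.
audit_epam() {
  libdir=${1:-/usr/lib64/erlang/lib}
  want_group=${2:-ejabberd}
  found=0 bad=0
  # The thread shows the directory changing between versions
  # (p1_pam-1.0.0, later epam-1.0.0), so glob instead of hard-coding it.
  for f in "$libdir"/*/priv/bin/epam; do
    [ -f "$f" ] || continue
    found=1
    set -- $(stat -c '%a %u %G' "$f")
    mode=$1 uid=$2 grp=$3 why=
    [ "$uid" = 0 ] || why="$why owner-not-root"
    [ -u "$f" ] || why="$why no-setuid"
    [ "$grp" = "$want_group" ] || why="$why group-not-$want_group"
    # A setuid-root helper should not be runnable by every local user.
    case $mode in *[1-7]) why="$why world-accessible" ;; esac
    if [ -z "$why" ]; then
      echo "OK $mode $uid:$grp $f"
    else
      echo "FAIL $mode $uid:$grp $f$why"
      bad=1
    fi
  done
  [ "$found" = 1 ] && [ "$bad" = 0 ]
}

audit_epam "$@" || echo "epam helper missing or misconfigured" >&2
```

A `world-accessible` result on a helper that is otherwise setuid root means the mode still carries permission bits for "other"; tightening it to exactly 4750 with the service group as owner group clears that.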