[OpenAFS-devel] Auth fails with sasl + pam_afs

Jared Brothers brothers@cs.unc.edu
Tue, 07 Jun 2005 17:21:43 -0400


Hello all,

I'm still having trouble with saslauthd and the openafs pam module. I'm 
not able to authenticate to AFS, with these results being logged,

Jun  1 12:24:09 facil5-cs pam_afs[12888]: AFS Options: nowarn=0, use_first_pass=0, try_first_pass=0, ignore_uid = 1, ignore_uid_id = 0, refresh_token=0, set_token=0, dont_fork=0, use_klog=0
Jun  1 12:24:09 facil5-cs pam_afs[12888]: AFS Username = `brothers'
Jun  1 12:24:09 facil5-cs pam_afs[12888]: AFS No first password for user brothers
Jun  1 12:24:09 facil5-cs pam_afs[12888]: New PAG created in pam_authenticate()
Jun  1 12:24:09 facil5-cs pam_afs[12888]: forking ...
Jun  1 12:24:09 facil5-cs pam_afs[12889]: in child
Jun  1 12:24:09 facil5-cs pam_afs[12888]: in parent, waiting ...
Jun  1 12:24:09 facil5-cs pam_afs[12889]: child: auth_ok=1
Jun  1 12:24:09 facil5-cs pam_afs[12888]: parent: auth_ok=0
Jun  1 12:24:09 facil5-cs pam_afs[12888]: leaving auth: auth_ok=0

The module forks a child process that does the authentication, which on 
success calls exit(1). But then for no apparent reason, the parent that 
is waiting receives 0 as the child's status. I found in documentation of 
waitpid that the status is zero if and only if the child was terminated 
by one of,

    1. The process returned 0 from main().
    2. The process called _exit() or exit() with a status argument of 0.
    3. The process was terminated because the last thread in the process terminated.

But these shouldn't be the case, AFAIK. This module works fine with sshd 
and radius, but not saslauthd. And saslauthd works with pam when using 
other modules than pam_afs. Is there something different about sasl that 
would cause exit() or waitpid() to have this behavior?

The /etc/pam.d/imap config looks like,
    auth   required       /lib/security/pam_nologin.so
    auth   sufficient     /lib/security/pam_afs.krb.so ignore_root debug
    auth   required       /lib/security/pam_deny.so
    account sufficient    /lib/security/pam_pwdb.so
    account required      /lib/security/pam_deny.so

jared brothers
-- 
brothers@cs.unc.edu   university of north carolina
(919)656-5772         computer science department
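
Added example, not part of the original post or of the pam_afs source: a minimal C sketch of the fork / exit(1) / wait pattern the post describes. It shows one condition under which a parent reads 0 although the child exited with 1: when SIGCHLD is set to SIG_IGN in the calling process, the child is reaped automatically, waitpid() fails with ECHILD, and the status variable is never written. That the calling daemon ignores SIGCHLD is an assumption made for the demonstration, not something the post establishes, and all function names are hypothetical.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in child (hypothetical): exits 1 on success, as in the post. */
static pid_t spawn_auth_child(void)
{
    pid_t pid = fork();
    if (pid == 0)
        _exit(1);
    return pid;
}

/* Unchecked pattern: status starts at 0 and waitpid()'s result is ignored. */
int naive_child_exit(void)
{
    int status = 0;
    pid_t pid = spawn_auth_child();
    if (pid < 0)
        return 0;
    waitpid(pid, &status, 0);
    return WEXITSTATUS(status);
}

/* Checked pattern: -1 means "result could not be collected". */
int checked_child_exit(void)
{
    int status = 0;
    pid_t r, pid = spawn_auth_child();
    if (pid < 0)
        return -1;
    do {
        r = waitpid(pid, &status, 0);
    } while (r == -1 && errno == EINTR);
    if (r != pid || !WIFEXITED(status))
        return -1;              /* e.g. ECHILD: child was auto-reaped */
    return WEXITSTATUS(status);
}

int main(void)
{
    signal(SIGCHLD, SIG_DFL);
    printf("SIG_DFL: naive=%d checked=%d\n", naive_child_exit(), checked_child_exit());
    signal(SIGCHLD, SIG_IGN);   /* assumed caller behaviour, not from the post */
    printf("SIG_IGN: naive=%d checked=%d\n", naive_child_exit(), checked_child_exit());
    return 0;
}
```

An authentication module using the checked form would treat -1 as a failed login and log it separately from a rejected password, so the two cases can be told apart in the debug output.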