[Samba] Samba Hylafax PAM

Marcel Ebbrecht m.ebbrecht at dortmundit.de
Wed Jan 27 14:35:08 UTC 2016 

Hi Louis,

I tried that and (and sure tried that before) - but got a new error

Jan 27 15:23:18 voip1 HylaFAX[24795]: pam_authenticate failed in
pamCheck with 0x6: Permission denied

I'll check that this evening and asked the hylafax guys ... by default
we use nslcd and libpam-ldapd package on debian - works like a charm.

Meanwhile: Do you have any clue why only hylafax pam is not working ?

If I got this running I'll like to contribute to the wiki ... the ldap
article is very poor and pam_ldap.conf is afaik deprecated ;)

Greetings

Marshall

Am 26.01.2016 um 11:56 schrieb L.P.H. van Belle:
> O, try the following. 
>
>  
>
> Test this first. 
>
> ldd /usr/sbin/hfaxd
>
>  if you getting libpam.so..  something, then hylafax is compiled with pam support. 
>
>  
>
> Next, 
>
>  
>
> apt-get install libpam-ldap   ( just to be sure, i do believe you have installed it already ) 
>
>  
>
> create the file :  
>
> /etc/pam.d/hylafax 
>
> Add : 
>
>  
>
> auth         required       pam_ldap.so
>
> account   required       pam_ldap.so
>
> session    required       pam_ldap.so
>
>  
>
> and check the content of : 
>
>  
>
> /etc/pam_ldap.conf
>
> And this as example adjust as needed. 
>
>  
>
> base dc=domain,dc=local
>
> uri ldap://dc01.domain.local/ ldap://dc02.domain.local/
>
> ldap_version 3
>
> binddn auth_ldap_user at domain.local
>
> bindpw password
>
> rootbinddn auth_ldap_user at domain.local
>
> pam_filter objectclass=user
>
> pam_login_attribute sAMAccountName
>
> pam_password crypt
>
>  
>
> ^^ test with and without the pam_password crypt 
>
> And test with 
>
> pam_password bind  
>
>  
>
>  
>
> Greetz, 
>
>  
>
> Louis
>
>  
>
>  
>
>
> Van: Marcel Ebbrecht [mailto:m.ebbrecht at dortmundit.de] 
> Verzonden: maandag 25 januari 2016 19:54
> Aan: L.P.H. van Belle
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] Samba Hylafax PAM
>
>
>  
>
> Hi Louis,
>
> I gave it another shot - but without success. 
>
> System: Debian Jessie, Hylafax-Server 6.0.6, pam 1.1.8, libpam-ldapd
> 0.9.4, nslcd 0.9.4 (all actual debian packets from stable),
> sernet-samba-*-4.2.7-8
>
> I got a Samba4 AD DC and use winbind or pam_ldapd on many servers successfully. On the specific machine (asterisk with hylafax and iaxmodem - works like a charm) pam works - I can switch to a different user, login by ssh with ad users a.s.o. - everything works, except hylafax auth :(
>
> I can also login with user created with hylafax itself. But when I put 
>
> auth required    pam_access.so
> auth            sufficient              pam_ldap.so
> account         sufficient              pam_ldap.so
> password        sufficient              pam_ldap.so
>
> in /etc/pam.d/hylafax, I get 
>
> Jan 25 08:28:40 voip1 HylaFAX[1560]: pam_ldap(hylafax:auth): conversation failed
> Jan 25 08:28:40 voip1 HylaFAX[1560]: pam_ldap(hylafax:auth): conversation failed
> Jan 25 08:28:40 voip1 HylaFAX[1560]: pam_ldap(hylafax:auth): failed to get password: Authentication token manipulation error
>
> Same result with winbind and classic pam_ldap without nslcd :(
>
> I dont want to spam you - what kind information do you want :)
>
> Greetings :)
>
> Marcel
>
> Am 18.01.2016 um 11:48 schrieb L.P.H. van Belle:
>> Hai, 
>>  
>> I dont have hylafax running atm, but can you check for the following. 
>>  
>> /etc/pam.d/common-account/password/session .. etc.  and pam_ldap
>>  
>> Look for any : minimum_uid=1000  if you see that, remove "minimum_uid=1000" 
>> And whats the UID for user : hylafax 
>>  
>> After the changes, 
>> stop nslcd. 
>> Restart samba 
>> Restart hylafax
>>  
>> If needed reboot the server. 
>> And check again. 
>>  
>> This is the first and only i can think of, it would be handy if above does not work, you share some more info of your config. 
>>  
>>  
>> Greetz, 
>>  
>> Louis
>>  
>>  
>>  
>>> -----Oorspronkelijk bericht-----
>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Marcel Ebbrecht
>>> Verzonden: maandag 18 januari 2016 10:15
>>> Aan: samba at lists.samba.org
>>> Onderwerp: [Samba] Samba Hylafax PAM
>>>  
>
>
> Hi,
>
> I posted this also on hylafax list - maybe here is someone with a hint.
>
>
> System: Debian Jessie, Hylafax-Server 6.0.6, pam 1.1.8, libpam-ldapd
> 0.9.4, nslcd 0.9.4 (all actual debian packets from stable),
> sernet-samba-*-4.2.7-8
>
> After a switch from OpenLDAP to a Samba 4.2 based LDAP Server, I cannot
> auth users anymore in Hylafax, everything else works. All on Debian
> Jessie.
>
> Strace:
> 11:30:44.510380 send(2, "<83>Jan  9 11:30:44 HylaFAX[25657]:
> pam_ldap(hylafax:auth): conversation failed", 79, MSG_NOSIGNAL) = 79
> <0.000066>
> 11:30:44.510592 send(2, "<83>Jan  9 11:30:44 HylaFAX[25657]:
> pam_ldap(hylafax:auth): conversation failed", 79, MSG_NOSIGNAL) = 79
> <0.000041>
> 11:30:44.510875 send(2, "<83>Jan  9 11:30:44 HylaFAX[25657]:
> pam_ldap(hylafax:auth): failed to get password: Authentication token
> manipulation error", 123, MSG_NOSIGNAL) = 123 <0.000060>
>
> To shorten my mail: Is there anyone out there who made it? I mean
> authentication for hylafax against a Samba 4 DC ? I tried: pam_ldap,
> pam_winbind, ... everything (ssh local login, ...) works, except hylafax.
>
> Any hints?
>
> Greetings
>
> Marcel
>
>>>  
>>>  
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>  
>>  
>>  
>

-- 
Marcel Ebbrecht <m.ebbrecht at dortmundit.de>
e2 consulting UG (haftungsbeschraenkt)

Geschaeftssitz:
Rheinlanddamm 201
D-44139 Dortmund

Telefon: +49 231 99778310
Telefax: +49 231 99778381
Mobil: +49 160 90345852
Jabber: m.ebbrecht at dortmundit.de
Internet: https://www.dortmundit.de

Handelsregister Dortmund HRB 24666
Geschaeftsfuehrer: Marcel Ebbrecht
Steuernummer: 314/5723/1889
USTID: DE283203942

PKI: https://ssl.dortmundit.de:18016

AGB: http://agb.dortmundit.de

Diese E-Mail und moegliche Anhaenge enthalten vertrauliche Informationen, die rechtlich besonders geschuetzt sein koennen. Wenn Sie nicht der beabsichtigte Empfaenger bzw. Adressat dieser E-mail sind und diese E-Mail etwa aufgrund eines technischen Fehlers oder eines Versehens erhalten haben, informieren Sie uns bitte sofort und loeschen Sie anschliessend die E-Mail. Das unbefugte Kopieren dieser E-Mail, etwaiger Anhaenge sowie die unbefugte Weitergabe der enthaltenen Informationen an Dritte ist nicht gestattet.

This e-mail message together with its attachments, if any, is confidential and may contain information subject to legal privilege (e.g. attorney-client-privilege). If you are not the intended recipient or have received this e-mail in error, please inform us immediately and delete this message. Any unauthorised copying of this message (and attachments) or unauthorised distribution of the information contained herein is prohibited.

Go Green! Print this email only when necessary.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20160127/2a548e04/signature.sig>

More information about the samba mailing list