[Samba] Samba Hylafax PAM

L.P.H. van Belle belle at bazuin.nl
Wed Jan 27 15:42:18 UTC 2016


No, and Google is not helping much.. :-/ 
But based on your error:
> HylaFAX[24795]: pam_authenticate failed in
> pamCheck with 0x6: Permission denied

This looks like hylafax is working, and PAM is failing the request intentionally.
I'm not a PAM expert :-/ 

Last thing you can try, what I found online.. 
Test with an account with only a-Z and 0-9 chars in the password. 
In the /etc/pam/hylafax try the following (also test the pam_ldap with an account with a-Z 0-9 password). 

You have samba/winbind working yes? 

auth    sufficient      pam_winbind.so
account sufficient      pam_winbind.so
password sufficient      pam_winbind.so 
session sufficient      pam_winbind.so


Very interested when you have this working. 
Hylafax is on my todo list here..   ;-) 


Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcel Ebbrecht
> Sent: Wednesday 27 January 2016 15:35
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba Hylafax PAM
> 
> Hi Louis,
> 
> I tried that (and sure tried that before) - but got a new error
> 
> Jan 27 15:23:18 voip1 HylaFAX[24795]: pam_authenticate failed in
> pamCheck with 0x6: Permission denied
> 
> I'll check that this evening and asked the hylafax guys ... by default
> we use nslcd and libpam-ldapd package on debian - works like a charm.
> 
> Meanwhile: Do you have any clue why only hylafax pam is not working ?
> 
> If I got this running I'll like to contribute to the wiki ... the ldap
> article is very poor and pam_ldap.conf is afaik deprecated ;)
> 
> Greetings
> 
> Marshall
> 
> On 26.01.2016 at 11:56, L.P.H. van Belle wrote:
> > O, try the following.
> >
> > Test this first.
> >
> > ldd /usr/sbin/hfaxd
> >
> >  if you getting libpam.so..  something, then hylafax is compiled with pam support.
> >
> > Next,
> >
> > apt-get install libpam-ldap   ( just to be sure, i do believe you have installed it already )
> >
> > create the file :
> >
> > /etc/pam.d/hylafax
> >
> > Add :
> >
> > auth       required       pam_ldap.so
> > account    required       pam_ldap.so
> > session    required       pam_ldap.so
> >
> > and check the content of :
> >
> > /etc/pam_ldap.conf
> >
> > And this as example adjust as needed.
> >
> > base dc=domain,dc=local
> > uri ldap://dc01.domain.local/ ldap://dc02.domain.local/
> > ldap_version 3
> > binddn auth_ldap_user at domain.local
> > bindpw password
> > rootbinddn auth_ldap_user at domain.local
> > pam_filter objectclass=user
> > pam_login_attribute sAMAccountName
> > pam_password crypt
> >
> > ^^ test with and without the pam_password crypt
> >
> > And test with
> >
> > pam_password bind
> >
> > Greetz,
> >
> > Louis
> >
> > From: Marcel Ebbrecht [mailto:m.ebbrecht at dortmundit.de]
> > Sent: Monday 25 January 2016 19:54
> > To: L.P.H. van Belle
> > CC: samba at lists.samba.org
> > Subject: Re: [Samba] Samba Hylafax PAM
> >
> >
> >
> >
> > Hi Louis,
> >
> > I gave it another shot - but without success.
> >
> > System: Debian Jessie, Hylafax-Server 6.0.6, pam 1.1.8, libpam-ldapd
> > 0.9.4, nslcd 0.9.4 (all actual debian packets from stable),
> > sernet-samba-*-4.2.7-8
> >
> > I got a Samba4 AD DC and use winbind or pam_ldapd on many servers
> > successfully. On the specific machine (asterisk with hylafax and iaxmodem
> > - works like a charm) pam works - I can switch to a different user, login
> > by ssh with ad users a.s.o. - everything works, except hylafax auth :(
> >
> > I can also login with user created with hylafax itself. But when I put
> >
> > auth required    pam_access.so
> > auth            sufficient              pam_ldap.so
> > account         sufficient              pam_ldap.so
> > password        sufficient              pam_ldap.so
> >
> > in /etc/pam.d/hylafax, I get
> >
> > Jan 25 08:28:40 voip1 HylaFAX[1560]: pam_ldap(hylafax:auth): conversation failed
> > Jan 25 08:28:40 voip1 HylaFAX[1560]: pam_ldap(hylafax:auth): conversation failed
> > Jan 25 08:28:40 voip1 HylaFAX[1560]: pam_ldap(hylafax:auth): failed to get password: Authentication token manipulation error
> >
> > Same result with winbind and classic pam_ldap without nslcd :(
> >
> > I don't want to spam you - what kind of information do you want :)
> >
> > Greetings :)
> >
> > Marcel
> >
> > On 18.01.2016 at 11:48, L.P.H. van Belle wrote:
> >> Hi,
> >>
> >> I don't have hylafax running atm, but can you check for the following.
> >>
> >> /etc/pam.d/common-account/password/session .. etc.  and pam_ldap
> >>
> >> Look for any : minimum_uid=1000  if you see that, remove "minimum_uid=1000"
> >> And what's the UID for user : hylafax
> >>
> >> After the changes,
> >> stop nslcd.
> >> Restart samba
> >> Restart hylafax
> >>
> >> If needed reboot the server.
> >> And check again.
> >>
> >> This is the first and only thing I can think of, it would be handy if above
> >> does not work, you share some more info of your config.
> >>
> >>
> >> Greetz,
> >>
> >> Louis
> >>
> >>
> >>
> >>> -----Original message-----
> >>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcel Ebbrecht
> >>> Sent: Monday 18 January 2016 10:15
> >>> To: samba at lists.samba.org
> >>> Subject: [Samba] Samba Hylafax PAM
> >>>
> >
> >
> > Hi,
> >
> > I posted this also on hylafax list - maybe here is someone with a hint.
> >
> >
> > System: Debian Jessie, Hylafax-Server 6.0.6, pam 1.1.8, libpam-ldapd
> > 0.9.4, nslcd 0.9.4 (all actual debian packets from stable),
> > sernet-samba-*-4.2.7-8
> >
> > After a switch from OpenLDAP to a Samba 4.2 based LDAP Server, I cannot
> > auth users anymore in Hylafax, everything else works. All on Debian
> > Jessie.
> >
> > Strace:
> > 11:30:44.510380 send(2, "<83>Jan  9 11:30:44 HylaFAX[25657]:
> > pam_ldap(hylafax:auth): conversation failed", 79, MSG_NOSIGNAL) = 79
> > <0.000066>
> > 11:30:44.510592 send(2, "<83>Jan  9 11:30:44 HylaFAX[25657]:
> > pam_ldap(hylafax:auth): conversation failed", 79, MSG_NOSIGNAL) = 79
> > <0.000041>
> > 11:30:44.510875 send(2, "<83>Jan  9 11:30:44 HylaFAX[25657]:
> > pam_ldap(hylafax:auth): failed to get password: Authentication token
> > manipulation error", 123, MSG_NOSIGNAL) = 123 <0.000060>
> >
> > To shorten my mail: Is there anyone out there who made it? I mean
> > authentication for hylafax against a Samba 4 DC ? I tried: pam_ldap,
> > pam_winbind, ... everything (ssh local login, ...) works, except
> > hylafax.
> >
> > Any hints?
> >
> > Greetings
> >
> > Marcel
> >
> 
> --
> Marcel Ebbrecht <m.ebbrecht at dortmundit.de>
> e2 consulting UG (haftungsbeschraenkt)

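A triage helper for the log lines and PAM stacks quoted in this thread, as an added example that is not part of any message above or of the HylaFAX or Samba projects. It assumes Linux-PAM's numeric return codes and its fallback to PAM_PERM_DENIED when a stack of only `sufficient` modules yields no success; the function names are hypothetical and the sample input is copied from the messages.

```python
import re

# Linux-PAM return codes seen in this thread (values from _pam_types.h).
PAM_CODES = {6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
             19: "PAM_CONV_ERR", 20: "PAM_AUTHTOK_ERR"}
MODULE_MSG = re.compile(r"(pam_\w+)\((\w+):(\w+)\): (.*)")
APP_MSG = re.compile(r"(pam_\w+) failed in \w+ with (0x[0-9a-fA-F]+)")

# Sample input taken from the messages in this thread.
LOGS = [
    "Jan 25 08:28:40 voip1 HylaFAX[1560]: pam_ldap(hylafax:auth): conversation failed",
    "Jan 25 08:28:40 voip1 HylaFAX[1560]: pam_ldap(hylafax:auth): failed to get "
    "password: Authentication token manipulation error",
    "Jan 27 15:23:18 voip1 HylaFAX[24795]: pam_authenticate failed in pamCheck "
    "with 0x6: Permission denied",
]
WINBIND_STACK = "auth sufficient pam_winbind.so\naccount sufficient pam_winbind.so\n"
LDAP_STACK = "auth required pam_ldap.so\naccount required pam_ldap.so\n"


def triage(line):
    """Classify one syslog line from a PAM-enabled daemon such as hfaxd."""
    m = MODULE_MSG.search(line)
    if m:
        module, service, _phase, msg = m.groups()
        # Both messages mean the module got no password back from the
        # application's conversation callback, i.e. before any password check.
        if msg.startswith(("conversation failed", "failed to get password")):
            return (service, module, "no-password-from-application")
        return (service, module, "module-error")
    m = APP_MSG.search(line)
    if m:
        code = PAM_CODES.get(int(m.group(2), 16), "unknown")
        return ("application", m.group(1), code)
    return None


def sufficient_only(service_file_text):
    """Return PAM types whose stack holds nothing but 'sufficient' modules.

    If no module in such a stack succeeds, Linux-PAM has no verdict to
    report and returns PAM_PERM_DENIED (0x6).
    """
    stacks = {}
    for raw in service_file_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3:
            stacks.setdefault(fields[0].lstrip("-"), []).append(fields[1])
    return sorted(t for t, ctl in stacks.items()
                  if all(c == "sufficient" for c in ctl))
```

Run `sufficient_only()` on the text of `/etc/pam.d/hylafax` and `triage()` on each matching syslog line to see whether a failure comes from the daemon's conversation callback or from the stack's final verdict.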


