POP3-Login-Problem on debian etch (pam_authenticate failed)

[kaschig]

Hello,

I've followed the 'perfect setup' for Debian etch (new installation no upgrading) and afterwards installed ISPconfig from the scratch.

But by now I have problems loggin in to mail accounts. 'Normal' accounts (like my admin) work fine, but via ISPconfig created user-accounts results in a 'login failure'. I've set the authdaemon-DEBUG to 2 - and here's the result from the syslog:

May 10 08:39:43 server2 courierpop3login: Connection, ip=[::ffff:192.168.10.10]
May 10 08:39:49 server2 authdaemond: received auth request, service=pop3, authtype=login
May 10 08:39:49 server2 authdaemond: authpam: trying this module
May 10 08:39:49 server2 authdaemond: authpam: sysusername=u2info, sysuserid=<null>, sysgroupid=10002, homedir=/var/www/web2/user/u2info, address=u2info, fullname=Christopher Kaschig - 2, maildir=<null>, quota=<null>, options=<null>
May 10 08:39:49 server2 authdaemond: authpam: clearpasswd=<null>, passwd=x
May 10 08:39:49 server2 authdaemond: pam_service=pop3, pam_username=u2info
May 10 08:39:50 server2 authdaemond: pam_authenticate failed, result 7
May 10 08:39:50 server2 authdaemond: authpam: REJECT - try next module
May 10 08:39:50 server2 authdaemond: FAIL, all modules rejected


A working "real" user-login looks like that:

May 10 09:27:01 server2 courierpop3login: Connection, ip=[::ffff:192.168.10.10]
May 10 09:27:01 server2 authdaemond: received auth request, service=pop3, authtype=login
May 10 09:27:01 server2 authdaemond: authpam: trying this module
May 10 09:27:01 server2 authdaemond: authpam: sysusername=ck, sysuserid=<null>, sysgroupid=1000, homedir=/home/ck, address=ck, fullname=Christopher Kaschig,,,, maildir=<null>, quota=<null>, options=<null>
May 10 09:27:01 server2 authdaemond: authpam: clearpasswd=<null>, passwd=x
May 10 09:27:01 server2 authdaemond: pam_service=pop3, pam_username=ck
May 10 09:27:01 server2 authdaemond: dopam successful
May 10 09:27:01 server2 authdaemond: Authenticated: sysusername=ck, sysuserid=<null>, sysgroupid=1000, homedir=/home/ck, address=ck, fullname=Christopher Kaschig,,,, maildir=<null>, quota=<null>, options=<null>
May 10 09:27:01 server2 authdaemond: Authenticated: clearpasswd=..., passwd=...
May 10 09:27:01 server2 courierpop3login: LOGIN, user=ck, ip=[::ffff:192.168.10.10]
May 10 09:27:01 server2 courierpop3login: LOGOUT, user=ck, ip=[::ffff:192.168.10.10], top=0, retr=0, rcvd=12, sent=39, time=0


Do You have any suggestions where or what I have to look for?

Thanks in advance,
Chris

[kaschig]

By now I've seen, that some "virtual" users can login either. It seems as if the "administrator"-users of each web-account could log in his mail-account (pop3/imap) but the other "normal" user (where 'administrator' is NOT selected on the first user-config-page) cannot do so.

Some suggestions? Help :-)

May 10 14:11:47 server2 courierpop3login: Connection, ip=[::ffff:62.96.95.218]
May 10 14:11:48 server2 authdaemond: received auth request, service=pop3, authtype=login
May 10 14:11:48 server2 authdaemond: authpam: trying this module
May 10 14:11:48 server2 authdaemond: authpam: sysusername=u16_admin, sysuserid=<null>, sysgroupid=10016, homedir=/var/www/web16, address=u16_admin, fullname=Administrator, maildir=<null>, quota=<null>, options=<null>
May 10 14:11:48 server2 authdaemond: authpam: clearpasswd=<null>, passwd=x
May 10 14:11:48 server2 authdaemond: pam_service=pop3, pam_username=u16_admin
May 10 14:11:48 server2 authdaemond: dopam successful
May 10 14:11:48 server2 authdaemond: Authenticated: sysusername=u16_admin, sysuserid=<null>, sysgroupid=10016, homedir=/var/www/web16, address=u16_admin, fullname=Administrator, maildir=<null>, quota=<null>, options=<null>
May 10 14:11:48 server2 authdaemond: Authenticated: clearpasswd=..., passwd=...
May 10 14:11:48 server2 courierpop3login: LOGIN, user=u16_admin, ip=[::ffff:62.96.95.218]
May 10 14:11:48 server2 courierpop3login: LOGOUT, user=u16_admin, ip=[::ffff:62.96.95.218], top=0, retr=0, rcvd=12, sent=39, time=0

[kaschig]

Okay it's me, once again.

Setting the passwords via passwd helps. I hope this wont be neccassary on all new accounts?! Are there some reasons known on this behaviour? Perhaps a stopped script?

Greetings, Chris

[falko]

Can you check /etc/passwd and /etc/shadow if the users that don't work are listed there?
What's the value of $go_info["server"]["password_hash"] in /home/admispconfig/ispconfig/lib/config.inc.php?

[kaschig]

In /etc/passwd the users appear
In /etc/shadow I've forgotten to look - by now the misworking users where corrected - and so they're shown in shadow, but I cannot say whether they had an entry in there before. Sorry.
$go_info["server"]["password_hash"] is 'crypt'.

Greetings, Chris

[falko]

Quote:

Originally Posted by kaschig

In /etc/passwd the users appear
In /etc/shadow I've forgotten to look - by now the misworking users where corrected - and so they're shown in shadow, but I cannot say whether they had an entry in there before. Sorry.

You could create a new, non-admin user and see if it has the same problem, and then check both files.

[kaschig]

Hi Falko,
sorry but this behaviour only appears sometimes.

But by now I had another case:

an admin-user which worked before cannot log in today. I now had a look in /etc/shadow - there was an entry on this user. I've save the new (old) password again with passwd - and mail log in was okay again. BUT: the crypted password in shadow lookes some kind different - it's a lot longer by now.

Are there some problems according UTF-8 in etch? Is it possible to set different crypting methods on both ways (ISPconfig vs. passwd)?

Greetings, Chris

[falko]

Please set $go_info["server"]["password_hash"] to md5 in /home/admispconfig/ispconfig/lib/config.inc.php and try again.

[kaschig]

Hi Falko,

sorry but I got once more a different crypted password.

So, here we go:

/etc/pam.d:
password required pam_unix.so nullok obscure min=4 max=8 md5


using passwd on the command line creates the hash/crypted password "$1$W90vsEPz$GuzTA2rmEmdLx6lLSab7w." in /etc/shadow
using $go_info["server"]["password_hash"]='crypt' results in "~il.r2W6qKcEk"
using $go_info["server"]["password_hash"]='md5' results in "b4ssqdY3RgYE"

Both ISPconfig-saved-passwords result in a login error (POP3/IMAP-login and ISPconfig-Admin- and Mailuser-Login).
If neccassary I can give You the clear-text-password for verification purposes - I can change it without problems (and it's a one-time-used password)

BTW: which script do I have to run to get a faster user-update? I've tried several from the hourly crontab, but the correct one seems to be not included in my tryout. To produce a faster refresh I've selected the dustbin and selected the 'empty it' link - this results in a skript-run which updates the user-password in /etc/shadow - but which script is this?


Greetings,
Chris

[falko]

Quote:

Originally Posted by kaschig

BTW: which script do I have to run to get a faster user-update? I've tried several from the hourly crontab, but the correct one seems to be not included in my tryout. To produce a faster refresh I've selected the dustbin and selected the 'empty it' link - this results in a skript-run which updates the user-password in /etc/shadow - but which script is this?

The command to rewrite the configuration is

Code:

/root/ispconfig/php/php /root/ispconfig/scripts/writeconf.php

and it is controlled by the /root/ispconfig/sv/ispconfig_wconf script which checks every 10 seconds if changes have been made and if it has to start the writeconf.php process.