Re: SASL disappears on Redhat FC2

From: Rob Siemborski (no email)
Date: Tue Dec 21 2004 - 13:51:27 EST

  • Next message: Igor Brezac: "Re: using saslauthd to authenticate against multiple kerberos realms"

    On Mon, 13 Dec 2004, David Lee wrote:

    > System: Linux Redhat Fedora Core 2. Includes:
    > sendmail-8.12.11-4.6
    > cyrus-sasl-md5-2.1.18-2.2
    > cyrus-sasl-2.1.18-2.2
    > cyrus-sasl-devel-2.1.18-2.2
    > cyrus-sasl-plain-2.1.18-2.2
    >
    > I have just tried sendmail STARTTLS operation on this. So I adjust
    > "/etc/sysconfig/saslauthd" to use "pam" (our users are in NIS, with the
    > passwords in Active Directory):
    > /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
    > (and I see 5 such processes).
    >
    > It runs for a while, successfully authenticating TLS connections. Then
    > something happens (no idea what), and sendmail no longer authenticates.
    > Upon investigation most, or all, of these "saslauthd" processes have
    > disappeared (crashed? null-pointer-like?). A "service saslauthd restart"
    > fixes it.
    >
    > Does this ring any bells? Are there known sendmail/sasl interaction
    > problems (which only kick in after a time) on Redhat FC2?
    >
    > I see that the next version of Redhat, namely FC3, offers versions
    > of cyrus-sasl numbered 2.1.19-3. Do these fix known bugs (crashes?) in
    > this area?

    PAM modules are notoriously badly written; it wouldn't surprise me if they
    were leaking memory, file descriptors, or crashing altogether. You don't
    normally notice it because most pam-using applications are one-shot, while
    saslauthd is long running.

    > If I'm going to have to debug this, any suggestions of what options to
    > turn on ("-d"? syslog things?) to pursue it?

    -n 0 is likely to "solve" your problem, at a performance penalty.

    The real answer is to contact the author of your pam module and have them
    stress test it a bit.

    -Rob

    ---------------------------------------------------------------------
    Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
    Research Systems Programmer * /usr/contributed Gatekeeper
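
Added example, not part of the original thread or of Cyrus SASL: a POSIX shell health check that looks for the two symptoms discussed above, saslauthd workers disappearing (David saw 5 running) and per-worker file descriptor growth. The `PROC_ROOT` override, the `--run` switch, the `check.sh` name and the default limit of 64 descriptors are assumptions made for this sketch; reading another process's `fd` directory needs root.

```shell
#!/bin/sh
# Added example: health check for long-running saslauthd workers.
# PROC_ROOT and the MAX_FDS default are assumptions; tune them per host.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the PID of every process whose Name: field equals $1.
pids_by_name() {
    for d in "$PROC_ROOT"/[0-9]*; do
        if [ -r "$d/status" ]; then
            name=$(awk '/^Name:/ { print $2; exit }' "$d/status")
            if [ "$name" = "$1" ]; then basename "$d"; fi
        fi
    done
}

# Number of open file descriptors held by PID $1 (0 if unreadable).
fd_count() { echo $(( $(ls "$PROC_ROOT/$1/fd" 2>/dev/null | wc -l) )); }

# Resident set size of PID $1 in kB, as reported in its status file.
rss_kb() { awk '/^VmRSS:/ { print $2 }' "$PROC_ROOT/$1/status"; }

# check_saslauthd EXPECTED_WORKERS MAX_FDS
# Prints one line per worker plus ALERT lines; returns 1 if any alert fired.
check_saslauthd() {
    expected=$1; max_fds=$2; count=0; bad=0
    for pid in $(pids_by_name saslauthd); do
        count=$((count + 1))
        fds=$(fd_count "$pid")
        echo "worker pid=$pid fds=$fds rss_kb=$(rss_kb "$pid")"
        if [ "$fds" -gt "$max_fds" ]; then
            echo "ALERT fd-growth pid=$pid fds=$fds limit=$max_fds"; bad=1
        fi
    done
    if [ "$count" -lt "$expected" ]; then
        echo "ALERT workers-missing have=$count want=$expected"; bad=1
    fi
    return "$bad"
}

# Run only when asked, e.g. from cron:
#   sh check.sh --run | logger -t saslauthd-check
if [ "${1:-}" = "--run" ]; then
    check_saslauthd "${EXPECTED:-5}" "${MAX_FDS:-64}"
fi
```

Logged every few minutes, the per-worker `fds` and `rss_kb` values show whether a worker grows steadily before it vanishes, which is the evidence a PAM module author would need.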

