Hello,
I am using the latest Ngircd on an Ubuntu 64 bit vps. I am trying to setup Ngircd with PAM. I've read the documentation for PAM here: http://ngircd.barton.de/doc/PAM.txt but I am having a few questions and issues:
- I've set up /etc/pam.d/ngircd as follows:
    #%PAM-1.0
    auth required pam_userdb.so db=/etc/ngircd/ngircd-vuser.db
    account required pam_userdb.so db=/etc/ngircd/ngircd-vuser.db
    session required pam_loginuid.so
Ngircd is running under the user irc but I am not sure if the user has permissions to use this pam file as specified in the PAM.txt file?
- I see the following message in /var/log/syslog:
    ==> /var/log/auth.log <==
    Aug 23 10:41:12 mail ngircd[8733]: PAM _pam_init_handlers: could not open /etc/pam.conf
    Aug 23 10:41:12 mail ngircd[8733]: PAM pam_start: failed to initialize handlers
    ==> /var/log/syslog <==
    Aug 23 10:41:12 mail ngircd[8733]: PAM: Failed to create authenticator! (26)
Why is it looking in the empty file /etc/pam.conf and not /etc/pam.d/ngircd ?
My relevant config snippet:
    # Use PAM if ngIRCd has been compiled with support for it.
    PAM = yes
    PAMIsOptional = no
Can I force Ngircd to look for /etc/pam.d/ngircd (world readable) ?
I am using this Berkeley vuser setup the same way with vsftpd.
Regards,
Michiel
Hello Michiel!
On Fri, Aug 23, 2013 at 12:55:32PM +0200, Michiel van Es wrote:
> I am using the latest Ngircd on an Ubuntu 64 bit vps. I am trying to setup Ngircd with PAM. I've read the documentation for PAM here: http://ngircd.barton.de/doc/PAM.txt but I am having a few questions and issues:
> - I've set up /etc/pam.d/ngircd as follows:
>     #%PAM-1.0
>     auth required pam_userdb.so db=/etc/ngircd/ngircd-vuser.db
>     account required pam_userdb.so db=/etc/ngircd/ngircd-vuser.db
>     session required pam_loginuid.so
> Ngircd is running under the user irc but I am not sure if the user has permissions to use this pam file as specified in the PAM.txt file?
> - I see the following message in /var/log/syslog:
>     ==> /var/log/auth.log <==
>     Aug 23 10:41:12 mail ngircd[8733]: PAM _pam_init_handlers: could not open /etc/pam.conf
>     Aug 23 10:41:12 mail ngircd[8733]: PAM pam_start: failed to initialize handlers
>     ==> /var/log/syslog <==
>     Aug 23 10:41:12 mail ngircd[8733]: PAM: Failed to create authenticator! (26)
> Why is it looking in the empty file /etc/pam.conf and not /etc/pam.d/ngircd ?
Not ngIRCd is looking for this file, but your PAM library. And I think the library will always look for this file and _additionally_ for the files in /etc/pam.d/.
And /etc/pam.conf should be world-readable.
> My relevant config snippet:
>     # Use PAM if ngIRCd has been compiled with support for it.
>     PAM = yes
>     PAMIsOptional = no
> Can I force Ngircd to look for /etc/pam.d/ngircd (world readable) ?
Most probably not, because you would have to force your PAM library to do so -- not ngIRCd.
Alex
On 08/23/2013 11:04 PM, Alexander Barton wrote:
> Hello Michiel!
Hello Alexander!
> On Fri, Aug 23, 2013 at 12:55:32PM +0200, Michiel van Es wrote:
> > I am using the latest Ngircd on an Ubuntu 64 bit vps. I am trying to setup Ngircd with PAM. I've read the documentation for PAM here: http://ngircd.barton.de/doc/PAM.txt but I am having a few questions and issues:
> > - I've set up /etc/pam.d/ngircd as follows:
> >     #%PAM-1.0
> >     auth required pam_userdb.so db=/etc/ngircd/ngircd-vuser.db
> >     account required pam_userdb.so db=/etc/ngircd/ngircd-vuser.db
> >     session required pam_loginuid.so
> > Ngircd is running under the user irc but I am not sure if the user has permissions to use this pam file as specified in the PAM.txt file?
> > - I see the following message in /var/log/syslog:
> >     ==> /var/log/auth.log <==
> >     Aug 23 10:41:12 mail ngircd[8733]: PAM _pam_init_handlers: could not open /etc/pam.conf
> >     Aug 23 10:41:12 mail ngircd[8733]: PAM pam_start: failed to initialize handlers
> >     ==> /var/log/syslog <==
> >     Aug 23 10:41:12 mail ngircd[8733]: PAM: Failed to create authenticator! (26)
> > Why is it looking in the empty file /etc/pam.conf and not /etc/pam.d/ngircd ?
> Not ngIRCd is looking for this file, but your PAM library. And I think the library will always look for this file and _additionally_ for the files in /etc/pam.d/.
> And /etc/pam.conf should be world-readable.
> > My relevant config snippet:
> >     # Use PAM if ngIRCd has been compiled with support for it.
> >     PAM = yes
> >     PAMIsOptional = no
> > Can I force Ngircd to look for /etc/pam.d/ngircd (world readable) ?
> Most probably not, because you would have to force your PAM library to do so -- not ngIRCd.
Ok, so by default it will check /etc/pam.conf first and then /etc/pam.d/ngircd?
Do you have an example /etc/pam.d/ngircd config I can use or try? With my config posted above it does not seem to work..
> Alex
Michiel
On Mon, Aug 26, 2013 at 12:25:25AM +0200, Michiel van Es wrote:
>     ==> /var/log/auth.log <==
>     Aug 23 10:41:12 mail ngircd[8733]: PAM _pam_init_handlers: could not open /etc/pam.conf
>     Aug 23 10:41:12 mail ngircd[8733]: PAM pam_start: failed to initialize handlers
[…]
> Ok, so by default it will check /etc/pam.conf first and then /etc/pam.d/ngircd?
I think so, yes.
> Do you have an example /etc/pam.d/ngircd config I can use or try? With my config posted above it does not seem to work..
And I don't think that it is a problem with your /etc/pam.d/ngircd file, but with your /etc/pam.conf -- which it "could not open" (auth.log). Why? I don't know. Do you have such a file? The permissions are ok? (ls -l /etc/pam.conf)
Regards Alex
On 08/24/2013 12:50 AM, Alexander Barton wrote:
> On Mon, Aug 26, 2013 at 12:25:25AM +0200, Michiel van Es wrote:
> >     ==> /var/log/auth.log <==
> >     Aug 23 10:41:12 mail ngircd[8733]: PAM _pam_init_handlers: could not open /etc/pam.conf
> >     Aug 23 10:41:12 mail ngircd[8733]: PAM pam_start: failed to initialize handlers
> […]
> > Ok, so by default it will check /etc/pam.conf first and then /etc/pam.d/ngircd?
> I think so, yes.
> > Do you have an example /etc/pam.d/ngircd config I can use or try? With my config posted above it does not seem to work..
> And I don't think that it is a problem with your /etc/pam.d/ngircd file, but with your /etc/pam.conf -- which it "could not open" (auth.log). Why? I don't know. Do you have such a file? The permissions are ok? (ls -l /etc/pam.conf)
The file itself is world readable and existent but is empty since PAM now looks in /etc/pam.d
Can I add more verbosity to Ngircd?
The strange thing is, if this should work with pam-mysql which the PAM.txt suggests, then the file /etc/pam-mysql.conf would have even less permissions 6-0-0... It would be nice to find an example PAM config though how to set up Ngircd with pam (mysql, Berkeley DB, pgsql or such).
> Regards Alex
Regards,
Michiel
Ok to answer my own question, it seems that chroot (doh!) was the problem, perhaps I can fix it by copying the files and folder structure to /var/empty (chroot dir). I turned off chroot but now it says it can not find the file:
    ==> /var/log/auth.log <==
    Aug 24 12:43:28 mail ngircd[26539]: pam_userdb(ngircd:auth): user_lookup: could not open database `/etc/ngircd/ngircd-vusers.db': No such file or directory
I checked the permissions and that the user ngircd is running from (irc) can read the file:
    $ whoami
    irc
    $ less /etc/ngircd/ngircd-vusers.db
    "/etc/ngircd/ngircd-vusers.db" may be a binary file. See it anyway?
As you can see it can read it but the file is a Berkeley DB file, perhaps Ngircd can not open it? Or am I missing something from PAM?
The same file setup is working correctly by VSftpd so it should not be PAM.
Regards,
Michiel
ngIRCd Mailing List: ngIRCd-ML@arthur.barton.de http://arthur.barton.de/mailman/listinfo/ngircd-ml
On Mon, Aug 26, 2013 at 02:48:02PM +0200, Michiel van Es wrote:
> Ok to answer my own question, it seems that chroot (doh!) was the problem, perhaps I can fix it by copying the files and folder structure to /var/empty (chroot dir).
You would have to copy all the (required) PAM libraries, modules, and dependencies, too ...
> I turned off chroot but now it says it can not find the file:
>     ==> /var/log/auth.log <==
>     Aug 24 12:43:28 mail ngircd[26539]: pam_userdb(ngircd:auth): user_lookup: could not open database `/etc/ngircd/ngircd-vusers.db': No such file or directory
> I checked the permissions and that the user ngircd is running from (irc) can read the file:
>     $ whoami
>     irc
>     $ less /etc/ngircd/ngircd-vusers.db
>     "/etc/ngircd/ngircd-vusers.db" may be a binary file. See it anyway?
> As you can see it can read it but the file is a Berkeley DB file, perhaps Ngircd can not open it? Or am I missing something from PAM?
I really don't know, the error message above -- "No such file or directory" -- is quite explicit, normally.
But this all has not that much to do with ngIRCd, but with the PAM libraries and setup: ngIRCd "only" tells PAM to check the user name and password, it doesn't even know which PAM modules and configuration is involved. So ngIRCd itself doesn't even try to read the ngircd-vusers.db file at all -- this is the pam_userdb module. And this module logs
    pam_userdb(ngircd:auth): user_lookup: could not open database `/etc/ngircd/ngircd-vusers.db': No such file or directory
chroot is a good point; the PAM libraries inherit the "runtime environment" of ngIRCd. But if you _disabled_ chroot, I can't imagine a reason why you can read this file and pam_userdb can't ... strange?
Regards Alex
On 08/24/2013 03:39 PM, Alexander Barton wrote:
> On Mon, Aug 26, 2013 at 02:48:02PM +0200, Michiel van Es wrote:
> > Ok to answer my own question, it seems that chroot (doh!) was the problem, perhaps I can fix it by copying the files and folder structure to /var/empty (chroot dir).
> You would have to copy all the (required) PAM libraries, modules, and dependencies, too ...
Yes, will try that at a later stage :)
> > I turned off chroot but now it says it can not find the file:
> >     ==> /var/log/auth.log <==
> >     Aug 24 12:43:28 mail ngircd[26539]: pam_userdb(ngircd:auth): user_lookup: could not open database `/etc/ngircd/ngircd-vusers.db': No such file or directory
> > I checked the permissions and that the user ngircd is running from (irc) can read the file:
> >     $ whoami
> >     irc
> >     $ less /etc/ngircd/ngircd-vusers.db
> >     "/etc/ngircd/ngircd-vusers.db" may be a binary file. See it anyway?
> > As you can see it can read it but the file is a Berkeley DB file, perhaps Ngircd can not open it? Or am I missing something from PAM?
> I really don't know, the error message above -- "No such file or directory" -- is quite explicit, normally.
> But this all has not that much to do with ngIRCd, but with the PAM libraries and setup: ngIRCd "only" tells PAM to check the user name and password, it doesn't even know which PAM modules and configuration is involved. So ngIRCd itself doesn't even try to read the ngircd-vusers.db file at all -- this is the pam_userdb module. And this module logs
>     pam_userdb(ngircd:auth): user_lookup: could not open database `/etc/ngircd/ngircd-vusers.db': No such file or directory
> chroot is a good point; the PAM libraries inherit the "runtime environment" of ngIRCd. But if you _disabled_ chroot, I can't imagine a reason why you can read this file and pam_userdb can't ... strange?
I have found the issue: PAM automatically adds the .db extension for lookup so actually it is looking up ngircd-vusers.db.db which does not exist. When changing the PAM file (/etc/pam.d/ngircd) to /etc/ngircd/ngircd-vusers (with the .db left out of the config) it works like a charm! Ngircd with PAM and Berkeley DB virtual users!
Thanks for all the pointers!
> Regards Alex
Regards,
Michiel
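
Added example, not part of the original thread and not ngIRCd's or PAM's own code: a shell function that checks the pam_userdb db= arguments of a PAM service file for the two failures diagnosed in this thread, a db= value that already carries the .db suffix and a database that is not reachable under the daemon's chroot directory. The function name check_userdb_paths and its optional root argument are assumptions of this example.

```shell
#!/bin/sh
# pam_userdb appends ".db" itself, so db= must name the file WITHOUT the suffix.
#
# check_userdb_paths SERVICE_FILE [ROOT]
#   ROOT is an optional prefix (for example the daemon's chroot directory)
#   under which the database must be reachable.
#   Prints one line per distinct db= argument; returns 1 if any check fails,
#   2 if the service file itself cannot be read.
check_userdb_paths() {
    svc=$1
    root=${2:-}
    rc=0
    [ -r "$svc" ] || { echo "ERROR cannot read $svc"; return 2; }
    # Drop comment lines, keep pam_userdb lines, split into words, take db=.
    dbs=$(grep -v '^[[:space:]]*#' "$svc" | grep 'pam_userdb\.so' |
          tr -s ' \t' '\n\n' | sed -n 's/^db=//p' | sort -u)
    for db in $dbs; do
        if [ -r "$root$db.db" ]; then
            echo "OK $db -> $root$db.db"
        elif [ -r "$root$db" ]; then
            # The mistake from the thread: PAM would look for <name>.db.db
            echo "FAIL $db: drop the .db suffix (PAM opens $db.db)"
            rc=1
        else
            echo "FAIL $db: $root$db.db not found or unreadable"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_userdb_paths /etc/pam.d/ngircd            (no chroot)
#        check_userdb_paths /etc/pam.d/ngircd /var/empty (inside the chroot dir)
```

Run it as the user the daemon runs as (irc in this thread), so the readability test reflects what pam_userdb will see.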