I've had this ejabberd server running for more than 2 years now. I restarted the ejabberd server after a system upgrade and could not log in with my unix account.

Reproducible: Always

Steps to Reproduce:
1. Install ejabberd w/ Pam auth
2. Configure
3. Launch
4. Log in with unix account

Actual Results:
unix_chkpwd[15246]: check pass; user unknown
unix_chkpwd[15247]: check pass; user unknown
unix_chkpwd[15247]: password check failed for user (bathizte)
epam: pam_unix(xmpp:auth): authentication failure; logname= uid=107 euid=107 tty= ruser=bathizte rhost= user=bathizte

Expected Results:
Correct login.

This thread helped me solve this and shows the problem occurred at least for someone else.
http://old.nabble.com/Fwd%3A-Re%3A-ejabberd-and-pam-debugging--p29552507s24859.html

What I did
$ ls -al /sbin/unix_chkpwd
-rws--x--x 1 root root 26084 16 nov. 22:22 /sbin/unix_chkpwd*
$ chown root.jabber /usr/lib/erlang/lib/ejabberd-2.1.5/priv/bin/epam
$ vim /usr/sbin/ejabberdctl
l.15 : INSTALLUSER=jabber -> INSTALLUSER=jabber

Created attachment 254703
ejabberd-2.1.5*.ebuild.patch

Following the ejabberd guide for pam at http://www.process-one.net/en/ejabberd/guide_en#pam, this ebuild patch attempts a fix. Permissions look good after this but I have not tested with pam as I don't use this authentication method in ejabberd. Thanks.

Hello Gavin.

> this ebuild patch attempts a fix. Permissions look good after this

Ok, I was not meaning permissions but *ownerships* on the epam helper. To be sure to mention everything, I re-emerged ejabberd. Let's look together:

$ ls -al /usr/lib/erlang/lib/ejabberd-2.1.5/priv/bin/epam
-rws--x--- 1 jabber root 42408 18 nov. 13:54 /usr/lib/erlang/lib/ejabberd-2.1.5/priv/bin/epam*

So this is not correct, according to the ejabberd manual:

> Execute with root privileges:
> | chown root:ejabberd /var/lib/ejabberd/priv/bin/epam

Ok, so the ebuild should do that. I'll do this:

$ chown root.jabber /usr/lib/erlang/lib/ejabberd-2.1.5/priv/bin/epam

Start ejabberd. Try to log in from my client.

$ tail /var/log/auth.log
unix_chkpwd[23927]: check pass; user unknown
unix_chkpwd[23928]: check pass; user unknown
unix_chkpwd[23928]: password check failed for user (bathizte)

Check epam helper user:

$ ps aux | grep epam
jabber 23905 0.0 0.0 2124 968 ? Ss 14:02 0:00 /usr/lib/erlang/lib/ejabberd-2.1.5/priv/bin/epam

The epam process cannot access unix_chkpwd, which is suid'ed. It has to be launched as root. I have a limited comprehension of ejabberd processes, erlang nodes etc., so for now I hacked /usr/sbin/ejabberdctl to change INSTALL_USER to root. And that's it.

My guesses:
- the ebuild doesn't fix epam's right *ownership*
- the epam helper then runs as jabber user, so it cannot use unix_chkpwd

Thank you for the report. Fixed in ejabberd-2.1.5-r3.
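
The ownership problem diagnosed in this thread can be checked mechanically. The script below is an added example, not code from the thread or from the ebuild: it audits an `ls -l` line for the epam helper against the manual's `root:<service group>` ownership. The function name `check_epam_listing`, the two constructed sample lines, and the rule that others get no access to the helper are assumptions made for the example.

```shell
#!/bin/sh
# Audit one `ls -l` line for the epam PAM helper.
# Returns the number of problems found (0 = ownership and mode look right).
# check_epam_listing is a hypothetical helper name.
check_epam_listing() {
    want_group=$2
    problems=0
    # Split the listing into its leading fields: mode, links, owner, group.
    read -r mode _links owner group _rest <<EOF
$1
EOF
    # The helper needs root's identity, so it must be setuid and root-owned.
    case $mode in
        -??s*) ;;
        *) echo "setuid bit missing (or owner cannot execute): $mode"
           problems=$((problems + 1)) ;;
    esac
    if [ "$owner" != root ]; then
        echo "owner is '$owner', setuid would switch to that user, not root"
        problems=$((problems + 1))
    fi
    # Only the ejabberd service group should be able to run it.
    if [ "$group" != "$want_group" ]; then
        echo "group is '$group', expected '$want_group'"
        problems=$((problems + 1))
    fi
    # Assumption: group may execute, others get no access at all.
    case $mode in
        -?????x---*) ;;
        *) echo "group cannot execute or others have access: $mode"
           problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Listing quoted in the thread (after re-emerging ejabberd).
FROM_THREAD='-rws--x--- 1 jabber root 42408 18 nov. 13:54 /usr/lib/erlang/lib/ejabberd-2.1.5/priv/bin/epam*'
# Constructed samples: correct ownership, and ownership right but setuid lost.
FIXED='-rws--x--- 1 root jabber 42408 18 nov. 14:00 /usr/lib/erlang/lib/ejabberd-2.1.5/priv/bin/epam*'
NO_SUID='-rwx--x--- 1 root jabber 42408 18 nov. 14:00 /usr/lib/erlang/lib/ejabberd-2.1.5/priv/bin/epam*'

for sample in "$FROM_THREAD" "$FIXED" "$NO_SUID"; do
    check_epam_listing "$sample" jabber && echo "ok" || echo "=> $? problem(s)"
done
```

On Linux, `chown` clears the setuid bit on an executable, so re-check the mode after changing ownership.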