# [SOLVED] Upgraded to ejabberd 16.04, getting auth failures

## Pasketti

ejabberd upgraded this morning from version 2.1.13-r2 to 16.04.

As part of this, I had to convert the config file to yml format using the included conversion program.

It starts up fine, but Pidgin is now unable to authenticate any users.

The error in the log is:

```
2016-08-25 10:43:37.164 [info] <0.504.0>@ejabberd_c2s:wait_for_feature_request:782 ({socket_state,fast_tls,{tlssock,#Port<0.22028>,#Port<0.22029>},<0.503.0>}) Failed authentication for me@mydomain.org from 192.168.1.3
```

I went through the new config file comparing it to the old one, but nothing stood out.

I suspect something is all wonky with pam, but the pam module hasn't changed.  I tried both the new xmpp pam module, and the old ejabberd module.

I tried to reinstall the old version, but it's not available in the portage tree anymore.

I'm probably doing something stupid and am hoping that someone can whack me over the head and tell me what I'm doing wrong.

Here's my ejabberd.yml:

```
hosts:
  - "mydomain.org"
access:
  announce:
    admin: allow
  c2s:
    blocked: deny
    all: allow
  c2s_shaper:
    admin: none
    all: normal
  configure:
    admin: allow
  local:
    local: allow
  max_user_offline_messages:
    admin: 5000
    all: 100
  max_user_sessions:
    all: 10
  mod_register_networks:
    ip_127.0.0.0/8: allow
    ip_0.0.0.0/0: deny
  muc:
    all: allow
  muc_admin:
    admin: allow
  muc_create:
    local: allow
  pubsub_createnode:
    local: allow
  register:
    all: allow
  s2s_shaper:
    all: fast
acl:
  admin:
    user:
      -
        "me": "mydomain.org"
  ip_0.0.0.0/0:
    ip:
      - "0.0.0.0/0"
  ip_127.0.0.0/8:
    ip:
      - "127.0.0.0/8"
  local:
    user_regexp:
      - ""
auth_method:
#  - internal
  - pam
pam_service: "ejabberd"
#pam_service: "xmpp"
language: "en"
listen:
  -
    port: 5222
    module: ejabberd_c2s
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
    starttls: true
    certfile: "/etc/ssl/ejabberd/jabbercert.pem"
  -
    port: 5269
    module: ejabberd_s2s_in
    max_stanza_size: 131072
    shaper: s2s_shaper
  -
    port: 5280
    module: ejabberd_http
    web_admin: true
    http_poll: true
    http_bind: true
loglevel: 4
max_fsm_queue: 1000
modules:
  mod_register:
    ip_access: mod_register_networks
    welcome_message:
      subject: "Welcome!"
      body: "Hi.
Welcome to the mydomain.org IM server."
    access: register
  mod_adhoc: []
  mod_announce:
    access: announce
  mod_blocking: []
  mod_caps: []
  mod_configure: []
  mod_disco: []
  mod_http_bind: []
  mod_last: []
  mod_muc:
    access: muc
    access_create: muc_create
    access_persistent: muc_create
    access_admin: muc_admin
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: []
  mod_privacy: []
  mod_private: []
  mod_roster: []
  mod_shared_roster: []
  mod_stats: []
  mod_time: []
  mod_vcard: []
  mod_version: []
shaper:
  normal: 1000
  fast: 50000
```

Last edited by Pasketti on Sat Aug 27, 2016 1:02 am; edited 1 time in total

----------

## Pasketti

More info.  Pam is working, but I think ejabberd isn't calling it correctly.  Specifically, the epam helper program isn't calling it correctly.

I put pam_warn.so in the xmpp pam service file, like so:

```
# File autogenerated by pamd_mimic in pam eclass
auth    required        pam_warn.so
auth    include         system-auth
account include         system-auth
```

I used the pamtester program (from here: http://pamtester.sourceforge.net/) to test the pam authentication using the xmpp service:

```
pamtester -I ruser=me xmpp me authenticate
Password:
pamtester: successfully authenticated
```

When I do that, this shows up in syslog:

```
Aug 26 10:36:29 hostname pamtester: pam_warn(xmpp:auth): function=[pam_sm_authenticate] flags=0 service=[xmpp] terminal=[<unknown>] user=[me] ruser=[me] rhost=[<unknown>]
```

That all looks OK.  But then when I try to log in using pidgin, this shows up in syslog:

```
Aug 26 10:39:20 hostname epam: pam_warn(xmpp:auth): function=[pam_sm_authenticate] flags=0 service=[xmpp] terminal=[<unknown>] user=[me] ruser=[me] rhost=[<unknown>]
Aug 26 10:39:20 hostname unix_chkpwd[11274]: check pass; user unknown
Aug 26 10:39:20 hostname unix_chkpwd[11275]: check pass; user unknown
Aug 26 10:39:20 hostname unix_chkpwd[11275]: password check failed for user (me)
Aug 26 10:39:20 hostname epam: pam_unix(xmpp:auth): authentication failure; logname= uid=103 euid=103 tty= ruser=me rhost=  user=me
```

ejabberd invokes epam, which then invokes the pam_unix service to authenticate.  pam_unix uses unix_chkpwd to actually check the password, and that's failing.

For completeness, here is what happens when I give pamtester a bad password:

```
Aug 26 10:41:08 hostname pamtester: pam_warn(xmpp:auth): function=[pam_sm_authenticate] flags=0 service=[xmpp] terminal=[<unknown>] user=[me] ruser=[me] rhost=[<unknown>]
Aug 26 10:41:11 hostname pamtester: pam_unix(xmpp:auth): authentication failure; logname=me uid=0 euid=0 tty= ruser=me rhost=  user=me
```

And here is what happens when I give pamtester a bad user name:

```
Aug 26 10:43:43 hostname pamtester: pam_warn(xmpp:auth): function=[pam_sm_authenticate] flags=0 service=[xmpp] terminal=[<unknown>] user=[badname] ruser=[badname] rhost=[<unknown>]
Aug 26 10:43:45 hostname pamtester: pam_unix(xmpp:auth): check pass; user unknown
Aug 26 10:43:45 hostname pamtester: pam_unix(xmpp:auth): authentication failure; logname=me uid=0 euid=0 tty= ruser=badname rhost=
```

Any ideas?

----------
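Added example (not part of the original posts): the tell in the syslog excerpts above is the uid/euid pair, since the failing epam call runs as uid 103 and is preceded by unix_chkpwd lines, while pamtester runs as uid 0. The sketch below classifies pam_unix failures on that basis; the cause labels and the rule that a missing `user=` field means an unknown account are assumptions drawn only from the samples in this thread.

```python
import re

# Syslog lines copied from the thread above.
SAMPLE = """\
Aug 26 10:39:20 hostname unix_chkpwd[11274]: check pass; user unknown
Aug 26 10:39:20 hostname unix_chkpwd[11275]: password check failed for user (me)
Aug 26 10:39:20 hostname epam: pam_unix(xmpp:auth): authentication failure; logname= uid=103 euid=103 tty= ruser=me rhost=  user=me
Aug 26 10:41:11 hostname pamtester: pam_unix(xmpp:auth): authentication failure; logname=me uid=0 euid=0 tty= ruser=me rhost=  user=me
Aug 26 10:43:45 hostname pamtester: pam_unix(xmpp:auth): check pass; user unknown
Aug 26 10:43:45 hostname pamtester: pam_unix(xmpp:auth): authentication failure; logname=me uid=0 euid=0 tty= ruser=badname rhost=
"""

FAILURE = re.compile(r"(?P<proc>[\w.-]+)(?:\[\d+\])?: pam_unix\((?P<service>[^:)]+):auth\): "
                     r"authentication failure; (?P<fields>.*)$")
HELPER = re.compile(r"\bunix_chkpwd\[\d+\]: ")


def parse_fields(text):
    """Split 'logname= uid=103 ...' into a dict; empty values stay ''."""
    return {k: v for k, v in re.findall(r"(\w+)=(\S*)", text)}


def triage(log_text):
    """Classify each pam_unix auth failure (heuristic based on the thread's samples)."""
    findings, helper_lines = [], 0
    for line in log_text.splitlines():
        if HELPER.search(line):
            helper_lines += 1          # pam_unix delegated to the setuid helper
            continue
        m = FAILURE.search(line)
        if not m:
            continue
        f = parse_fields(m.group("fields"))
        if f.get("euid") != "0":
            cause = "caller-not-root"   # the PAM client itself lacks privilege
        elif "user" not in f:
            cause = "unknown-account"   # no user= field, as in the bad-name sample
        else:
            cause = "bad-credentials"
        findings.append({"proc": m.group("proc"), "service": m.group("service"),
                         "euid": f.get("euid"), "helper_lines": helper_lines,
                         "cause": cause})
        helper_lines = 0
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```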

## Pasketti

Solved!

The epam program in /usr/lib64/erlang/lib/p1_pam-1.0.0/priv/bin/epam must be run as root.

This command fixed it:

```
chmod +4750 /usr/lib64/erlang/lib/p1_pam-1.0.0/priv/bin/epam
```

This should have been done at install time.  I shall submit a bug.

----------

## Pasketti

When I rebuilt everything for the profile upgrade, it reinstalled jabber, and auth stopped working again.

This time, it was /usr/lib64/erlang/lib/epam-1.0.0/priv/bin/epam that needed to be run as root.

Fix:

```
chmod +4750 /usr/lib64/erlang/lib/epam-1.0.0/priv/bin/epam
/etc/init.d/ejabberd restart
```

Not sure if this helps anyone else, but I remember having this issue and posting about it, so I thought I'd update for myself if it happens again in the future.

----------
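Added example (not part of the original posts): since the helper's mode was lost again on reinstall, a check that can run after every package update is useful. GNU chmod treats `+4750` as "add these bits", so this sketch also reports any access left over for other users; the function name and the checks beyond owner and setuid are assumptions, and the two default paths are the ones named in the thread.

```python
import os
import stat
import sys

# Helper locations named in the thread; they differ by package version.
HELPER_PATHS = [
    "/usr/lib64/erlang/lib/p1_pam-1.0.0/priv/bin/epam",
    "/usr/lib64/erlang/lib/epam-1.0.0/priv/bin/epam",
]


def audit_helper(path, expected_uid=0):
    """Return a list of problems for a setuid PAM helper; [] means it looks right."""
    try:
        st = os.lstat(path)            # lstat: a symlink is reported, not followed
    except FileNotFoundError:
        return ["missing"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"owner uid is {st.st_uid}, expected {expected_uid}")
    if not mode & stat.S_ISUID:
        problems.append("setuid bit not set")      # the failure seen in the thread
    if not mode & stat.S_IXGRP:
        problems.append("group cannot execute")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IRWXO:
        problems.append("accessible to other users")
    return problems


def main(paths):
    status = 0
    for path in paths:
        problems = audit_helper(path)
        if problems == ["missing"]:    # only one of the versioned paths exists
            continue
        print(f"{path}: {'ok' if not problems else '; '.join(problems)}")
        status |= bool(problems)
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:] or HELPER_PATHS))
```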

