[hylafax-users] FaxAdmin and hfaxd.conf


Joe Kissner

Oct 15, 2008, 7:58:47 AM
to hylafa...@hylafax.org
We have been investigating some LDAP issues over the last few days, and one thing that has been happening is my fax server is constantly trying to resolve "FaxAdmin" through LDAP. Now, after extensive searching and research, I cannot find where this is originating. The best lead I have is that "faxadmin" is located in the hfaxd.conf file, but it is commented out. Does anyone have any idea how I can go about checking to see where this is originating? I think it's coming from faxgetty, but I can't be sure and have no idea how to check and see what exactly it does. I am running Hylafax 4.0.3 on Fedora Core 6 with AvantFax 3.3 front end.

Aidan Van Dyk

Oct 15, 2008, 9:46:32 AM
to Joe Kissner, hylafa...@hylafax.org
* Joe Kissner <jkis...@totalcardinc.com> [081015 07:58]:

HylaFAX itself doesn't know anything about LDAP. But it is PAM aware,
which means that PAM can be doing LDAP on its behalf.

The only "PAM aware" part of HylaFAX is hfaxd. And it simply requests
PAM to authenticate whatever user the client gives to it. Turning up
hfaxd logging should show you what's trying to log in as "faxadmin".

But faxgetty surely doesn't use PAM directly... So unless you've got NSS
set up to do LDAP on standard getpwnam/getpwuid, it's *not* faxgetty.

a.
--
Aidan Van Dyk ai...@ifax.com
Senior Software Developer +1 215 825-8700 x8103
iFAX Solutions, Inc. http://www.ifax.com/


Joe Kissner

Oct 15, 2008, 3:09:54 PM
to Aidan Van Dyk, hylafa...@hylafax.org
May not be the brightest of questions, but how do I enable logging?

Aidan Van Dyk

Oct 15, 2008, 3:14:42 PM
to Joe Kissner, hylafa...@hylafax.org
In hfaxd.conf, set ServerTracing to an appropriate value. See the
hfaxd man page for a description... 0xFFFFFF is an over-the-top
setting which will make it log everything.

All its logs go to syslog (see LogFacility in the same man page), and
should appear wherever syslog is saving them.

2008/10/15 Joe Kissner <jkis...@totalcardinc.com>:


> May not be the brightest of questions, but how do I enable logging?
>

--

Aidan Van Dyk ai...@ifax.com
Senior Software Developer +1 215 825-8700 x8103
iFAX Solutions, Inc. http://www.ifax.com/


Joe Kissner

Oct 16, 2008, 9:00:37 AM
to Aidan Van Dyk, hylafa...@hylafax.org
OK, more info on this one. I have traced it back and the request is coming from AvantFax: when AvantFAX calls faxstat, faxalter, faxrm, sendfax, and friends, it causes this to happen. As best as I can tell, hylafax just sees this as apache making the request but for some reason dumps the request off through PAM as faxadmin, which we do use to authenticate on log in. My question is: Is there a way to stop Hylafax from using PAM, if nothing else just to see if the AvantFax crew is correct or way off? I have tried adding the "faxadmin" user but that didn't make one bit of difference.

Aidan Van Dyk

Oct 16, 2008, 9:22:29 AM
to Joe Kissner, hylafa...@hylafax.org
Sorry, should have sent this to -users list too.

2008/10/16 Aidan Van Dyk <ai...@ifax.com>:
> 2008/10/16 Joe Kissner <jkis...@totalcardinc.com>:


>> Ok more info on this one. I have traced it back and the request is coming
>> from AvantFax when AvantFAX calls faxstat, faxalter, faxrm, sendfax, and
>> friends it causes this to happen. As best as I can tell hylafax just sees
>> this as apache making the request but for some reason dumps the request off
>> through PAM as faxadmin. Which we do use to authenticate on log in. My
>> question is: Is there a way to stop Hylafax from using PAM if nothing else
>> just to see if the AvantFax crew is correct or way off. I have tried adding
>> the "faxadmin" user but that didn't make one bit of difference.
>

> If HylaFAX is compiled with PAM, it *will* use PAM (but only if no local
> hosts.hfaxd record matches). But it looks like it's not HylaFAX
> that's causing *this* LDAP query, but your base OS setup. "faxadmin"
> is the default value of "AdminGroup". hfaxd does a "getgrnam()" call
> on that too, and I'm guessing you've got your NSS set up to do LDAP
> queries automatically on users/groups.

Joe Kissner

Oct 16, 2008, 12:35:16 PM
to Aidan Van Dyk, hylafa...@hylafax.org
With your info I did some more experimenting. I first added FaxAdmin to the hosts.hfaxd, but I have no idea what it may be trying to use for a password or if it should even have one for that matter. This made no difference. I then tried to modify the hfaxd.conf file and change the "#AdminGroup: FaxAdmin # which user group is admin (when using PAM)". I can un-comment this and change the UID to anything and it does pass it through; this is what my LDAP server is picking up. I then checked and did a "ldd" on hfaxd and it is compiled for PAM. From here I took the liberty of creating a hylafax file in etc/pam.d/ following the hylafax handbook. No matter what I added to this file, it made no difference to hfaxd or PAM. It all acted the same, no change. Not sure if there was something else needing configuring, but this is all the Hylafax Manual covered. Now I have undone all my changes and I am wondering how do I just block hfaxd from using PAM. Do I have to recompile without PAM or is there an easier way of blocking a service from using PAM?

Lee Howard

Oct 26, 2008, 10:03:48 PM
to Joe Kissner, hylafa...@hylafax.org
Joe Kissner wrote:
> I am wondering how do I just block hfaxd from using PAM. Do I have to
> recompile without PAM or is there an easier way of blocking a service
> from using PAM?

As far as I'm aware it is a compiled-in feature. There is no runtime
configuration option to disable it.

./configure --with-DISABLE_PAM=yes

Thanks,

Lee.

Aidan Van Dyk

Oct 27, 2008, 9:33:06 AM
to Lee Howard, Joe Kissner, hylafa...@hylafax.org
* Lee Howard <fax...@howardsilvan.com> [081026 22:04]:

> Joe Kissner wrote:
> >I am wondering how do I just block hfaxd from using PAM. Do I have to
> >recompile without PAM or is there an easier way of blocking a service
> >from using PAM?
>
> As far as I'm aware it is a compiled-in feature. There is no runtime
> configuration option to disable it.
>
> ./configure --with-DISABLE_PAM=yes

It's *not* going to fix his problem. As I said before, "faxadmin" is
the *group* that hfaxd does a getgrnam() call on for checking if the
group has a list of users that should be given admin access. It (hfaxd)
does not do *anything* related to PAM or LDAP (via PAM) with that.
That's completely his "operating system" (i.e. glibc/NSS) doing that.

He can either:
1) Disable AdminGroup by forcing it to nothing in hfaxd.conf:
     AdminGroup: ""

2) Fix his NSS to not do ldap queries on groups if he doesn't want LDAP
queries on groups.

a.
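
An added example, not part of the thread and not HylaFAX code: a sketch of the source ordering glibc's NSS applies to the getgrnam() lookup described above, showing why a group name missing from /etc/group falls through to LDAP when the `group` line lists it. The sample nsswitch.conf and group file are constructed, `nss_sources` and `lookup_path` are hypothetical helper names, and only the `[NOTFOUND=return]` action is modelled.

```python
import re

# Constructed sample inputs, not taken from the poster's server.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf
passwd: files ldap
group:  files ldap
"""
SAMPLE_GROUP = "root:x:0:\nuucp:x:14:uucp\n"


def nss_sources(nsswitch_text, database):
    """Parse one nsswitch.conf database line into [(source, [ACTIONS])]."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith(database + ":"):
            continue
        sources = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", line.split(":", 1)[1]):
            if tok.startswith("["):
                if sources:  # an action list applies to the preceding source
                    sources[-1][1].extend(tok.strip("[]").upper().split())
            else:
                sources.append((tok, []))
        return sources
    return []


def lookup_path(nsswitch_text, group_text, name):
    """Sources a getgrnam(name) call would consult, in order."""
    local = {l.split(":", 1)[0] for l in group_text.splitlines() if l.strip()}
    consulted = []
    for source, actions in nss_sources(nsswitch_text, "group"):
        consulted.append(source)
        # Assumption: only "files" can be answered offline; every other
        # source is treated as "not found" so the walk continues.
        found = source == "files" and name in local
        if found or "NOTFOUND=RETURN" in actions:
            break
    return consulted


if __name__ == "__main__":
    for group in ("faxadmin", "uucp"):
        print(group, "->", lookup_path(SAMPLE_NSSWITCH, SAMPLE_GROUP, group))
```

On a live system, `getent group faxadmin` performs the same lookup through the real NSS configuration.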
