auth_cyrus module error initializing

[Lennon Cook]

I have Prosody set up to use Cyrus SASL for authent against PAM/shadow. This was working well until a recent Arch system upgrade (to prosody version 0.9.0-1), since then, prosody gives me this generic error on startup:
   

modulemanager: Error initializing module 'auth_cyrus' on 'localhost': /usr/lib/prosody/../../bin/prosody:169: loop or previous error loading module 'util.sasl_cyrus'

Naturally, attempting to log in doesn't work - prosody apparently drops the authent information:

Sep 09 22:15:50 riscque.net prosody[21383]: c2s20bbc10: Received[c2s_unauthed]: <iq id='purple1ca641d8' type='get'>
Sep 09 22:15:50 riscque.net prosody[21383]: stanzarouter: Stanza of type iq from c2s_unauthed has xmlns: jabber:iq:auth
Sep 09 22:15:50 riscque.net prosody[21383]: stanzarouter: Unhandled c2s_unauthed stanza: iq; xmlns=jabber:iq:auth
Sep 09 22:15:50 riscque.net prosody[21383]: c2s20bbc10: Received </stream:stream>
Sep 09 22:15:50 riscque.net prosody[21383]: c2s20bbc10: c2s stream for <27.32.65.246> closed: session closed

Is there any way to tell exactly what error auth_cyrus has? 

[Waqas Hussain]

Is that the only error in the logs? Which Lua version are you on?

Can you provide a full debug log of Prosody's startup, and your config?

--
Waqas Hussain

[Lennon Cook]

On Wednesday, 11 September 2013 01:42:32 UTC+10, Waqas wrote:

Is that the only error in the logs? Which Lua version are you on?

Can you provide a full debug log of Prosody's startup, and your config?

 Lua 5.2.2

Prosody startup log:

Sep 11 12:08:18 riscque.net systemd[1]: Starting XMPP (Jabber) Server...
Sep 11 12:08:18 riscque.net prosody[2917]: mod_posix: Prosody is about to detach from the console, disabling further console output
Sep 11 12:08:18 riscque.net prosody[2919]: mod_posix: Successfully daemonized to PID 2919
Sep 11 12:08:18 riscque.net prosody[2919]: hostmanager: Activated host: localhost
Sep 11 12:08:18 riscque.net prosody[2919]: modulemanager: Error initializing module 'auth_cyrus' on 'localhost': /usr/lib/prosody/../../bin/prosody:169: loop or previous error loading module 'util.sasl_cyrus'
Sep 11 12:08:18 riscque.net prosodyctl[2916]: Started
Sep 11 12:08:18 riscque.net systemd[1]: Started XMPP (Jabber) Server.

/etc/prosody/prosody.cfg.lua :

-- Prosody Example Configuration File
--
-- Information on configuring Prosody can be found on our
-- website at http://prosody.im/doc/configure
--
-- Tip: You can check that the syntax of this file is correct
-- when you have finished by running: luac -p prosody.cfg.lua
-- If there are any errors, it will let you know what and where
-- they are, otherwise it will keep quiet.
--
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
-- blanks. Good luck, and happy Jabbering!


---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts

-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see http://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "us...@example.com", "us...@example.net" }
admins = { }
daemonize = true
pidfile = "/var/run/prosody/prosody.pid"

-- Enable use of libevent for better performance under high load
-- For more information see: http://prosody.im/doc/libevent
--use_libevent = true;

-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation on modules can be found at: http://prosody.im/doc/modules
modules_enabled = {

    -- Generally required
        "roster"; -- Allow users to have a roster. Recommended ;)
        "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
        "tls"; -- Add support for secure TLS on c2s/s2s connections
        "dialback"; -- s2s dialback support
        "disco"; -- Service discovery

    -- Not essential, but recommended
        "private"; -- Private XML storage (for room bookmarks, etc.)
        "vcard"; -- Allow users to set vCards
        --"privacy"; -- Support privacy lists
        --"compression"; -- Stream compression

    -- Nice to have
        -- "legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
        "version"; -- Replies to server version requests
        "uptime"; -- Report how long server has been running
        "time"; -- Let others know the time here on this server
        "ping"; -- Replies to XMPP pings with pongs
        "pep"; -- Enables users to publish their mood, activity, playing music and more
        "register"; -- Allow users to register on this server using a client and change passwords
        "adhoc"; -- Support for "ad-hoc commands" that can be executed with an XMPP client

    -- Admin interfaces
        "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
        --"admin_telnet"; -- Opens telnet console interface on localhost port 5582

    -- Other specific functionality
        "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
        --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
        --"httpserver"; -- Serve static files from a directory over HTTP
        --"groups"; -- Shared roster support
        --"announce"; -- Send announcement to all online users
        --"welcome"; -- Welcome users who register accounts
        --"watchregistrations"; -- Alert admins of registrations
        --"motd"; -- Send a message to users when they log in
    -- Unbreak the protocol
               "carbons";
               "archive";
};

-- These modules are auto-loaded, should you
-- (for some mad reason) want to disable
-- them then uncomment them below
modules_disabled = {
    -- "presence"; -- Route user/contact status information
    -- "message"; -- Route messages
    -- "iq"; -- Route info queries
    -- "offline"; -- Store offline messages
};

-- Disable account creation by default, for security
-- For more information see http://prosody.im/doc/creating_accounts
allow_registration = false;

-- These are the SSL/TLS-related settings. If you don't want
-- to use SSL/TLS, you may comment or remove this
ssl = {
    key = "/srv/riscque.net.key";
    certificate = "/srv/riscque.net.crt";
}

-- Only allow encrypted streams? Encryption is already used when
-- available. These options will cause Prosody to deny connections that
-- are not encrypted. Note that some servers do not support s2s
-- encryption or have it disabled, including gmail.com and Google Apps
-- domains.

--c2s_require_encryption = false
--s2s_require_encryption = false

-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
-- To allow Prosody to offer secure authentication mechanisms to clients, the
-- default provider stores passwords in plaintext. If you do not trust your
-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
-- for information about using the hashed backend.

authentication = "cyrus"

-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See http://prosody.im/doc/storage for more info.

--storage = "sql" -- Default is "internal"

-- For the "sql" backend, you can uncomment *one* of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }

-- Logging configuration
-- For advanced logging see http://prosody.im/doc/logging
log = {
    -- info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
    -- error = "/var/log/prosody/prosody.err";
    "*syslog"; -- Uncomment this for logging to syslog
    -- "*console"; -- Log to the console, useful for debugging with daemonize=false
}

----------- Virtual hosts -----------
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
-- Settings under each VirtualHost entry apply *only* to that host.

VirtualHost "localhost"
VirtualHost "riscque.net"

VirtualHost "example.com"
    enabled = false -- Remove this line to enable this host

    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/example.com.key";
        certificate = "/etc/prosody/certs/example.com.crt";
    }

------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
-- For more information on components, see http://prosody.im/doc/components

---Set up a MUC (multi-user chat) room server on conference.example.com:
--Component "conference.example.com" "muc"

-- Set up a SOCKS5 bytestream proxy for server-proxied file transfers:
--Component "proxy.example.com" "proxy65"

---Set up an external component (default component port is 5347)
--
-- External components allow adding various services, such as gateways/
-- transports to other networks like ICQ, MSN and Yahoo. For more info
-- see: http://prosody.im/doc/components#adding_an_external_component
--
--Component "gateway.example.com"
--    component_secret = "password"


In a possibly related issue, I've been attempting to work around this problem (and slightly simplify my setup) using mod_auth_pam . Changing authentication="cyrus" to authentication="pam" in the config gives me this startup:

Sep 11 12:14:35 riscque.net systemd[1]: Starting XMPP (Jabber) Server...
Sep 11 12:14:35 riscque.net prosody[2934]: mod_posix: Prosody is about to detach from the console, disabling further console output
Sep 11 12:14:35 riscque.net prosody[2936]: mod_posix: Successfully daemonized to PID 2936
Sep 11 12:14:35 riscque.net prosody[2936]: hostmanager: Activated host: localhost
Sep 11 12:14:35 riscque.net prosody[2936]: modulemanager: Error initializing module 'auth_pam' on 'localhost': /usr/lib/prosody/../../bin/prosody:164: module 'posix' not found:
Sep 11 12:14:36 riscque.net prosodyctl[2933]: Started
Sep 11 12:14:36 riscque.net systemd[1]: Started XMPP (Jabber) Server.

But LuaPosix is certainly installed, as is lua-pam - running lua mod_auth_pam.lua complains about util.sasl , and running "require 'posix'; require 'pam' " in the lua interactive console gives no error.

[Matthew Wild]

On 11 September 2013 02:21, Lennon Cook <lennonvi...@gmail.com> wrote:
> On Wednesday, 11 September 2013 01:42:32 UTC+10, Waqas wrote:
>>
>> Is that the only error in the logs? Which Lua version are you on?
>>
>> Can you provide a full debug log of Prosody's startup, and your config?
>
>
> Lua 5.2.2

Prosody requires Lua 5.1 at the moment. If you have Prosody 0.9, can
you paste the output of 'prosodyctl about'?

Lua 5.1 and 5.2 have different module paths. Could it be that you have
both installed, but 5.1 doesn't have the necessary modules?

Regards,
Matthew

[Lennon Cook]

On Thursday, 12 September 2013 08:41:38 UTC+10, Matthew Wild wrote:

On 11 September 2013 02:21, Lennon Cook <lennonvi...@gmail.com> wrote:
> On Wednesday, 11 September 2013 01:42:32 UTC+10, Waqas wrote:
>>
>> Is that the only error in the logs? Which Lua version are you on?
>>
>> Can you provide a full debug log of Prosody's startup, and your config?
>
>
>  Lua 5.2.2

Prosody requires Lua 5.1 at the moment. If you have Prosody 0.9, can
you paste the output of 'prosodyctl about'?

$ prosodyctl about
Prosody 0.9.0

# Prosody directories
Data directory:         /var/lib/prosody
Plugin directory:       /usr/lib/prosody/modules/
Config directory:       /etc/prosody
Source directory:       /usr/lib/prosody

# Lua environment
Lua version:                    Lua 5.1

Lua module search paths:
  /usr/share/lua/5.1/?.lua
  /usr/share/lua/5.1/?/init.lua
  /home/lvc/.luarocks/share/lua/5.1/?.lua
  /home/lvc/.luarocks/share/lua/5.1/?/init.lua
  /usr/lib/prosody/?.lua
  /usr/share/lua/5.1/?.lua
  /usr/share/lua/5.1/?/init.lua
  /usr/lib/lua/5.1/?.lua
  /usr/lib/lua/5.1/?/init.lua

Lua C module search paths:
  /usr/lib/lua/5.1/?.so
  /home/lvc/.luarocks/lib/lua/5.1/?.so
  /usr/lib/prosody/?.so
  /usr/lib/lua/5.1/?.so
  /usr/lib/lua/5.1/loadall.so

LuaRocks:               Installed (2.0.13)

# Lua module versions
lfs:            LuaFileSystem 1.6.2
lxp:            LuaExpat 1.2.0
pposix:         0.3.6
socket:         LuaSocket 2.0.2
ssl:            0.4.1
 

Lua 5.1 and 5.2 have different module paths. Could it be that you have
both installed, but 5.1 doesn't have the necessary modules?

Success! ... ish. I do indeed have both Lua 5.1 and Lua 5.2 installed, apparently because of dependencies not being kept up to date when packages are renamed (Arch's 'lua' is 5.2, and it has 'lua51' for 5.1 - but lua-cyrussasl depends on lua (5.2), even though it installs into the 5.1 module path. Is it possible that it could be compiled against 5.2 but installing in the 5.1 search path? This could potentially explain that error). So, I installed lua51-posix and recompiled lua-pam with LUA_VERSION=5.1 . I now get a PAM error:

 Sep 12 21:31:17 riscque.net prosody[4022]: c2s14e7ab0: Sent reply <stream:stream> to client
Sep 12 21:31:17 riscque.net prosody[4022]: [178B blob data]
Sep 12 21:31:17 riscque.net prosody[4022]: pam_unix(xmpp:auth): unrecognized option [verbose=1]
Sep 12 21:31:17 riscque.net prosody[4022]: pam_unix(xmpp:auth): conversation failed
Sep 12 21:31:17 riscque.net prosody[4022]: pam_unix(xmpp:auth): unable to obtain a password
Sep 12 21:31:17 riscque.net prosody[4022]: pam_unix(xmpp:auth): auth could not identify password for [lvc]
Sep 12 21:31:17 riscque.net prosody[4022]: riscque.net:saslauth: sasl reply: <failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><not-authorized/><text>Unab...</failure>
Sep 12 21:31:17 riscque.net prosody[4022]: c2s14e7ab0: Received </stream:stream>

Since I don't really understand PAM in the slightest, my PAM config for prosody is copied from another known-working one, plus I've turned debugging on:

$ cat /etc/pam.d/xmpp
auth    required        pam_unix.so nullok debug verbose=1
account required        pam_unix.so debug