Created attachment 65225 [details]
strace of sasldblistusers

The /etc/sasldb which can't be read was created on RH 7.3.  From the trace, it
looks like perhaps the db format has changed:

2826  open("/etc/sasldb", O_RDONLY|O_LARGEFILE) = 3
2826  fstat64(3, {st_mode=S_IFREG|0600, st_size=12645, ...}) = 0
2826  flock(3, LOCK_SH|LOCK_NB)         = 0
2826  read(3, "\316\232W\23\0\20\0\0\0\20\0\0\0\20\0\0\n\0\0\0\0\20\0"..., 68) =
 68
2826  read(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 4028)
 = 4028
2826  _llseek(3, 17592186048512, 0xbffff440, SEEK_SET) = -1 EINVAL (Invalid argu
ment)


If so, something needs to be provided to convert old sasldb files to the new
format, or SASL users will not be able to upgrade from RHL 7.x (SASL 1.5) to RHL
8 (SASL 2)

On a RHL 7.3 box, this password db can be read just fine:

[kaboom@hanuman kaboom]$ sudo /usr/sbin/sasldblistusers 
user: kaboom-sasl realm: mail.oobleck.net mech: PLAIN
user: kaboom-sasl realm: mail.oobleck.net mech: DIGEST-MD5
user: kaboom-sasl realm: mail.oobleck.net mech: CRAM-MD5
[kaboom@hanuman kaboom]$ 

I've renamed this because the problems not just with sasldblistusers.  I just
hit a problem with postfix choking (Bug 68800) because it couldn't read a sasldb
file from RH 7.3

According to the SASL documentation (see
/usr/share/doc/cyrus-sasl-2.1.5/upgrading.html)

"If   you   are  using  /etc/sasldb  for  any  authentication,  run
utils/dbconverter-2 after installation."

dbconverter-2 is not included in the SASL packages, and the need to use it is
not documented in the RELEASE_NOTES.  Both of these have to be fixed, since they
are a change in backwards compatibility with prior releases.

Fixed in gdbm-1.8.0-18

Reopening this -- dbconverter2 is still missing.

Because dbconverter2 is missing, I can't switch from sasldb to sasldb2 (which
applications written for SASL2 require instead of sasldb)

Fixed component -- switching back to cyrus-sasl, since its what's missing utils

Added dbconverter-2 to 2.1.7-2, along with note in bundled README.RPM.

Kaboom, are the new packages working for you now?

I'll check tonight and see.  It should though -- I think the conversion utility
was the only thing I noticed missing for upgrading.

If anyone's handy with SASL experience, you might want to have them check as
well.  So far I've had zero luck getting the SASL2 / Postfix combo working using
sasldb2, even when I try from scratch (rather than upgrading)....  I'm not sure
if the problem is me, or SASL2, or the patch put into Postfix in 68800.

I have, in the past, gotten SASL2 / Postfix working using the patch in 68800,
but authenticating using saslauthd and system accounts, not sasldb2.  It'd be
helpful if someone could test, say, sendmail with sasldb2 and see if it's
generic, or at least specific to either Postfix or my stupidity ;-)

Also, someone *SERIOUSLY* needs to write up some documentation for RELEASE_NOTES
about all the changes between SASL1 and SASL2:

* configs in /usr/lib/sasl2 (not /usr/lib/sasl)
* different config file contents
* saslauthd

FWIW, I fixed it to work with the attached database early in this report.

teg, you fixed sasldblistusers so it would read the attached file.  That's part
of the problem.

The rest of the problem is that there are two interfaces, SASL1 and SASL2. 
Software using SASL1 can read /etc/sasldb.
Software using SASL2 can read /etc/sasldb2.
They have different structures, etc....  Even if sasldblistusers can now read
old /etc/sasldb, you still have to run dbconverter2 to convert it to
/etc/sasldb2 (and then migrate configs from /usr/lib/sasl/ to /usr/lib/sasl2)

Alright, I spent a lot of quality time last night with a debugger and got
Postfix / SASL / sasldb all straightened out.  Here's the basic situation, at
least regarding Postfix.

* null uses SASL-2.1 rpms which actually provide both SASL1 and SASL2 interfaces
* Postfix in null is actually compiled only to use the SASL1 interface

All this time, I'd been trying to get SASL2 going with it, and it wasn't working
because the Postfix RPM in null just doesn't do SASL2 correctly.  That's a
different bug, though, assuming its a bug at all (probably a re-open of Bug
68800 if so).

So, the question now is if:

1. any software in null actually uses the SASL2 interface?
2. or if everything should be using SASL2, and Postfix using SASL1 is a bug?
3. or if it all uses the SASL1 interface like Postfix does?

If it's 3, this bug is closed, though it's probably worth mentioning in the
/usr/share/doc/sasl-2* docs to avoid other people getting confused like me and
actually expecting the SASL clients to be using SASL2 interfaces.....

If it's 1 or 2, then the major subject of this bug (need for dbconverter2,
correct gdbm versions) is working, but documentation is needed in RELEASE_NOTES
about all the differences between SASL1 and SASL2.

Also, what's the policy regarding SASL1 vs SASL2?  Should Postfix be doing SASL2
or not?  If it should, I think it's probably just going to be a matter of
tweaking the Makefile (ie, trivial fix), though now that I have Internet access
I'll have to double-check 68800 and make sure I didn't submit the wrong patch,
which could also be why that's not working....

Bug 67217 contains a patch for the postfix spec file to correct library linkages
to use SASL2.

FWIW, sendmail seems to support both SASL1 and SASL2.  I don't think that's
possible for postfix (the current code actually can do it, but upstream has
already removed SASL1 support entirely, so it's not viable long-term and will
make short-term maintenance relatively painful if bugfixes are necessary).

*shrug*  I'll shut up now before I wind up making this maze of inter-related
bugs even more complicated ;-).  I'd prefer that postfix go SASL2 personally,
but whatever the RH policy decision is is fine....  Whatever happens, though,
SASL RELEASE_NOTES documentation is needed.

Closing this -- the basic problem of missing dbconverter2 / db structure is fixed

Postfix still doesn't work w/ SASL2, but that's probably a separate bug and
there are plenty filed about it already