John Siu's questions

We get a lot of event id 4735 like following:

Subject:
    Security ID:        SYSTEM
    Account Name:       xxx$
    Account Domain:     xxx
    Logon ID:       0x3E7

Group:
    Security ID:        BUILTIN\Administrators
    Group Name:     Administrators
    Group Domain:       Builtin

Changed Attributes:
    SAM Account Name:   -
    SID History:        -

Additional Information:
    Privileges:     -
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{xxx}" />
    <EventID>4735</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2023-10-13T16:56:50.930730000Z" />
    <EventRecordID>113144987</EventRecordID>
    <Correlation ActivityID="{xxx}" />
    <Execution ProcessID="840" ThreadID="10404" />
    <Channel>Security</Channel>
    <Computer>xxx</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-xxx</Data>
    <Data Name="SubjectUserSid">S-xxx</Data>
    <Data Name="SubjectUserName">xxx$</Data>
    <Data Name="SubjectDomainName">xxx</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="PrivilegeList">-</Data>
    <Data Name="SamAccountName">-</Data>
    <Data Name="SidHistory">-</Data>
  </EventData>
</Event>

According to doc, "This event is logged on domain controllers for Active Directory domain local groups to change the Security Local group identified in Group." However, it does not seems contain information about what was changed. "PrivilegeList", "SamAccountName", "SidHistory" are all "-"

We are seeing this in both DC and member servers.

Anyone has clue?

PS(SOLVED: Solution for Alpine Linux as of Mar 2021, the fix in cyrus-sasl 2.1.27-r12 is in edge branch. 3.13 only has cyrus-sasl 2.1.27-r10.

PS: I know there are similar posts but they are very dated like 2015. My issue is 2021 and was working last year.

I use postfix with sasldb2 inside alpine:edge docker container. But recently(Jan 2021) I discovered it stop working. Situation is strange because the same /etc/sasl2/sasldb2 file work with saslauthd, but not if I use auxprop setup.

Use sasldb2(not working)

/etc/sasl2/smtpd.conf

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN

Postfix log:

Jan 17 07:46:07 johnsiu postfix/smtpd[108]: connect from mail-ej1-x635.google.com[2a00:1450:4864:20::635]
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: warning: SASL authentication failure: Couldn't fetch entry from /etc/sasl2/sasldb2
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: warning: SASL authentication failure: Password verification failed
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: warning: mail-ej1-x635.google.com[2a00:1450:4864:20::635]: SASL PLAIN authentication failed: generic failure
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: lost connection after AUTH from mail-ej1-x635.google.com[2a00:1450:4864:20::635]
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: disconnect from mail-ej1-x635.google.com[2a00:1450:4864:20::635] ehlo=2 starttls=1 auth=0/1 commands=3/4

Use saslauthd(working)

/etc/sasl2/smtpd.conf    
pwcheck_method: saslauthd
mech_list: PLAIN

Run saslauthd mannually:

saslauthd -a sasldb -d

Output:

saslauthd[125] :num_procs : 5
saslauthd[125] :mech_option: NULL
saslauthd[125] :run_path : /run/saslauthd
saslauthd[125] :auth_mech : sasldb
saslauthd[125] :using accept lock file: /run/saslauthd/mux.accept
saslauthd[125] :master pid is: 0
saslauthd[125] :listening on socket: /run/saslauthd/mux
saslauthd[125] :using process model
saslauthd[125] :forked child: 126
saslauthd[125] :forked child: 127
saslauthd[125] :forked child: 128
saslauthd[125] :forked child: 129
saslauthd[125] :acquired accept lock

saslauthd[125] :released accept lock
saslauthd[129] :acquired accept lock
saslauthd[125] :auth success: [user=test] [service=smtp] [realm=example.org] [mech=sasldb]
saslauthd[125] :response: OK

Postfix log:

Jan 17 07:48:41 johnsiu postfix/smtpd[120]: connect from mail-ej1-x631.google.com[2a00:1450:4864:20::631]
Jan 17 07:48:42 johnsiu postfix/smtpd[120]: disconnect from mail-ej1-x631.google.com[2a00:1450:4864:20::631] ehlo=2 starttls=1 auth=1 quit=1 commands=5

OS Version

# cat /etc/os-release

NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.13.0_alpha20201218
PRETTY_NAME="Alpine Linux edge"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"

Installed Packages

apk list -I|sort

WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/edge/main: No such file or directory
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/edge/community: No such file or directory
alpine-baselayout-3.2.0-r8 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
alpine-keys-2.2-r0 x86_64 {alpine-keys} (MIT) [installed]
apk-tools-2.12.0-r3 x86_64 {apk-tools} (GPL-2.0-only) [installed]
busybox-1.32.0-r8 x86_64 {busybox} (GPL-2.0-only) [installed]
ca-certificates-20191127-r5 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
ca-certificates-bundle-20191127-r5 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
cyrus-sasl-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-crammd5-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-digestmd5-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-gs2-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-gssapiv2-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-login-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-ntlm-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-scram-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
gdbm-1.19-r0 x86_64 {gdbm} (GPL-3.0-or-later) [installed]
heimdal-libs-7.7.0-r4 x86_64 {heimdal} (BSD-3-Clause) [installed]
icu-libs-67.1-r2 x86_64 {icu} (MIT ICU Unicode-TOU) [installed]
krb5-conf-1.0-r2 x86_64 {krb5-conf} (MIT) [installed]
libc-utils-0.7.2-r3 x86_64 {libc-dev} (BSD-2-Clause AND BSD-3-Clause) [installed]
libcom_err-1.45.6-r1 x86_64 {e2fsprogs} (GPL-2.0-or-later AND LGPL-2.0-or-later AND BSD-3-Clause AND MIT) [installed]
libcrypto1.1-1.1.1i-r0 x86_64 {openssl} (OpenSSL) [installed]
libgcc-10.2.1_pre1-r3 x86_64 {gcc} (GPL-2.0-or-later LGPL-2.1-or-later) [installed]
libsasl-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
libssl1.1-1.1.1i-r0 x86_64 {openssl} (OpenSSL) [installed]
libstdc++-10.2.1_pre1-r3 x86_64 {gcc} (GPL-2.0-or-later LGPL-2.1-or-later) [installed]
libtls-standalone-2.9.1-r1 x86_64 {libtls-standalone} (ISC) [installed]
lmdb-0.9.27-r0 x86_64 {lmdb} (OLDAP-2.8) [installed]
musl-1.2.2_pre6-r0 x86_64 {musl} (MIT) [installed]
musl-utils-1.2.2_pre6-r0 x86_64 {musl} (MIT BSD GPL2+) [installed]
ncurses-libs-6.2_p20210109-r0 x86_64 {ncurses} (MIT) [installed]
ncurses-terminfo-base-6.2_p20210109-r0 x86_64 {ncurses} (MIT) [installed]
postfix-3.5.8-r0 x86_64 {postfix} (IPL-1.0 EPL-2.0) [installed]
readline-8.1.0-r0 x86_64 {readline} (GPL-2.0-or-later) [installed]
scanelf-1.2.6-r1 x86_64 {pax-utils} (GPL-2.0-only) [installed]
sqlite-libs-3.34.0-r1 x86_64 {sqlite} (Public-Domain) [installed]
ssl_client-1.32.0-r8 x86_64 {busybox} (GPL-2.0-only) [installed]
tzdata-2020f-r0 x86_64 {tzdata} (Public-Domain) [installed]
zlib-1.2.11-r3 x86_64 {zlib} (Zlib) [installed]

I am not sure if this is alpine distro issue, a postfix issue or a cyrus-sasl issue.

My docker container: https://hub.docker.com/repository/docker/jsiu/postfix

Issue still exit after updating to postfix 3.5.9-r0.

testsaslauthd result:

/ # ls -lh /run/saslauthd/
total 4K
srwxrwxrwx    1 root     root           0 Feb 18 02:36 mux
-rw-------    1 root     root           0 Feb 18 02:36 mux.accept
-rw-------    1 root     root           4 Feb 18 02:36 saslauthd.pid

Following syntax works:

/ # testsaslauthd -f /run/saslauthd/mux -r **** -u **** -p ****

But following doesn't work:

/ # testsaslauthd -f /run/saslauthd/mux -s"smtpd" -u"****@****" -p"****"
0: NO "authentication failed"

Tried single quote, double quote, no quote, space, for the password but same result.

Output from 'saslauthd -a sasldb -d' for the failed attempt:

/etc/postfix # saslauthd -a sasldb -d
saslauthd[195] :num_procs  : 5
saslauthd[195] :mech_option: NULL
saslauthd[195] :run_path   : /run/saslauthd
saslauthd[195] :auth_mech  : sasldb
saslauthd[195] :using accept lock file: /run/saslauthd/mux.accept
saslauthd[195] :master pid is: 0
saslauthd[195] :listening on socket: /run/saslauthd/mux
saslauthd[195] :using process model
saslauthd[195] :forked child: 196
saslauthd[196] :acquired accept lock
saslauthd[195] :forked child: 197
saslauthd[195] :forked child: 198
saslauthd[195] :forked child: 199


saslauthd[198] :acquired accept lock
saslauthd[196] :released accept lock
saslauthd[196] :auth failure: [user=****@****] [service=smtpd] [realm=] [mech=sasldb] [reason=Unknown]
saslauthd[196] :response: NO

How to configure systemd journal-remote to listen on specific port?

All I can find are command line examples. And base on man page, there don't seems to be any option in journal-remote.conf.