Authetification HELP!!!

Mike O'Rourke mike.orourke at op.org
Tue Feb 4 06:51:04 EST 2003 

Hi Peter,


>Sorry, I need your help.
>
>I spend a lot of hours with my cyrus server, but I sill have no idea how to
>solve my problem.
>
>I cannot authenticate. I installed cyrus21-admin cyrus21-common,
>cyrus21-imapd, sasl2-bin on a debian system.
>
>I want to set up an autentification via sasldb, cause it seems to be the
>easiest way. I changed the permission of /etc/sasldb2 to cyrus.
>
>I set up imapd.conf
>
>#################
>
># Debian Cyrus imapd.conf
># See imapd.conf(5) for more information and more options
>
># Configuration directory
>configdirectory: /var/lib/cyrus
>
># Which partition to use for default mailboxes
>defaultpartition: default
>partition-default: /var/spool/cyrus/mail
>
># News setup
>partition-news: /var/spool/cyrus/news
>newsspool: /var/spool/news
>
># Alternate namespace
># If enabled, activate the alternate namespace as documented in
># /usr/share/doc/cyrus2-common/html/altnamespace.html, where an user's
># subfolders are in the same level as the INBOX
>altnamespace: no
>
># UNIX Hierarchy Convention
># Set to yes, and cyrus will accept dots in names, and use the forward
># slash "/" to delimit levels of the hierarchy. This is done by converting
># internally all dots to "^", and all "/" to dots. So the "rabbit.holes"
># mailbox of user "helmer.fudd" is stored in "user.elmer^fud.rabbit^holes"
>#
># WARNING: This option does NOT apply to admin tools such as cyradm
># (admins ONLY), reconstruct, quota, etc., NOR does it affect LMTP delivery
># of messages directly to mailboxes via plus-addressing.
># See also userprefix and sharedprefix on imapd.conf(5)
>unixhierarchysep: no
>
># Munging illegal characters in headers
># Headers of RFC2882 messages must not have characters with the 8th bit
># set. However, too many badly-written MUAs generate this, including most
># spamware.  Disable this if you want Cyrus to leave the crappage untouched
># and you don't care that IMAP SEARCH won't work right anymore.
>#munge8bit: no
>
># Forcing recipient user to lowercase
># Cyrus 2.1 is case-sensitive.  If all your mail users are in lowercase, it is
># probably a very good idea to set lmtp_downcase_rcpt to true.  The default is
># to assume the user knows what he is doing, and not downcase anything.
>#lmtp_downcase_rcpt: yes
>
># Uncomment the following and add the space-separated users who
># have admin rights for all services.
>admins: cyrus
>
># Space-separated list of users that have lmtp "admin" status (i.e. that
># can deliver email through TCP/IP lmtp) in addition to those in the
># admins: entry above
>#lmtp_admins: postman
>
># Space-separated list of users that have mupdate "admin" status, in
># addition to those in the admins: entry above. Note that mupdate slaves and
># backends in a Murder cluster need to autenticate against the mupdate master
># as admin users.
>#mupdate_admins: mupdateman
>
># Space-separated list of users that have imapd "admin" status, in
># addition to those in the admins: entry above
>#imap_admins: cyrus
>
># Space-separated list of users that have sieve "admin" status, in
># addition to those in the admins: entry above
>#sieve_admins: cyrus
>
># List of users and groups that are allowed to proxy for other users,
># seperated by spaces.  Any user listed in this will be allowed to login
># for any other user.  Like "admins:" above, you can have imap_proxyservers
># and sieve_proxyservers.
>#proxyservers: cyrus
>
># No anonymous logins
>allowanonymouslogin: no
>
># Minimum time between POP mail fetches in minutes
>popminpoll: 1
>
># If nonzero, normal users may create their own IMAP accounts by creating
># the mailbox INBOX.  The user's quota is set to the value if it is positive,
># otherwise the user has unlimited quota.
>autocreatequota: 0
>
># umask used by Cyrus programs
>umask: 077
>
># Sendmail binary location (used by sieve)
>#sendmail: /usr/sbin/sendmail
>
># If enabled, cyrdeliver will look for Sieve scripts in user's home
># directories: ~user/.sieve.
>sieveusehomedir: false
>
># If sieveusehomedir is false, this directory is searched for Sieve scripts.
>sievedir: /var/spool/sieve
>
># notifyd(8) method to use for "MAIL" notifications.  If not set, "MAIL"
># notifications are disabled.  Valid methods are: null, log, zephyr
>#mailnotifier: zephyr
>
># notifyd(8) method to use for "SIEVE" notifications.  If not set, "SIEVE"
># notifications are disabled.  This method is only used when no method is
># specified in the script.  Valid methods are null, log, zephyr, mailto
>#sievenotifier: zephyr
>
># DRAC (pop-before-smtp, imap-before-smtp) support
># Set dracinterval to the time in minutes to call DRAC while a user is
># connected to the imap/pop services. Set to 0 to disable DRAC (default)
># Set drachost to the host where the rpc drac service is running
>#dracinterval: 0
>#drachost: localhost
>
># If enabled, the partitions will also be hashed, in addition to the hashing
># done on configuration directories. This is recommended if one partition has
>a
># very bushy mailbox tree.
>hashimapspool: true
>
># Allow plaintext logins by default (SASL PLAIN)
>allowplaintext: yes
>
># Force PLAIN/LOGIN authentication only
># (you need to uncomment this if you are not using an auxprop-based SASL
># mechanism.  saslauthd users, that means you!). And pay attention to
># sasl_minimum_layer below, too.
>#sasl_mech_list: PLAIN
>
>
># The minimum SSF that the server will allow a client to negotiate. A
># value of 1 requires integrity protection; any higher value requires some
># amount of encryption.
>#sasl_minimum_layer: 0
>
># The maximum SSF that the server will allow a client to negotiate. A
># value of 1 requires integrity protection; any higher value requires some
># amount of encryption.
>#sasl_maximum_layer: 256
>
># List of remote realms whose users may log in using cross-realm
># authentications.  Seperate each realm name by a space. A cross-realm
># identity is considered any identity returned by SASL with an "@" in it.
>#loginrealms:
>
>#
># SASL library options (these are handled directly by the SASL libraries,
># refer to SASL documentation for an up-to-date list of these)
>#
>
># The mechanism(s) used by the server to verify plaintext passwords. Possible
># values are "saslauthd", "auxprop", "pwcheck" and "alwaystrue".  They
># are tried in order, you can specify more than one, separated by spaces.
>#
># Do note that, since sasl will be run as user cyrus, you may have a lot of
># trouble to set this up right.
>sasl_pwcheck_method: auxprob
>
># What auxpropd plugins to load, if using sasl_pwcheck_method: auxprop
># by default, all plugins are tried (which is probably NOT what you want).
>sasl_auxprop_plugin: sasldb
>
># If enabled, the SASL library will automatically create authentication
>secrets
># when given a plaintext password. Refer to SASL documentation
>sasl_auto_transition: no
>
>#
># SSL/TLS Options
>#
>
># File containing the global certificate used for ALL services (imap, pop3,
># lmtp, sieve)
>#tls_cert_file: /etc/ssl/certs/cyrus-global.pem
>
># File containing the private key belonging to the global server certificate.
>#tls_key_file: /etc/ssl/private/cyrus-global.key
>
># File containing the certificate used for imap. If not specified, the global
># certificate is used.  A value of "disabled" will disable SSL/TLS for imap.
>#tls_imap_cert_file: /etc/ssl/certs/cyrus-imap.pem
>
># File containing the private key belonging to the imap-specific server
># certificate.  If not specified, the global private key is used.  A value of
># "disabled" will disable SSL/TLS for imap.
>#tls_imap_key_file: /etc/ssl/private/cyrus-imap.key
>
># File containing the certificate used for pop3. If not specified, the global
># certificate is used.  A value of "disabled" will disable SSL/TLS for pop3.
>#tls_pop3_cert_file: /etc/ssl/certs/cyrus-pop3.pem
>
># File containing the private key belonging to the pop3-specific server
># certificate.  If not specified, the global private key is used.  A value of
># "disabled" will disable SSL/TLS for pop3.
>#tls_pop3_key_file: /etc/ssl/private/cyrus-pop3.key
>
># File containing the certificate used for lmtp. If not specified, the global
># certificate is used.  A value of "disabled" will disable SSL/TLS for lmtp.
>#tls_lmtp_cert_file: /etc/ssl/certs/cyrus-lmtp.pem
>
># File containing the private key belonging to the lmtp-specific server
># certificate.  If not specified, the global private key is used.  A value of
># "disabled" will disable SSL/TLS for lmtp.
>#tls_lmtp_key_file: /etc/ssl/private/cyrus-lmtp.key
>
># File containing the certificate used for sieve. If not specified, the global
># certificate is used.  A value of "disabled" will disable SSL/TLS for sieve.
>#tls_sieve_cert_file: /etc/ssl/certs/cyrus-sieve.pem
>
># File containing the private key belonging to the sieve-specific server
># certificate.  If not specified, the global private key is used.  A value of
># "disabled" will disable SSL/TLS for sieve.
>#tls_sieve_key_file: /etc/ssl/private/cyrus-sieve.key
>
># File containing one or more Certificate Authority (CA) certificates.
>#tls_ca_file: /etc/ssl/certs/cyrus-imapd-ca.pem
>
># Path to directory with certificates of CAs.
>tls_ca_path: /etc/ssl/certs
>
># The length of time (in minutes) that a TLS session will be cached for later
># reuse.  The maximum value is 1440 (24 hours), the default.  A value of 0
>will
># disable session caching.
>tls_session_timeout: 1440
>
># The list of SSL/TLS ciphers to allow.  The format of the string is described
># in ciphers(1). THIS DISABLES THE WEAK 'FOR EXPORT' CRAP!
>tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
>
># Require a client certificate for ALL services (imap, pop3, lmtp, sieve).
>#tls_require_cert: false
>
># Require a client certificate for imap ONLY.
>#tls_imap_require_cert: false
>
># Require a client certificate for pop3 ONLY.
>#tls_pop3_require_cert: false
>
># Require a client certificate for lmtp ONLY.
>#tls_lmtp_require_cert: false
>
># Require a client certificate for sieve ONLY.
>#tls_sieve_require_cert: false
>
>#
># Cyrus Murder cluster configuration
>#
># Set the following options to the values needed for this server to
># autenticate against the mupdate master server:
># mupdate_server
># mupdate_port
># mupdate_username
># mupdate_authname
># mupdate_realm
># mupdate_password
># mupdate_retry_delay
>
>##
>## KEEP THESE IN SYNC WITH cyrus.conf
>##
># Unix domain socket that lmtpd listens on.
>lmtpsocket: /var/run/cyrus/socket/lmtp
>
># Unix domain socket that idled listens on.
>idlesocket: /var/run/cyrus/socket/idle
>
># Unix domain socket that the new mail notification daemon listens on.
>notifysocket: /var/run/cyrus/socket/notify
>
>##
>## DEBUGGING
>##
># Debugging hook. See /usr/share/doc/cyrus21-common/README.Debian.debug
># Keep the hook disabled when it is not in use
>#
># gdb Back-traces
>#debug_command: /usr/bin/gdb -batch -cd=/tmp -x
>/usr/lib/cyrus/get-backtrace.gdb /usr/lib/cyrus/bin/%s %d
> >/tmp/gdb-backtrace.cyrus.%1$s.%2$d <&- 2>&1 &
>#
># system-call traces
>#debug_command: /usr/bin/strace -tt -o /tmp/strace.cyrus.%s.%d -p %2$d <&-
>2>&1 &
>#
># library traces
>#debug_command: /usr/bin/ltrace -tt -n 2 -o /tmp/ltrace.cyrus.%s.%d -p %2$d
><&- 2>&1 &
>
>############################################
>
>I used saslpasswd2 to create user cyrus. sasldblistuser2 lists all users.
>
>imtest can connect to the server.
>
>But I cannot login with cyradm.
>
>##################################
>
>peter at server:~$ su cyrus
>Password:
>cyrus at server:/home/peter$ cyradm
>cyradm> connect localhost
>
>#####################
>
>nothing happens, until I hit return for 3 times
>
>###############
>server: localhost: cannot authenticate
>################
>
>My auth.log
>
>###########
>
>Feb  4 00:37:45 server cyrus/imapd[9996]: OTP unavailable because can't
>read/wri                 te key database /etc/opiekeys: No such file or
>directory
>Feb  4 00:37:45 server cyrus/imapd[9996]: DIGEST-MD5 server step 1
>Feb  4 00:37:45 server perl: DIGEST-MD5 client step 2
>Feb  4 00:38:01 server PAM_unix[9997]: (cron) session opened for user mail by
>(u                 id=0)
>Feb  4 00:38:01 server PAM_unix[9997]: (cron) session closed for user mail
>Feb  4 00:39:20 server cyrus/imapd[9996]: DIGEST-MD5 server step 2
>Feb  4 00:39:20 server cyrus/imapd[9996]: client response doesn't match what
>we                  generated
>Feb  4 00:39:23 server perl: NTLM client step 1
>Feb  4 00:39:23 server cyrus/imapd[9996]: NTLM server step 1
>Feb  4 00:39:23 server perl: NTLM client step 2
>Feb  4 00:39:23 server perl: No worthy mechs found
>Feb  4 00:41:30 server su[10029]: + pts/0 cyrus-root
>Feb  4 00:41:30 server PAM_unix[10029]: (su) session opened for user root by
>pet                 er(uid=101)
>
>########################
>
>here my syslog:
>
>####################
>
>Feb  4 00:36:56 server cyrus/master[9983]: about to exec
>/usr/lib/cyrus/bin/lmtpd
>Feb  4 00:36:56 server cyrus/lmtpunix[9983]: executed
>Feb  4 00:36:56 server cyrus/lmtpd[9983]: telling master 2
>Feb  4 00:36:56 server cyrus/master[9921]: service lmtpunix now has 0 workers
>Feb  4 00:36:56 server cyrus/lmtpd[9983]: accepted connection
>Feb  4 00:36:56 server cyrus/lmtpd[9983]: telling master 3
>Feb  4 00:36:56 server cyrus/master[9921]: service lmtpunix now has 0 workers
>Feb  4 00:36:56 server cyrus/lmtpd[9983]: lmtp connection preauth'd as postman
>Feb  4 00:36:56 server cyrus/lmtpd[9983]: telling master 1
>Feb  4 00:36:56 server cyrus/master[9921]: service lmtpunix now has 1 workers
>Feb  4 00:37:35 server wu-ftpd[9971]: FTP session closed
>Feb  4 00:37:45 server cyrus/master[9996]: about to exec
>/usr/lib/cyrus/bin/imapd
>Feb  4 00:37:45 server cyrus/imap[9996]: executed
>Feb  4 00:37:45 server cyrus/imapd[9996]: telling master 2
>Feb  4 00:37:45 server cyrus/master[9921]: service imap now has 0 workers
>Feb  4 00:37:45 server cyrus/imapd[9996]: accepted connection
>Feb  4 00:37:45 server cyrus/imapd[9996]: telling master 3
>Feb  4 00:37:45 server cyrus/master[9921]: service imap now has 0 workers
>Feb  4 00:37:56 server cyrus/lmtpd[9983]: telling master 2
>Feb  4 00:37:56 server cyrus/master[9921]: service lmtpunix now has 0 workers
>Feb  4 00:37:56 server cyrus/master[9921]: process 9983 exited, status 0
>Feb  4 00:38:01 server /USR/SBIN/CRON[9998]: (mail) CMD (  if [ -x
>/usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
>Feb  4 00:39:20 server cyrus/imapd[9996]: badlogin: localhost[127.0.0.1]
>DIGEST-MD5 [SASL(-13): authentication failure: client response doesn't match
>what we generated]
>Feb  4 00:41:09 server cyrus/imapd[9996]: telling master 1
>Feb  4 00:41:09 server cyrus/master[9921]: service imap now has 1 workers
>Feb  4 00:42:09 server cyrus/imapd[9996]: telling master 2
>Feb  4 00:42:09 server cyrus/master[9921]: service imap now has 0 workers
>Feb  4 00:42:09 server cyrus/master[9921]: process 9996 exited, status 0
>
>
>##########################################
>
>When I login with imtest:
>
>#######################
>
>cyrus at server:/var/log$ imtest localhost
>S: * OK server Cyrus IMAP4 v2.1.11-Debian-8 server ready
>C: C01 CAPABILITY
>S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
>NAMESPACE
>UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
>THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=NTLM AUTH=DIGEST-MD5
>AUTH=CRAM-MD5 LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
>S: C01 OK Completed
>C: A01 AUTHENTICATE DIGEST-MD5
>S: + a lot of caracters
>Please enter your password:
>C:  a lot of caracters
>S: + a lot of caracters
>C:
>S: A01 OK Success (privacy protection)
>Authenticated.
>Security strength factor: 128
>
>###################################
>
>So for me it seems, imtest is OK.
>
>What can I do. What is my mistake.
>
>I thank you for your help!!!!!
>
>Greetings
>Peter

In your imapd.conf, you have the line:
         sasl_pwcheck_method: auxprob
Is that how it is, or a cut-and-paste error, because it should read:
         sasl_pwcheck_method: auxprop
(note the last character!)

Mike.

More information about the Info-cyrus mailing list