Why is SASL authentication have to be so difficult? Round 2
Robert Lubbers
rlubbers at borg.com
Mon Dec 6 11:33:08 EST 2004
I am still working on getting this IMAP server authenticating against my
Windows domain PDC, and I did manage to get the POP server
authenticating, which is a giant step forward. But both the IMAP
component and the cyradm component are complaining: They both give me
the same error message:
cyrus-server>telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK cyrus.domain.com Cyrus IMAP4 v2.2.9 server ready
. login cyrususer secret
. NO Login failed: can't request info until later in exchange
. logout
* BYE LOGOUT received
. OK Completed
whereas the POP3 server doesn't complain at all:
cyrus-server> telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK cyrus-server.domain.com Cyrus POP3 v2.2.9 server ready <1679296964.1102348490 at cyrus-server.domain.com>
user cyrususer
+OK Name is a valid mailbox
pass intisol
+OK Mailbox locked and ready
The wild thing is that the /var/log/secure file shows a valid
authentication for either one:
For POP3
Dec 6 10:59:51 cyrus-server saslauthd[1841]: rel_accept_lock : released accept lock
Dec 6 10:59:51 cyrus-server saslauthd[1842]: get_accept_lock : acquired accept lock
Dec 6 10:59:51 cyrus-server pam_winbind[1841]: user 'cyrususer' granted acces
Dec 6 10:59:51 cyrus-server pam_winbind[1841]: user 'cyrususer' granted acces
Dec 6 10:59:51 cyrus-server saslauthd[1841]: do_auth : auth success: [user=cyrususer] [service=pop] [realm=] [mech=pam]
Dec 6 10:59:51 cyrus-server saslauthd[1841]: do_request : response: 0
Whereas for IMAP:
Dec 6 11:03:24 cyrus-server saslauthd[1842]: rel_accept_lock : released accept lock
Dec 6 11:03:24 cyrus-server saslauthd[1837]: get_accept_lock : acquired accept lock
Dec 6 11:03:24 cyrus-server pam_winbind[1842]: user 'cyrususer' granted acces
Dec 6 11:03:24 cyrus-server pam_winbind[1842]: user 'cyrususer' granted acces
Dec 6 11:03:24 cyrus-server saslauthd[1842]: do_auth : auth success: [user=cyrususer] [service=imap] [realm=] [mech=pam]
Dec 6 11:03:24 cyrus-server saslauthd[1842]: do_request : response: OK'
See? No difference.
For cyradm:
cyrus-server>cyradm --user cyrusadmin --auth login localhost
IMAP Password:
Login failed: can't request info until later in exchange at /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm line 118
cyradm: cannot authenticate to server with login as cyrus
Yet this is a user that exists in /etc/sasldb2:
cyrus-server> sasldblistusers2
noctest at cyrus-server.domain.com: userPassword
admin at cyrus-server.domain.com: userPassword
noctest at cyrus-server.domain.com: cmusaslsecretOTP
admin at cyrus-server.domain.com: cmusaslsecretOTP
Just for the sake of completeness, here are the contents of my
/usr/local/lib/sasl directory:
cyrus-server> ls -l /usr/local/lib/sasl2
total 600
-rwxr-xr-x 1 root root 711 Dec 6 10:02 libanonymous.la
lrwxrwxrwx 1 root root 22 Dec 6 10:02 libanonymous.so -> libanonymous.so.2.0.20
lrwxrwxrwx 1 root root 22 Dec 6 10:02 libanonymous.so.2 -> libanonymous.so.2.0.20
-rwxr-xr-x 1 root root 89354 Dec 6 10:02 libanonymous.so.2.0.20
-rwxr-xr-x 1 root root 695 Dec 6 10:02 liblogin.la
lrwxrwxrwx 1 root root 18 Dec 6 10:02 liblogin.so -> liblogin.so.2.0.20
lrwxrwxrwx 1 root root 18 Dec 6 10:02 liblogin.so.2 -> liblogin.so.2.0.20
-rwxr-xr-x 1 root root 88558 Dec 6 10:02 liblogin.so.2.0.20
-rwxr-xr-x 1 root root 684 Dec 6 10:02 libotp.la
lrwxrwxrwx 1 root root 16 Dec 6 10:02 libotp.so -> libotp.so.2.0.20
lrwxrwxrwx 1 root root 16 Dec 6 10:02 libotp.so.2 -> libotp.so.2.0.20
-rwxr-xr-x 1 root root 155138 Dec 6 10:02 libotp.so.2.0.20
-rwxr-xr-x 1 root root 695 Dec 6 10:02 libplain.la
lrwxrwxrwx 1 root root 18 Dec 6 10:02 libplain.so -> libplain.so.2.0.20
lrwxrwxrwx 1 root root 18 Dec 6 10:02 libplain.so.2 -> libplain.so.2.0.20
-rwxr-xr-x 1 root root 88316 Dec 6 10:02 libplain.so.2.0.20
-rwxr-xr-x 1 root root 716 Dec 6 10:02 libsasldb.la
lrwxrwxrwx 1 root root 19 Dec 6 10:02 libsasldb.so -> libsasldb.so.2.0.20
lrwxrwxrwx 1 root root 19 Dec 6 10:02 libsasldb.so.2 -> libsasldb.so.2.0.20
-rwxr-xr-x 1 root root 145666 Dec 6 10:02 libsasldb.so.2.0.20
I have a sym link from /usr/local/lib/sals2 to /usr/local/lib/sasl,
/usr/lib/sasl2, and /usr/lib/sasl.
Here is my /etc/imapd.conf:
postmaster: postmaster
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: noctest admin
allowanonymouslogin: no
allowplaintext: yes
sasl_mech_list: PLAIN
servername: cyrus-server.domain.com
autocreatequota: 40000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
ievedir: /usr/sieve
sendmail: /usr/sbin/sendmail
sieve_maxscriptsize: 32
sieve_maxscripts: 5
tls_ca_file: /var/imap/server.pem
tls_cert_file: /var/imap/server.pem
tls_key_file: /var/imap/server.pem
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
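
The /var/log/secure excerpts in the message above, correlated per saslauthd worker (an added example, not part of the original post and not Cyrus code): it pairs each do_auth verdict with the do_request reply logged by the same PID, which shows whether a login the IMAP or POP3 server rejected had in fact been accepted by saslauthd. The function names are hypothetical, and the sample lines are those from the post with the mail wrapping undone.

```python
import re

# Lines from the /var/log/secure excerpt in the post, with mail wrapping undone.
SAMPLE_LOG = """\
Dec 6 10:59:51 cyrus-server pam_winbind[1841]: user 'cyrususer' granted acces
Dec 6 10:59:51 cyrus-server saslauthd[1841]: do_auth : auth success: [user=cyrususer] [service=pop] [realm=] [mech=pam]
Dec 6 10:59:51 cyrus-server saslauthd[1841]: do_request : response: 0
Dec 6 11:03:24 cyrus-server pam_winbind[1842]: user 'cyrususer' granted acces
Dec 6 11:03:24 cyrus-server saslauthd[1842]: do_auth : auth success: [user=cyrususer] [service=imap] [realm=] [mech=pam]
Dec 6 11:03:24 cyrus-server saslauthd[1842]: do_request : response: OK'
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8}) \S+ ([\w.-]+)\[(\d+)\]: (.*)$")
AUTH = re.compile(r"do_auth\s*:\s*auth (success|failure): \[user=([^\]]*)\] "
                  r"\[service=([^\]]*)\] \[realm=([^\]]*)\] \[mech=([^\]]*)\]")
RESP = re.compile(r"do_request\s*:\s*response:\s*(.*)$")


def correlate(log_text):
    """Pair each do_auth verdict with the reply sent by the same worker PID.

    PAM modules run inside the saslauthd worker, so their lines carry its PID.
    Verdicts that never got a reply are returned too, with response=None.
    """
    pam_seen, pending, requests = {}, {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, prog, pid, msg = m.groups()
        if prog.startswith("pam_"):
            pam_seen[pid] = prog
        elif prog == "saslauthd" and (a := AUTH.search(msg)):
            result, user, service, _realm, mech = a.groups()
            pending[pid] = {"time": ts, "pid": pid, "user": user, "service": service,
                            "mech": mech, "result": result, "response": None,
                            "pam_module": pam_seen.pop(pid, None)}
        elif prog == "saslauthd" and (r := RESP.search(msg)) and pid in pending:
            requests.append({**pending.pop(pid), "response": r.group(1)})
    return requests + list(pending.values())


def saslauthd_cleared(requests, service):
    """True when every request for the service was accepted and answered."""
    hits = [r for r in requests if r["service"] == service]
    return bool(hits) and all(r["result"] == "success" and r["response"] for r in hits)


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        print(r["time"], r["service"], r["result"], r["pam_module"], repr(r["response"]))
```

Run on the excerpt, it reports both requests as accepted through pam_winbind and prints the two reply strings side by side, 0 for pop and OK' for imap.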