pwcheck_method ignored?

Alexey Melnikov alexey.melnikov at isode.com
Tue Jun 24 07:11:57 EDT 2008


Marcelo Licastro wrote:

> Hi,

Hi Marcelo,

> I'm struggling to get my SASL config working... It seems that my 
> "pwcheck_method" is being completely ignored! Although I set it as 
> "saslauthd", I receive "could not find auxprop plugin, was searching 
> for '[all]'" in my logs...

The "pwcheck_method" config option only affects password verification using 
the SASL PLAIN and SASL LOGIN mechanisms.
The NTLM mechanism doesn't use saslauthd and it needs access to the cleartext 
password.

> I even traced Exim's pid and saw that the correct config file for sasl 
> (/usr/lib64/sasl2/exim.conf) is being used.
>
> Running manually "testsaslauthd" and "imtest" works ok, socket's 
> permission is all right (/var/run/saslauthd/mux). But using SASL lib 
> from Exim, it ignores the pwcheck_method... If I run saslauthd in debug 
> mode (/usr/sbin/saslauthd -a pam -m /var/run/saslauthd -d), it logs 
> nothing when SASL lib is called from Exim. When called by 
> testsaslauthd and imtest, saslauthd debug's log shows ok.
>
> Exim seems to be calling SASL lib's normally, I'm posting some info 
> below...
>
> Any ideas? I'm running out of them! Thanks,
> Mark J
>
> Exim STRACE: [pid 29899] open("/usr/lib64/sasl2/exim.conf", O_RDONLY) = 6
>
> [root@interno log]# cat /usr/lib64/sasl2/exim.conf
> pwcheck_method:saslauthd
>
> [root@interno log]# tail /var/log/messages
> Jun 20 22:21:04 interno exim: NTLM server step 1
> Jun 20 22:21:04 interno exim: client flags: ffffb207
> Jun 20 22:21:04 interno exim: NTLM server step 2
> Jun 20 22:21:04 interno exim: client user: MXXXXXX
> Jun 20 22:21:04 interno exim: client domain: SOFISANT
> Jun 20 22:21:04 interno exim: could not find auxprop plugin, was 
> searching for '[all]'
> Jun 20 22:21:04 interno exim: could not find auxprop plugin, was 
> searching for '[all]'
> Jun 20 22:21:04 interno exim: no secret in database
>
>
> [root@interno log]# testsaslauthd -u mXXXXXX -p YYYYYYY
> 0: OK "Success."
>
>
> [root@interno log]# imtest -u mXXXXXX -w YYYYYYY -a mXXXXXX -v -m login
> WARNING: no hostname supplied, assuming localhost
> S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=NTLM 
> SASL-IR] interno.sofisant.local Cyrus IMAP4 
> v2.3.7-Invoca-RPM-2.3.7-1.1.el5 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=NTLM SASL-IR 
> ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS 
> NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ 
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE 
> CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
> S: C01 OK Completed
> C: L01 LOGIN mXXXXXX {8}
> S: + go ahead
> C: <omitted>
> S: L01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL 
> RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME 
> UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ 
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE 
> CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH] User logged in
> Authenticated.
> Security strength factor: 0
>
> [root@interno log]# /usr/sbin/exim -bd -q1h -d+auth
> 29857 SMTP>> 250-server.email.interno Hello CPD39 [10.5.4.39]
> 29857 250-AUTH NTLM
> 29857 250 HELP
> 29857 SMTP<< AUTH NTLM
> 29857 Calling sasl_server_start(NTLM,"")
> 29857 SMTP>> 334
> 29857 SMTP<< 
> TlRMTVNTUAABAAAAB7IIoggACAAtAAAABQAFACgAAAAFASgKAAAAD0NQRDM5U09GSVNBTlQ=
> 29857 Calling 
> sasl_server_step("TlRMTVNTUAABAAAAB7IIoggACAAtAAAABQAFACgAAAAFASgKAAAAD0NQRDM5U09GSVNBTlQ=")
> 29857 SMTP>> 334 
> TlRMTVNTUAACAAAAKAAoADAAAAAFsgIApX9RPvX5/PUAAAAAAAAAAAAAAAAAAAAAUwBFAFIAVgBFAFIALgBFAE0AQQBJAEwALgBJAE4AVABFAFIATgBPAA==
> 29857 SMTP<< 
> TlRMTVNTUAADAAAAGAAYAHQAAAAYABgAjAAAABAAEABIAAAAEgASAFgAAAAKAAoAagAAAAAAAACkAAAABYIAAgUBKAoAAAAPUwBPAEYASQBTAEEATgBUAE0ATABpAGMAYQBzAHQAcgBvAEMAUABEADMAOQB1Om5nsDBkan3TNtobQJkbfkPltX9HZ9Shwx9PPg0gIPnArowf9HMeKj2/xOi1t5w=
> 29857 Calling 
> sasl_server_step("TlRMTVNTUAADAAAAGAAYAHQAAAAYABgAjAAAABAAEABIAAAAEgASAFgAAAAKAAoAagAAAAAAAACkAAAABYIAAgUBKAoAAAAPUwBPAEYASQBTAEEATgBUAE0ATABpAGMAYQBzAHQAcgBvAEMAUABEADMAOQB1Om5nsDBkan3TNtobQJkbfkPltX9HZ9Shwx9PPg0gIPnArowf9HMeKj2/xOi1t5w=")
> 29857 Cyrus SASL permanent failure -20 (user not found)
> 29857 LOG: REJECT
> 29857   sasl_auth authenticator (NTLM):
> 29857   Cyrus SASL permanent failure: user not found
> 29857 SMTP>> 535 Incorrect authentication data
> 29857 LOG: MAIN REJECT
> 29857   sasl_auth authenticator failed for (CPD39) [10.5.4.39]: 535 Incorrect authentication data
> 29857 SMTP<< AUTH NTLM
> 29857 host in smtp_accept_max_nonmail_hosts? yes (matched "*")
> 29857 Calling sasl_server_start(NTLM,"")
> 29857 SMTP>> 334
> 29857 SMTP<< *
> 29857 SMTP>> 501 Authentication cancelled
> 29857 LOG: MAIN REJECT
> 29857   sasl_auth authenticator failed for (CPD39) [10.5.4.39]: 501 Authentication cancelled
>
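
The mismatch explained in the reply above can be checked mechanically. This is an added example, not part of the original thread or of Cyrus SASL or Exim: it reads a SASL config and the `250-AUTH` lines from Exim debug output and reports which advertised mechanisms `pwcheck_method` will never apply to. The function names are hypothetical, and the only mechanism rules encoded are the ones stated in the reply (PLAIN and LOGIN use `pwcheck_method`; NTLM needs the cleartext password).

```python
import re

# Per the reply above: pwcheck_method is consulted only for these mechanisms.
PWCHECK_MECHS = {"PLAIN", "LOGIN"}

def parse_sasl_conf(text):
    """Parse Cyrus SASL 'key: value' lines (as in exim.conf) into a dict."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip()] = value.strip()
    return opts

def advertised_mechs(debug_log):
    """Collect mechanisms from '250-AUTH ...' lines in Exim -d+auth output."""
    mechs = []
    for m in re.finditer(r"250[- ]AUTH\s+(.+)", debug_log):
        for name in m.group(1).split():
            if name.upper() not in mechs:
                mechs.append(name.upper())
    return mechs

def mechs_bypassing_pwcheck(debug_log):
    """Return advertised mechanisms that pwcheck_method will NOT apply to."""
    return [m for m in advertised_mechs(debug_log) if m not in PWCHECK_MECHS]

def report(conf_text, debug_log):
    """One human-readable line per advertised mechanism."""
    method = parse_sasl_conf(conf_text).get("pwcheck_method", "(unset)")
    lines = []
    for mech in advertised_mechs(debug_log):
        if mech in PWCHECK_MECHS:
            lines.append(f"{mech}: verified via pwcheck_method={method}")
        elif mech == "NTLM":
            lines.append(f"{mech}: ignores pwcheck_method={method}; needs cleartext password")
        else:
            lines.append(f"{mech}: pwcheck_method={method} does not apply")
    return lines

# Config line and EHLO lines as they appear in the post above.
POSTED_CONF = "pwcheck_method:saslauthd\n"
POSTED_LOG = "29857 250-AUTH NTLM\n29857 250 HELP\n"
# Constructed comparison input (not from the post).
CONSTRUCTED_LOG = "1234 250-AUTH PLAIN LOGIN\n1234 250 HELP\n"

if __name__ == "__main__":
    print("\n".join(report(POSTED_CONF, POSTED_LOG)))
    print("\n".join(report(POSTED_CONF, CONSTRUCTED_LOG)))
```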


