imapd is not talking to saslauthd
Ken Murchison
murch at fastmail.com
Tue Jan 30 18:39:02 EST 2018
Your understanding is correct. Can you run saslauthd with the -d
(debug) command line option and see if it sheds any light?
On 01/30/2018 06:31 PM, Michael Rüger wrote:
> Yes, Ken. The whole jail is freshly fired up. Yes, it seems that imapd
> is not calling saslauthd at all. I wondered if saslauthd support is
> even compiled in.
>
> But if I understand the architecture correctly (and please correct me
> if I'm wrong), imap is using the sasl lib, and the sasl lib should
> have saslauthd support compiled in. This is, as far as I can see,
> configured by HAVE_SASLAUTHD. I have compiled the cyrus-sasl lib
> myself to verify that
>
> config.h:#define HAVE_SASLAUTHD /**/
>
> is enabled and
>
> root at cyrus3:/usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.26/ #
> strings /usr/local/lib/libsasl2.so | grep saslauthd
> saslauthd_path
> /var/run/saslauthd
> cannot create socket for saslauthd: %m
> cannot connect to saslauthd server: %m
>
> gives me confidence that it is compiled in.
>
> I also tried to "dtrace" into imapd, but had no success. FreeBSD's
> dtrace has some problems inside a jail.
>
> So I guess I'm missing something tiny but important ;)
>
> Thx again for your support.
> Mike
>
>
>> On 31.01.2018 at 00:09, Ken Murchison <murch at fastmail.com> wrote:
>>
>> Has Cyrus IMAP been restarted since switching to saslauthd? It
>> doesn't look like Cyrus is even trying to use saslauthd.
>>
>>
>> On 01/30/2018 06:03 PM, Michael Rüger wrote:
>>> Struggled with enabling local6. The trick was to touch the new
>>> syslog output file before restarting syslog with this new line
>>>
>>> local6.* /var/log/local6
>>>
>>>
>>> root at cyrus3:/var/log # cat local6
>>> Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
>>> Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
>>> Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher
>>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
>>> Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher
>>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and
>>> get auxprops
>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and
>>> get auxprops
>>> Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210]
>>> SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and
>>> get auxprops]
>>> Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210]
>>> SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and
>>> get auxprops]
>>>
>>>
>>>> On 30.01.2018 at 23:41, Ken Murchison <murch at fastmail.com> wrote:
>>>>
>>>> Hmm.
>>>>
>>>> I just switched my dev box to using saslauthd and it just worked.
>>>> I'm sure your problem is something simple, but it's escaping me at
>>>> the moment.
>>>>
>>>> When imtest fails, what is logged in the Cyrus IMAP log (wherever
>>>> local6 is logged)?
>>>>
>>>>
>>>>
>>>> On 01/30/2018 05:34 PM, Michael Rüger wrote:
>>>>> Ken, thank you for jumping in!
>>>>>
>>>>> Some more info: the apps run as the following users and groups
>>>>>
>>>>> root at cyrus3:~ # ps aux
>>>>> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
>>>>> root 88686 0.0 0.0 10500 2044 - SsJ 21:40 0:00.02 /usr/sbin/syslogd -s
>>>>> root 88717 0.0 0.1 43928 4360 - IsJ 21:40 0:00.01 /usr/local/sbin/saslauthd -a pam
>>>>> root 88718 0.0 0.1 43928 4360 - IJ 21:40 0:00.01 /usr/local/sbin/saslauthd -a pam
>>>>> root 88720 0.0 0.1 43928 4276 - IJ 21:40 0:00.00 /usr/local/sbin/saslauthd -a pam
>>>>> root 88721 0.0 0.1 43928 4360 - IJ 21:40 0:00.01 /usr/local/sbin/saslauthd -a pam
>>>>> root 88722 0.0 0.1 43928 4276 - IJ 21:40 0:00.00 /usr/local/sbin/saslauthd -a pam
>>>>> cyrus 88724 0.0 0.1 65504 5884 - SsJ 21:40 0:00.07 /usr/local/cyrus/libexec/master -d
>>>>>
>>>>> root at cyrus3:~ # su - cyrus
>>>>> % id
>>>>> uid=60(cyrus) gid=60(cyrus) groups=60(cyrus),1003(saslauth)
>>>>>
>>>>>
>>>>>> On 30.01.2018 at 23:25, Michael Rüger <michael.g.rueger at gmail.com> wrote:
>>>>>>
>>>>>> root at cyrus3:~ # ls -la /var/run/saslauthd/
>>>>>> total 13
>>>>>> drwxr-x--- 2 cyrus saslauth 5 Jan 30 21:40 .
>>>>>> drwxr-xr-x 6 root wheel 15 Jan 30 21:40 ..
>>>>>> srwxrwxrwx 1 root saslauth 0 Jan 30 21:40 mux
>>>>>> -rw------- 1 root saslauth 0 Jan 30 21:40 mux.accept
>>>>>> -rw------- 1 root saslauth 6 Jan 30 21:40 saslauthd.pid
>>>>>>
>>>>>>> On 30.01.2018 at 23:23, Ken Murchison <murch at fastmail.com> wrote:
>>>>>>>
>>>>>>> Hi Michael,
>>>>>>>
>>>>>>> What are the permissions on the socket that saslauthd is
>>>>>>> listening on?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 01/30/2018 05:06 PM, Michael Rüger wrote:
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> (BTW, I was Guest39278 on IRC yesterday and got the chance to
>>>>>>>> introduce myself on googletalk)
>>>>>>>>
>>>>>>>> I’m trying to set up imapd to use saslauthd for authentication.
>>>>>>>>
>>>>>>>> I already have a running saslauthd which uses PAM. I can run this
>>>>>>>>
>>>>>>>> root at cyrus3:/ # testsaslauthd -u mike -p mike
>>>>>>>> 0: OK "Success."
>>>>>>>>
>>>>>>>> and if I run
>>>>>>>>
>>>>>>>> root at cyrus3:/ # testsaslauthd -u mike -p abc
>>>>>>>> 0: NO "authentication failed"
>>>>>>>>
>>>>>>>> I get that logged in auth.log like this
>>>>>>>>
>>>>>>>> Jan 30 21:43:53 cyrus3 saslauthd[88721]: do_auth : auth failure: [user=mike] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>>>>>>>>
>>>>>>>> In imapd.conf i have
>>>>>>>>
>>>>>>>> sasl_pwcheck_method: saslauthd
>>>>>>>>
>>>>>>>> Now I'm authenticating against imapd
>>>>>>>>
>>>>>>>> root at cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
>>>>>>>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS
>>>>>>>> LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5
>>>>>>>> AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
>>>>>>>> C: S01 STARTTLS
>>>>>>>> S: S01 OK Begin TLS negotiation now
>>>>>>>> verify error:num=18:self signed certificate
>>>>>>>> TLS connection established: TLSv1.2 with cipher
>>>>>>>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>>>>>>> C: C01 CAPABILITY
>>>>>>>> S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten
>>>>>>>> QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME
>>>>>>>> UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH
>>>>>>>> SEARCH=FUZZY SORT SORT=MODSEQ SORT=DISPLAY SORT=UID
>>>>>>>> THREAD=ORDEREDSUBJECT THREAD=REFERENCES THREAD=REFS
>>>>>>>> ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED
>>>>>>>> LIST-STATUS LIST-MYRIGHTS LIST-METADATA WITHIN QRESYNC SCAN
>>>>>>>> XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE DIGEST=SHA1
>>>>>>>> X-REPLICATION URLAUTH URLAUTH=BINARY AUTH=SCRAM-SHA-1
>>>>>>>> AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN
>>>>>>>> SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE
>>>>>>>> X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE
>>>>>>>> S: C01 OK Completed
>>>>>>>> C: A01 AUTHENTICATE SCRAM-SHA-1
>>>>>>>> bixhPW1pa2Usbj1taWtlLHI9Z2Z1Ukp1cVc1Z1BybHhaWTdFcjVYUDR2WUtuMVhRNHc=
>>>>>>>> S: A01 NO authentication failure
>>>>>>>> Authentication failed. generic failure
>>>>>>>> Security strength factor: 256
>>>>>>>>
>>>>>>>> Nothing is reported in auth.conf
>>>>>>>>
>>>>>>>> If I do this
>>>>>>>>
>>>>>>>> root at cyrus3:~ # saslpasswd2 -c mike at cyrus3.intern.rueger.me
>>>>>>>> …<entering "mike" twice here>
>>>>>>>> root at cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
>>>>>>>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS
>>>>>>>> LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5
>>>>>>>> AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
>>>>>>>> C: S01 STARTTLS
>>>>>>>> …
>>>>>>>> Authenticated.
>>>>>>>> Security strength factor: 256
>>>>>>>>
>>>>>>>> it is working against local db BUT NOT against saslauthd.
>>>>>>>>
>>>>>>>> How do I set up imapd to talk to saslauthd?
>>>>>>>>
>>>>>>>> BTW I'm using
>>>>>>>> * cyrus-imapd30-3.0.5
>>>>>>>> * cyrus-sasl-2.1.26_13
>>>>>>>> * cyrus-sasl-saslauthd-2.1.26_3
>>>>>>>> on FreeBSD 11.1
>>>>>>>>
>>>>>>>> Thank you for any help,
>>>>>>>> Mike
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
--
Ken Murchison
Cyrus Development Team
FastMail US LLC
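What actually crosses the /var/run/saslauthd/mux socket when testsaslauthd (or libsasl2 with sasl_pwcheck_method: saslauthd) verifies a password, as an added Python example that is not part of this thread or of cyrus-sasl; the socket path is the one from the ls output above, and the encoder/decoder pair lets the framing be checked without a running daemon:

```python
import socket
import struct

# Path taken from the ls -la output in the thread; an assumption elsewhere.
SOCKET_PATH = "/var/run/saslauthd/mux"


def _pack(text):
    """One protocol field: 16-bit big-endian length, then the UTF-8 bytes."""
    data = text.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def encode_request(user, password, service="imap", realm=""):
    """Request exactly as libsasl2 sends it: user, password, service, realm."""
    return b"".join(_pack(f) for f in (user, password, service, realm))


def decode_request(blob):
    """Inverse of encode_request; this is what saslauthd parses off the socket."""
    fields, pos = [], 0
    for _ in range(4):
        (n,) = struct.unpack("!H", blob[pos:pos + 2])
        fields.append(blob[pos + 2:pos + 2 + n].decode("utf-8"))
        pos += 2 + n
    return tuple(fields)


def encode_reply(text):
    """The reply is a single length-prefixed string such as 'OK "Success."'."""
    return _pack(text)


def decode_reply(blob):
    """Returns (ok, message); ok is True only when the reply starts with OK."""
    (n,) = struct.unpack("!H", blob[:2])
    text = blob[2:2 + n].decode("utf-8")
    return text.startswith("OK"), text


def check_password(user, password, service="imap", realm="", path=SOCKET_PATH):
    """Do what testsaslauthd -u/-p does: connect to the mux socket and ask.
    A PermissionError here means the calling uid/gid cannot open the socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(encode_request(user, password, service, realm))
        with sock.makefile("rb") as f:  # read(n) blocks until n bytes or EOF
            header = f.read(2)
            (n,) = struct.unpack("!H", header)
            return decode_reply(header + f.read(n))
```

Because the request carries the cleartext password, saslauthd can only verify mechanisms in which the server actually receives that password (PLAIN, LOGIN); SCRAM-SHA-1, DIGEST-MD5 and CRAM-MD5 need the secret in an auxprop store such as sasldb, which is consistent with the "SASL no user in db" lines logged above.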