imapd is not talking to saslauthd
Ken Murchison
murch at fastmail.com
Tue Jan 30 19:29:32 EST 2018
OK. Major brain fart, since I'm trying to do 5 things at once.
saslauthd will only be used for verifying plaintext passwords --
meaning it's only used for plaintext authentication methods. Your imtest
is trying to use SCRAM by default.
Add '-m plain' to your imtest and see what happens.
If you want to do your auth using only PAM, you will have to disable
non-plaintext SASL mechs for Cyrus. Add the following to imapd.conf:
sasl_mech_list: PLAIN LOGIN
On 01/30/2018 06:51 PM, Michael Rüger wrote:
> After enabling debug, restarting saslauthd and re-triggering imtest,
> saslauthd gets no request.
>
> root at cyrus3:/etc # /usr/local/etc/rc.d/saslauthd restart
> Stopping saslauthd.
> Waiting for PIDS: 88717.
> Starting saslauthd.
> saslauthd[90858] :main : num_procs : 5
> saslauthd[90858] :main : mech_option: NULL
> saslauthd[90858] :main : run_path : /var/run/saslauthd
> saslauthd[90858] :main : auth_mech : pam
> saslauthd[90858] :ipc_init : using accept lock file:
> /var/run/saslauthd/mux.accept
> saslauthd[90858] :detach_tty : master pid is: 0
> saslauthd[90858] :ipc_init : listening on socket:
> /var/run/saslauthd/mux
> saslauthd[90858] :main : using process model
> saslauthd[90858] :have_baby : forked child: 90859
> saslauthd[90859] :get_accept_lock : acquired accept lock
> saslauthd[90858] :have_baby : forked child: 90860
> saslauthd[90858] :have_baby : forked child: 90861
> saslauthd[90858] :have_baby : forked child: 90862
>
>
>> On 31.01.2018 at 00:39, Ken Murchison <murch at fastmail.com> wrote:
>>
>> Your understanding is correct. Can you run saslauthd with the -d
>> (debug) command line option and see if it sheds any light?
>>
>>
>>
>> On 01/30/2018 06:31 PM, Michael Rüger wrote:
>>> Yes, Ken. The whole jail is freshly fired up. Yes, it seems that
>>> imapd is not calling saslauthd at all. I wondered if saslauthd
>>> support is even compiled in.
>>>
>>> But if I understand the architecture correctly (and please correct
>>> me if I'm wrong), imap is using the sasl lib, and the sasl lib
>>> should have saslauthd support compiled in. This is, as far as I can
>>> see, configured by HAVE_SASLAUTHD. I have compiled the cyrus-sasl lib
>>> myself to verify that
>>>
>>> config.h:#define HAVE_SASLAUTHD /**/
>>>
>>> is enabled and
>>>
>>> root at cyrus3:/usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.26/
>>> # strings /usr/local/lib/libsasl2.so | grep saslauthd
>>> saslauthd_path
>>> /var/run/saslauthd
>>> cannot create socket for saslauthd: %m
>>> cannot connect to saslauthd server: %m
>>>
>>> gives me confidence that it is compiled in.
>>>
>>> I also tried to "dtrace" into imapd, but had no success. FreeBSD's
>>> dtrace has some problems inside a jail.
>>>
>>> So I guess I'm missing something tiny but important ;)
>>>
>>> Thx again for your support.
>>> Mike
>>>
>>>
>>>> On 31.01.2018 at 00:09, Ken Murchison <murch at fastmail.com> wrote:
>>>>
>>>> Has Cyrus IMAP been restarted since switching to saslauthd? It
>>>> doesn't look like Cyrus is even trying to use saslauthd.
>>>>
>>>>
>>>> On 01/30/2018 06:03 PM, Michael Rüger wrote:
>>>>> Struggled with enabling local6. The trick was to touch the new
>>>>> syslog output file before restarting syslog with this new line
>>>>>
>>>>> local6.* /var/log/local6
>>>>>
>>>>>
>>>>> root at cyrus3:/var/log # cat local6
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher
>>>>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher
>>>>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user
>>>>> and get auxprops
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user
>>>>> and get auxprops
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210]
>>>>> SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user
>>>>> and get auxprops]
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210]
>>>>> SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user
>>>>> and get auxprops]
>>>>>
>>>>>
>>>>>> On 30.01.2018 at 23:41, Ken Murchison <murch at fastmail.com> wrote:
>>>>>>
>>>>>> Hmm.
>>>>>>
>>>>>> I just switched my dev box to using saslauthd and it just
>>>>>> worked. I'm sure your problem is something simple, but its
>>>>>> escaping me at the moment.
>>>>>>
>>>>>> When imtest fails, what is logged in the Cyrus IMAP log (wherever
>>>>>> local6 is logged)?
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 01/30/2018 05:34 PM, Michael Rüger wrote:
>>>>>>> Ken, thank you for jumping in!
>>>>>>>
>>>>>>> Some more info: the apps run as the following users and groups
>>>>>>>
>>>>>>> root at cyrus3:~ # ps aux
>>>>>>> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
>>>>>>> root 88686 0.0 0.0 10500 2044 - SsJ 21:40 0:00.02
>>>>>>> /usr/sbin/syslogd -s
>>>>>>> root 88717 0.0 0.1 43928 4360 - IsJ 21:40 0:00.01
>>>>>>> /usr/local/sbin/saslauthd -a pam
>>>>>>> root 88718 0.0 0.1 43928 4360 - IJ 21:40 0:00.01
>>>>>>> /usr/local/sbin/saslauthd -a pam
>>>>>>> root 88720 0.0 0.1 43928 4276 - IJ 21:40 0:00.00
>>>>>>> /usr/local/sbin/saslauthd -a pam
>>>>>>> root 88721 0.0 0.1 43928 4360 - IJ 21:40 0:00.01
>>>>>>> /usr/local/sbin/saslauthd -a pam
>>>>>>> root 88722 0.0 0.1 43928 4276 - IJ 21:40 0:00.00
>>>>>>> /usr/local/sbin/saslauthd -a pam
>>>>>>> cyrus 88724 0.0 0.1 65504 5884 - SsJ 21:40 0:00.07
>>>>>>> /usr/local/cyrus/libexec/master -d
>>>>>>>
>>>>>>> root at cyrus3:~ # su - cyrus
>>>>>>> % id
>>>>>>> uid=60(cyrus) gid=60(cyrus) groups=60(cyrus),1003(saslauth)
>>>>>>>
>>>>>>>
>>>>>>>> On 30.01.2018 at 23:25, Michael Rüger <michael.g.rueger at gmail.com> wrote:
>>>>>>>>
>>>>>>>> root at cyrus3:~ # ls -la /var/run/saslauthd/
>>>>>>>> total 13
>>>>>>>> drwxr-x--- 2 cyrus saslauth 5 Jan 30 21:40 .
>>>>>>>> drwxr-xr-x 6 root wheel 15 Jan 30 21:40 ..
>>>>>>>> srwxrwxrwx 1 root saslauth 0 Jan 30 21:40 mux
>>>>>>>> -rw------- 1 root saslauth 0 Jan 30 21:40 mux.accept
>>>>>>>> -rw------- 1 root saslauth 6 Jan 30 21:40 saslauthd.pid
>>>>>>>>
>>>>>>>>> On 30.01.2018 at 23:23, Ken Murchison <murch at fastmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Hi Michael,
>>>>>>>>>
>>>>>>>>> What are the permissions on the socket that saslauthd is
>>>>>>>>> listening on?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 01/30/2018 05:06 PM, Michael Rüger wrote:
>>>>>>>>>> Hi
>>>>>>>>>>
>>>>>>>>>> (BTW, I was Guest39278 on IRC yesterday and got the chance to
>>>>>>>>>> introduce myself on googletalk)
>>>>>>>>>>
>>>>>>>>>> I'm trying to set up imapd to use saslauthd for authentication.
>>>>>>>>>>
>>>>>>>>>> I already have a running saslauthd which uses PAM. I can run this
>>>>>>>>>>
>>>>>>>>>> root at cyrus3:/ # testsaslauthd -u mike -p mike
>>>>>>>>>> 0: OK "Success."
>>>>>>>>>>
>>>>>>>>>> and if I run
>>>>>>>>>>
>>>>>>>>>> root at cyrus3:/ # testsaslauthd -u mike -p abc
>>>>>>>>>> 0: NO "authentication failed"
>>>>>>>>>>
>>>>>>>>>> I get that logged in auth.log like this
>>>>>>>>>>
>>>>>>>>>> Jan 30 21:43:53 cyrus3 saslauthd[88721]: do_auth : auth
>>>>>>>>>> failure: [user=mike] [service=imap] [realm=] [mech=pam]
>>>>>>>>>> [reason=PAM auth error]
>>>>>>>>>>
>>>>>>>>>> In imapd.conf i have
>>>>>>>>>>
>>>>>>>>>> sasl_pwcheck_method: saslauthd
>>>>>>>>>>
>>>>>>>>>> Now I'm authenticating against imapd
>>>>>>>>>>
>>>>>>>>>> root at cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
>>>>>>>>>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS
>>>>>>>>>> LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5
>>>>>>>>>> AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
>>>>>>>>>> C: S01 STARTTLS
>>>>>>>>>> S: S01 OK Begin TLS negotiation now
>>>>>>>>>> verify error:num=18:self signed certificate
>>>>>>>>>> TLS connection established: TLSv1.2 with cipher
>>>>>>>>>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>>>>>>>>> C: C01 CAPABILITY
>>>>>>>>>> S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten
>>>>>>>>>> QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME
>>>>>>>>>> UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE
>>>>>>>>>> ESEARCH SEARCH=FUZZY SORT SORT=MODSEQ SORT=DISPLAY SORT=UID
>>>>>>>>>> THREAD=ORDEREDSUBJECT THREAD=REFERENCES THREAD=REFS
>>>>>>>>>> ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED
>>>>>>>>>> LIST-STATUS LIST-MYRIGHTS LIST-METADATA WITHIN QRESYNC SCAN
>>>>>>>>>> XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE DIGEST=SHA1
>>>>>>>>>> X-REPLICATION URLAUTH URLAUTH=BINARY AUTH=SCRAM-SHA-1
>>>>>>>>>> AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN
>>>>>>>>>> SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE
>>>>>>>>>> X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE
>>>>>>>>>> S: C01 OK Completed
>>>>>>>>>> C: A01 AUTHENTICATE SCRAM-SHA-1
>>>>>>>>>> bixhPW1pa2Usbj1taWtlLHI9Z2Z1Ukp1cVc1Z1BybHhaWTdFcjVYUDR2WUtuMVhRNHc=
>>>>>>>>>> S: A01 NO authentication failure
>>>>>>>>>> Authentication failed. generic failure
>>>>>>>>>> Security strength factor: 256
>>>>>>>>>>
>>>>>>>>>> Nothing is reported in auth.conf
>>>>>>>>>>
>>>>>>>>>> If I do this
>>>>>>>>>>
>>>>>>>>>> root at cyrus3:~ # saslpasswd2 -c mike at cyrus3.intern.rueger.me
>>>>>>>>>> …<entering "mike" twice here>
>>>>>>>>>> root at cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
>>>>>>>>>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS
>>>>>>>>>> LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5
>>>>>>>>>> AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
>>>>>>>>>> C: S01 STARTTLS
>>>>>>>>>> …
>>>>>>>>>> Authenticated.
>>>>>>>>>> Security strength factor: 256
>>>>>>>>>>
>>>>>>>>>> it is working against local db BUT NOT against saslauthd.
>>>>>>>>>>
>>>>>>>>>> How do I set up imapd to talk to saslauthd?
>>>>>>>>>>
>>>>>>>>>> BTW I'm using
>>>>>>>>>> * cyrus-imapd30-3.0.5
>>>>>>>>>> * cyrus-sasl-2.1.26_13
>>>>>>>>>> * cyrus-sasl-saslauthd-2.1.26_3
>>>>>>>>>> on FreeBSD 11.1
>>>>>>>>>>
>>>>>>>>>> Thank you for any help,
>>>>>>>>>> Mike
>>>>>>>>>>
--
Ken Murchison
Cyrus Development Team
FastMail US LLC
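An added check (not from this thread or the Cyrus project) that applies Ken's point to the CAPABILITY lines quoted above: it parses the pre-STARTTLS greeting and the post-STARTTLS CAPABILITY reply and reports any advertised mechanism that saslauthd cannot verify. The sample lines are trimmed copies of the imtest transcript; the `FIXED_*` lines are an assumption of what the server advertises once `sasl_mech_list: PLAIN LOGIN` is set.

```python
"""Check the SASL mechanisms a Cyrus IMAP server advertises before and after
STARTTLS against a saslauthd-backed setup: saslauthd can only verify plaintext
passwords, so only PLAIN/LOGIN should be offered, and only once TLS is up."""
import re

# Sample lines constructed from the imtest transcript in this thread (trimmed).
PRE_TLS_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS "
                    "LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 "
                    "AUTH=NTLM SASL-IR] cyrus3 Cyrus IMAP 3.0.5 server ready")
POST_TLS_CAPABILITY = ("* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten "
                       "AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM "
                       "AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE IDLE")
# Assumed output after 'sasl_mech_list: PLAIN LOGIN' (constructed, not captured).
FIXED_PRE_TLS_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS "
                          "LOGINDISABLED SASL-IR] cyrus3 Cyrus IMAP 3.0.5 server ready")
FIXED_POST_TLS_CAPABILITY = ("* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL "
                             "AUTH=PLAIN AUTH=LOGIN SASL-IR IDLE")

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}   # the only mechanisms saslauthd can verify


def parse_capabilities(line):
    """Return the capability tokens from a greeting ('* OK [CAPABILITY ...]')
    or from an untagged '* CAPABILITY ...' response."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line)
    body = m.group(1) if m else re.sub(r"^\* CAPABILITY ", "", line)
    return set(body.split())


def auth_mechs(caps):
    """Extract the SASL mechanism names from AUTH=<mech> tokens."""
    return {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}


def check_saslauthd_policy(pre_tls_line, post_tls_line):
    """Return a list of findings; an empty list means the advertised
    mechanisms are consistent with sasl_pwcheck_method: saslauthd."""
    findings = []
    pre = parse_capabilities(pre_tls_line)
    post = parse_capabilities(post_tls_line)
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered; plaintext credentials would be exposed")
    if auth_mechs(pre) & PLAINTEXT_MECHS:
        findings.append("plaintext mechanisms offered before TLS")
    non_plain = (auth_mechs(pre) | auth_mechs(post)) - PLAINTEXT_MECHS
    if non_plain:
        # These need a stored secret (sasldb/auxprop); saslauthd cannot verify
        # them, which is the 'user not found' badlogin seen in the thread.
        findings.append("non-plaintext mechanisms advertised: " + ", ".join(sorted(non_plain)))
    if not auth_mechs(post) & PLAINTEXT_MECHS:
        findings.append("no plaintext mechanism after TLS; saslauthd is never consulted")
    return findings
```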