imapd is not talking to saslauthd
Michael Rüger
michael.g.rueger at gmail.com
Wed Jan 31 17:41:16 EST 2018
Hello Ken,
Thank you very much. Adding '-m plain' did it.
Now I also get that enabling mechs through sasl_mech_list requires them to be supported by the backing auth providers.
Thx again for your support.
BTW I'm very pleased that Cyrus still has such an active and supportive community. I'm convinced that I have picked the right Dovecot successor for me :-)
Mike
> On 31.01.2018 at 01:29, Ken Murchison <murch at fastmail.com> wrote:
>
> OK. Major brain fart, since I'm trying to do 5 things at once. saslauthd will only be used for verifying plaintext passwords -- meaning it's only used for plaintext authentication methods. Your imtest is trying to use SCRAM by default.
>
> Add '-m plain' to your imtest and see what happens.
>
> If you want to do your auth using only PAM, you will have to disable non-plaintext SASL mechs for Cyrus. Add the following to imapd.conf:
>
> sasl_mech_list: PLAIN LOGIN
>
>
>
> On 01/30/2018 06:51 PM, Michael Rüger wrote:
>> After enabling debug and restarting saslauthd and retrigger imtest, saslauthd gets no request.
>>
>> root at cyrus3:/etc # /usr/local/etc/rc.d/saslauthd restart
>> Stopping saslauthd.
>> Waiting for PIDS: 88717.
>> Starting saslauthd.
>> saslauthd[90858] :main : num_procs : 5
>> saslauthd[90858] :main : mech_option: NULL
>> saslauthd[90858] :main : run_path : /var/run/saslauthd
>> saslauthd[90858] :main : auth_mech : pam
>> saslauthd[90858] :ipc_init : using accept lock file: /var/run/saslauthd/mux.accept
>> saslauthd[90858] :detach_tty : master pid is: 0
>> saslauthd[90858] :ipc_init : listening on socket: /var/run/saslauthd/mux
>> saslauthd[90858] :main : using process model
>> saslauthd[90858] :have_baby : forked child: 90859
>> saslauthd[90859] :get_accept_lock : acquired accept lock
>> saslauthd[90858] :have_baby : forked child: 90860
>> saslauthd[90858] :have_baby : forked child: 90861
>> saslauthd[90858] :have_baby : forked child: 90862
>>
>>
>>> On 31.01.2018 at 00:39, Ken Murchison <murch at fastmail.com> wrote:
>>>
>>> Your understanding is correct. Can you run saslauthd with the -d (debug) command line option and see if it sheds any light?
>>>
>>>
>>>
>>> On 01/30/2018 06:31 PM, Michael Rüger wrote:
>>>> Yes, Ken. The whole jail is freshly fired up. Yes, it seems that imapd is not calling saslauthd at all. I wondered if saslauthd support is even compiled in.
>>>>
>>>> But if I understand the architecture correctly (and please correct me if I'm wrong), imap is using the sasl lib, and the sasl lib should have saslauthd support compiled in. As far as I can see, this is configured by HAVE_SASLAUTHD. I have compiled the cyrus-sasl lib myself to verify that
>>>>
>>>> config.h:#define HAVE_SASLAUTHD /**/
>>>>
>>>> is enabled and
>>>>
>>>> root at cyrus3:/usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.26/ # strings /usr/local/lib/libsasl2.so | grep saslauthd
>>>> saslauthd_path
>>>> /var/run/saslauthd
>>>> cannot create socket for saslauthd: %m
>>>> cannot connect to saslauthd server: %m
>>>>
>>>> gives me confidence that it is compiled in.
>>>>
>>>> I also tried to 'dtrace' into imapd, but had no success. FreeBSD's dtrace has some problems inside a jail.
>>>>
>>>> So I guess I miss something tiny but important ;)
>>>>
>>>> Thx again for your support.
>>>> Mike
>>>>
>>>>
>>>>> On 31.01.2018 at 00:09, Ken Murchison <murch at fastmail.com> wrote:
>>>>>
>>>>> Has Cyrus IMAP been restarted since switching to saslauthd? It doesn't look like Cyrus is even trying to use saslauthd.
>>>>>
>>>>> On 01/30/2018 06:03 PM, Michael Rüger wrote:
>>>>>> Struggled with enabling local6. The trick was to touch the new syslog output file before restarting syslog with this new line
>>>>>>
>>>>>> local6.* /var/log/local6
>>>>>>
>>>>>>
>>>>>> root at cyrus3:/var/log # cat local6
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
>>>>>>
>>>>>>
>>>>>>> On 30.01.2018 at 23:41, Ken Murchison <murch at fastmail.com> wrote:
>>>>>>>
>>>>>>> Hmm.
>>>>>>>
>>>>>>> I just switched my dev box to using saslauthd and it just worked. I'm sure your problem is something simple, but it's escaping me at the moment.
>>>>>>> When imtest fails, what is logged in the Cyrus IMAP log (wherever local6 is logged)?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 01/30/2018 05:34 PM, Michael Rüger wrote:
>>>>>>>> Ken, thank you for jumping in!
>>>>>>>>
>>>>>>>> Some more info: the apps run as the following users and groups
>>>>>>>>
>>>>>>>> root at cyrus3:~ # ps aux
>>>>>>>> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
>>>>>>>> root 88686 0.0 0.0 10500 2044 - SsJ 21:40 0:00.02 /usr/sbin/syslogd -s
>>>>>>>> root 88717 0.0 0.1 43928 4360 - IsJ 21:40 0:00.01 /usr/local/sbin/saslauthd -a pam
>>>>>>>> root 88718 0.0 0.1 43928 4360 - IJ 21:40 0:00.01 /usr/local/sbin/saslauthd -a pam
>>>>>>>> root 88720 0.0 0.1 43928 4276 - IJ 21:40 0:00.00 /usr/local/sbin/saslauthd -a pam
>>>>>>>> root 88721 0.0 0.1 43928 4360 - IJ 21:40 0:00.01 /usr/local/sbin/saslauthd -a pam
>>>>>>>> root 88722 0.0 0.1 43928 4276 - IJ 21:40 0:00.00 /usr/local/sbin/saslauthd -a pam
>>>>>>>> cyrus 88724 0.0 0.1 65504 5884 - SsJ 21:40 0:00.07 /usr/local/cyrus/libexec/master -d
>>>>>>>>
>>>>>>>> root at cyrus3:~ # su - cyrus
>>>>>>>> % id
>>>>>>>> uid=60(cyrus) gid=60(cyrus) groups=60(cyrus),1003(saslauth)
>>>>>>>>
>>>>>>>>
>>>>>>>>> On 30.01.2018 at 23:25, Michael Rüger <michael.g.rueger at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> root at cyrus3:~ # ls -la /var/run/saslauthd/
>>>>>>>>> total 13
>>>>>>>>> drwxr-x--- 2 cyrus saslauth 5 Jan 30 21:40 .
>>>>>>>>> drwxr-xr-x 6 root wheel 15 Jan 30 21:40 ..
>>>>>>>>> srwxrwxrwx 1 root saslauth 0 Jan 30 21:40 mux
>>>>>>>>> -rw------- 1 root saslauth 0 Jan 30 21:40 mux.accept
>>>>>>>>> -rw------- 1 root saslauth 6 Jan 30 21:40 saslauthd.pid
>>>>>>>>>
>>>>>>>>>> On 30.01.2018 at 23:23, Ken Murchison <murch at fastmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi Michael,
>>>>>>>>>>
>>>>>>>>>> What are the permissions on the socket that saslauthd is listening on?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 01/30/2018 05:06 PM, Michael Rüger wrote:
>>>>>>>>>>> Hi
>>>>>>>>>>>
>>>>>>>>>>> (btw. I was Guest39278 on IRC yesterday and got the chance to introduce myself on googletalk)
>>>>>>>>>>>
>>>>>>>>>>> I'm trying to set up imapd to use saslauthd for authentication.
>>>>>>>>>>>
>>>>>>>>>>> I already have a running saslauthd which uses PAM. I can run this
>>>>>>>>>>>
>>>>>>>>>>> root at cyrus3:/ # testsaslauthd -u mike -p mike
>>>>>>>>>>> 0: OK "Success."
>>>>>>>>>>>
>>>>>>>>>>> and if I run
>>>>>>>>>>>
>>>>>>>>>>> root at cyrus3:/ # testsaslauthd -u mike -p abc
>>>>>>>>>>> 0: NO "authentication failed"
>>>>>>>>>>>
>>>>>>>>>>> I get that logged in auth.log like this
>>>>>>>>>>>
>>>>>>>>>>> Jan 30 21:43:53 cyrus3 saslauthd[88721]: do_auth : auth failure: [user=mike] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>>>>>>>>>>>
>>>>>>>>>>> In imapd.conf i have
>>>>>>>>>>>
>>>>>>>>>>> sasl_pwcheck_method: saslauthd
>>>>>>>>>>>
>>>>>>>>>>> Now I'm authenticating against imapd
>>>>>>>>>>>
>>>>>>>>>>> root at cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
>>>>>>>>>>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
>>>>>>>>>>> C: S01 STARTTLS
>>>>>>>>>>> S: S01 OK Begin TLS negotiation now
>>>>>>>>>>> verify error:num=18:self signed certificate
>>>>>>>>>>> TLS connection established: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>>>>>>>>>> C: C01 CAPABILITY
>>>>>>>>>>> S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SEARCH=FUZZY SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES THREAD=REFS ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS LIST-METADATA WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE DIGEST=SHA1 X-REPLICATION URLAUTH URLAUTH=BINARY AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE
>>>>>>>>>>> S: C01 OK Completed
>>>>>>>>>>> C: A01 AUTHENTICATE SCRAM-SHA-1 bixhPW1pa2Usbj1taWtlLHI9Z2Z1Ukp1cVc1Z1BybHhaWTdFcjVYUDR2WUtuMVhRNHc=
>>>>>>>>>>> S: A01 NO authentication failure
>>>>>>>>>>> Authentication failed. generic failure
>>>>>>>>>>> Security strength factor: 256
>>>>>>>>>>>
>>>>>>>>>>> Nothing is reported in auth.conf
>>>>>>>>>>>
>>>>>>>>>>> If I do this
>>>>>>>>>>>
>>>>>>>>>>> root at cyrus3:~ # saslpasswd2 -c mike at cyrus3.intern.rueger.me
>>>>>>>>>>> ...<entering "mike" twice here>
>>>>>>>>>>> root at cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
>>>>>>>>>>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
>>>>>>>>>>> C: S01 STARTTLS
>>>>>>>>>>> …
>>>>>>>>>>> Authenticated.
>>>>>>>>>>> Security strength factor: 256
>>>>>>>>>>>
>>>>>>>>>>> it is working against local db BUT NOT against saslauthd.
>>>>>>>>>>>
>>>>>>>>>>> How do I set up imapd to talk to saslauthd?
>>>>>>>>>>>
>>>>>>>>>>> BTW I'm using
>>>>>>>>>>> * cyrus-imapd30-3.0.5
>>>>>>>>>>> * cyrus-sasl-2.1.26_13
>>>>>>>>>>> * cyrus-sasl-saslauthd-2.1.26_3
>>>>>>>>>>> on FreeBSD 11.1
>>>>>>>>>>>
>>>>>>>>>>> Thank you for any help,
>>>>>>>>>>> Mike
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Ken Murchison
>>>>>>>>>> Cyrus Development Team
>>>>>>>>>> FastMail US LLC
>>>>>>>>>> <murch.vcf>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Ken Murchison
>>>>>>> Cyrus Development Team
>>>>>>> FastMail US LLC
>>>>>>> <murch.vcf>
>>>>>>
>>>>>
>>>>> --
>>>>> Ken Murchison
>>>>> Cyrus Development Team
>>>>> FastMail US LLC
>>>>> <murch.vcf>
>>>>
>>>
>>> --
>>> Ken Murchison
>>> Cyrus Development Team
>>> FastMail US LLC
>>> <murch.vcf>
>>
>
> --
> Ken Murchison
> Cyrus Development Team
> FastMail US LLC
> <murch.vcf>
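As an added illustration of the point the thread ends on (not code from the thread or from the Cyrus project): saslauthd can only verify plaintext passwords, so any SCRAM, DIGEST-MD5 or CRAM-MD5 mechanism the server still advertises will fail with "user not found" unless an auxprop store backs it. The small checker below parses an imapd.conf in Cyrus's 'key: value' format and reports the offered mechanisms saslauthd cannot serve; the two config samples are constructed from the values in this thread, and the CAPABILITY line is the greeting from the imtest run above.

```python
"""Flag SASL mechanisms in imapd.conf that saslauthd cannot verify."""
import re

# saslauthd only answers "is this user/password valid?", so it can back only
# mechanisms that hand the server a plaintext password. SCRAM, DIGEST-MD5,
# CRAM-MD5 and NTLM instead need secrets from an auxprop plugin such as sasldb.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed imapd.conf resembling the thread's setup before the fix.
BROKEN_CONF = """\
configdirectory: /var/imap
sasl_pwcheck_method: saslauthd
"""
# The same file with the sasl_mech_list line Ken suggested.
FIXED_CONF = BROKEN_CONF + "sasl_mech_list: PLAIN LOGIN\n"

# Greeting from the thread's imtest run: the mechs offered with no sasl_mech_list.
SAMPLE_CAPABILITY = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED "
                     "AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR]")

def parse_imapd_conf(text):
    """Parse 'key: value' lines into a dict; '#' comment and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf

def advertised_mechs(capability_line):
    """Collect the AUTH=<mech> tokens a server advertises in its CAPABILITY."""
    return set(re.findall(r"AUTH=([A-Z0-9-]+)", capability_line))

def check_saslauthd_mechs(conf, capability_line=None):
    """Return (ok, problems) for a config whose pwcheck method is saslauthd."""
    problems = []
    if conf.get("sasl_pwcheck_method") != "saslauthd":
        return True, problems  # a different backend; nothing to check here
    if "sasl_mech_list" in conf:
        offered = set(conf["sasl_mech_list"].upper().split())
    else:
        # Unrestricted: every compiled-in mechanism is offered (as the greeting in
        # the thread shows), so fall back to what the server actually advertised.
        problems.append("sasl_mech_list is unset: all compiled-in mechanisms are offered")
        offered = advertised_mechs(capability_line) if capability_line else set()
    unsupported = sorted(offered - PLAINTEXT_MECHS)
    if unsupported:
        problems.append("saslauthd cannot verify: " + " ".join(unsupported))
    return not problems, problems
```

Run it against a real imapd.conf together with the first line of an imtest session to see which advertised mechanisms would fail the way the SCRAM-SHA-1 attempt above did.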