Cyrus-IMAPd+SASL+PAM not communicating (but testsaslauthd says
Thomas Hannan
thomas at raapid.net
Thu Jan 16 16:52:52 EST 2003
Thanks again -- will work on that. If I compiled it w/o these options, then
why does the Cyrus daemon offer: AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5?
Or is that normal behavior?
-Tico
> You need to have an SSL layer established before Cyrus will offer
> PLAIN.
>
> -Rob
>
> On Thu, 16 Jan 2003, Thomas Hannan wrote:
>
>> Thanks much! (for some reason I thought the only options available
>> were sasldb or pam for that setting)
>>
>> However, I still get errors when trying to do PLAIN auth (haven't even
>> tried setting up SSL yet)
>>
>> # imtest -u test1 -a test1 -w 1234 -v -m PLAIN 192.168.1.98
>> S: * OK mail.test Cyrus IMAP4 v2.1.11 server ready
>> C: C01 CAPABILITY
>> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
>> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
>> SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=OTP
>> AUTH=DIGEST-MD5 AUTH=CRAM-MD5
>> S: C01 OK Completed
>> C: A01 AUTHENTICATE PLAIN
>> S: A01 NO no mechanism available
>> Authentication failed. generic failure
>> Security strength factor: 0
>>
>> #tail /var/log/auth.log :
>> Jan 16 13:42:06 frosty imapd[3037]: badlogin: frosty.test
>> [192.168.1.98] PLAIN [SASL(-4): no mechanism available: security flags
>> do not match required]
>>
>> Also, could someone explain to me exactly what the difference between
>> LOGIN and PLAIN is? I haven't been able to find any details in my
>> RTFM'ing...
>>
>> Can/will cyrus-imapd create a maildir (and INBOX) for a user that has
>> logged in for their first time?
>>
>> thanks much!!
>> --Tico
>>
>> > You want to use:
>> >
>> > sasl_pwcheck_method: saslauthd
>> >
>> > -Rob
>> >
>> > On Thu, 16 Jan 2003, Thomas Hannan wrote:
>> >
>> >> Hi all,
>> >>
>> >> The cliffnotes version of my problem is that even though I run
>> >> /usr/local/sbin/saslauthd -a pam&
>> >> and my /etc/imapd.conf contains "sasl_pwcheck_method: pam"
>> >> I get an auth failed when trying to login over IMAP or imtest:
>> >> $ testsaslauthd -u tico2 -p test1234 -s imap
>> >> 0: OK "Success."
>> >>
>> >> $ testsaslauthd -u tico2 -p test1234
>> >> 0: OK "Success."
>> >>
>> >> $ imtest -u tico2 -a tico2 -w test1234 -v -m login 192.168.1.98
>> >> S: * OK mail.test Cyrus IMAP4 v2.1.11 server ready
>> >> C: C01 CAPABILITY
>> >> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+
>> >> MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT
>> >> CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES
>> >> IDLE AUTH=OTP
>> >> AUTH=DIGEST-MD5 AUTH=CRAM-MD5
>> >> S: C01 OK Completed
>> >> C: L01 LOGIN tico2 {8}
>> >> S: + go ahead
>> >> C: <omitted>
>> >> S: L01 NO Login failed: no mechanism available
>> >> Authentication failed. generic failure
>> >> Security strength factor: 0
>> >>
>> >> $ imtest -u tico2 -a tico2 -w test1234 -v -m plain 192.168.1.98
>> >> S: * OK mail.test.pharm-olam.com Cyrus IMAP4 v2.1.11 server ready
>> >> C: C01 CAPABILITY
>> >> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+
>> >> MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT
>> >> CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES
>> >> IDLE AUTH=OTP
>> >> AUTH=DIGEST-MD5 AUTH=CRAM-MD5
>> >> S: C01 OK Completed
>> >> C: A01 AUTHENTICATE PLAIN
>> >> S: A01 NO no mechanism available
>> >> Authentication failed. generic failure
>> >> Security strength factor: 0
>> >>
>> >> /var/log/auth.log says:
>> >> Jan 16 12:59:26 frosty imapd[2968]: unknown password verifier
>> >> /var/log/imap.log says:
>> >> Jan 16 12:59:05 frosty imapd[2968]: badlogin: mail.test
>> >> [192.168.1.98] PLAIN [SASL(-4): no mechanism available: security
>> >> flags do not match required]
>> >> Jan 16 12:59:26 frosty imapd[2968]: accepted connection
>> >> Jan 16 12:59:26 frosty imapd[2968]: badlogin: mail.test
>> >> [192.168.1.98] plaintext test1 SASL(-4): no mechanism available:
>> >> checkpass failed
>> >>
>> >> I'm on my first Cyrus install and have RTFM all I can find, so bear
>> >> with me. I have a Redhat 7.2 box on which I'm trying to accomplish
>> >> the following:
>> >> Get Cyrus IMAPd to authenticate (via SASLv2) against PAM instead of
>> >> directly to a /etc/sasldb or a MySQL table or anything of that
>> >> nature. My users are set up in PAM using Samba/winbind modules, and
>> >> they can authenticate for anything else. Additionally, I have a few
>> >> /etc/shadow users that I've created just for testing, and behavior
>> >> is the exact same no matter which type of user I try.
>> >>
>> >> Any help would be greatly appreciated!!
>> >> Regards,
>> >> Tico Hannan [CCDP,CCNP]
>> >>
>> >> more notes:
>> >>
>> >> Locally I can auth against any of them (winbind or /etc/shadow)
>> >> since they are in my /etc/pam.d/system-auth:
>> >> auth required /lib/security/pam_env.so
>> >> auth sufficient /lib/security/pam_winbind.so
>> >> auth sufficient /lib/security/pam_unix.so likeauth nullok
>> >> auth required /lib/security/pam_deny.so
>> >> account required /lib/security/pam_unix.so
>> >> password required /lib/security/pam_cracklib.so retry=3 type=
>> >> password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow use_first_pass
>> >> password required /lib/security/pam_deny.so
>> >> session required /lib/security/pam_limits.so
>> >> session required /lib/security/pam_unix.so
>> >>
>> >> and currently (just for testing purposes) I have everything
>> >> (including /etc/pam.d/imap) set to use:
>> >> $ cat /etc/pam.d/imap
>> >> #%PAM-1.0
>> >> auth required /lib/security/pam_stack.so service=system-auth
>> >> account required /lib/security/pam_stack.so service=system-auth
>> >>
>> >> I have a startup script that runs
>> >> /usr/local/sbin/saslauthd -a pam&
>> >> /usr/cyrus/bin/master &
>> >> and my configs are /etc/imapd.conf:
>> >> configdirectory: /var/imap
>> >> partition-default: /var/spool/imap
>> >> admins: cyrus root
>> >> allowanonymouslogin: no
>> >> sasl_pwcheck_method: pam
>> >> defaultacl: anyone lrs
>> >> postmaster: postmaster
>> >> sendmail: /usr/sbin/sendmail.postfix
>> >> allowplaintext: yes
>> >> servername: mail.test
>> >> autocreatequota: 10000
>> >> quotawarn: 90
>> >>
>> >> my /etc/cyrus.conf:
>> >> START {
>> >> # do not delete these entries!
>> >> mboxlist cmd="ctl_mboxlist -r"
>> >> deliver cmd="ctl_deliver -r"
>> >> }
>> >> SERVICES {
>> >> imap cmd="/usr/cyrus/bin/imapd" listen="imap" prefork=0
>> >> imaps cmd="/usr/cyrus/bin/imapd -s" listen="imaps" prefork=0
>> >> pop3 cmd="/usr/cyrus/bin/pop3d" listen="pop3" prefork=0
>> >> pop3s cmd="/usr/cyrus/bin/pop3d -s" listen="pop3s" prefork=0
>> >> sieve cmd="/usr/cyrus/bin/timsieved" listen="sieve" prefork=0
>> >> lmtpunix cmd="/usr/cyrus/bin/lmtpd" listen="/var/imap/socket/lmtp" prefork=0
>> >> }
>> >> EVENTS {
>> >> checkpoint cmd="ctl_mboxlist -c" period=30
>> >> }
>> >>
>> >> My installation options:
>> >> SASL:
>> >> make clean
>> >> ./configure \
>> >> --with-dblib=berkeley \
>> >> --with-bdb-libdir=/usr/local/BerkeleyDB.3.1/lib \
>> >> --with-bdb-incdir=/usr/local/BerkeleyDB.3.1/include \
>> >> --with-pam=/usr/include/security \
>> >> --with-openssl=/usr/include/openssl \
>> >> --enable-plain \
>> >> --enable-krb4=no \
>> >> --without-des \
>> >> --enable-digest=no
>> >> make
>> >> make install
>> >> IMAP:
>> >> make clean
>> >> ./configure \
>> >> --with-auth=unix \
>> >> --with-openssl=/usr/include/openssl \
>> >> --with-dbdir=/usr/local/BerkeleyDB.3.3
>> >> make depend
>> >> make all CFLAGS=-O
>> >> make install
>> >>
>> >
>> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>> > Rob Siemborski * Andrew Systems Group * Cyert Hall 207 *
>> > 412-268-7456 Research Systems Programmer * /usr/contributed
>> > Gatekeeper
>>
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> Research Systems Programmer * /usr/contributed Gatekeeper
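
Added example (not part of the original thread and not Cyrus project code): a small Python check for the two failure modes the thread runs into, an unrecognised `sasl_pwcheck_method` value and PLAIN being requested on a connection with no SSL/TLS layer. The function names are hypothetical, and the verifier-name set and the shared-secret classification are assumptions drawn from general Cyrus SASL v2 behaviour rather than from the thread.

```python
import re

# Verifier names Cyrus SASL v2 accepts for pwcheck_method. Assumption: this set
# comes from general SASL documentation, not from the thread; extend it if your
# build supports others. PAM is a saslauthd backend ("saslauthd -a pam").
KNOWN_PWCHECK = {"auxprop", "saslauthd", "pwcheck", "authdaemond"}
# Mechanisms that need a stored shared secret (auxprop/sasldb); saslauthd only
# checks plaintext passwords. General SASL behaviour, not stated in the thread.
SHARED_SECRET = {"OTP", "DIGEST-MD5", "CRAM-MD5"}

def parse_imapd_conf(text):
    """Return {option: value} from 'option: value' lines, skipping comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip().lower()] = value.strip()
    return opts

def advertised_mechs(capability):
    """Extract SASL mechanism names from an IMAP CAPABILITY response."""
    return set(re.findall(r"\bAUTH=([A-Z0-9_-]+)", capability.upper()))

def diagnose(conf_text, capability, tls_active):
    """Return findings for the failure modes discussed in the thread."""
    findings = []
    methods = parse_imapd_conf(conf_text).get("sasl_pwcheck_method", "").split()
    for name in methods:
        if name.lower() not in KNOWN_PWCHECK:
            findings.append(f"unknown password verifier '{name}': set "
                            "sasl_pwcheck_method to saslauthd")
    mechs = advertised_mechs(capability)
    if "PLAIN" not in mechs and not tls_active:
        findings.append("PLAIN not offered without an SSL/TLS layer")
    if "saslauthd" in methods and mechs and mechs <= SHARED_SECRET:
        findings.append("only shared-secret mechanisms offered; saslauthd "
                        "cannot verify them")
    return findings

# Inputs taken from the thread: two posted imapd.conf lines and the CAPABILITY
# reply (abridged to the AUTH= items and a few other capabilities).
THREAD_CONF = "allowplaintext: yes\nsasl_pwcheck_method: pam\n"
THREAD_CAPS = ("* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA IDLE AUTH=OTP "
               "AUTH=DIGEST-MD5 AUTH=CRAM-MD5")

if __name__ == "__main__":
    for finding in diagnose(THREAD_CONF, THREAD_CAPS, tls_active=False):
        print("-", finding)
```
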
More information about the Info-cyrus mailing list