Cyrus-IMAPd+SASL+PAM not communicating (but testsaslauthd says

Rob Siemborski rjs3 at andrew.cmu.edu
Thu Jan 16 14:51:05 EST 2003


You need to have an SSL layer established before Cyrus will offer PLAIN.

-Rob

On Thu, 16 Jan 2003, Thomas Hannan wrote:

> Thanks much! (for some reason I thought the only options available were
> sasldb or pam for that setting)
>
> However, I still get errors when trying to do PLAIN auth (haven't even
> tried setting up SSL yet)
>
> # imtest -u test1 -a test1 -w 1234 -v -m PLAIN 192.168.1.98
> S: * OK mail.test Cyrus IMAP4 v2.1.11 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=OTP AUTH=DIGEST-MD5
> AUTH=CRAM-MD5
> S: C01 OK Completed
> C: A01 AUTHENTICATE PLAIN
> S: A01 NO no mechanism available
> Authentication failed. generic failure
> Security strength factor: 0
>
> #tail /var/log/auth.log :
> Jan 16 13:42:06 frosty imapd[3037]: badlogin: frosty.test [192.168.1.98]
> PLAIN [SASL(-4): no mechanism available: security flags do not match
> required]
>
> Also, could someone explain to me exactly what the difference between LOGIN
> and PLAIN is? I haven't been able to see find any details in my RTFM'ing...
>
> Can/will cyrus-imapd create a maildir (and INBOX) for a user that has
> logged in for their first time?
>
> thanks much!!
> --Tico
>
> > You want to use:
> >
> > sasl_pwcheck_method: saslauthd
> >
> > -Rob
> >
> > On Thu, 16 Jan 2003, Thomas Hannan wrote:
> >
> >> Hi all,
> >>
> >> The cliffnotes version of my problem is that even though I run
> >> /usr/local/sbin/saslauthd -a pam&
> >> and my /etc/imapd.conf contains "sasl_pwcheck_method: pam"
> >> I get an auth failed when trying to login over IMAP or imtest:
> >> $ testsaslauthd -u tico2 -p test1234 -s imap
> >> 0: OK "Success."
> >>
> >> $ testsaslauthd -u tico2 -p test1234
> >> 0: OK "Success."
> >>
> >> $ imtest -u tico2 -a tico2 -w test1234 -v -m login 192.168.1.98
> >> S: * OK mail.test Cyrus IMAP4 v2.1.11 server ready
> >> C: C01 CAPABILITY
> >> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> >> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
> >> SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=OTP
> >> AUTH=DIGEST-MD5 AUTH=CRAM-MD5
> >> S: C01 OK Completed
> >> C: L01 LOGIN tico2 {8}
> >> S: + go ahead
> >> C: <omitted>
> >> S: L01 NO Login failed: no mechanism available
> >> Authentication failed. generic failure
> >> Security strength factor: 0
> >>
> >> $ imtest -u tico2 -a tico2 -w test1234 -v -m plain 192.168.1.98
> >> S: * OK mail.test.pharm-olam.com Cyrus IMAP4 v2.1.11 server ready C:
> >> C01 CAPABILITY
> >> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> >> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
> >> SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=OTP
> >> AUTH=DIGEST-MD5 AUTH=CRAM-MD5
> >> S: C01 OK Completed
> >> C: A01 AUTHENTICATE PLAIN
> >> S: A01 NO no mechanism available
> >> Authentication failed. generic failure
> >> Security strength factor: 0
> >>
> >> /var/log/auth.log says:
> >> Jan 16 12:59:26 frosty imapd[2968]: unknown password verifier
> >>  /var/log/imap.log says:
> >> Jan 16 12:59:05 frosty imapd[2968]: badlogin: mail.test [192.168.1.98]
> >> PLAIN [SASL(-4): no mechanism available: security flags do not match
> >> required]
> >> Jan 16 12:59:26 frosty imapd[2968]: accepted connection
> >> Jan 16 12:59:26 frosty imapd[2968]: badlogin: mail.test [192.168.1.98]
> >> plaintext test1 SASL(-4): no mechanism available: checkpass failed
> >>
> >> I'm on my first Cyrus install and have RTFM all I can find, so bear
> >> with me. I have a Redhat 7.2 box on which I'm trying to accomplish the
> >> following:
> >> Get Cyrus IMAPd to authenticate (via SASLv2) against PAM instead of
> >> directly to a /etc/sasldb or a MySQL table or anything of that nature.
> >> My users are set up in PAM using Samba/winbind modules, and they can
> >> authenticate for anything else. Additionally, I have a few /etc/shadow
> >> users that I've created just for testing, and behavior is the exact
> >> same no matter which type of user I try.
> >>
> >> Any help would be greatly appreciated!!
> >> Regards,
> >> Tico Hannan [CCDP,CCNP]
> >>
> >> more notes:
> >>
> >> Locally I can auth against any of them (winbind or /etc/shadow) since
> >> they are in my /etc/pam.d/system-auth:
> >> auth        required      /lib/security/pam_env.so
> >> auth        sufficient    /lib/security/pam_winbind.so
> >> auth        sufficient    /lib/security/pam_unix.so likeauth nullok
> >> auth        required      /lib/security/pam_deny.so
> >> account     required      /lib/security/pam_unix.so
> >> password    required      /lib/security/pam_cracklib.so retry=3 type=
> >> password    sufficient    /lib/security/pam_unix.so nullok use_authtok
> >> md5 shadow use_first_pass
> >> password    required      /lib/security/pam_deny.so
> >> session     required      /lib/security/pam_limits.so
> >> session     required      /lib/security/pam_unix.so
> >>
> >> and currently (just for testing purposes) I have everything
> >> (including /etc/pam.d/imap) set to use:
> >> $ cat /etc/pam.d/imap
> >> #%PAM-1.0
> >> auth       required     /lib/security/pam_stack.so service=system-auth
> >> account    required     /lib/security/pam_stack.so service=system-auth
> >>
> >> I have a startup script that runs
> >>         /usr/local/sbin/saslauthd -a pam&
> >>         /usr/cyrus/bin/master &
> >> and my configs are /etc/imapd.conf:
> >> configdirectory: /var/imap
> >> partition-default: /var/spool/imap
> >> admins: cyrus root
> >> allowanonymouslogin: no
> >> sasl_pwcheck_method: pam
> >> defaultacl: anyone lrs
> >> postmaster: postmaster
> >> sendmail: /usr/sbin/sendmail.postfix
> >> allowplaintext: yes
> >> servername: mail.test
> >> autocreatequota: 10000
> >> quotawarn: 90
> >>
> >> my /etc/cyrus.conf:
> >> START {
> >>   # do not delete these entries!
> >>   mboxlist      cmd="ctl_mboxlist -r"
> >>   deliver       cmd="ctl_deliver -r"
> >> }
> >> SERVICES {
> >>   imap          cmd="/usr/cyrus/bin/imapd" listen="imap" prefork=0
> >>   imaps         cmd="/usr/cyrus/bin/imapd -s" listen="imaps" prefork=0
> >>   pop3          cmd="/usr/cyrus/bin/pop3d" listen="pop3" prefork=0
> >>   pop3s         cmd="/usr/cyrus/bin/pop3d -s" listen="pop3s" prefork=0
> >>   sieve         cmd="/usr/cyrus/bin/timsieved" listen="sieve"
> >>   prefork=0 lmtpunix      cmd="/usr/cyrus/bin/lmtpd"
> >>   listen="/var/imap/socket/lmtp"
> >> prefork=0
> >> }
> >> EVENTS {
> >>  checkpoint    cmd="ctl_mboxlist -c" period=30
> >> }
> >>
> >> My installation options:
> >> SASL:
> >> make clean
> >> ./configure \
> >>  --with-dblib=berkeley \
> >>  --with-bdb-libdir=/usr/local/BerkeleyDB.3.1/lib \
> >>  --with-bdb-incdir=/usr/local/BerkeleyDB.3.1/include \
> >>  --with-pam=/usr/include/security \
> >>  --with-openssl=/usr/include/openssl \
> >>  --enable-plain \
> >>  --enable-krb4=no \
> >>  --without-des \
> >>  --enable-digest=no
> >> make
> >> make install
> >> IMAP:
> >> make clean
> >> ./configure \
> >>  --with-auth=unix \
> >>  --with-openssl=/usr/include/openssl \
> >>  --with-dbdir=/usr/local/BerkeleyDB.3.3
> >> make depend
> >> make all CFLAGS=-O
> >> make install
> >>
> >>
> >>
> >>
> >>
> >>
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> > Research Systems Programmer * /usr/contributed Gatekeeper
>
>
>
>
>

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper






More information about the Info-cyrus mailing list