Cyrus-IMAPd+SASL+PAM not communicating (but testsaslauthd says

Thomas Hannan thomas at raapid.net
Thu Jan 16 15:47:50 EST 2003


Thanks much! (for some reason I thought the only options available were
sasldb or pam for that setting)

However, I still get errors when trying to do PLAIN auth (haven't even
tried setting up SSL yet)

# imtest -u test1 -a test1 -w 1234 -v -m PLAIN 192.168.1.98
S: * OK mail.test Cyrus IMAP4 v2.1.11 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=OTP AUTH=DIGEST-MD5
AUTH=CRAM-MD5
S: C01 OK Completed
C: A01 AUTHENTICATE PLAIN
S: A01 NO no mechanism available
Authentication failed. generic failure
Security strength factor: 0

#tail /var/log/auth.log :
Jan 16 13:42:06 frosty imapd[3037]: badlogin: frosty.test [192.168.1.98]
PLAIN [SASL(-4): no mechanism available: security flags do not match
required]

Also, could someone explain to me exactly what the difference between LOGIN
and PLAIN is? I haven't been able to find any details in my RTFM'ing...

Can/will cyrus-imapd create a maildir (and INBOX) for a user that has
logged in for their first time?

thanks much!!
--Tico

> You want to use:
>
> sasl_pwcheck_method: saslauthd
>
> -Rob
>
> On Thu, 16 Jan 2003, Thomas Hannan wrote:
>
>> Hi all,
>>
>> The cliffnotes version of my problem is that even though I run
>> /usr/local/sbin/saslauthd -a pam&
>> and my /etc/imapd.conf contains "sasl_pwcheck_method: pam"
>> I get an auth failed when trying to login over IMAP or imtest:
>> $ testsaslauthd -u tico2 -p test1234 -s imap
>> 0: OK "Success."
>>
>> $ testsaslauthd -u tico2 -p test1234
>> 0: OK "Success."
>>
>> $ imtest -u tico2 -a tico2 -w test1234 -v -m login 192.168.1.98
>> S: * OK mail.test Cyrus IMAP4 v2.1.11 server ready
>> C: C01 CAPABILITY
>> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
>> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
>> SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=OTP
>> AUTH=DIGEST-MD5 AUTH=CRAM-MD5
>> S: C01 OK Completed
>> C: L01 LOGIN tico2 {8}
>> S: + go ahead
>> C: <omitted>
>> S: L01 NO Login failed: no mechanism available
>> Authentication failed. generic failure
>> Security strength factor: 0
>>
>> $ imtest -u tico2 -a tico2 -w test1234 -v -m plain 192.168.1.98
>> S: * OK mail.test.pharm-olam.com Cyrus IMAP4 v2.1.11 server ready
>> C: C01 CAPABILITY
>> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
>> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
>> SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=OTP
>> AUTH=DIGEST-MD5 AUTH=CRAM-MD5
>> S: C01 OK Completed
>> C: A01 AUTHENTICATE PLAIN
>> S: A01 NO no mechanism available
>> Authentication failed. generic failure
>> Security strength factor: 0
>>
>> /var/log/auth.log says:
>> Jan 16 12:59:26 frosty imapd[2968]: unknown password verifier
>>  /var/log/imap.log says:
>> Jan 16 12:59:05 frosty imapd[2968]: badlogin: mail.test [192.168.1.98]
>> PLAIN [SASL(-4): no mechanism available: security flags do not match
>> required]
>> Jan 16 12:59:26 frosty imapd[2968]: accepted connection
>> Jan 16 12:59:26 frosty imapd[2968]: badlogin: mail.test [192.168.1.98]
>> plaintext test1 SASL(-4): no mechanism available: checkpass failed
>>
>> I'm on my first Cyrus install and have RTFM all I can find, so bear
>> with me. I have a Redhat 7.2 box on which I'm trying to accomplish the
>> following:
>> Get Cyrus IMAPd to authenticate (via SASLv2) against PAM instead of
>> directly to a /etc/sasldb or a MySQL table or anything of that nature.
>> My users are set up in PAM using Samba/winbind modules, and they can
>> authenticate for anything else. Additionally, I have a few /etc/shadow
>> users that I've created just for testing, and behavior is the exact
>> same no matter which type of user I try.
>>
>> Any help would be greatly appreciated!!
>> Regards,
>> Tico Hannan [CCDP,CCNP]
>>
>> more notes:
>>
>> Locally I can auth against any of them (winbind or /etc/shadow) since
>> they are in my /etc/pam.d/system-auth:
>> auth        required      /lib/security/pam_env.so
>> auth        sufficient    /lib/security/pam_winbind.so
>> auth        sufficient    /lib/security/pam_unix.so likeauth nullok
>> auth        required      /lib/security/pam_deny.so
>> account     required      /lib/security/pam_unix.so
>> password    required      /lib/security/pam_cracklib.so retry=3 type=
>> password    sufficient    /lib/security/pam_unix.so nullok use_authtok
>> md5 shadow use_first_pass
>> password    required      /lib/security/pam_deny.so
>> session     required      /lib/security/pam_limits.so
>> session     required      /lib/security/pam_unix.so
>>
>> and currently (just for testing purposes) I have everything
>> (including /etc/pam.d/imap) set to use:
>> $ cat /etc/pam.d/imap
>> #%PAM-1.0
>> auth       required     /lib/security/pam_stack.so service=system-auth
>> account    required     /lib/security/pam_stack.so service=system-auth
>>
>> I have a startup script that runs
>>         /usr/local/sbin/saslauthd -a pam&
>>         /usr/cyrus/bin/master &
>> and my configs are /etc/imapd.conf:
>> configdirectory: /var/imap
>> partition-default: /var/spool/imap
>> admins: cyrus root
>> allowanonymouslogin: no
>> sasl_pwcheck_method: pam
>> defaultacl: anyone lrs
>> postmaster: postmaster
>> sendmail: /usr/sbin/sendmail.postfix
>> allowplaintext: yes
>> servername: mail.test
>> autocreatequota: 10000
>> quotawarn: 90
>>
>> my /etc/cyrus.conf:
>> START {
>>   # do not delete these entries!
>>   mboxlist      cmd="ctl_mboxlist -r"
>>   deliver       cmd="ctl_deliver -r"
>> }
>> SERVICES {
>>   imap          cmd="/usr/cyrus/bin/imapd" listen="imap" prefork=0
>>   imaps         cmd="/usr/cyrus/bin/imapd -s" listen="imaps" prefork=0
>>   pop3          cmd="/usr/cyrus/bin/pop3d" listen="pop3" prefork=0
>>   pop3s         cmd="/usr/cyrus/bin/pop3d -s" listen="pop3s" prefork=0
>>   sieve         cmd="/usr/cyrus/bin/timsieved" listen="sieve" prefork=0
>>   lmtpunix      cmd="/usr/cyrus/bin/lmtpd" listen="/var/imap/socket/lmtp" prefork=0
>> }
>> EVENTS {
>>  checkpoint    cmd="ctl_mboxlist -c" period=30
>> }
>>
>> My installation options:
>> SASL:
>> make clean
>> ./configure \
>>  --with-dblib=berkeley \
>>  --with-bdb-libdir=/usr/local/BerkeleyDB.3.1/lib \
>>  --with-bdb-incdir=/usr/local/BerkeleyDB.3.1/include \
>>  --with-pam=/usr/include/security \
>>  --with-openssl=/usr/include/openssl \
>>  --enable-plain \
>>  --enable-krb4=no \
>>  --without-des \
>>  --enable-digest=no
>> make
>> make install
>> IMAP:
>> make clean
>> ./configure \
>>  --with-auth=unix \
>>  --with-openssl=/usr/include/openssl \
>>  --with-dbdir=/usr/local/BerkeleyDB.3.3
>> make depend
>> make all CFLAGS=-O
>> make install
>>
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> Research Systems Programmer * /usr/contributed Gatekeeper
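
As an added example (not part of the original thread and not code from the Cyrus project), the Python below runs the two checks the output in this thread points to: whether the mechanism the client requests appears in the server's CAPABILITY reply, and whether `sasl_pwcheck_method` names a verifier the SASL v2 library knows. The function names and the `SASL2_PWCHECK` list are assumptions; the sample transcript and config lines are copied from the messages above.

```python
import re

# Assumed list of verifiers a 2.1-era Cyrus SASL v2 library accepts; adjust per build.
SASL2_PWCHECK = {"auxprop", "saslauthd", "pwcheck"}

# Copied from the messages above (imtest output and /etc/imapd.conf excerpt).
SAMPLE_TRANSCRIPT = """\
S: * OK mail.test Cyrus IMAP4 v2.1.11 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=OTP AUTH=DIGEST-MD5
AUTH=CRAM-MD5
S: C01 OK Completed
C: A01 AUTHENTICATE PLAIN
S: A01 NO no mechanism available
"""
SAMPLE_CONF = "allowplaintext: yes\nsasl_pwcheck_method: pam\n"

def advertised_mechs(transcript):
    """AUTH=<mech> tokens from the CAPABILITY reply, wrapped lines included."""
    mechs, in_cap = set(), False
    for raw in transcript.splitlines():
        line = raw.lstrip("> ")            # tolerate mail quoting
        if line.startswith("S: * CAPABILITY"):
            in_cap = True
        elif re.match(r"[SC]: ", line):    # any other protocol line ends the reply
            in_cap = False
        if in_cap:
            mechs.update(m.upper() for m in re.findall(r"\bAUTH=([\w-]+)", line))
    return mechs

def requested_mech(transcript):
    m = re.search(r"^[> ]*C: \S+ AUTHENTICATE (\S+)", transcript, re.M)
    return m.group(1).upper() if m else None

def pwcheck_method(conf_text):
    m = re.search(r"^[> ]*sasl_pwcheck_method:\s*(\S+)", conf_text, re.M)
    return m.group(1) if m else None

def diagnose(transcript, conf_text):
    findings = []
    mechs, want = advertised_mechs(transcript), requested_mech(transcript)
    if want and want not in mechs:
        findings.append(f"{want} requested but not advertised; offered: {sorted(mechs)}")
    method = pwcheck_method(conf_text)
    if method is not None and method not in SASL2_PWCHECK:
        findings.append(f"sasl_pwcheck_method '{method}' is not in the SASL v2 list")
    return findings
```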







More information about the Info-cyrus mailing list