Cyrus-IMAPd+SASL+PAM not communicating (but testsaslauthd says OK)

Thomas Hannan thomas at raapid.net
Thu Jan 16 15:02:19 EST 2003


Hi all,

The cliffnotes version of my problem is that even though I run
/usr/local/sbin/saslauthd -a pam&
and my /etc/imapd.conf contains "sasl_pwcheck_method: pam"
I get an auth failed when trying to login over IMAP or imtest:
$ testsaslauthd -u tico2 -p test1234 -s imap
0: OK "Success."

$ testsaslauthd -u tico2 -p test1234
0: OK "Success."

$ imtest -u tico2 -a tico2 -w test1234 -v -m login 192.168.1.98
S: * OK mail.test Cyrus IMAP4 v2.1.11 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=OTP AUTH=DIGEST-MD5
AUTH=CRAM-MD5
S: C01 OK Completed
C: L01 LOGIN tico2 {8}
S: + go ahead
C: <omitted>
S: L01 NO Login failed: no mechanism available
Authentication failed. generic failure
Security strength factor: 0

$ imtest -u tico2 -a tico2 -w test1234 -v -m plain 192.168.1.98
S: * OK mail.test.pharm-olam.com Cyrus IMAP4 v2.1.11 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=OTP AUTH=DIGEST-MD5
AUTH=CRAM-MD5
S: C01 OK Completed
C: A01 AUTHENTICATE PLAIN
S: A01 NO no mechanism available
Authentication failed. generic failure
Security strength factor: 0

/var/log/auth.log says:
Jan 16 12:59:26 frosty imapd[2968]: unknown password verifier
/var/log/imap.log says:
Jan 16 12:59:05 frosty imapd[2968]: badlogin: mail.test [192.168.1.98]
PLAIN [SASL(-4): no mechanism available: security flags do not match
required]
Jan 16 12:59:26 frosty imapd[2968]: accepted connection
Jan 16 12:59:26 frosty imapd[2968]: badlogin: mail.test [192.168.1.98]
plaintext test1 SASL(-4): no mechanism available: checkpass failed

I'm on my first Cyrus install and have RTFM all I can find, so bear with
me. I have a Redhat 7.2 box on which I'm trying to accomplish the
following:
Get Cyrus IMAPd to authenticate (via SASLv2) against PAM instead of
directly to a /etc/sasldb or a MySQL table or anything of that nature. My
users are set up in PAM using Samba/winbind modules, and they can
authenticate for anything else. Additionally, I have a few /etc/shadow
users that I've created just for testing, and behavior is the exact same no
matter which type of user I try.

Any help would be greatly appreciated!!
Regards,
Tico Hannan [CCDP,CCNP]

more notes:

Locally I can auth against any of them (winbind or /etc/shadow) since they
are in my /etc/pam.d/system-auth:
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow use_first_pass
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

and currently (just for testing purposes) I have everything
(including /etc/pam.d/imap) set to use:
$ cat /etc/pam.d/imap
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth

I have a startup script that runs
        /usr/local/sbin/saslauthd -a pam&
        /usr/cyrus/bin/master &
and my configs are /etc/imapd.conf:
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: cyrus root
allowanonymouslogin: no
sasl_pwcheck_method: pam
defaultacl: anyone lrs
postmaster: postmaster
sendmail: /usr/sbin/sendmail.postfix
allowplaintext: yes
servername: mail.test
autocreatequota: 10000
quotawarn: 90

my /etc/cyrus.conf:
START {
  # do not delete these entries!
  mboxlist      cmd="ctl_mboxlist -r"
  deliver       cmd="ctl_deliver -r"
}
SERVICES {
  imap          cmd="/usr/cyrus/bin/imapd" listen="imap" prefork=0
  imaps         cmd="/usr/cyrus/bin/imapd -s" listen="imaps" prefork=0
  pop3          cmd="/usr/cyrus/bin/pop3d" listen="pop3" prefork=0
  pop3s         cmd="/usr/cyrus/bin/pop3d -s" listen="pop3s" prefork=0
  sieve         cmd="/usr/cyrus/bin/timsieved" listen="sieve" prefork=0
  lmtpunix      cmd="/usr/cyrus/bin/lmtpd" listen="/var/imap/socket/lmtp" prefork=0
}
EVENTS {
 checkpoint    cmd="ctl_mboxlist -c" period=30
}

My installation options:
SASL:
make clean
./configure \
 --with-dblib=berkeley \
 --with-bdb-libdir=/usr/local/BerkeleyDB.3.1/lib \
 --with-bdb-incdir=/usr/local/BerkeleyDB.3.1/include \
 --with-pam=/usr/include/security \
 --with-openssl=/usr/include/openssl \
 --enable-plain \
 --enable-krb4=no \
 --without-des \
 --enable-digest=no
make
make install
IMAP:
make clean
./configure \
 --with-auth=unix \
 --with-openssl=/usr/include/openssl \
 --with-dbdir=/usr/local/BerkeleyDB.3.3
make depend
make all CFLAGS=-O
make install
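
An added example, not part of the original post: a check of the two things the quoted output shows, the `sasl_pwcheck_method` value behind the "unknown password verifier" log line and the AUTH= list that does not include PLAIN. The verifier list is an assumption taken from Cyrus SASL v2 documentation, the function names are hypothetical, and the sample input is constructed from lines quoted in the post.

```python
import re

# Password verifiers accepted by Cyrus SASL v2's pwcheck_method option
# (assumption from the SASL v2 documentation, not stated in the post).
SASL2_VERIFIERS = {"auxprop", "saslauthd", "pwcheck", "authdaemond"}

# Constructed sample input: lines copied from the imapd.conf and the
# imtest CAPABILITY response quoted in the post.
IMAPD_CONF = """\
configdirectory: /var/imap
sasl_pwcheck_method: pam
allowplaintext: yes
"""
CAPABILITY = ("* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ IDLE "
              "AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5")


def parse_conf(text):
    """Return imapd.conf 'key: value' pairs as a dict, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf


def advertised_mechs(capability_line):
    """Extract the SASL mechanism names from an IMAP CAPABILITY response."""
    return set(re.findall(r"\bAUTH=(\S+)", capability_line))


def audit(conf_text, capability_line, wanted_mech="PLAIN"):
    """Return findings for the verifier setting and the mechanism list."""
    findings = []
    conf = parse_conf(conf_text)
    # SASL v2 falls back to auxprop when no verifier is configured.
    for method in conf.get("sasl_pwcheck_method", "auxprop").split():
        if method not in SASL2_VERIFIERS:
            findings.append(f"sasl_pwcheck_method '{method}' is not a SASL v2 verifier")
    mechs = advertised_mechs(capability_line)
    if wanted_mech.upper() not in mechs:
        findings.append(f"{wanted_mech.upper()} not advertised; server offers "
                        + ", ".join(sorted(mechs)))
    return findings


if __name__ == "__main__":
    for finding in audit(IMAPD_CONF, CAPABILITY):
        print("FINDING:", finding)
```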







