Mozilla Mail and authentication
grenoml
grenoml at yahoo.com
Fri May 9 23:42:24 EDT 2003
Ok, I think I found the main problem. In /etc/pam.d/imap I had several
authentication methods, so it would try the first, then the second,
etc. to try to authenticate. My first entry was set as 'required',
which meant that if we failed to authenticate with that entry then the
entire authentication process would fail even if some other method
succeeded. This is why 'cyrus' would succeed but any user would not,
since 'cyrus' was also a system user account and would pass the first
authentication method, whereas the mail users did not have system
accounts. So the solution was to change this first entry from
'required' to 'sufficient'. I also could have removed this first
entry.
rgds,
Gerry Reno
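The control-flag behaviour described in the reply above, as an added example that is not part of the original post: a small Python simulator of Linux-PAM 'auth' stack evaluation, run over the auth lines of the poster's /etc/pam.d/imap. The module outcomes (SYSTEM_USERS, MAIL_USERS), the stack constants and the user list are constructed assumptions; the real modules verify passwords, which is omitted here.

```python
# Added example (not from the original post): a small simulator of Linux-PAM
# 'auth' stack evaluation, used to show why the poster's /etc/pam.d/imap
# stack rejected mail-only users while the 'cyrus' system account got in,
# and how changing the first line to 'sufficient' (or dropping it) fixes it.
# Module outcomes are constructed stand-ins: pam_stack.so (system-auth) is
# modelled as "user exists in /etc/passwd", pam_mysql.so as "user has a row
# in the accountuser table". Passwords are assumed correct in both.

SYSTEM_USERS = {"root", "cyrus"}               # constructed /etc/passwd entries
MAIL_USERS = {"cyrus", "test.mydomain.com"}    # constructed accountuser rows

MODULES = {
    "pam_stack.so": lambda user: user in SYSTEM_USERS,
    "pam_mysql.so": lambda user: user in MAIL_USERS,
}

def pam_auth(stack, user):
    """Evaluate an 'auth' stack for `user` with Linux-PAM control semantics.

    required   - a failure is remembered and the stack keeps running, but the
                 final verdict is failure no matter what succeeds later
    requisite  - a failure ends the stack immediately with failure
    sufficient - a success ends the stack with success, unless a required
                 module has already failed; a failure is simply ignored
    ('optional' is not modelled.) Returns (ok, trace)."""
    required_failed = False
    success_seen = False
    trace = []
    for control, module in stack:
        ok = MODULES[module](user)
        trace.append((control, module, ok))
        if control == "requisite" and not ok:
            return False, trace
        if control in ("required", "requisite"):
            success_seen |= ok
            required_failed |= not ok
        elif control == "sufficient" and ok and not required_failed:
            return True, trace
    return success_seen and not required_failed, trace

# The poster's original stack: a system-auth failure poisons the whole result.
BROKEN_STACK = [("required", "pam_stack.so"), ("sufficient", "pam_mysql.so")]
# The fix from the post: either credential source is enough on its own.
FIXED_STACK = [("sufficient", "pam_stack.so"), ("sufficient", "pam_mysql.so")]
# The alternative the post mentions: drop the system-auth line entirely.
MYSQL_ONLY_STACK = [("sufficient", "pam_mysql.so")]

if __name__ == "__main__":
    for name, stack in [("broken", BROKEN_STACK), ("fixed", FIXED_STACK),
                        ("mysql-only", MYSQL_ONLY_STACK)]:
        for user in ("cyrus", "test.mydomain.com", "root"):
            ok, trace = pam_auth(stack, user)
            print(f"{name:10} {user:18} -> {'OK' if ok else 'FAIL'}  {trace}")
```

Note that FIXED_STACK also lets any system account (root in this constructed set) authenticate to IMAP with its system password, whereas MYSQL_ONLY_STACK limits IMAP logins to rows in the mail database; that is the trade-off between the two fixes the reply mentions.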
--- grenoml <grenoml at yahoo.com> wrote:
> Still not getting anywhere after working for quite a while on this.
>
>
> Red Hat Linux release 9 (Shrike)
> cyrus-imapd-2.2.0-1
> postfix-2.0.8-1.pcre.mysql.sasl2.tls.rh9
> cyrus-sasl-2.1.10-4
>
> Things I can do:
> 1. create accounts via webcyradm (password is encrypted).
>
> 2. use cyradm to access the 'cyrus' admin account.
>
> 3. use imtest to access the user account via -a cyrus if I use -t ''
> e.g.: imtest -a cyrus -u test.mydomain.com -m plain -t '' localhost
>
> Things I cannot do:
> 1. use cyradm to access user account
> e.g.: cyradm --user test.mydomain.com --server localhost
> IMAP Password:
>
>
> Login failed: authentication failure at
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm
> line 114
> cyradm: cannot authenticate to server with as test.mydomain.com
>
> log entry:
> May 9 16:51:53 tltamx01-lin01 perl: No worthy mechs found
> May 9 16:51:59 tltamx01-lin01 imap(pam_unix)[18837]: check pass;
> user
> unknown
> May 9 16:51:59 tltamx01-lin01 imap(pam_unix)[18837]: authentication
> failure; logname= uid=0 euid=0 tty= ruser= rhost=
> May 9 16:51:59 tltamx01-lin01 saslauthd[18837]: pam_sm_authenticate
> called.
> May 9 16:51:59 tltamx01-lin01 saslauthd[18837]: dbuser changed.
> May 9 16:51:59 tltamx01-lin01 saslauthd[18837]: dbpasswd changed.
> May 9 16:51:59 tltamx01-lin01 saslauthd[18837]: host changed.
> May 9 16:51:59 tltamx01-lin01 saslauthd[18837]: database changed.
> May 9 16:51:59 tltamx01-lin01 saslauthd[18837]: table changed.
> May 9 16:51:59 tltamx01-lin01 saslauthd[18837]: usercolumn changed.
> May 9 16:51:59 tltamx01-lin01 saslauthd[18837]: passwdcolumn
> changed.
> May 9 16:51:59 tltamx01-lin01 saslauthd[18837]: crypt changed.
> May 9 16:51:59 tltamx01-lin01 saslauthd[18837]: db_connect called.
> May 9 16:51:59 tltamx01-lin01 saslauthd[18837]: returning 0 .
> May 9 16:51:59 tltamx01-lin01 saslauthd[18837]: db_checkpasswd
> called.
> May 9 16:51:59 tltamx01-lin01 saslauthd[18837]: pam_mysql: where
> clause =
> May 9 16:51:59 tltamx01-lin01 saslauthd[18837]: SELECT password FROM
> accountuser WHERE username='test.mydomain.com'
> May 9 16:51:59 tltamx01-lin01 saslauthd[18837]: sqlLog called.
> May 9 16:51:59 tltamx01-lin01 saslauthd[18837]: pam_mysql: error:
> sqllog set but logtable not set
> May 9 16:51:59 tltamx01-lin01 saslauthd[18837]: pam_mysql: error:
> sqllog set but logmsgcolumn not set
> May 9 16:51:59 tltamx01-lin01 saslauthd[18837]: pam_mysql: error:
> sqllog set but logusercolumn not set
> May 9 16:51:59 tltamx01-lin01 saslauthd[18837]: pam_mysql: error:
> sqllog set but loghostcolumn not set
> May 9 16:51:59 tltamx01-lin01 saslauthd[18837]: pam_mysql: error:
> sqllog set but logtimecolumn not set
> May 9 16:51:59 tltamx01-lin01 saslauthd[18837]: returning 0 .
> May 9 16:51:59 tltamx01-lin01 saslauthd[18837]: returning 0.
> May 9 16:52:01 tltamx01-lin01 saslauthd[18837]: AUTHFAIL:
> user=test.mydomain.com service=imap realm= [PAM auth error]
> May 9 16:52:01 tltamx01-lin01 imap[19214]: badlogin:
> localhost.localdomain [127.0.0.1] plaintext test.mydomain.com
> SASL(-13): authentication failure: checkpass failed
>
> 2. use imtest to access user account
> e.g.: imtest -u test.mydomain.com -m plain -t '' localhost
> S: * OK tltamx01-lin01.mydomain.com Cyrus IMAP4
> v2.2.0-ALPHA-Invoca-RPM-2.2.0-1 server ready^M
> C: C01 CAPABILITY^M
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
> SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LISTEXT
> LIST-SUBSCRIBED ANNOTATEMORE X-NETSCAPE^M
> S: C01 OK Completed^M
> C: S01 STARTTLS^M
> S: S01 OK Begin TLS negotiation now^M
> verify error:num=18:self signed certificate
> TLS connection established: TLSv1 with cipher AES256-SHA (256/256
> bits)
> C: C01 CAPABILITY^M
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
> SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=PLAIN
> LISTEXT LIST-SUBSCRIBED ANNOTATEMORE X-NETSCAPE^M
> S: C01 OK Completed^M
> C: A01 AUTHENTICATE PLAIN^M
> S: + ^M
> Please enter your password:
> C: dGVzdC50ZWxpYW50Lm5ldAByb290AHRsdHRlc3Qx
> S: A01 NO authentication failure^M
> Authentication failed. generic failure
> Security strength factor: 256
> C: Q01 LOGOUT^M
> * BYE LOGOUT received^M
> Q01 OK Completed^M
> Connection closed.
>
> log entry:
> May 9 16:54:59 tltamx01-lin01 imap[19438]: starttls: TLSv1 with
> cipher
> AES256-SHA (256/256 bits new) no authentication
> May 9 16:55:04 tltamx01-lin01 imap(pam_unix)[18833]: authentication
> failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
> May 9 16:55:04 tltamx01-lin01 saslauthd[18833]: pam_sm_authenticate
> called.
> May 9 16:55:04 tltamx01-lin01 saslauthd[18833]: dbuser changed.
> May 9 16:55:04 tltamx01-lin01 saslauthd[18833]: dbpasswd changed.
> May 9 16:55:04 tltamx01-lin01 saslauthd[18833]: host changed.
> May 9 16:55:04 tltamx01-lin01 saslauthd[18833]: database changed.
> May 9 16:55:04 tltamx01-lin01 saslauthd[18833]: table changed.
> May 9 16:55:04 tltamx01-lin01 saslauthd[18833]: usercolumn changed.
> May 9 16:55:04 tltamx01-lin01 saslauthd[18833]: passwdcolumn
> changed.
> May 9 16:55:04 tltamx01-lin01 saslauthd[18833]: crypt changed.
> May 9 16:55:04 tltamx01-lin01 saslauthd[18833]: db_connect called.
> May 9 16:55:04 tltamx01-lin01 saslauthd[18833]: returning 0 .
> May 9 16:55:04 tltamx01-lin01 saslauthd[18833]: db_checkpasswd
> called.
> May 9 16:55:04 tltamx01-lin01 saslauthd[18833]: pam_mysql: where
> clause =
> May 9 16:55:04 tltamx01-lin01 saslauthd[18833]: SELECT password FROM
> accountuser WHERE username='root'
> May 9 16:55:04 tltamx01-lin01 saslauthd[18833]: pam_mysql: select
> returned more than one result
> May 9 16:55:04 tltamx01-lin01 saslauthd[18833]: returning 7 after
> db_checkpasswd.
> May 9 16:55:07 tltamx01-lin01 saslauthd[18833]: AUTHFAIL: user=root
> service=imap realm= [PAM auth error]
> May 9 16:55:07 tltamx01-lin01 imap[19438]: Password verification
> failed
> May 9 16:55:07 tltamx01-lin01 imap[19438]: badlogin:
> localhost.localdomain [127.0.0.1] PLAIN [SASL(-13): authentication
> failure: Password verification failed]
>
> Why is this showing user=root when I passed a -u argument? ?????
> It shows similar (user=cyrus) if I su - cyrus and then run command.
>
> Here are auth entries in all configs:
> # /etc/imapd.conf
>
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
> allowanonymouslogin: no
> allowplaintext: yes
> ----------
> # /etc/pam.d/imap
>
> auth required /lib/security/pam_stack.so service=system-auth
> account required /lib/security/pam_stack.so service=system-auth
> auth sufficient pam_mysql.so user=mail passwd=secret
> host=localhost db=mail table=accountuser usercolumn=username
> passwdcolumn=password crypt=1
> account required pam_mysql.so user=mail passwd=secret
> host=localhost db=mail table=accountuser usercolumn=username
> passwdcolumn=password crypt=1
> ----------
> # /etc/sysconfig/saslauthd
>
> MECH=pam
> ----------
> # /usr/lib/sasl2/smtpd.conf
>
> pwcheck_method: saslauthd
> ----------
> # /etc/postfix/main.cf
>
> smtpd_sasl_auth_enable = yes
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> permit_mynetworks, reject_unauth_destination
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_local_domain = $mydomain
> broken_sasl_auth_clients = yes
> proxy:unix:passwd.byname
> ----------
> # /var/www/html/web-cyradm/config.inc.php
>
> $CRYPT="crypt";
> ----------
>
>
> Any insight would be appreciated.
>
> thx,
> Gerry Reno
>
>