[partly solved] Authenticate via saslauthd: "generic failure: checkpass failed"

Jacob Friis Larsen jfl at list.idg.dk
Thu Aug 12 10:21:43 EDT 2004


Now I can use saslauthd.
But only if I log in with secure authentication.

I did this:
apt-get install libsasl-digestmd5-plain
  which removed libsasl-digestmd5-des
#sasl_mech_list: PLAIN (disabled)
sasl_sql_engine: mysql
sasl_sql_hostname: localhost
sasl_sql_user: xxx
sasl_sql_passwd: xxx
sasl_sql_database: cyrus
sasl_sql_verbose: true
sasl_sql_select: SELECT password FROM accountuser WHERE username = '%u'
sasl_sql_insert: INSERT INTO accountuser (domain_name, username, password) VALUES ('%r', '%u', '%v')
sasl_sql_update: UPDATE accountuser SET password = '%v' WHERE username = '%u'
/etc/init.d/cyrus21 restart

imtest now shows AUTH possibilities:
# imtest -a cyrus -p imap localhost -v
S: * OK debpro Cyrus IMAP4 v2.1.16-IPv6-Debian-2.1.16-6 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=NTLM
AUTH=DIGEST-MD5 AUTH=CRAM-MD5 LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
S: C01 OK Completed
C: A01 AUTHENTICATE DIGEST-MD5

The problem is that now I cannot use squirrelmail.
And I don't see pam using the log as it should in MySQL. Also it only
works when I have sasl_sql_ settings so I guess the problem is with
pam/saslauthd.
Any ideas?

/Jacob


Jacob Friis Larsen wrote:
> I am trying to make cyrus authenticate via saslauthd.
> 
> The problem is that when using "sasl_pwcheck_method: saslauthd" I get 
> "generic failure: checkpass failed".
> If I use "sasl_pwcheck_method: auxprop" it's working.
> 
> Since I only see SQL queries in /var/log/mysql/mysql.log when using 
> auxprop I guess that the problem is between cyrus, saslauthd and/or pam.
> 
> The system is running Debian stable/testing. Cyrus is cyrus21-imapd 
> (2.1.16-6)
> 
> I have read all guides and searched Google.
> Below is info you might need. Please help.
> 
> Aug 12 11:53:37 debpro cyrus/imapd[32568]: badlogin: debpro[127.0.0.1] 
> plaintext cyrus SASL(-1): generic failure: checkpass failed
> 
> # imtest -a cyrus -m login -p imap localhost
> S: * OK debpro Cyrus IMAP4 v2.1.16-IPv6-Debian-2.1.16-6 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT 
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LISTEXT 
> LIST-SUBSCRIBED ANNOTATEMORE
> S: C01 OK Completed
> Please enter your password:
> C: L01 LOGIN cyrus {5}
> S: + go ahead
> C: <omitted>
> S: L01 NO Login failed: generic failure
> Authentication failed. generic failure
> Security strength factor: 0
> 
> # /etc/init.d/saslauthd restart
> Restarting SASL Authentication Daemon: saslauthd[31589] :main  : 
> num_procs  : 0
> saslauthd[31589] :main            : mech_option: NULL
> saslauthd[31589] :main            : run_path   : /var/run/saslauthd
> saslauthd[31589] :main            : auth_mech  : pam
> saslauthd[31589] :cache_alloc_mm  : mmaped shared memory segment on 
> file: /var/run/saslauthd/cache.mmap
> saslauthd[31589] :cache_init      : bucket size: 92 bytes
> saslauthd[31589] :cache_init      : stats size : 36 bytes
> saslauthd[31589] :cache_init      : timeout    : 28800 seconds
> saslauthd[31589] :cache_init      : cache table: 944764 total bytes
> saslauthd[31589] :cache_init      : cache table: 1711 slots
> saslauthd[31589] :cache_init      : cache table: 10266 buckets
> saslauthd[31589] :cache_init_lock : flock file opened at 
> /var/run/saslauthd/cache.flock
> saslauthd[31589] :detach_tty      : master pid is: 0
> saslauthd[31589] :ipc_init        : listening on socket: 
> /var/run/saslauthd/mux
> 
> # dpkg-statoverride --list /etc/sasldb2
> cyrus sasl 660 /etc/sasldb2
> # dpkg-statoverride --list /var/run/saslauthd
> cyrus sasl 710 /var/run/saslauthd
> 
> # less /etc/group | grep cyrus
> sasl:*:45:cyrus
> 
> # sasltestsuite
> NOTE:
> -For KERBEROS_V4 must be able to read srvtab file (usually /etc/srvtab)
> -For GSSAPI must be able to read srvtab (/etc/krb5.keytab)
> -For both KERBEROS_V4 and GSSAPI you must have non-expired tickets
> -For OTP (w/OPIE) must be able to read/write opiekeys (/etc/opiekeys)
> -For OTP you must have a non-expired secret
> -Must be able to read sasldb, which needs to be setup with a.
>  username and a password (see top of testsuite.c)
> 
> 
> Checking plaintext passwords... Failed with: sasl_checkpass() failed on 
> simple case
> ---
> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

More information about the Info-cyrus mailing list
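
Added example (not part of the original post, and not Cyrus project code): a small client that talks to the saslauthd socket directly, so a failure in the Cyrus-to-saslauthd path (socket permissions) can be told apart from a refusal by the PAM backend. It assumes the length-prefixed request format (user, password, service, realm) used by cyrus-sasl 2.1 saslauthd; fake_saslauthd and the sample account are constructed so the code runs offline.

```python
import socket
import struct
import threading

MUX_PATH = "/var/run/saslauthd/mux"  # socket path from the saslauthd startup log

def pack_request(user, password, service="imap", realm=""):
    """Encode the four fields, each as a 2-byte big-endian length plus bytes."""
    fields = [f.encode() for f in (user, password, service, realm)]
    return b"".join(struct.pack("!H", len(f)) + f for f in fields)

def read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf

def read_field(sock):
    """Read one length-prefixed field."""
    (n,) = struct.unpack("!H", read_exact(sock, 2))
    return read_exact(sock, n)

def check_password(user, password, service="imap", realm="", path=MUX_PATH):
    """Return (ok, reply). A PermissionError from connect() means the caller
    cannot reach the socket, which is a different fault from a "NO" reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(5)
        s.connect(path)
        s.sendall(pack_request(user, password, service, realm))
        reply = read_field(s).decode(errors="replace")
    return reply.startswith("OK"), reply

def fake_saslauthd(path, accounts):
    """Constructed stand-in that answers one request, so this runs offline."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            user, password = (read_field(conn).decode() for _ in range(2))
            read_field(conn), read_field(conn)  # service and realm, unused here
            reply = b"OK" if accounts.get(user) == password else b"NO"
            conn.sendall(struct.pack("!H", len(reply)) + reply)
    threading.Thread(target=serve, daemon=True).start()
```

Against a real daemon, call check_password as the same user the IMAP server runs as (cyrus in this thread), since /var/run/saslauthd is mode 710 cyrus:sasl and a caller outside that owner and group gets PermissionError before any password check happens.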