Why is SASL authentication have to be so difficult? Round 2
Ken Murchison
ken at oceana.com
Tue Dec 7 10:39:59 EST 2004
Robert Lubbers wrote:
> I am still working on getting this IMAP server authenticating against my
> Windows domain PDC, and I did manage to get the POP server
> authenticating, which is a giant step forward. But both the IMAP
> component and the cyradm component are complaining: They both give me
> the same error message:
What version of SASL are you using? I can't reproduce this error using
the current versions of Cyrus and SASL.
>
> cyrus-server>telnet localhost 143
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> * OK cyrus.domain.com Cyrus IMAP4 v2.2.9 server ready
> . login cyrususer secret
> . NO Login failed: can't request info until later in exchange
> . logout
> * BYE LOGOUT received
> . OK Completed
>
> whereas the POP3 server doesn't complain at all:
>
> cyrus-server> telnet localhost 110
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> +OK cyrus-server.domain.com Cyrus POP3 v2.2.9 server ready <1679296964.1102348490 at cyrus-server.domain.com>
> user cyrususer
> +OK Name is a valid mailbox
> pass intisol
> +OK Mailbox locked and ready
>
> The wild thing is that the /var/log/secure file shows a valid
> authentication for either one:
>
> For POP3
>
> Dec 6 10:59:51 cyrus-server saslauthd[1841]: rel_accept_lock : released accept lock
> Dec 6 10:59:51 cyrus-server saslauthd[1842]: get_accept_lock : acquired accept lock
> Dec 6 10:59:51 cyrus-server pam_winbind[1841]: user 'cyrususer' granted acces
> Dec 6 10:59:51 cyrus-server pam_winbind[1841]: user 'cyrususer' granted acces
> Dec 6 10:59:51 cyrus-server saslauthd[1841]: do_auth : auth success: [user=cyrususer] [service=pop] [realm=] [mech=pam]
> Dec 6 10:59:51 cyrus-server saslauthd[1841]: do_request : response: 0
>
>
> Whereas for IMAP:
>
> Dec 6 11:03:24 cyrus-server saslauthd[1842]: rel_accept_lock : released accept lock
> Dec 6 11:03:24 cyrus-server saslauthd[1837]: get_accept_lock : acquired accept lock
> Dec 6 11:03:24 cyrus-server pam_winbind[1842]: user 'cyrususer' granted acces
> Dec 6 11:03:24 cyrus-server pam_winbind[1842]: user 'cyrususer' granted acces
> Dec 6 11:03:24 cyrus-server saslauthd[1842]: do_auth : auth success: [user=cyrususer] [service=imap] [realm=] [mech=pam]
> Dec 6 11:03:24 cyrus-server saslauthd[1842]: do_request : response: OK'
>
> See? No difference.
>
> For cyradm:
> cyrus-server>cyradm --user cyrusadmin --auth login localhost
> IMAP Password:
>
> Login failed: can't request info until later in exchange at
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm
> line 118
> cyradm: cannot authenticate to server with login as cyrus
>
> Yet this is a user that exists in /etc/sasldb2:
>
> cyrus-server> sasldblistusers2
>
> noctest at cyrus-server.domain.com: userPassword
> admin at cyrus-server.domain.com: userPassword
> noctest at cyrus-server.domain.com: cmusaslsecretOTP
> admin at cyrus-server.domain.com: cmusaslsecretOTP
>
> Just for the sake of completeness, here is the contents of my
> /usr/local/lib/sasl directory:
>
> cyrus-server> ls -l /usr/local/lib/sasl2
> total 600
> -rwxr-xr-x 1 root root 711 Dec 6 10:02 libanonymous.la
> lrwxrwxrwx 1 root root 22 Dec 6 10:02 libanonymous.so -> libanonymous.so.2.0.20
> lrwxrwxrwx 1 root root 22 Dec 6 10:02 libanonymous.so.2 -> libanonymous.so.2.0.20
> -rwxr-xr-x 1 root root 89354 Dec 6 10:02 libanonymous.so.2.0.20
> -rwxr-xr-x 1 root root 695 Dec 6 10:02 liblogin.la
> lrwxrwxrwx 1 root root 18 Dec 6 10:02 liblogin.so -> liblogin.so.2.0.20
> lrwxrwxrwx 1 root root 18 Dec 6 10:02 liblogin.so.2 -> liblogin.so.2.0.20
> -rwxr-xr-x 1 root root 88558 Dec 6 10:02 liblogin.so.2.0.20
> -rwxr-xr-x 1 root root 684 Dec 6 10:02 libotp.la
> lrwxrwxrwx 1 root root 16 Dec 6 10:02 libotp.so -> libotp.so.2.0.20
> lrwxrwxrwx 1 root root 16 Dec 6 10:02 libotp.so.2 -> libotp.so.2.0.20
> -rwxr-xr-x 1 root root 155138 Dec 6 10:02 libotp.so.2.0.20
> -rwxr-xr-x 1 root root 695 Dec 6 10:02 libplain.la
> lrwxrwxrwx 1 root root 18 Dec 6 10:02 libplain.so -> libplain.so.2.0.20
> lrwxrwxrwx 1 root root 18 Dec 6 10:02 libplain.so.2 -> libplain.so.2.0.20
> -rwxr-xr-x 1 root root 88316 Dec 6 10:02 libplain.so.2.0.20
> -rwxr-xr-x 1 root root 716 Dec 6 10:02 libsasldb.la
> lrwxrwxrwx 1 root root 19 Dec 6 10:02 libsasldb.so -> libsasldb.so.2.0.20
> lrwxrwxrwx 1 root root 19 Dec 6 10:02 libsasldb.so.2 -> libsasldb.so.2.0.20
> -rwxr-xr-x 1 root root 145666 Dec 6 10:02 libsasldb.so.2.0.20
>
> I have a sym link from /usr/local/lib/sals2 to /usr/local/lib/sasl,
> /usr/lib/sasl2, and /usr/lib/sasl.
>
> Here is my /etc/imapd.conf:
>
> postmaster: postmaster
> configdirectory: /var/imap
> partition-default: /var/spool/imap
> admins: noctest admin
> allowanonymouslogin: no
> allowplaintext: yes
> sasl_mech_list: PLAIN
> servername: cyrus-server.domain.com
> autocreatequota: 40000
> reject8bit: no
> quotawarn: 90
> timeout: 30
> poptimeout: 10
> dracinterval: 0
> drachost: localhost
> sasl_pwcheck_method: saslauthd
> ievedir: /usr/sieve
> sendmail: /usr/sbin/sendmail
> sieve_maxscriptsize: 32
> sieve_maxscripts: 5
> tls_ca_file: /var/imap/server.pem
> tls_cert_file: /var/imap/server.pem
> tls_key_file: /var/imap/server.pem
>
> ---
> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
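
An added example, not part of the original thread: a small parser for the saslauthd `do_auth` lines quoted above, which answers whether the password verifier accepted a given user for a given service. If it did and the client still sees `NO Login failed`, the password check itself is not what failed. The sample log is constructed (the last line, a failure record, is not from the post), and the function names are this example's own.

```python
import re

# Constructed sample modelled on the /var/log/secure excerpts quoted above,
# keeping the mail client's "> " prefixes and hard line wraps.
SAMPLE = """\
> Dec 6 10:59:51 cyrus-server saslauthd[1841]: do_auth : auth
> success: [user=cyrususer] [service=pop] [realm=] [mech=pam]
> Dec 6 11:03:24 cyrus-server pam_winbind[1842]: user 'cyrususer' granted
> acces
> Dec 6 11:03:24 cyrus-server saslauthd[1842]: do_auth : auth
> success: [user=cyrususer] [service=imap] [realm=] [mech=pam]
> Dec 6 11:05:02 cyrus-server saslauthd[1837]: do_auth : auth
> failure: [user=nobody] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
DO_AUTH = re.compile(r"saslauthd\[(\d+)\]:\s*do_auth\s*:\s*auth\s+(success|failure):\s*(.*)")
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")

def unwrap(text):
    """Strip quote prefixes and rejoin wrapped continuation lines onto their record."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(> ?)+", "", raw).strip()
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)          # a new syslog record starts with a timestamp
        else:
            records[-1] += " " + line     # anything else continues the previous record
    return records

def do_auth_events(text):
    """Return one dict per saslauthd do_auth record: pid, result and bracketed fields."""
    events = []
    for rec in unwrap(text):
        m = DO_AUTH.search(rec)
        if m:
            fields = dict(FIELD.findall(m.group(3)))
            events.append({"pid": int(m.group(1)), "result": m.group(2), **fields})
    return events

def verifier_accepted(text, user, service):
    """True if saslauthd logged an auth success for this user and service."""
    return any(e["result"] == "success" and e.get("user") == user
               and e.get("service") == service for e in do_auth_events(text))
```
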