Problem with authentication using Cyrus IMAP 2.2.6 and SASL 2.1.19 on FreeBSD RELENG_5_2. User isn't found/can't authenticate

Louis LeBlanc Cyrus at keyslapper.org
Mon Jul 26 09:27:15 EDT 2004


On 07/26/04 10:08 PM, Anton Jackson-Smith sat at the `puter and typed:
> Hey everyone,
> I'm having some problems with authentication running Cyrus IMAP 2.2.6 
> and SASL 2.1.19 on FreeBSD updated to RELENG_5_2 base system and the 
> latest ports.

I'm running exactly the same combination of cyrus and FreeBSD
versions.  I also had the same authentication problem.  Here's what I
finally found (after a week's googling, doc reading, etc).  Don't use a
saslpasswd.  Use your regular Unix login password.  Saslauthd installs
from the FreeBSD ports with pam as the default mechanism.  I kept
resetting the password for my id at a million different possible
realms, and it never worked unless I skipped CRAM-MD5 authentication.
Finally, I realized that there's a line in the
/usr/local/etc/rc.d/saslauthd.sh script that specifies "-a pam" as the
args.  If you want to change this, you'll need to verify the correct
mechanism for your needs and set the variable saslauthd_flags in
/etc/rc.conf - which will override the rc.d startup.

> Basically, when attempting to login using imtest there's always a second 
> or two delay, followed by "S: L01 NO Login failed: authentication 
> failure". I'm using imtest with the following command: "imtest -m login 
> -a test localhost".

I got the same thing.


BTW, I also had problems with delivery - I'm using procmail, running
as the recipient to call deliver.  I solved this by setting the suid
bit on deliver.  Just in case.

HTH
Lou

> Using the SASL sample client/server, I can authenticate fine using the 
> user 'test' with any of the offered mechanisms.
> 
> CyrAdm also fails to login, giving the error "Login failed: 
> authentication failure at 
> /usr/local/lib/perl5/site_perl/5.8.2/mach/Cyrus/IMAP/Admin.pm line 118
> cyradm: cannot authenticate to server with LOGIN as admin"
> 
> (Both the users test and admin exist and can be logged into with the 
> sample client/server).
> 
> I've tried recompiling both suites of software (IMAP and SASL) to use 
> different versions of Berkeley DB to no avail. I also attempted to use 
> saslauthd using sasldb, but that also fails to authenticate the user, 
> logging the error message "saslauthd[20054]: do_auth         : auth 
> failure: [user=admin] [service=imap] [realm=] [mech=sasldb] 
> [reason=Unknown]"
> 
> I was also getting this problem with older versions of IMAP and SASL I 
> was attempting to get working before I upgraded my ports tree.
> 
> Posted below are excerpts from logs and config files that may be of some 
> use :).
> 
> Thanks very much, apologies if I left out some critical information ;)
> 
> Anton Jackson-Smith (Landrocker)
> 
> 
> === Typical imtest login attempt ===
> [21:48:26] root at aries: /usr/ports/mail/cyrus-imapd22/work# imtest -m 
> login -a test localhost
> S: * OK mail.dyingstar.net Cyrus IMAP4 v2.2.6 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND 
> BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE 
> AUTH=NTLM AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT 
> LIST-SUBSCRIBED
> S: C01 OK Completed
> Please enter your password:
> C: L01 LOGIN test {4}
> S: + go ahead
> C: <omitted>
> S: L01 NO Login failed: authentication failure
> Authentication failed. generic failure
> Security strength factor: 0
> . logout
> * BYE LOGOUT received
> . OK Completed
> Connection closed.
> =========================
> 
> === Typical Sample Client login attempt ====
> [21:58:57] root at aries: 
> /usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.19/sample# ./client 
> -s saslauthd -m DIGEST-MD5 localhost
> receiving capability list... recv: {57}
> NTLM LOGIN ANONYMOUS PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5
> NTLM LOGIN ANONYMOUS PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5
> send: {10}
> DIGEST-MD5
> send: {1}
> N
> recv: {124}
> nonce="<snip for 
> length>",realm="aries.dyingstar.net",qop="auth",charset=utf-8,algorithm=md5-sess
> please enter an authentication id: test
> please enter an authorization id: test
> Password:
> send: {246}
> username="test",realm="aries.dyingstar.net",nonce="<snip for 
> length>",nc=00000001,qop=auth,digest-uri="saslauthd/localhost",response=a9dcefae5af239d91886f0eabf948f22
> recv: {40}
> rspauth=af70d484fa5b5718132e8489daa25850
> send: {0}
> 
> successful authentication
> closing connection"
> =================================
> 
> === Log message generated from attempted imtest login ===
> Jul 26 22:01:09 aries imap[32204]: badlogin: localhost [::1] plaintext 
> test SASL(-13): user not found: checkpass failed
> =========================================
> 
> === Log message from imtest using saslauthd and imtest ===
> saslauthd[20055]: do_auth         : auth failure: [user=test] 
> [service=imap] [realm=] [mech=sasldb] [reason=Unknown]
> =========================================
> 
> === imapd.conf (Comments stripped)===
> configdirectory: /usr/local/cyrus/config
> partition-default: /usr/local/cyrus/spool
> unixhierarchysep: no
> servername: mail.dyingstar.net
> allowanonymouslogin: no
> quotawarn: 95
> imapidresponse: no
> admins: admin
> singleinstancestore: yes
> duplicatesuppression: yes
> sieveusehomedir: false
> sievedir: /usr/local/cyrus/sieve
> sasl_pwcheck_method: auxprop
> lmtpsocket: /usr/local/cyrus/config/socket/lmtp
> idlesocket: /usr/local/cyrus/config/socket/idle
> notifysocket: /usr/local/cyrus/config/socket/notify
> ===============================
> ---
> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
> 
> 

-- 
Louis LeBlanc                 cyrus at keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org                     Ô¿Ô¬

Law of Procrastination:
  Procrastination avoids boredom; one never has
  the feeling that there is nothing important to do.
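
An added example (not from either poster or from the Cyrus project): a small Python check over the settings quoted in this thread, reporting which verifier a plaintext LOGIN reaches and which advertised mechanisms need a sasldb entry. It assumes Cyrus SASL's behaviour that shared-secret mechanisms (CRAM-MD5, DIGEST-MD5) read the secret through auxprop while saslauthd only verifies plaintext passwords; the function and constant names are hypothetical.

```python
import shlex

# Assumption: these mechanisms need a stored secret read via auxprop (sasldb);
# saslauthd only ever verifies a plaintext password.
SHARED_SECRET = {"CRAM-MD5", "DIGEST-MD5"}

# Constructed inputs, abbreviated from the settings quoted in the thread.
IMAPD_CONF = """\
admins: admin
# comment lines are skipped
sasl_pwcheck_method: auxprop
"""
SASLAUTHD_FLAGS = "-a pam"
CAPABILITY = ("* CAPABILITY IMAP4 IMAP4rev1 IDLE AUTH=NTLM AUTH=GSSAPI "
              "AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR")

def parse_imapd_conf(text):
    """Return 'key: value' pairs from imapd.conf, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf

def saslauthd_backend(flags):
    """Return the argument of -a in a saslauthd flags string, or None."""
    args = shlex.split(flags)
    for i, arg in enumerate(args):
        if arg == "-a" and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("-a") and len(arg) > 2:
            return arg[2:]
    return None

def diagnose(conf_text, flags, capability):
    """Report who checks a plaintext LOGIN and which mechs need sasldb."""
    # Cyrus SASL falls back to auxprop when no pwcheck method is configured.
    methods = parse_imapd_conf(conf_text).get("sasl_pwcheck_method", "auxprop").split()
    if "saslauthd" in methods:
        verifier = "saslauthd:%s" % saslauthd_backend(flags)
    else:
        verifier = "auxprop"  # saslauthd (and PAM) is never consulted
    mechs = [t[5:] for t in capability.split() if t.startswith("AUTH=")]
    return {"plaintext_verifier": verifier,
            "needs_sasldb": sorted(m for m in mechs if m in SHARED_SECRET)}

if __name__ == "__main__":
    print(diagnose(IMAPD_CONF, SASLAUTHD_FLAGS, CAPABILITY))
    print(diagnose("sasl_pwcheck_method: saslauthd\n", SASLAUTHD_FLAGS, CAPABILITY))
```

With the quoted `sasl_pwcheck_method: auxprop`, the first result shows the plaintext check never reaching saslauthd; switching the method to `saslauthd` routes it to the `-a pam` backend, while CRAM-MD5 and DIGEST-MD5 still depend on sasldb.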




More information about the Info-cyrus mailing list