does xfer require murder?

Perry Brown vbperry at hotmail.com
Fri Apr 21 16:30:27 EDT 2006


Sorry to keep bugging everyone on this, but it seems I am close; I'm just 
overlooking something obvious.

I looked through the config on the hosts and we are using pam.


I changed the imapd.conf a little
defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 30000
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
force_sasl_client_mech: LOGIN PLAIN


Imtest looks to work Ok with Login

server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -p imap -m login
WARNING: no hostname supplied, assuming localhost

S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY 
SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI 
AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN cyrus {8}
S: + go ahead
C: <omitted>
S: L01 OK User logged in
Authenticated.
Security strength factor: 0

This works to the localhost as well as to server2.

I try the xfer from server1 to server2:

server1.sub1% /opt/mail/cyrus-imapd/bin/cyradm --user cyrus --server 
server1.sub1 --auth login
IMAP Password:
              server1.sub1.domain.com>
server1.sub1.domain.com> xfer user.vbperry server2.sub2
xfermailbox: Server(s) unavailable to complete operation

the log from server2 shows:
Apr 21 12:56:31  server2 imap[27408]: badlogin: server1.sub1.domain.com 
[10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags do not 
match required]

/etc/sysconfig/saslauthd
MECH=pam
FLAGS=${FLAGS:=}

Is there a doc on the sysconfig/saslauthd flags? I looked through the docs 
that came with cyrus-imap and cyrus-sasl and did not find anything.

From server1 I can log into server2 with imtest, testsaslauthd works OK as 
well. What security flags do not match? Is there a way to kick up the 
verbosity of the logging to see if that would give a clue?


Perry

>
>I tried with plain: /opt/mail/cyrus-imapd/bin/imtest -m plain -p imap
>
>And it got rejected.
>
>C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
>S: A01 NO no mechanism available
>Authentication failed. generic failure
>Security strength factor: 0
>
>
>I can not find a tls conf file so I do not think starttls is set up.
>
>I added the entry mentioned to imapd.conf
>$ cat /etc/imapd.conf
>defaultpartition: imap1
>configdirectory: /var/imap
>partition-imap1: /var/spool/imap1
>admins: cyrus support
>srvtab: /var/imap/srvtab
>quotawarn: 85
>popminpoll: 0
>autocreatequota: 30000
>sasl_pwcheck_method: saslauthd
>lmtp_over_quota_perm_failure: 1
>allowusermoves: yes
>proxy_authname: cyrus
>proxy_password: password
>force_sasl_client_mech: PLAIN
>
>And it gets things further along than before
>
>$ sudo /opt/mail/cyrus-imapd/bin/cyradm --user cyrus --server server1 
>--auth PLAIN
>domain.com authorized use only. vbperry at server1 Password:
>Password:
>IMAP Password:
>              server1.sub1.domain.com>
>server1.sub1.domain.com> xfer user.vbperry server2.sub2.domain.com
>xfermailbox: Server(s) unavailable to complete operation
>
>log on source:
>
>Apr 20 17:42:05 server1 imap[1458]: accepted connection
>Apr 20 17:42:07 server1 imap[1458]: badlogin: server1.ssub1.domain.com 
>[10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags do 
>not match required]
>Apr 20 17:42:14 server1  imap[1458]: login: server1.sub1.domain.com 
>[10.12.12.12] cyrus plaintext User logged in
>Apr 20 17:42:41 server1  master[27630]: process 32354 exited, status 0
>Apr 20 17:42:41 server1  master[2161]: about to exec 
>/opt/mail/cyrus-imapd/bin/imapd
>Apr 20 17:42:41 server1  imap[2161]: executed
>Apr 20 17:42:55 server1  imap[1458]: couldn't authenticate to backend 
>server: authentication failure
>Apr 20 17:42:55 server1  imap[1458]: Could not move mailbox: user.vbperry, 
>Initial backend connect failed
>
>
>
>But I'm now at least seeing something on the destination server:
>
>Apr 20 17:42:52 server2 imap[24375]: badlogin: server1.sub1.domain.com 
>[10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags do 
>not match required]
>
>
>If I can take a step back (sorry I'm trying to decipher how the previous 
>admin had things set up in the environment). The document on how this was 
>set up states.
>
>
>cyrus-sasl was config'ed with
>
>./configure --prefix=/opt/mail/cyrus-sasl \
>    --enable-login --enable-plain --enable-cram \
>    --enable-digest --with-bdb-incdir=/usr/include/db4 \
>    --with-pam --enable-static=yes --enable-sample \
>    --disable-java --disable-otp --disable-krb4 \
>    --with-plugindir=/opt/mail/cyrus-sasl/lib/sasl2
>
>The cyrus-sasl cyrus.conf states:
>srvtab: /var/imap/srvtab <<< seems I could remove this since kerberos is 
>disabled above.
>pwcheck_method: saslauthd
>
>
>saslauthd is started with pam support:
>root      2060  0.0  0.0  2564 1036 ?        S    Apr14   0:00 
>/usr/sbin/saslauthd -m /var/run/saslauthd -a pam
>
>There is /etc/pam.d/imap and pop3 with the following content..
>#%PAM-1.0
>auth       required     /lib/security/pam_stack.so service=system-auth
>account    required     /lib/security/pam_stack.so service=system-auth
>
>Cyrus-imap was compiled with (again what is in the notes from install from 
>previous admin)
>
>  CFLAGS=-I/usr/kerberos/include ./configure --prefix=/opt/mail/cyrus-imapd 
>\
>    --with-cyrus-prefix=/opt/mail/cyrus-imapd \
>    --with-cyrus-user=cyrimap \
>    --with-cyrus-group=mail \
>    --with-bdb-incdir=/usr/include/db4 \
>    --build=i686-pc-linux-gnu \
>    --with-sasl=/opt/mail/cyrus-sasl \
>    --with-auth=unix \
>    --enable-netscapehack \
>    --enable-listext \
>    --with-perl=/opt/third-party/bin/perl \
>    --disable-murder
>
>
>I can run a testsaslauthd and it works fine to the local host
>
>server1.sub1% /usr/sbin/testsaslauthd -u cyrus -p password -R 3
>0: OK "Success."
>1: OK "Success."
>2: OK "Success."
>
>It seems I do not need to have a realm defined because we are using pam, 
>and if I do a sasldbpasswd2 it says /etc/sasldb2 does not exist. This does 
>not seem to be the problem though since saslauthd is using pam. yes?
>
>When I log into cyradm again locally with --auth plain I can do commands 
>like listmailbox and such. I can't seem to be able to run "info"; I just go 
>back to the prompt on that one.
>
>What should my security flags be? What am I missing?
>
>Thank you
>perry
>
>
>
>>You need to use tls as well for PLAIN to work.  add -t ""  to your  
>>arguments
>>
>>
>>What mechanism do you want to use for connecting between backends? If  its 
>>PLAIN then you want
>>force_sasl_client_mech: PLAIN
>>
>>in your imapd.conf file.
>>
>>Otherwise, the machines will see GSSAPI advertised and will try using  
>>that.
>>
>>-Patrick
>>
>>
>>
>>
>>
>>On Apr 20, 2006, at 5:19 PM, Perry Brown wrote:
>>
>>>
>>>
>>>
>>>>
>>>>
>>>>
>>>>>
>>>>>Perry Brown wrote:
>>>>>>Thanks for the imtest idea.
>>>>>>
>>>>>>It looks like I can log in OK.
>>>>>>
>>>>>>
>>>>>>server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m login -p imap  
>>>>>>server2.sub2.domain.com
>>>>>
>>>>>Force imtest to use one of the SASL mechanisms that are listed.   The 
>>>>>backends *only* use SASL, not protocol specific login  commands (IMAP 
>>>>>LOGIN, POP3 USER/PASS, NNTP AUTHINFO USER/PASS).
>>>>>
>>>>
>>>>I'm sorry, I've got my dunce cap on today or something.
>>>>
>>>>Should I change the -m login to -m and one of the AUTH= values  from the 
>>>>CAPABILITY output?
>>>>i.e. -m GSSAPI? or digest-md5 etc...
>>>>
>>>>Andy Morgan wrote:
>>>>Maybe "-m plain"?
>>>
>>>Thank you for the suggestion Andy but no luck.
>>>
>>>server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m plain -p imap
>>>WARNING: no hostname supplied, assuming localhost
>>>
>>>S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
>>>C: C01 CAPABILITY
>>>S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
>>>NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN  MULTIAPPEND 
>>>BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES  ANNOTATEMORE IDLE 
>>>AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR  LISTEXT 
>>>LIST-SUBSCRIBED X-NETSCAPE
>>>S: C01 OK Completed
>>>Please enter your password:
>>>C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
>>>S: A01 NO no mechanism available
>>>Authentication failed. generic failure
>>>Security strength factor: 0
>>>
>>>
>>>>
>>>>I gave this a try with GSSAPI, and got nothing.
>>>>
>>>>digest-md5,
>>>>
>>>>server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m digest-md5
>>>>WARNING: no hostname supplied, assuming localhost
>>>>
>>>>S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
>>>>C: C01 CAPABILITY
>>>>S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
>>>>NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN  MULTIAPPEND 
>>>>BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES  ANNOTATEMORE IDLE 
>>>>AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT 
>>>>LIST-SUBSCRIBED X-NETSCAPE
>>>>S: C01 OK Completed
>>>>C: A01 AUTHENTICATE DIGEST-MD5
>>>>S:
>>>>wkrnfjknf (etc list of characters)
>>>>Please enter your password: (I enter passwd for cyrus)
>>>>C: dXNlcm5h (another long list of characters)
>>>>S: A01 NO user not found
>>>>Authentication failed. generic failure
>>>>Security strength factor: 128
>>>>
>>>>
>>>>This is what I see in local6.log on server1.sub1
>>>>
>>>>Apr 20 11:04:32 server1 imap[17729]: accepted connection
>>>>Apr 20 11:04:38 server1 imap[17729]: badlogin:  localhost.localdomain 
>>>>[127.0.0.1] DIGEST-MD5 [SASL(-13): user not  found: no secret in 
>>>>database]
>>>>
>>>>This is in the auth.log
>>>>Apr 20 11:06:26 server1 imap[15971]: unable to open Berkeley db / 
>>>>etc/sasldb2: No such file or directory
>>>>Apr 20 11:06:26 server1 imap[15971]: unable to open Berkeley db / 
>>>>etc/sasldb2: No such file or directory
>>>>Apr 20 11:06:26 server1 imap[15971]: no secret in database
>>>>
>>>>
>>>>
>>>>cram-md5 got me pretty much the same thing.
>>>>
>>>>Is there a cyrus or sasl command I should/can run to get the auth  for 
>>>>digest-md5 working?
>>>>
>>>>
>>>>Perry
>>>>
>>>>
>>>>
>>>>>
>>>>>>S: * OK server2.sub2.domain.com Cyrus IMAP4 v2.2.8 server ready
>>>>>>C: C01 CAPABILITY
>>>>>>S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
>>>>>>NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT  CHILDREN MULTIAPPEND 
>>>>>>BINARY SORT THREAD=ORDEREDSUBJECT  THREAD=REFERENCES ANNOTATEMORE IDLE 
>>>>>>AUTH=GSSAPI AUTH=DIGEST-MD5  AUTH=CRAM-MD5 SASL-IR LISTEXT 
>>>>>>LIST-SUBSCRIBED X-NETSCAPE
>>>>>>S: C01 OK Completed
>>>>>>Please enter your password:
>>>>>>C: L01 LOGIN cyrus {8}
>>>>>>S: + go ahead
>>>>>>C: <omitted>
>>>>>>S: L01 OK User logged in
>>>>>>Authenticated.
>>>>>>Security strength factor: 0
>>>>>>CAPABILITY
>>>>
>>>>
>>>>----
>>>>Cyrus Home Page: http://asg.web.cmu.edu/cyrus
>>>>Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
>>>>List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>>>
>>>
>>
>
>
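The two failures in this thread come from different places: "SASL(-4): no mechanism available: security flags do not match required" is the server refusing a cleartext mechanism (PLAIN, LOGIN) on a connection with no TLS layer, which is why Patrick's reply points at TLS, while "SASL(-13): ... no secret in database" is a shared-secret mechanism (DIGEST-MD5, CRAM-MD5) looking for a secret that saslauthd/PAM cannot provide. The following added example (not code from the thread, Cyrus IMAP or Cyrus SASL) models the server-side permission check that produces the first message and parses Cyrus `badlogin:` lines so both cases can be spotted in a log. The flag values follow sasl.h; the per-mechanism flag table, the `NEEDS_SASLDB_SECRET` set and the sample log lines are constructed, modelled on the output quoted above.

```python
"""Model of the Cyrus SASL server-side mechanism-permission check and a parser
for Cyrus imapd 'badlogin:' log lines.

Added example, not Cyrus or Cyrus SASL source.  Flag constants follow sasl.h;
MECH_FLAGS, NEEDS_SASLDB_SECRET and SAMPLE_LOG are constructed for the demo.
"""
import re

# Security-property flags (values from sasl.h).
SASL_SEC_NOPLAINTEXT = 0x0001   # mechanism must not send the password in clear
SASL_SEC_NOANONYMOUS = 0x0010
SASL_SEC_MUTUAL_AUTH = 0x0040

# What each mechanism plugin claims to provide (constructed, simplified table
# covering the mechanisms that appear in the thread).
MECH_FLAGS = {
    "PLAIN":      SASL_SEC_NOANONYMOUS,                                  # cleartext
    "LOGIN":      SASL_SEC_NOANONYMOUS,                                  # cleartext
    "CRAM-MD5":   SASL_SEC_NOPLAINTEXT | SASL_SEC_NOANONYMOUS,
    "DIGEST-MD5": SASL_SEC_NOPLAINTEXT | SASL_SEC_NOANONYMOUS | SASL_SEC_MUTUAL_AUTH,
    "GSSAPI":     SASL_SEC_NOPLAINTEXT | SASL_SEC_NOANONYMOUS | SASL_SEC_MUTUAL_AUTH,
}

# Mechanisms that verify against a stored shared secret (sasldb2) instead of
# handing a password to saslauthd/PAM (constructed; explains the -13 line).
NEEDS_SASLDB_SECRET = {"CRAM-MD5", "DIGEST-MD5"}


def mech_permitted(mech, required_flags, external_ssf=0, min_ssf=0):
    """Decide, as libsasl's server side does, whether `mech` may be used.

    required_flags: flags the server demands (imapd adds SASL_SEC_NOPLAINTEXT
    unless plaintext logins are allowed).  external_ssf: strength of the TLS
    layer under the connection, 0 when there is none.  A TLS layer with
    ssf > 1 that satisfies min_ssf waives the no-plaintext requirement; any
    other required flag the plugin does not provide is a mismatch.
    Returns (ok, reason).
    """
    plugin_flags = MECH_FLAGS.get(mech)
    if plugin_flags is None:
        return False, "Couldn't find mech %s" % mech
    myflags = required_flags
    if min_ssf <= external_ssf and external_ssf > 1:
        myflags &= ~SASL_SEC_NOPLAINTEXT
    # Required bits that the plugin lacks are exactly the mismatch.
    if (myflags ^ plugin_flags) & myflags:
        return False, "security flags do not match required"
    return True, "ok"


def advertised_mechs(required_flags, external_ssf=0):
    """Mechanisms the server would list as AUTH=... under these properties."""
    return sorted(m for m in MECH_FLAGS
                  if mech_permitted(m, required_flags, external_ssf)[0])


# Cyrus imapd 'badlogin' line; the numeric SASL codes are named in sasl.h.
BADLOGIN_RE = re.compile(
    r"badlogin: (?P<host>\S+) \[(?P<ip>[^\]]+)\] (?P<mech>\S+) "
    r"\[SASL\((?P<code>-?\d+)\): (?P<reason>[^\]]*)\]")
SASL_CODES = {-4: "SASL_NOMECH", -13: "SASL_BADAUTH"}


def parse_badlogin(line):
    """Return the fields of a badlogin line, or None for any other line."""
    m = BADLOGIN_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    return {"host": m.group("host"), "ip": m.group("ip"),
            "mech": m.group("mech"), "code": code,
            "name": SASL_CODES.get(code, "SASL_UNKNOWN"),
            "reason": m.group("reason")}


def explain(line):
    """Map a badlogin line to the configuration gap it most likely reflects."""
    rec = parse_badlogin(line)
    if rec is None:
        return None
    if rec["code"] == -4 and not MECH_FLAGS.get(rec["mech"], 0) & SASL_SEC_NOPLAINTEXT:
        return ("%s sends the password in clear; the server requires "
                "SASL_SEC_NOPLAINTEXT and the connection has no TLS layer" % rec["mech"])
    if rec["code"] == -13 and rec["mech"] in NEEDS_SASLDB_SECRET:
        return ("%s needs a shared secret in sasldb2; saslauthd/PAM cannot "
                "supply one" % rec["mech"])
    return "%s: %s" % (rec["name"], rec["reason"])


# Constructed sample lines modelled on the ones quoted in the thread.
SAMPLE_LOG = [
    "Apr 21 12:56:31 server2 imap[27408]: badlogin: server1.sub1.domain.com "
    "[10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags "
    "do not match required]",
    "Apr 20 11:04:38 server1 imap[17729]: badlogin: localhost.localdomain "
    "[127.0.0.1] DIGEST-MD5 [SASL(-13): user not found: no secret in database]",
    "Apr 20 17:42:14 server1 imap[1458]: login: server1.sub1.domain.com "
    "[10.12.12.12] cyrus plaintext User logged in",
]

if __name__ == "__main__":
    print("advertised without TLS:", advertised_mechs(SASL_SEC_NOPLAINTEXT, 0))
    print("advertised with TLS:   ", advertised_mechs(SASL_SEC_NOPLAINTEXT, 128))
    for entry in SAMPLE_LOG:
        print(explain(entry))
```

Run without arguments, the script lists exactly the three AUTH= mechanisms the CAPABILITY output in the thread shows on an unencrypted connection (no PLAIN, no LOGIN), lists all five once a TLS layer is present, and tags each sample log line with the gap behind it. The waiver in `mech_permitted` is the same reason `imtest -t ""` (negotiating STARTTLS first) lets PLAIN succeed where a bare connection is refused.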



