New 2.4.10 install - authentication problems with saslauthd

John cyrus at jelmail.com
Fri Aug 5 17:10:12 EDT 2011


Hello, I have a problem with a new installation. I've been trying to 
sort this for several days now without any luck, so I am posting here in 
the hope of a solution.

I have a server, currently running 2.4.7 and all is well (and has been 
for a very long time). I am trying to build a new server with 2.4.10 but 
I can't get anything to authenticate on it.

In both cases the host is Arch Linux and both have exactly the same 
configuration files. Here is imapd.conf:

configdirectory: /srv/mail/cyrus
partition-default: /srv/mail/cyrus/mail
admins: cyrus
sasl_pwcheck_method: saslauthd
sasl_saslauthd_path: /var/run/saslauthd/mux
allowplaintext: yes
altnamespace: yes
unixhierarchysep: yes
virtdomains: userid
defaultdomain: mydomain.com
hashimapspool: true

I know it's reading the correct file because I can force an error by 
temporarily corrupting it:
Aug  5 21:44:14 localhost master[407]: invalid option name on line 1 of 
configuration file /etc/cyrus/imapd.conf
Aug  5 21:44:14 localhost master[407]: exiting

Firstly, saslauthd is running and set to use PAM for authentication, and 
on both boxes I have tested that this works using "testsaslauthd", 
getting identical results in both cases (in both cases the test was 
"testsaslauthd -u cyrus -p cyruspw -f /var/run/saslauthd/mux" and the 
result was 0: OK "Success.").

Both boxes have the same sasl package, installed from the ArchLinux 
repository:
# saslauthd -v
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap

I try "imtest -a cyrus" on each box. On the 2.4.7 box it prompts for a 
password, which I enter, and I am told it is "Authenticated". On the 
2.4.10 box it does not prompt for a password but just returns 
"Authentication failed. generic failure"

The log shows it is trying to use GSSAPI despite my saslauthd configuration:
Aug  5 21:41:11 localhost imtest: GSSAPI Error: Unspecified GSS 
failure.  Minor code may provide more information (Credentials cache 
file '/tmp/krb5cc_0' not found)

If I put "sasl_mech_list: PLAIN" into imapd.conf and retry "imtest -a 
cyrus" on the 2.4.10 box I do get a password prompt but it still errors:

The log then shows:
Aug  5 21:46:10 localhost imap[491]: badlogin: localhost.localdomain 
[::1] PLAIN [SASL(-1): generic failure: Password verification failed]

I also tried using telnet. On the 2.4.7 box it authenticates fine. On 
the 2.4.10 box I get "Login failed: generic failure"

I tried using imtest from the new box to access the old box (imtest -a 
cyrus -m PLAIN old-box) and it authenticates:

# imtest -a cyrus -m PLAIN 10.0.200.6
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=OTP 
AUTH=CRAM-MD5 AUTH=GSSAPI AUTH=LOGIN AUTH=DIGEST-MD5 SASL-IR] carbon 
Cyrus IMAP v2.4.7 server ready
Please enter your password:
C: A01 AUTHENTICATE PLAIN AGN5cnVzAGd1aW5uZXNz
S: A01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA 
MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN 
MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ 
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED 
WITHIN QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY LOGINDISABLED 
COMPRESS=DEFLATE IDLE] Success (no protection)
Authenticated.
Security strength factor: 0

I tried using imtest from the old box to access the new box (imtest -a 
cyrus -m PLAIN new-box). This prompts for a password but returns 
"Authentication failed. generic failure"

# imtest -a cyrus -m PLAIN 10.0.200.6
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=OTP 
AUTH=CRAM-MD5 AUTH=GSSAPI AUTH=LOGIN AUTH=DIGEST-MD5 SASL-IR] carbon 
Cyrus IMAP v2.4.7 server ready
Please enter your password:
C: A01 AUTHENTICATE PLAIN AGN5cnVzAGd1aW5uZXNz
S: A01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA 
MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN 
MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ 
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED 
WITHIN QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY LOGINDISABLED 
COMPRESS=DEFLATE IDLE] Success (no protection)
Authenticated.
Security strength factor: 0

The log shows:
Aug  5 22:02:54 localhost imap[733]: badlogin: [10.0.200.6] PLAIN 
[SASL(-1): generic failure: Password verification failed]

I don't know what else to try. I have read and reread the documentation 
on cyrusimap.org for both Cyrus-IMAP and Cyrus SASL. The sasl tests are 
ok, imtest works from both boxes to connect to the 2.4.7 imapd but fails 
from both boxes when connecting to the 2.4.10 box. It appears to use 
saslauthd but for some reason isn't working.

I would really appreciate some help.

Thanks in advance.
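
The imtest transcripts in this message include "C: A01 AUTHENTICATE PLAIN ..." lines; that argument is the RFC 4616 PLAIN message (authzid NUL authcid NUL passwd) in base64, which is an encoding and not encryption. The following is an added example, not part of the original post, that masks the password field of such lines before a transcript is shared; the function names and the sample transcript are constructed for illustration.

```python
import base64
import binascii
import re

# Client line as printed by imtest: "C: <tag> AUTHENTICATE PLAIN <base64>"
AUTH_PLAIN = re.compile(r"^(C: \S+ AUTHENTICATE PLAIN )(\S+)\s*$")


def parse_plain(b64):
    """Decode an RFC 4616 PLAIN message into (authzid, authcid, password)."""
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("expected authzid NUL authcid NUL passwd")
    return tuple(p.decode("utf-8") for p in parts)


def redact_line(line):
    """Return the line with the password inside a PLAIN payload masked."""
    m = AUTH_PLAIN.match(line)
    if not m:
        return line  # not an AUTHENTICATE PLAIN line: leave untouched
    try:
        authzid, authcid, _password = parse_plain(m.group(2))
    except (binascii.Error, ValueError):
        # Cannot tell which bytes are the password, so drop the whole payload.
        return m.group(1) + "[REDACTED: undecodable]"
    # Keep the identities (useful when debugging), replace only the password.
    masked = "\x00".join((authzid, authcid, "REDACTED")).encode("utf-8")
    return m.group(1) + base64.b64encode(masked).decode("ascii")


def redact_transcript(text):
    return "\n".join(redact_line(line) for line in text.splitlines())


# Constructed sample transcript (user "alice", password "example-pw").
SAMPLE_B64 = base64.b64encode(b"\x00alice\x00example-pw").decode("ascii")
SAMPLE = (
    "Please enter your password:\n"
    f"C: A01 AUTHENTICATE PLAIN {SAMPLE_B64}\n"
    "S: A01 OK Success (no protection)\n"
)

if __name__ == "__main__":
    print(redact_transcript(SAMPLE))
```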




