New 2.4.10 install - authentication problems with saslauthd
John
cyrus at jelmail.com
Fri Aug 5 17:10:12 EDT 2011
Hello, I have a problem with a new installation. I've been trying to
sort this out for several days now without any luck, so I am posting here
in the hope of a solution.
I have a server, currently running 2.4.7 and all is well (and has been
for a very long time). I am trying to build a new server with 2.4.10 but
I can't get anything to authenticate on it.
In both cases the host is Arch Linux and both have exactly the same
configuration files. Here is imapd.conf:
configdirectory: /srv/mail/cyrus
partition-default: /srv/mail/cyrus/mail
admins: cyrus
sasl_pwcheck_method: saslauthd
sasl_saslauthd_path: /var/run/saslauthd/mux
allowplaintext: yes
altnamespace: yes
unixhierarchysep: yes
virtdomains: userid
defaultdomain: mydomain.com
hashimapspool: true
I know it's reading the correct file because I can force an error by
temporarily corrupting it:
Aug 5 21:44:14 localhost master[407]: invalid option name on line 1 of
configuration file /etc/cyrus/imapd.conf
Aug 5 21:44:14 localhost master[407]: exiting
Firstly, saslauthd is running, using PAM for authentication, and on both
boxes I have tested that this works using "testsaslauthd", getting
identical results in both cases (in both cases the test was
"testsaslauthd -u cyrus -p cyruspw -f /var/run/saslauthd/mux" and the
result was "0: OK "Success."").
Both boxes have the same sasl package, installed from the ArchLinux
repository:
# saslauthd -v
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
I try "imtest -a cyrus" on each box. On the 2.4.7 box it prompts for a
password, which I enter, and I am told it is "Authenticated". On the
2.4.10 box it does not prompt for a password but just returns
"Authentication failed. generic failure"
The log shows it is trying to use GSSAPI despite my saslauthd configuration:
Aug 5 21:41:11 localhost imtest: GSSAPI Error: Unspecified GSS
failure. Minor code may provide more information (Credentials cache
file '/tmp/krb5cc_0' not found)
If I put "sasl_mech_list: PLAIN" into imapd.conf and retry "imtest -a
cyrus" on the 2.4.10 box I do get a password prompt but it still errors:
The log then shows:
Aug 5 21:46:10 localhost imap[491]: badlogin: localhost.localdomain
[::1] PLAIN [SASL(-1): generic failure: Password verification failed]
I also tried using telnet. On the 2.4.7 box it authenticates fine. On
the 2.4.10 box I get "Login failed: generic failure"
I tried using imtest from the new box to access the old box (imtest -a
cyrus -m PLAIN old-box) and it authenticates:
# imtest -a cyrus -m PLAIN 10.0.200.6
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=OTP
AUTH=CRAM-MD5 AUTH=GSSAPI AUTH=LOGIN AUTH=DIGEST-MD5 SASL-IR] carbon
Cyrus IMAP v2.4.7 server ready
Please enter your password:
C: A01 AUTHENTICATE PLAIN AGN5cnVzAGd1aW5uZXNz
S: A01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA
MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED
WITHIN QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY LOGINDISABLED
COMPRESS=DEFLATE IDLE] Success (no protection)
Authenticated.
Security strength factor: 0
I tried using imtest from the old box to access the new box (imtest -a
cyrus -m PLAIN new-box). This prompts for a password but returns
"Authentication failed. generic failure"
# imtest -a cyrus -m PLAIN 10.0.200.6
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=OTP
AUTH=CRAM-MD5 AUTH=GSSAPI AUTH=LOGIN AUTH=DIGEST-MD5 SASL-IR] carbon
Cyrus IMAP v2.4.7 server ready
Please enter your password:
C: A01 AUTHENTICATE PLAIN AGN5cnVzAGd1aW5uZXNz
S: A01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA
MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED
WITHIN QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY LOGINDISABLED
COMPRESS=DEFLATE IDLE] Success (no protection)
Authenticated.
Security strength factor: 0
The log shows:
Aug 5 22:02:54 localhost imap[733]: badlogin: [10.0.200.6] PLAIN
[SASL(-1): generic failure: Password verification failed]
I don't know what else to try. I have read and reread the documentation
on cyrusimap.org for both Cyrus-IMAP and Cyrus SASL. The sasl tests are
ok, imtest works from both boxes to connect to the 2.4.7 imapd but fails
from both boxes when connecting to the 2.4.10 box. It appears to use
saslauthd but for some reason isn't working.
I would really appreciate some help.
Thanks in advance.