New 2.4.10 install - authentication problems with saslauthd

Dan White dwhite at olp.net
Fri Aug 5 17:32:47 EDT 2011


On 05/08/11 22:10 +0100, John wrote:
>I have a server, currently running 2.4.7 and all is well (and has been
>for a very long time). I am trying to build a new server with 2.4.10 but
>I can't get anything to authenticate on it.
>
>configdirectory: /srv/mail/cyrus
>partition-default: /srv/mail/cyrus/mail
>admins: cyrus
>sasl_pwcheck_method: saslauthd
>sasl_saslauthd_path: /var/run/saslauthd/mux
>allowplaintext: yes
>altnamespace: yes
>unixhierarchysep: yes
>virtdomains: userid
>defaultdomain: mydomain.com
>hashimapspool: true
>
>Firstly, saslauthd is running to use PAM for authentication and on both
>boxes I have tested this works using "testsaslauthd" getting identical
>results on both cases. ( in both cases the test was "testsaslauthd -u
>cyrus -p cyruspw -f /var/run/saslauthd/mux" and the result was "0: OK
>"Success."")
>
>Both boxes have the same sasl package, installed from the ArchLinux
>repository:
># saslauthd -v
>saslauthd 2.1.23
>authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
>
>If I put "sasl_mech_list: PLAIN" into imapd.conf and retry "imtest -a
>cyrus" on the 2.4.10 box I do get a password prompt but it still errors:
>
>The log then shows:
>Aug  5 21:46:10 localhost imap[491]: badlogin: localhost.localdomain
>[::1] PLAIN [SASL(-1): generic failure: Password verification failed]

Try running your saslauthd daemon in debug mode and see if it is getting
contacted at all by cyrus imap.

Does your cyrus user have permissions to access the saslauthd mux?

Try running your testsaslauthd command as your cyrus user... I'm assuming
that during testing you were using root, or another account.

># imtest -a cyrus -m PLAIN 10.0.200.6
>S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=OTP
>AUTH=CRAM-MD5 AUTH=GSSAPI AUTH=LOGIN AUTH=DIGEST-MD5 SASL-IR] carbon
>Cyrus IMAP v2.4.7 server ready
>Please enter your password:
>C: A01 AUTHENTICATE PLAIN AGN5cnVzAGd1aW5uZXNz

Be aware that your password here is uuencoded and can be trivially
reversed.

-- 
Dan White
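
Added example, not part of the original message: the token after AUTHENTICATE PLAIN in an imtest transcript is base64 of authzid NUL authcid NUL password (RFC 4616), so a transcript should be scrubbed before it is posted. The Python sketch below redacts such tokens; the function names and the sample transcript are constructed for illustration.

```python
import base64
import binascii
import re

# Matches an IMAP AUTHENTICATE PLAIN command carrying an initial response
# (SASL-IR), as printed by imtest: "C: A01 AUTHENTICATE PLAIN <base64>".
AUTH_PLAIN = re.compile(r"(AUTHENTICATE\s+PLAIN\s+)([A-Za-z0-9+/]+={0,2})",
                        re.IGNORECASE)


def decode_plain(token):
    """Return (authzid, authcid, password) if token is a SASL PLAIN message, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        return None
    return tuple(p.decode("utf-8", "replace") for p in parts)


def redact(transcript):
    """Replace PLAIN initial responses with a placeholder.

    Returns (cleaned_text, usernames_whose_credentials_were_removed).
    """
    exposed = []

    def _sub(match):
        fields = decode_plain(match.group(2))
        if fields is None:
            return match.group(0)  # not a PLAIN credential blob; leave untouched
        exposed.append(fields[1])
        return match.group(1) + "[REDACTED]"

    return AUTH_PLAIN.sub(_sub, transcript), exposed


# Constructed sample: the token encodes b"\0alice\0example-pw" (not from the thread).
SAMPLE_TOKEN = base64.b64encode(b"\x00alice\x00example-pw").decode()
SAMPLE = (
    "S: * OK [CAPABILITY IMAP4rev1 AUTH=PLAIN SASL-IR] host ready\n"
    "C: A01 AUTHENTICATE PLAIN " + SAMPLE_TOKEN + "\n"
    "S: A01 NO authentication failure\n"
)

if __name__ == "__main__":
    cleaned, users = redact(SAMPLE)
    print(cleaned)
    print("credentials removed for:", users)
```

Any password that has already appeared in a posted transcript should be changed, since redacting later copies does not withdraw the original.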

