Authentication 'realm' problem SOLVED

Charles Bradshaw brad at bradcan.homelinux.com
Wed Jan 23 09:23:47 EST 2013


I am now able to connect using imtest and authenticate using sasldb2 from both
localhost and elsewhere.

1 - In imapd.conf insert the line: "virtdomains: userid".
2 - In the imtest command use: -a user@mydomain

NOTE
imtest -a user -r mydomain does NOT work.
I have to remove the defaultdomain: line from imapd.conf otherwise imtest from
another host fails.

In the above mydomain has absolutely nothing to do with network domains. It is
simply an additional grouping identifier "REALM" to be used in the auth
database lookup process. For example:

[root@imap-host ~]# saslpasswd2 -c test -u administration
and
[user@other-host ~]$ imtest -a test@administration imap-host
Authenticates just fine.

Charles Bradshaw

On: Mon, 21 Jan 2013 17:47:53 +0000, Charles Bradshaw wrote
> I am seeing an authentication problem when using imtest. I have
> cyrus-imapd-utils-2.4.14-1.fc17.i686
> 
> The imtest man page says the -r switch specifies the 'realm', but -r 
> does not seem to work.
> 
> I used:
> [root@imap-server ~]# saslpasswd2 user
> Password ...
> and
> [root@imap-server ~]# saslpasswd2 cyrus
> ...
> Which puts cyrus at imap-host.mydomain and user at imap-host@mydomain into 
> /etc/sasldb2
> 
> Now:
> $ imtest -s -a cyrus localhost
> Authenticates.
> 
> But 
> $ imtest -s -a cyrus imap-host
> $ imtest -s -a cyrus -r imap-host.mydomain imap-host
> 
> From another host fails with:
> "Authentication failed. generic failure"
> 
> On the other hand:
> $ imtest -s -a user localhost
> $ imtest -s -a user
> BOTH authenticate, but are pointless because I need to authenticate 
> for other, different, realms.
> 
> If instead I use:
> [root@imap-server ~]# saslpasswd2 -u mydomain user
> Password ...
> That is, specify the (badly named 'domain') realm for sasldb2. Now:
> $ imtest -s -a user -r mydomain localhost
> $ imtest -s -a user -r mydomain imap-host
> 
> Both produce "Authentication failed. generic failure"
> 
> The /var/log/maillog messages are equally unhelpful:
> 
> Jan 21 17:39:21 imap-host imaps[5610]: starttls: TLSv1 with cipher
> DHE-RSA-AES256-SHA (256/256 bits new) no authentication
> 
> Jan 21 17:39:48 imap-host imaps[5610]: badlogin: localhost [::1] 
> DIGEST-MD5 [SASL(-13): user not found: no secret in database]
> 
> Obviously I missed some 'realm' configuration for cyrus-imapd or 
> don't understand how to use -u realm for saslpasswd2 or the -r realm 
> parameter for imtest!
> 
> I think I understood saslpasswd -u realm because I have realms 
> working for sendmail using saslauthd.
> 
> What am I doing wrong?
> 
> # cat /etc/imapd.conf
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> admins: cyrus
> sievedir: /var/lib/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> sasl_pwcheck_method: auxprop
> sasl_mech_list: PLAIN DIGEST-MD5 CRAM-MD5
> sasl_auxprop_plugin:sasldb
> #allowplaintext: no
> #defaultdomain: mail
> #loginrealms: mydomain
> tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
> 
> I tried loginrealms: mydomain without success!
> 
> The localhost test FQDN is imap-host.mydomain and my DNS works.
> ie '$ host imap-host' produces imap-host.mydomain has address 192.168.#.#
> 
> Thanks in advance, Charles Bradshaw
------- End of Original Message -------
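
Added example (not part of the original post, and not Cyrus code): a small Python check that models the (user, realm) lookup the post describes, run against a constructed listing in the `sasldblistusers2` output format. The default-realm fallback for a bare userid is an assumption of this sketch, based on the entries the poster saw created under the host's name.

```python
# Added example: models the (user, realm) lookup described in the post.
# Listing lines follow the `sasldblistusers2` format "user@realm: property".
SAMPLE_LISTING = """\
cyrus@imap-host.mydomain: userPassword
user@imap-host.mydomain: userPassword
test@administration: userPassword
"""  # constructed sample, not output from the poster's server


def parse_listing(text):
    """Return the set of (user, realm) pairs that hold a userPassword entry."""
    entries = set()
    for line in text.splitlines():
        ident, sep, prop = line.partition(":")
        if not sep or prop.strip() != "userPassword":
            continue
        user, at, realm = ident.strip().rpartition("@")
        if at and user and realm:
            entries.add((user, realm))
    return entries


def split_authid(authid, default_realm):
    """Split 'user@realm'; a bare userid falls back to default_realm (assumption)."""
    user, at, realm = authid.rpartition("@")
    if not at:
        return authid, default_realm
    return user, realm


def diagnose(entries, authid, default_realm):
    """Explain whether authid maps onto an existing (user, realm) secret."""
    user, realm = split_authid(authid, default_realm)
    if (user, realm) in entries:
        return "found: %s in realm %s" % (user, realm)
    others = sorted(r for u, r in entries if u == user)
    if others:
        return "no secret for %s in realm %s; user exists in: %s" % (
            user, realm, ", ".join(others))
    return "no secret for %s in any realm" % user


if __name__ == "__main__":
    db = parse_listing(SAMPLE_LISTING)
    for authid in ("test@administration", "test", "cyrus"):
        print(authid, "->", diagnose(db, authid, "imap-host.mydomain"))
```

Feeding it the real `sasldblistusers2` output from the server shows which realm each secret was stored under, which is the first thing to compare against the id passed to `imtest -a` when the log reports "no secret in database".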


