Can't authorize as different user in cyradm and sieveshell

Andrew Morgan morgan at orst.edu
Mon Nov 21 13:07:23 EST 2016


Maybe there is something wrong with your saslauthd parameters or PAM 
config?

Here is what I use:

saslauthd -a pam -c -t 300 -m /var/run/saslauthd -n 5

# cat /etc/pam.d/sieve
# PAM configuration file for Cyrus IMAP service

auth    sufficient      pam_ldap.so
auth    required        pam_unix.so

account sufficient      pam_ldap.so
account required        pam_unix.so


(pretty simple!)

In your original email, you showed that you could authenticate as the 
target user successfully.  Can you connect to sieve as the admin user (no 
proxy-auth)?

Thanks,
 	Andy


On Mon, 21 Nov 2016, Michael Ulitskiy wrote:

> Andrew,
>
> Thanks for the reply. It's good to know it works for someone.
> I've tried to downgrade cyrus to 2.4.18, but that didn't help.
> sivtest doesn't provide much clue:
>
> root at rway-imap-vm:~# sivtest -a proxyadmin -u t4 at virtualcrap.com localhost
> S: "IMPLEMENTATION" "Cyrus timsieved v2.4.18"
> S: "SASL" "PLAIN"
> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope imap4flags relational regex subaddress copy"
> S: "UNAUTHENTICATE"
> S: OK
> Please enter your password:
> C: AUTHENTICATE "PLAIN" {48+}
> <redacted>
> S: NO "Authentication Error"
> Authentication failed. generic failure
> Security strength factor: 0
>
> while log is saying:
> Nov 21 12:01:57 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
> Nov 21 12:01:57 rway-imap-vm sieve[21483]: badlogin: localhost[127.0.0.1] PLAIN no mechanism available
>
> the same happens if I use admin user.
> I also tried to change sasl_pwcheck_method to 'alwaystrue' to make sure no authentication problems stand in the way, but that also didn't help.
> I'm at a loss now. Any more troubleshooting clues?
>
> Thanks,
> Michael
>
> On Sunday, November 20, 2016 07:34:58 PM Andrew Morgan wrote:
>> This works for me under v2.4.18.  I'm able to run sieveshell against a
>> frontend or backend authenticating as a cyrus "admins" user or a
>> "proxyservers" user (on the backend).
>>
>> Against a frontend:
>>
>> # sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu
>> connecting to imap.onid.oregonstate.edu
>> Please enter your password:
>> > list
>> onid-web
>> real  <- active script
>> > quit
>>
>>
>> Against a backend:
>>
>> # sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu
>> connecting to cyrus-be1.onid.oregonstate.edu
>> Please enter your password:
>> > list
>> onid-web
>> real  <- active script
>> > quit
>>
>>
>> My imapd.conf settings:
>>
>> admins: cyrus
>> allowplaintext: 0
>> sasl_mech_list: PLAIN
>> sasl_minimum_layer: 0
>> sasl_pwcheck_method: saslauthd
>> sieve_allowreferrals: 0
>> sieve_allowplaintext: 1
>>
>>
>> Have you tried using the "sivtest" program?  It will show you the protocol
>> handshakes, which might help.  Here is an example for me:
>>
>> # sivtest -u morgan -a cyrus localhost
>> S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"
>> S: "SASL" "PLAIN"
>> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags
>> notify envelope body relational regex subaddress copy"
>> S: "STARTTLS"
>> S: "UNAUTHENTICATE"
>> S: OK
>> Please enter your password:
>> C: AUTHENTICATE "PLAIN" {28+}
>> <redacted>
>> S: OK
>> Authenticated.
>> Security strength factor: 0
>> C: LOGOUT
>> OK "Logout Complete"
>> Connection closed.
>>
>>
>>  	Andy
>>
>> On Sun, 20 Nov 2016, Michael Ulitskiy via Info-cyrus wrote:
>>
>>> Since nobody answered, I guess, nobody has any idea.
>>> I wonder if anybody uses this feature and it works for you?
>>> I mean I'd like to know if that's just me and something is wrong with my setup, or maybe that feature isn't functional at all?
>>> Thanks in advance,
>>>
>>> Michael
>>>
>>> On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via Info-cyrus wrote:
>>>> Hello,
>>>>
>>>> I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26.
>>>> I'm trying to use sieveshell to set up users' sieve scripts, but since
>>>> I don't know users' passwords I want to use a special user for authentication
>>>> and authorize as the target user.
>>>> Here's what I have.
>>>>
>>>> imapd.conf:
>>>> admins: mailadmin
>>>> proxyservers: proxyadmin
>>>> sasl_pwcheck_method: saslauthd
>>>> #sasl_pwcheck_method: alwaystrue
>>>> sasl_mech_list: PLAIN
>>>> allowplaintext: yes
>>>>
>>>> here's what i do:
>>>>
>>>> root at rway-imap-vm:~# sieveshell -a proxyadmin -u t4 at virtualcrap.com localhost
>>>> connecting to localhost
>>>> Please enter your password:
>>>> unable to connect to server at /usr/bin/sieveshell line 191, <STDIN> line 1.
>>>>
>>>> here's the log:
>>>> Nov 17 18:24:44 rway-imap-vm sieve[2256]: TLS is available.
>>>> Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
>>>> Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN no mechanism available
>>>> Nov 17 18:24:46 rway-imap-vm sieve[2256]: Lost connection to client -- exiting
>>>>
>>>> as you can see user proxyadmin authenticated successfully, but then something (authorization?) went wrong
>>>> and it says "PLAIN no mechanism available".
>>>> this only happens if i try to authorize as different user. if i don't everything works fine:
>>>>
>>>> root at rway-imap-vm:~# sieveshell -a t4 at virtualcrap.com -u t4 at virtualcrap.com localhost
>>>> connecting to localhost
>>>> Please enter your password:
>>>> >
>>>>
>>>> log:
>>>> Nov 17 18:24:11 rway-imap-vm sieve[2247]: TLS is available.
>>>> Nov 17 18:24:15 rway-imap-vm saslauthd[1167]: pam_userdb(sieve:auth): user 't4 at virtualcrap.com' granted access
>>>> Nov 17 18:24:15 rway-imap-vm sieve[2247]: login: localhost [127.0.0.1] t4 at virtualcrap.com PLAIN User logged in
>>>>
>>>> the same happens to cyradm:
>>>> root at rway-imap-vm:~# cyradm --user=proxyadmin --authz=t4 at virtualcrap.com --auth=plain localhost
>>>> Password:
>>>> IMAP Password:
>>>>
>>>> log:
>>>> Nov 17 18:26:27 rway-imap-vm saslauthd[1166]: pam_userdb(imap:auth): user 'proxyadmin' granted access
>>>> Nov 17 18:26:27 rway-imap-vm imap[2277]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-4): no mechanism available: Unable to find a callback: 32773]
>>>>
>>>> but ok without trying to authorize as different user:
>>>> root at rway-imap-vm:~# cyradm --user=t4 at virtualcrap.com --auth=plain localhost
>>>> Password:
>>>> localhost>
>>>> Nov 17 18:27:31 rway-imap-vm saslauthd[1167]: pam_userdb(imap:auth): user 't4 at virtualcrap.com' granted access
>>>> Nov 17 18:27:31 rway-imap-vm imap[2276]: login: localhost [127.0.0.1] t4 at virtualcrap.com PLAIN User logged in SESSIONID=<rway-imap.aceinnovative.com-2276-1479425249-1-16233364852996823733>
>>>>
>>>> Can somebody tell me what I am doing wrong?
>>>> Thanks a lot,
>>>>
>>>> Michael
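
Added example, not part of the original thread and not Cyrus code: the literal sent after `AUTHENTICATE "PLAIN"` in the sivtest traces above is a base64 SASL PLAIN response (RFC 4616) carrying the identity to act as (authzid, `-u`), the identity whose password is checked (authcid, `-a`), and the password. The sketch below decodes such a response and applies a simplified check that the authcid is listed in `admins` or `proxyservers`, as the thread describes; the sample user, the password and the helper names are constructed for illustration.

```python
import base64

def encode_plain(authzid: str, authcid: str, password: str) -> str:
    """Build the base64 initial response for SASL PLAIN (RFC 4616)."""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")

def decode_plain(b64: str) -> dict:
    """Split a PLAIN response into its three NUL-separated fields."""
    parts = base64.b64decode(b64, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN response must contain exactly two NUL separators")
    authzid, authcid, _password = (p.decode("utf-8") for p in parts)
    if not authcid:
        raise ValueError("empty authcid")
    # An empty authzid means "act as the authenticated user".
    return {"authzid": authzid or authcid, "authcid": authcid,
            "proxy_requested": bool(authzid) and authzid != authcid}

def parse_conf(text: str) -> dict:
    """Parse 'key: value' lines of an imapd.conf fragment, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf

def may_proxy(ids: dict, conf: dict) -> bool:
    """Simplified assumption, not Cyrus's own logic: acting as another user
    requires the authcid to be listed in admins or proxyservers."""
    if not ids["proxy_requested"]:
        return True
    allowed = set(conf.get("admins", "").split())
    allowed |= set(conf.get("proxyservers", "").split())
    return ids["authcid"] in allowed

# Constructed sample: option names from the thread, placeholder user and password.
CONF = """admins: mailadmin
proxyservers: proxyadmin
#sasl_pwcheck_method: alwaystrue
sasl_mech_list: PLAIN
"""

if __name__ == "__main__":
    resp = encode_plain("user@example.com", "proxyadmin", "example-password")
    ids = decode_plain(resp)
    print(ids, "proxy allowed by config:", may_proxy(ids, parse_conf(CONF)))
```

Because saslauthd only sees the authcid and its password, a "granted access" line from saslauthd says nothing about whether the authzid was accepted; that decision is made afterwards by the service.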
