Can't authorize as different user in cyradm and sieveshell

Michael Ulitskiy mulitskiy at acedsl.com
Mon Nov 21 13:55:52 EST 2016


I run saslauthd as follows:

/usr/sbin/saslauthd -a pam -m /var/state/saslauthd -n 4 -r

I guess the notable difference is option '-r', which combines realm with login username.
I've tried to create a couple of unqualified users and run saslauthd without it, with the same result - proxyauth doesn't work.

pam:

root at rway-imap-vm:~# cat /etc/pam.d/sieve
auth    required        pam_warn.so
auth    required        pam_userdb.so db=/etc/mail/virtpasswd crypt=crypt
account required        pam_warn.so
account required        pam_userdb.so db=/etc/mail/virtpasswd crypt=crypt

Yes, I can connect as the target user, or the admin user, or the proxy user. proxyauth is the only problematic scenario.
That's what puzzles me the most.

On Monday, November 21, 2016 10:07:23 AM Andrew Morgan wrote:
> Maybe there is something wrong with your saslauthd parameters or PAM 
> config?
> 
> Here is what I use:
> 
> saslauthd -a pam -c -t 300 -m /var/run/saslauthd -n 5
> 
> # cat /etc/pam.d/sieve
> # PAM configuration file for Cyrus IMAP service
> 
> auth    sufficient      pam_ldap.so
> auth    required        pam_unix.so
> 
> account sufficient      pam_ldap.so
> account required        pam_unix.so
> 
> 
> (pretty simple!)
> 
> In your original email, you showed that you could authenticate as the 
> target user successfully.  Can you connect to sieve as the admin user (no 
> proxy-auth)?
> 
> Thanks,
>  	Andy
> 
> 
> On Mon, 21 Nov 2016, Michael Ulitskiy wrote:
> 
> > Andrew,
> >
> > Thanks for the reply. It's good to know it works for someone.
> > I've tried to downgrade cyrus to 2.4.18, but that didn't help.
> > sivtest doesn't provide much clue:
> >
> > root at rway-imap-vm:~# sivtest -a proxyadmin -u t4 at virtualcrap.com localhost
> > S: "IMPLEMENTATION" "Cyrus timsieved v2.4.18"
> > S: "SASL" "PLAIN"
> > S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope imap4flags relational regex subaddress copy"
> > S: "UNAUTHENTICATE"
> > S: OK
> > Please enter your password:
> > C: AUTHENTICATE "PLAIN" {48+}
> > <redacted>
> > S: NO "Authentication Error"
> > Authentication failed. generic failure
> > Security strength factor: 0
> >
> > while log is saying:
> > Nov 21 12:01:57 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
> > Nov 21 12:01:57 rway-imap-vm sieve[21483]: badlogin: localhost[127.0.0.1] PLAIN no mechanism available
> >
> > the same happens if I use admin user.
> > I also tried to change sasl_pwcheck_method to 'alwaystrue' to make sure no authentication problems stand in the way, but that also didn't help.
> > I'm at a loss now. Any more troubleshooting clues?
> >
> > Thanks,
> > Michael
> >
> > On Sunday, November 20, 2016 07:34:58 PM Andrew Morgan wrote:
> >> This works for me under v2.4.18.  I'm able to run sieveshell against a
> >> frontend or backend authenticating as a cyrus "admins" user or a
> >> "proxyservers" user (on the backend).
> >>
> >> Against a frontend:
> >>
> >> # sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu
> >> connecting to imap.onid.oregonstate.edu
> >> Please enter your password:
> >>> list
> >> onid-web
> >> real  <- active script
> >>> quit
> >>
> >>
> >> Against a backend:
> >>
> >> # sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu
> >> connecting to cyrus-be1.onid.oregonstate.edu
> >> Please enter your password:
> >>> list
> >> onid-web
> >> real  <- active script
> >>> quit
> >>
> >>
> >> My imapd.conf settings:
> >>
> >> admins: cyrus
> >> allowplaintext: 0
> >> sasl_mech_list: PLAIN
> >> sasl_minimum_layer: 0
> >> sasl_pwcheck_method: saslauthd
> >> sieve_allowreferrals: 0
> >> sieve_allowplaintext: 1
> >>
> >>
> >> Have you tried using the "sivtest" program?  It will show you the protocol
> >> handshakes, which might help.  Here is an example for me:
> >>
> >> # sivtest -u morgan -a cyrus localhost
> >> S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"
> >> S: "SASL" "PLAIN"
> >> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags
> >> notify envelope body relational regex subaddress copy"
> >> S: "STARTTLS"
> >> S: "UNAUTHENTICATE"
> >> S: OK
> >> Please enter your password:
> >> C: AUTHENTICATE "PLAIN" {28+}
> >> <redacted>
> >> S: OK
> >> Authenticated.
> >> Security strength factor: 0
> >> C: LOGOUT
> >> OK "Logout Complete"
> >> Connection closed.
> >>
> >>
> >>  	Andy
> >>
> >> On Sun, 20 Nov 2016, Michael Ulitskiy via Info-cyrus wrote:
> >>
> >>> Since nobody answered, I guess nobody has any idea.
> >>> I wonder if anybody uses this feature and it works for you?
> >>> I mean I'd like to know if that's just me and something is wrong with my setup, or maybe that feature isn't functional at all?
> >>> Thanks in advance,
> >>>
> >>> Michael
> >>>
> >>> On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via Info-cyrus wrote:
> >>>> Hello,
> >>>>
> >>>> I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26.
> >>>> I'm trying to use sieveshell to set up users' sieve scripts, but since
> >>>> I don't know users' passwords I want to use a special user for authentication
> >>>> and authorize as the target user.
> >>>> Here's what I have.
> >>>>
> >>>> imapd.conf:
> >>>> admins: mailadmin
> >>>> proxyservers: proxyadmin
> >>>> sasl_pwcheck_method: saslauthd
> >>>> #sasl_pwcheck_method: alwaystrue
> >>>> sasl_mech_list: PLAIN
> >>>> allowplaintext: yes
> >>>>
> >>>> here's what i do:
> >>>>
> >>>> root at rway-imap-vm:~# sieveshell -a proxyadmin -u t4 at virtualcrap.com localhost
> >>>> connecting to localhost
> >>>> Please enter your password:
> >>>> unable to connect to server at /usr/bin/sieveshell line 191, <STDIN> line 1.
> >>>>
> >>>> here's the log:
> >>>> Nov 17 18:24:44 rway-imap-vm sieve[2256]: TLS is available.
> >>>> Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
> >>>> Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN no mechanism available
> >>>> Nov 17 18:24:46 rway-imap-vm sieve[2256]: Lost connection to client -- exiting
> >>>>
> >>>> As you can see, user proxyadmin authenticated successfully, but then something (authorization?) went wrong
> >>>> and it says "PLAIN no mechanism available".
> >>>> This only happens if I try to authorize as a different user. If I don't, everything works fine:
> >>>>
> >>>> root at rway-imap-vm:~# sieveshell -a t4 at virtualcrap.com -u t4 at virtualcrap.com localhost
> >>>> connecting to localhost
> >>>> Please enter your password:
> >>>>>
> >>>>
> >>>> log:
> >>>> Nov 17 18:24:11 rway-imap-vm sieve[2247]: TLS is available.
> >>>> Nov 17 18:24:15 rway-imap-vm saslauthd[1167]: pam_userdb(sieve:auth): user 't4 at virtualcrap.com' granted access
> >>>> Nov 17 18:24:15 rway-imap-vm sieve[2247]: login: localhost [127.0.0.1] t4 at virtualcrap.com PLAIN User logged in
> >>>>
> >>>> The same happens with cyradm:
> >>>> root at rway-imap-vm:~# cyradm --user=proxyadmin --authz=t4 at virtualcrap.com --auth=plain localhost
> >>>> Password:
> >>>> IMAP Password:
> >>>>
> >>>> log:
> >>>> Nov 17 18:26:27 rway-imap-vm saslauthd[1166]: pam_userdb(imap:auth): user 'proxyadmin' granted access
> >>>> Nov 17 18:26:27 rway-imap-vm imap[2277]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-4): no mechanism available: Unable to find a callback: 32773]
> >>>>
> >>>> but OK without trying to authorize as a different user:
> >>>> root at rway-imap-vm:~# cyradm --user=t4 at virtualcrap.com --auth=plain localhost
> >>>> Password:
> >>>> localhost>
> >>>> Nov 17 18:27:31 rway-imap-vm saslauthd[1167]: pam_userdb(imap:auth): user 't4 at virtualcrap.com' granted access
> >>>> Nov 17 18:27:31 rway-imap-vm imap[2276]: login: localhost [127.0.0.1] t4 at virtualcrap.com PLAIN User logged in SESSIONID=<rway-imap.aceinnovative.com-2276-1479425249-1-16233364852996823733>
> >>>>
> >>>> Can somebody tell me what I am doing wrong?
> >>>> Thanks a lot,
> >>>>
> >>>> Michael
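Added example (not part of the thread, and not Cyrus or cyrus-sasl code): the SASL PLAIN exchange the thread is debugging, modelled in Python. It builds the RFC 4616 response (authzid NUL authcid NUL password) that `sieveshell -a/-u` and `cyradm --user/--authz` send, wraps it the way ManageSieve transmits it (base64 inside a `{N+}` literal, so the count sivtest prints is the base64 length), parses it on the server side, and then applies a simplified model of the admins/proxyservers rule. That policy function is an assumption about how Cyrus decides proxy authorization, not its actual implementation; the user names are taken from the thread, while the passwords and the `verify_password` callback are constructed.

```python
import base64

# Constructed sample configuration mirroring the imapd.conf lines quoted in the thread.
# This is example code added to the thread, not Cyrus's own implementation.
ADMINS = {"mailadmin"}
PROXYSERVERS = {"proxyadmin"}


def plain_message(authcid: str, password: str, authzid: str = "") -> bytes:
    """Build the RFC 4616 SASL PLAIN response: [authzid] NUL authcid NUL password.

    sieveshell -a AUTHCID -u AUTHZID (or cyradm --user/--authz) fills all three
    fields; leaving authzid empty means "authorize as the user who authenticated".
    """
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is the field separator and cannot appear in a field")
    return b"\0".join(f.encode("utf-8") for f in (authzid, authcid, password))


def managesieve_authenticate(message: bytes) -> str:
    """Wrap the PLAIN response the way ManageSieve (RFC 5804) sends it: base64 text
    inside a non-synchronizing literal. The {N+} count is the base64 length, which
    is the number sivtest shows in 'C: AUTHENTICATE "PLAIN" {N+}'."""
    b64 = base64.b64encode(message).decode("ascii")
    return f'AUTHENTICATE "PLAIN" {{{len(b64)}+}}\r\n{b64}\r\n'


def parse_plain(message: bytes) -> tuple[str, str, str]:
    """Server side: split the response and return (authzid, authcid, password),
    with an empty authzid resolved to the authcid."""
    parts = message.split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN response must contain exactly two NUL separators")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    if not authcid or not password:
        raise ValueError("authcid and password must be non-empty")
    return (authzid or authcid), authcid, password


def proxy_allowed(authcid: str, authzid: str) -> bool:
    """Simplified model (an assumption, not Cyrus's code) of the proxy policy:
    anyone may act as themselves; acting as someone else requires that the
    authenticated user be listed in admins or proxyservers."""
    if authzid == authcid:
        return True
    return authcid in ADMINS or authcid in PROXYSERVERS


def decide(message: bytes, verify_password) -> tuple[bool, str]:
    """Model the two steps the thread's logs show separately: the credential
    check (saslauthd/PAM only ever sees authcid and password, which is why the
    log says 'granted access') and then authorization, which is a server-side
    decision on the authzid. Returns (accepted, effective_user)."""
    authzid, authcid, password = parse_plain(message)
    if not verify_password(authcid, password):
        return False, ""
    if not proxy_allowed(authcid, authzid):
        return False, ""
    return True, authzid


if __name__ == "__main__":
    # Constructed credentials; only the user names are taken from the thread.
    passwords = {"proxyadmin": "secret", "t4@virtualcrap.com": "hunter2"}

    def check(user: str, pw: str) -> bool:
        return passwords.get(user) == pw

    proxy = plain_message("proxyadmin", "secret", authzid="t4@virtualcrap.com")
    print(managesieve_authenticate(proxy), end="")   # literal count is {48+}
    print(decide(proxy, check))                        # (True, 't4@virtualcrap.com')

    own = plain_message("t4@virtualcrap.com", "hunter2")
    print(decide(own, check))                          # (True, 't4@virtualcrap.com')

    # A plain user trying to act as the admin is refused at the policy step,
    # even though the password check on its own would have passed.
    bad = plain_message("t4@virtualcrap.com", "hunter2", authzid="mailadmin")
    print(decide(bad, check))                          # (False, '')
```

With the thread's user names and a six-byte placeholder password the literal comes out as `{48+}`, the same size the failing sivtest run shows, and with an eight-byte password for morgan/cyrus it is `{28+}`, matching the working run; the size alone therefore says nothing about whether the authzid will be accepted. Drop the `-a`/`--authz` user and the authzid field is empty, which is the shape of the logins that succeeded in the thread.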