Can't authorize as different user in cyradm and sieveshell
Andrew Morgan
morgan at orst.edu
Mon Nov 21 16:43:58 EST 2016
I'm using Debian packages for sasl. Here is what libsasl2-modules
includes:
/usr/lib/x86_64-linux-gnu/sasl2/libplain.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/liblogin.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libntlm.so.2.0.25
But in my imapd.conf, I'm not specifying any auxprop plugins:
# grep sasl /etc/imapd.conf
sasl_mech_list: PLAIN
sasl_minimum_layer: 0
#sasl_maximum_layer: 256
sasl_pwcheck_method: saslauthd
Since we are using saslauthd, we don't use auxprop plugins, I think...
Andy
On Mon, 21 Nov 2016, Michael Ulitskiy wrote:
> I'm trying to read the code, and it seems that it tries to look up the authorization id
> in an auxprop plugin. Since I don't have any auxprop plugins, that returns SASL_NOMECH and results
> in the error I'm seeing.
>
> By any chance do you have any auxprop plugin defined?
>
> On Monday, November 21, 2016 10:07:23 AM Andrew Morgan wrote:
>> Maybe there is something wrong with your saslauthd parameters or PAM
>> config?
>>
>> Here is what I use:
>>
>> saslauthd -a pam -c -t 300 -m /var/run/saslauthd -n 5
>>
>> # cat /etc/pam.d/sieve
>> # PAM configuration file for Cyrus IMAP service
>>
>> auth sufficient pam_ldap.so
>> auth required pam_unix.so
>>
>> account sufficient pam_ldap.so
>> account required pam_unix.so
>>
>>
>> (pretty simple!)
>>
>> In your original email, you showed that you could authenticate as the
>> target user successfully. Can you connect to sieve as the admin user (no
>> proxy-auth)?
>>
>> Thanks,
>> Andy
>>
>>
>> On Mon, 21 Nov 2016, Michael Ulitskiy wrote:
>>
>>> Andrew,
>>>
>>> Thanks for the reply. It's good to know it works for someone.
>>> I've tried to downgrade cyrus to 2.4.18, but that didn't help.
>>> sivtest doesn't provide much clue:
>>>
>>> root at rway-imap-vm:~# sivtest -a proxyadmin -u t4 at virtualcrap.com localhost
>>> S: "IMPLEMENTATION" "Cyrus timsieved v2.4.18"
>>> S: "SASL" "PLAIN"
>>> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope imap4flags relational regex subaddress copy"
>>> S: "UNAUTHENTICATE"
>>> S: OK
>>> Please enter your password:
>>> C: AUTHENTICATE "PLAIN" {48+}
>>> <redacted>
>>> S: NO "Authentication Error"
>>> Authentication failed. generic failure
>>> Security strength factor: 0
>>>
>>> while log is saying:
>>> Nov 21 12:01:57 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
>>> Nov 21 12:01:57 rway-imap-vm sieve[21483]: badlogin: localhost[127.0.0.1] PLAIN no mechanism available
>>>
>>> The same happens if I use the admin user.
>>> I also tried changing sasl_pwcheck_method to 'alwaystrue' to make sure no authentication problems stand in the way, but that also didn't help.
>>> I'm at a loss now. Any more troubleshooting clues?
>>>
>>> Thanks,
>>> Michael
>>>
>>> On Sunday, November 20, 2016 07:34:58 PM Andrew Morgan wrote:
>>>> This works for me under v2.4.18. I'm able to run sieveshell against a
>>>> frontend or backend authenticating as a cyrus "admins" user or a
>>>> "proxyservers" user (on the backend).
>>>>
>>>> Against a frontend:
>>>>
>>>> # sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu
>>>> connecting to imap.onid.oregonstate.edu
>>>> Please enter your password:
>>>>> list
>>>> onid-web
>>>> real <- active script
>>>>> quit
>>>>
>>>>
>>>> Against a backend:
>>>>
>>>> # sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu
>>>> connecting to cyrus-be1.onid.oregonstate.edu
>>>> Please enter your password:
>>>>> list
>>>> onid-web
>>>> real <- active script
>>>>> quit
>>>>
>>>>
>>>> My imapd.conf settings:
>>>>
>>>> admins: cyrus
>>>> allowplaintext: 0
>>>> sasl_mech_list: PLAIN
>>>> sasl_minimum_layer: 0
>>>> sasl_pwcheck_method: saslauthd
>>>> sieve_allowreferrals: 0
>>>> sieve_allowplaintext: 1
>>>>
>>>>
>>>> Have you tried using the "sivtest" program? It will show you the protocol
>>>> handshakes, which might help. Here is an example for me:
>>>>
>>>> # sivtest -u morgan -a cyrus localhost
>>>> S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"
>>>> S: "SASL" "PLAIN"
>>>> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags
>>>> notify envelope body relational regex subaddress copy"
>>>> S: "STARTTLS"
>>>> S: "UNAUTHENTICATE"
>>>> S: OK
>>>> Please enter your password:
>>>> C: AUTHENTICATE "PLAIN" {28+}
>>>> <redacted>
>>>> S: OK
>>>> Authenticated.
>>>> Security strength factor: 0
>>>> C: LOGOUT
>>>> OK "Logout Complete"
>>>> Connection closed.
>>>>
>>>>
>>>> Andy
>>>>
>>>> On Sun, 20 Nov 2016, Michael Ulitskiy via Info-cyrus wrote:
>>>>
>>>>> Since nobody answered, I guess, nobody has any idea.
>>>>> I wonder if anybody uses this feature and it works for you?
>>>>> I mean I'd like to know if that's just me and something is wrong with my setup or may be that feature isn't functional at all?
>>>>> Thanks in advance,
>>>>>
>>>>> Michael
>>>>>
>>>>> On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via Info-cyrus wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26.
>>>>>> I'm trying to use sieveshell to set up users' sieve scripts, but since
>>>>>> I don't know the users' passwords I want to use a special user for authentication
>>>>>> and authorize as the target user.
>>>>>> Here's what I have.
>>>>>>
>>>>>> imapd.conf:
>>>>>> admins: mailadmin
>>>>>> proxyservers: proxyadmin
>>>>>> sasl_pwcheck_method: saslauthd
>>>>>> #sasl_pwcheck_method: alwaystrue
>>>>>> sasl_mech_list: PLAIN
>>>>>> allowplaintext: yes
>>>>>>
>>>>>> Here's what I do:
>>>>>>
>>>>>> root at rway-imap-vm:~# sieveshell -a proxyadmin -u t4 at virtualcrap.com localhost
>>>>>> connecting to localhost
>>>>>> Please enter your password:
>>>>>> unable to connect to server at /usr/bin/sieveshell line 191, <STDIN> line 1.
>>>>>>
>>>>>> Here's the log:
>>>>>> Nov 17 18:24:44 rway-imap-vm sieve[2256]: TLS is available.
>>>>>> Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
>>>>>> Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN no mechanism available
>>>>>> Nov 17 18:24:46 rway-imap-vm sieve[2256]: Lost connection to client -- exiting
>>>>>>
>>>>>> As you can see, user proxyadmin authenticated successfully, but then something (authorization?) went wrong
>>>>>> and it says "PLAIN no mechanism available".
>>>>>> This only happens if I try to authorize as a different user. If I don't, everything works fine:
>>>>>>
>>>>>> root at rway-imap-vm:~# sieveshell -a t4 at virtualcrap.com -u t4 at virtualcrap.com localhost
>>>>>> connecting to localhost
>>>>>> Please enter your password:
>>>>>>>
>>>>>>
>>>>>> log:
>>>>>> Nov 17 18:24:11 rway-imap-vm sieve[2247]: TLS is available.
>>>>>> Nov 17 18:24:15 rway-imap-vm saslauthd[1167]: pam_userdb(sieve:auth): user 't4 at virtualcrap.com' granted access
>>>>>> Nov 17 18:24:15 rway-imap-vm sieve[2247]: login: localhost [127.0.0.1] t4 at virtualcrap.com PLAIN User logged in
>>>>>>
>>>>>> The same happens with cyradm:
>>>>>> root at rway-imap-vm:~# cyradm --user=proxyadmin --authz=t4 at virtualcrap.com --auth=plain localhost
>>>>>> Password:
>>>>>> IMAP Password:
>>>>>>
>>>>>> log:
>>>>>> Nov 17 18:26:27 rway-imap-vm saslauthd[1166]: pam_userdb(imap:auth): user 'proxyadmin' granted access
>>>>>> Nov 17 18:26:27 rway-imap-vm imap[2277]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-4): no mechanism available: Unable to find a callback: 32773]
>>>>>>
>>>>>> But it is OK without trying to authorize as a different user:
>>>>>> root at rway-imap-vm:~# cyradm --user=t4 at virtualcrap.com --auth=plain localhost
>>>>>> Password:
>>>>>> localhost>
>>>>>> Nov 17 18:27:31 rway-imap-vm saslauthd[1167]: pam_userdb(imap:auth): user 't4 at virtualcrap.com' granted access
>>>>>> Nov 17 18:27:31 rway-imap-vm imap[2276]: login: localhost [127.0.0.1] t4 at virtualcrap.com PLAIN User logged in SESSIONID=<rway-imap.aceinnovative.com-2276-1479425249-1-16233364852996823733>
>>>>>>
>>>>>> Can somebody tell me what I am doing wrong?
>>>>>> Thanks a lot,
>>>>>>
>>>>>> Michael
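The SASL PLAIN exchange shown in the sivtest traces above, as an added example that is not from the thread or from Cyrus: it builds and decodes the RFC 4616 message (authzid NUL authcid NUL password), reproduces the `{N+}` literal length the client announces, and applies a simplified proxy-policy model assumed from the thread (only an "admins" or "proxyservers" user may authorize as someone else). The passwords are constructed placeholders; the real Cyrus SASL decision path (auxprop lookup, SASL_NOMECH) is not modelled.

```python
import base64

# SASL PLAIN (RFC 4616): message = [authzid] NUL authcid NUL passwd, base64-encoded on the wire.
# authzid is empty when the client does not ask to act as another user.


def build_plain(authcid: str, password: str, authzid: str = "") -> bytes:
    """Encode a PLAIN message; NUL is the separator, so it may not appear in any field."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw)


def parse_plain(encoded: bytes) -> dict:
    """Decode a PLAIN message; an empty authzid defaults to the authcid (RFC 4616 section 2)."""
    parts = base64.b64decode(encoded, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return {
        "authzid": authzid or authcid,
        "authcid": authcid,
        "password": password,
        "proxy": bool(authzid) and authzid != authcid,  # a proxy-auth request?
    }


def sieve_authenticate_line(encoded: bytes) -> str:
    """The client line sivtest prints: the {N+} literal length is the base64 length."""
    return f'AUTHENTICATE "PLAIN" {{{len(encoded)}+}}'


def proxy_allowed(msg: dict, admins: set, proxyservers: set) -> bool:
    """Simplified model (assumption): anyone may act as themselves; only an admins or
    proxyservers user may authorize as a different user."""
    if not msg["proxy"]:
        return True
    return msg["authcid"] in admins or msg["authcid"] in proxyservers


if __name__ == "__main__":
    # Michael's proxy attempt: -a proxyadmin -u t4@virtualcrap.com (password constructed).
    wire = build_plain("proxyadmin", "secret", authzid="t4@virtualcrap.com")
    print(sieve_authenticate_line(wire))  # 36 raw bytes -> 48 base64 bytes
    print(parse_plain(wire)["proxy"], proxy_allowed(parse_plain(wire), {"mailadmin"}, {"proxyadmin"}))
```

Decoding the client literal from a trace is a quick way to confirm whether a failing login actually requested a proxy authorization or merely repeated the same identity twice.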