Re: imapd is not talking to saslauthd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



OK.  Major brain fart, since I'm trying to do 5 things at once.  saslauthd will only be using for verifying plaintext passwords -- meaning its only used for plaintext authentication methods.  Your imtest is trying to use SCRAM by default.

Add '-m plain' to your imtest and see what happens.

If you want to do your auth using only PAM, you will have to disable non-plaintext SASL mechs for Cyrus.  Add the following to imapd.conf:

sasl_mech_list: PLAIN LOGIN



On 01/30/2018 06:51 PM, Michael Rüger wrote:
After enabling debug and restarting saslauthd and retrigger imtest, saslauthd gets no request. 

root@cyrus3:/etc # /usr/local/etc/rc.d/saslauthd restart
Stopping saslauthd.
Waiting for PIDS: 88717.
Starting saslauthd.
saslauthd[90858] :main            : num_procs  : 5
saslauthd[90858] :main            : mech_option: NULL
saslauthd[90858] :main            : run_path   : /var/run/saslauthd
saslauthd[90858] :main            : auth_mech  : pam
saslauthd[90858] :ipc_init        : using accept lock file: /var/run/saslauthd/mux.accept
saslauthd[90858] :detach_tty      : master pid is: 0
saslauthd[90858] :ipc_init        : listening on socket: /var/run/saslauthd/mux
saslauthd[90858] :main            : using process model
saslauthd[90858] :have_baby       : forked child: 90859
saslauthd[90859] :get_accept_lock : acquired accept lock
saslauthd[90858] :have_baby       : forked child: 90860
saslauthd[90858] :have_baby       : forked child: 90861
saslauthd[90858] :have_baby       : forked child: 90862


Am 31.01.2018 um 00:39 schrieb Ken Murchison <murch@xxxxxxxxxxxx>:

You're understanding is correct.  Can you run saslauthd with the -d (debug) command line option and see if it sheds any light?



On 01/30/2018 06:31 PM, Michael Rüger wrote:
Yes, Ken. The whole jail is freshly fired up. Yes it seems that imapd is not calling saslauthd at all. I wondered if saslauthd support is even compiled in.

But if i understand the architecture correctly (and please correct me if i’m wrong), imap is using the sasl lib, and the sasl lib should have saslauthd support compiled in. This is as far as i can see configured by HAVE_SASLAUTHD. I have compiled the cyrus-sasl lib myself to verify that

config.h:#define HAVE_SASLAUTHD /**/

is enabled and

root@cyrus3:/usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.26/ # strings /usr/local/lib/libsasl2.so | grep saslauthd
saslauthd_path
/var/run/saslauthd
cannot create socket for saslauthd: %m
cannot connect to saslauthd server: %m

gives me confidence that it is compiled in.

I also tried to „dtrace“ into imapd, but had no success. FreeBSD’s dtrace has some problems inside a jail.

So i guess i miss something tiny but important ;)

Thx again for your support.
Mike


Am 31.01.2018 um 00:09 schrieb Ken Murchison <murch@xxxxxxxxxxxx>:

Has Cyrus IMAP been restarted since switching to saslauthd?  It doesn't look like Cyrus is even trying to use saslauthd.


On 01/30/2018 06:03 PM, Michael Rüger wrote:
Struggled with enabling local6. The trick was to touch the new syslog output file before restarting syslog with this new line

local6.*   /var/log/local6


root@cyrus3:/var/log # cat local6
Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops
Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]


Am 30.01.2018 um 23:41 schrieb Ken Murchison <murch@xxxxxxxxxxxx>:

Hmm.

I just switched my dev box to using saslauthd and it just worked.  I'm sure your problem is something simple, but its escaping me at the moment. 

When imtest fails, what is logged in the Cyrus IMAP log (wherever local6 is logged)



On 01/30/2018 05:34 PM, Michael Rüger wrote:
Ken, thank you for jumping in!

Some more info: the apps run as the following users and groups

root@cyrus3:~ # ps aux
USER    PID %CPU %MEM    VSZ  RSS TT  STAT STARTED    TIME COMMAND
root  88686  0.0  0.0  10500 2044  -  SsJ  21:40   0:00.02 /usr/sbin/syslogd -s
root  88717  0.0  0.1  43928 4360  -  IsJ  21:40   0:00.01 /usr/local/sbin/saslauthd -a pam
root  88718  0.0  0.1  43928 4360  -  IJ   21:40   0:00.01 /usr/local/sbin/saslauthd -a pam
root  88720  0.0  0.1  43928 4276  -  IJ   21:40   0:00.00 /usr/local/sbin/saslauthd -a pam
root  88721  0.0  0.1  43928 4360  -  IJ   21:40   0:00.01 /usr/local/sbin/saslauthd -a pam
root  88722  0.0  0.1  43928 4276  -  IJ   21:40   0:00.00 /usr/local/sbin/saslauthd -a pam
cyrus 88724  0.0  0.1  65504 5884  -  SsJ  21:40   0:00.07 /usr/local/cyrus/libexec/master -d

root@cyrus3:~ # su - cyrus
% id
uid=60(cyrus) gid=60(cyrus) groups=60(cyrus),1003(saslauth)


Am 30.01.2018 um 23:25 schrieb Michael Rüger <michael.g.rueger@xxxxxxxxx>:

root@cyrus3:~ # ls -la /var/run/saslauthd/
total 13
drwxr-x---  2 cyrus  saslauth   5 Jan 30 21:40 .
drwxr-xr-x  6 root   wheel     15 Jan 30 21:40 ..
srwxrwxrwx  1 root   saslauth   0 Jan 30 21:40 mux
-rw-------  1 root   saslauth   0 Jan 30 21:40 mux.accept
-rw-------  1 root   saslauth   6 Jan 30 21:40 saslauthd.pid

Am 30.01.2018 um 23:23 schrieb Ken Murchison <murch@xxxxxxxxxxxx>:

Hi Michael,

What are the permissions on the socket that saslauthd is listening on?



On 01/30/2018 05:06 PM, Michael Rüger wrote:
Hi

(btw. i was Guest39278 on IRC yesterday and got the chance to introduce myself on googletalk)

I’m trying to set up imapd to use saslauthd for authentication.

I have already a running saslauthd which uses PAM. I can run this

root@cyrus3:/ # testsaslauthd -u mike -p mike
0: OK "Success.“

and if i run

root@cyrus3:/ # testsaslauthd -u mike -p abc
0: NO "authentication failed“

i get that logged in auth.log like this

Jan 30 21:43:53 cyrus3 saslauthd[88721]: do_auth         : auth failure: [user=mike] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]

In imapd.conf i have

sasl_pwcheck_method: saslauthd

Now i’m authenticate against imapd

root@cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=18:self signed certificate
TLS connection established: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SEARCH=FUZZY SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES THREAD=REFS ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS LIST-METADATA WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE DIGEST=SHA1 X-REPLICATION URLAUTH URLAUTH=BINARY AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE
S: C01 OK Completed
C: A01 AUTHENTICATE SCRAM-SHA-1 bixhPW1pa2Usbj1taWtlLHI9Z2Z1Ukp1cVc1Z1BybHhaWTdFcjVYUDR2WUtuMVhRNHc=
S: A01 NO authentication failure
Authentication failed. generic failure
Security strength factor: 256

Nothing is reported in auth.conf

If i do this

root@cyrus3:~ # saslpasswd2 -c mike@xxxxxxxxxxxxxxxxxxxxxxx
…<entering „mike“ twice here>
root@cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
C: S01 STARTTLS
Authenticated.
Security strength factor: 256

it is working against local db BUT NOT against saslauthd.

How do i setup imapd to talk to saslauthd?

BTW i’m using 
* cyrus-imapd30-3.0.5
* cyrus-sasl-2.1.26_13
* cyrus-sasl-saslauthd-2.1.26_3
on FreeBSD 11.1

Thank you for any help,
Mike


-- 
Ken Murchison
Cyrus Development Team
FastMail US LLC
<murch.vcf>



-- 
Ken Murchison
Cyrus Development Team
FastMail US LLC
<murch.vcf>


-- 
Ken Murchison
Cyrus Development Team
FastMail US LLC
<murch.vcf>


-- 
Ken Murchison
Cyrus Development Team
FastMail US LLC
<murch.vcf>


-- 
Ken Murchison
Cyrus Development Team
FastMail US LLC
null

[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux