i run saslauthd as follows:
/usr/sbin/saslauthd -a pam -m /var/state/saslauthd -n 4 -r
i guess the notable difference is option '-r', which combines realm with login username. i've tried to create a couple of unqualified users and run saslauthd without it with the same result - proxyauth doesn't work.
pam:
root@rway-imap-vm:~# cat /etc/pam.d/sieve
auth required pam_warn.so
auth required pam_userdb.so db=/etc/mail/virtpasswd crypt=crypt
account required pam_warn.so
account required pam_userdb.so db=/etc/mail/virtpasswd crypt=crypt
yes i can connect as target user or admin user or proxy user. proxyauth is the only problematic scenario. that's what puzzles me the most
On Monday, November 21, 2016 10:07:23 AM Andrew Morgan wrote:
> Maybe there is something wrong with your saslauthd parameters or PAM
> config?
>
> Here is what I use:
>
> saslauthd -a pam -c -t 300 -m /var/run/saslauthd -n 5
>
> # cat /etc/pam.d/sieve
> # PAM configuration file for Cyrus IMAP service
>
> auth sufficient pam_ldap.so
> auth required pam_unix.so
>
> account sufficient pam_ldap.so
> account required pam_unix.so
>
>
> (pretty simple!)
>
> In your original email, you showed that you could authenticate as the
> target user successfully. Can you connect to sieve as the admin user (no
> proxy-auth)?
>
> Thanks,
> Andy
>
>
> On Mon, 21 Nov 2016, Michael Ulitskiy wrote:
>
> > Andrew,
> >
> > Thanks for the reply. It's good to know it works for someone.
> > I've tried to downgrade cyrus to 2.4.18, but that didn't help.
> > sivtest doesn't provide much clue:
> >
> > root@rway-imap-vm:~# sivtest -a proxyadmin -u t4@xxxxxxxxxxxxxxx localhost
> > S: "IMPLEMENTATION" "Cyrus timsieved v2.4.18"
> > S: "SASL" "PLAIN"
> > S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope imap4flags relational regex subaddress copy"
> > S: "UNAUTHENTICATE"
> > S: OK
> > Please enter your password:
> > C: AUTHENTICATE "PLAIN" {48+}
> > <redacted>
> > S: NO "Authentication Error"
> > Authentication failed. generic failure
> > Security strength factor: 0
> >
> > while log is saying:
> > Nov 21 12:01:57 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
> > Nov 21 12:01:57 rway-imap-vm sieve[21483]: badlogin: localhost[127.0.0.1] PLAIN no mechanism available
> >
> > the same happens if I use admin user.
> > i also tried to change sasl_pwcheck_method to 'alwaystrue' to make sure no authentication problems stand in the way, but that also didn't help.
> > I'm at a loss now. Any more troubleshooting clues?
> >
> > Thanks,
> > Michael
> >
> > On Sunday, November 20, 2016 07:34:58 PM Andrew Morgan wrote:
> >> This works for me under v2.4.18. I'm able to run sieveshell against a
> >> frontend or backend authenticating as a cyrus "admins" user or a
> >> "proxyservers" user (on the backend).
> >>
> >> Against a frontend:
> >>
> >> # sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu
> >> connecting to imap.onid.oregonstate.edu
> >> Please enter your password:
> >>> list
> >> onid-web
> >> real <- active script
> >>> quit
> >>
> >>
> >> Against a backend:
> >>
> >> # sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu
> >> connecting to cyrus-be1.onid.oregonstate.edu
> >> Please enter your password:
> >>> list
> >> onid-web
> >> real <- active script
> >>> quit
> >>
> >>
> >> My imapd.conf settings:
> >>
> >> admins: cyrus
> >> allowplaintext: 0
> >> sasl_mech_list: PLAIN
> >> sasl_minimum_layer: 0
> >> sasl_pwcheck_method: saslauthd
> >> sieve_allowreferrals: 0
> >> sieve_allowplaintext: 1
> >>
> >>
> >> Have you tried using the "sivtest" program? It will show you the protocol
> >> handshakes, which might help. Here is an example for me:
> >>
> >> # sivtest -u morgan -a cyrus localhost
> >> S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"
> >> S: "SASL" "PLAIN"
> >> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags
> >> notify envelope body relational regex subaddress copy"
> >> S: "STARTTLS"
> >> S: "UNAUTHENTICATE"
> >> S: OK
> >> Please enter your password:
> >> C: AUTHENTICATE "PLAIN" {28+}
> >> <redacted>
> >> S: OK
> >> Authenticated.
> >> Security strength factor: 0
> >> C: LOGOUT
> >> OK "Logout Complete"
> >> Connection closed.
> >>
> >>
> >> Andy
> >>
> >> On Sun, 20 Nov 2016, Michael Ulitskiy via Info-cyrus wrote:
> >>
> >>> Since nobody answered, I guess, nobody has any idea.
> >>> I wonder if anybody uses this feature and it works for you?
> >>> I mean I'd like to know if that's just me and something is wrong with my setup or maybe that feature isn't functional at all?
> >>> Thanks in advance,
> >>>
> >>> Michael
> >>>
> >>> On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via Info-cyrus wrote:
> >>>> Hello,
> >>>>
> >>>> I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26.
> >>>> i'm trying to use sieveshell to set up users' sieve scripts, but since
> >>>> i don't know users' passwords i want to use a special user for authentication
> >>>> and authorize as the target user.
> >>>> Here's what I have.
> >>>>
> >>>> imapd.conf:
> >>>> admins: mailadmin
> >>>> proxyservers: proxyadmin
> >>>> sasl_pwcheck_method: saslauthd
> >>>> #sasl_pwcheck_method: alwaystrue
> >>>> sasl_mech_list: PLAIN
> >>>> allowplaintext: yes
> >>>>
> >>>> here's what i do:
> >>>>
> >>>> root@rway-imap-vm:~# sieveshell -a proxyadmin -u t4@xxxxxxxxxxxxxxx localhost
> >>>> connecting to localhost
> >>>> Please enter your password:
> >>>> unable to connect to server at /usr/bin/sieveshell line 191, <STDIN> line 1.
> >>>>
> >>>> here's the log:
> >>>> Nov 17 18:24:44 rway-imap-vm sieve[2256]: TLS is available.
> >>>> Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
> >>>> Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN no mechanism available
> >>>> Nov 17 18:24:46 rway-imap-vm sieve[2256]: Lost connection to client -- exiting
> >>>>
> >>>> as you can see user proxyadmin authenticated successfully, but then something (authorization?) went wrong
> >>>> and it says "PLAIN no mechanism available".
> >>>> this only happens if i try to authorize as different user. if i don't everything works fine:
> >>>>
> >>>> root@rway-imap-vm:~# sieveshell -a t4@xxxxxxxxxxxxxxx -u t4@xxxxxxxxxxxxxxx localhost
> >>>> connecting to localhost
> >>>> Please enter your password:
> >>>>>
> >>>>
> >>>> log:
> >>>> Nov 17 18:24:11 rway-imap-vm sieve[2247]: TLS is available.
> >>>> Nov 17 18:24:15 rway-imap-vm saslauthd[1167]: pam_userdb(sieve:auth): user 't4@xxxxxxxxxxxxxxx' granted access
> >>>> Nov 17 18:24:15 rway-imap-vm sieve[2247]: login: localhost [127.0.0.1] t4@xxxxxxxxxxxxxxx PLAIN User logged in
> >>>>
> >>>> the same happens to cyradm:
> >>>> root@rway-imap-vm:~# cyradm --user=proxyadmin --authz=t4@xxxxxxxxxxxxxxx --auth=plain localhost
> >>>> Password:
> >>>> IMAP Password:
> >>>>
> >>>> log:
> >>>> Nov 17 18:26:27 rway-imap-vm saslauthd[1166]: pam_userdb(imap:auth): user 'proxyadmin' granted access
> >>>> Nov 17 18:26:27 rway-imap-vm imap[2277]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-4): no mechanism available: Unable to find a callback: 32773]
> >>>>
> >>>> but ok without trying to authorize as different user:
> >>>> root@rway-imap-vm:~# cyradm --user=t4@xxxxxxxxxxxxxxx --auth=plain localhost
> >>>> Password:
> >>>> localhost>
> >>>> Nov 17 18:27:31 rway-imap-vm saslauthd[1167]: pam_userdb(imap:auth): user 't4@xxxxxxxxxxxxxxx' granted access
> >>>> Nov 17 18:27:31 rway-imap-vm imap[2276]: login: localhost [127.0.0.1] t4@xxxxxxxxxxxxxxx PLAIN User logged in SESSIONID=<rway-imap.aceinnovative.com-2276-1479425249-1-16233364852996823733>
> >>>>
> >>>> Can somebody tell me what I am doing wrong?
> >>>> Thanks a lot,
> >>>>
> >>>> Michael
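Added example, not part of the thread and not code from the Cyrus project: a small log check for the symptom shown in the quoted logs, where saslauthd reports "granted access" and the sieve or imap process then logs "badlogin". The host name and target user address in the sample are constructed placeholders, and pairing lines by service name and time is an assumption, since saslauthd does not log which client connection it answered.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the log lines quoted in the thread;
# host name and the target user's address are placeholders.
SAMPLE_LOG = """\
Nov 17 18:24:15 mailhost saslauthd[1167]: pam_userdb(sieve:auth): user 'user@example.test' granted access
Nov 17 18:24:15 mailhost sieve[2247]: login: localhost [127.0.0.1] user@example.test PLAIN User logged in
Nov 17 18:24:46 mailhost saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
Nov 17 18:24:46 mailhost sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN no mechanism available
Nov 17 18:26:27 mailhost saslauthd[1166]: pam_userdb(imap:auth): user 'proxyadmin' granted access
Nov 17 18:26:27 mailhost imap[2277]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-4): no mechanism available: Unable to find a callback: 32773]
"""

STAMP = r"(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ "
GRANT = re.compile(STAMP + r"saslauthd\[\d+\]: pam_\w+\((?P<svc>\w+):auth\): "
                           r"user '(?P<user>[^']+)' granted access")
RESULT = re.compile(STAMP + r"(?P<svc>\w+)\[\d+\]: (?P<kind>badlogin|login): (?P<rest>.*)")


def parse_ts(text):
    # syslog omits the year; a fixed one is enough to compare nearby lines
    return datetime.strptime("2016 " + text, "%Y %b %d %H:%M:%S")


def accepted_but_refused(log_text, window=timedelta(seconds=5)):
    """Return (time, service, user, reason) for each badlogin that follows a
    saslauthd 'granted access' for the same service within `window`."""
    pending, findings = [], []
    for line in log_text.splitlines():
        if m := GRANT.match(line):
            pending.append((parse_ts(m["ts"]), m["svc"], m["user"]))
        elif m := RESULT.match(line):
            now = parse_ts(m["ts"])
            # forget grants too old to belong to this connection
            pending = [p for p in pending if now - p[0] <= window]
            match = next((p for p in pending if p[1] == m["svc"]), None)
            if match is None:
                continue
            pending.remove(match)
            if m["kind"] == "badlogin":
                findings.append((m["ts"], m["svc"], match[2], m["rest"]))
    return findings


if __name__ == "__main__":
    for ts, svc, user, reason in accepted_but_refused(SAMPLE_LOG):
        print(f"{ts} {svc}: password check passed for {user!r}, login refused: {reason}")
```

Each finding marks a login where the password backend said yes and the service still refused, which narrows the search to what happens after the saslauthd call rather than to PAM or the password database.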