Re: Can't authorize as different user in cyradm and sieveshell

I run saslauthd as follows:

 

/usr/sbin/saslauthd -a pam -m /var/state/saslauthd -n 4 -r

 

I guess the notable difference is option '-r', which combines realm with login username.

I've tried to create a couple of unqualified users and run saslauthd without it, with the same result - proxyauth doesn't work.

 

pam:

 

root@rway-imap-vm:~# cat /etc/pam.d/sieve
auth required pam_warn.so
auth required pam_userdb.so db=/etc/mail/virtpasswd crypt=crypt
account required pam_warn.so
account required pam_userdb.so db=/etc/mail/virtpasswd crypt=crypt

 

Yes, I can connect as target user or admin user or proxy user. Proxyauth is the only problematic scenario.

That's what puzzles me the most.

 

On Monday, November 21, 2016 10:07:23 AM Andrew Morgan wrote:

> Maybe there is something wrong with your saslauthd parameters or PAM

> config?

>

> Here is what I use:

>

> saslauthd -a pam -c -t 300 -m /var/run/saslauthd -n 5

>

> # cat /etc/pam.d/sieve

> # PAM configuration file for Cyrus IMAP service

>

> auth sufficient pam_ldap.so

> auth required pam_unix.so

>

> account sufficient pam_ldap.so

> account required pam_unix.so

>

>

> (pretty simple!)

>

> In your original email, you showed that you could authenticate as the

> target user successfully. Can you connect to sieve as the admin user (no

> proxy-auth)?

>

> Thanks,

> Andy

>

>

> On Mon, 21 Nov 2016, Michael Ulitskiy wrote:

>

> > Andrew,

> >

> > Thanks for the reply. It's good to know it works for someone.

> > I've tried to downgrade cyrus to 2.4.18, but that didn't help.

> > sivtest doesn't provide much clue:

> >

> > root@rway-imap-vm:~# sivtest -a proxyadmin -u t4@xxxxxxxxxxxxxxx localhost

> > S: "IMPLEMENTATION" "Cyrus timsieved v2.4.18"

> > S: "SASL" "PLAIN"

> > S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope imap4flags relational regex subaddress copy"

> > S: "UNAUTHENTICATE"

> > S: OK

> > Please enter your password:

> > C: AUTHENTICATE "PLAIN" {48+}

> > <redacted>

> > S: NO "Authentication Error"

> > Authentication failed. generic failure

> > Security strength factor: 0

> >

> > while log is saying:

> > Nov 21 12:01:57 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access

> > Nov 21 12:01:57 rway-imap-vm sieve[21483]: badlogin: localhost[127.0.0.1] PLAIN no mechanism available

> >

> > the same happens if I use admin user.

> > I also tried to change sasl_pwcheck_method to 'alwaystrue' to make sure no authentication problems stand in the way, but that also didn't help.

> > I'm at a loss now. Any more troubleshooting clues?

> >

> > Thanks,

> > Michael

> >

> > On Sunday, November 20, 2016 07:34:58 PM Andrew Morgan wrote:

> >> This works for me under v2.4.18. I'm able to run sieveshell against a

> >> frontend or backend authenticating as a cyrus "admins" user or a

> >> "proxyservers" user (on the backend).

> >>

> >> Against a frontend:

> >>

> >> # sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu

> >> connecting to imap.onid.oregonstate.edu

> >> Please enter your password:

> >>> list

> >> onid-web

> >> real <- active script

> >>> quit

> >>

> >>

> >> Against a backend:

> >>

> >> # sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu

> >> connecting to cyrus-be1.onid.oregonstate.edu

> >> Please enter your password:

> >>> list

> >> onid-web

> >> real <- active script

> >>> quit

> >>

> >>

> >> My imapd.conf settings:

> >>

> >> admins: cyrus

> >> allowplaintext: 0

> >> sasl_mech_list: PLAIN

> >> sasl_minimum_layer: 0

> >> sasl_pwcheck_method: saslauthd

> >> sieve_allowreferrals: 0

> >> sieve_allowplaintext: 1

> >>

> >>

> >> Have you tried using the "sivtest" program? It will show you the protocol

> >> handshakes, which might help. Here is an example for me:

> >>

> >> # sivtest -u morgan -a cyrus localhost

> >> S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"

> >> S: "SASL" "PLAIN"

> >> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags

> >> notify envelope body relational regex subaddress copy"

> >> S: "STARTTLS"

> >> S: "UNAUTHENTICATE"

> >> S: OK

> >> Please enter your password:

> >> C: AUTHENTICATE "PLAIN" {28+}

> >> <redacted>

> >> S: OK

> >> Authenticated.

> >> Security strength factor: 0

> >> C: LOGOUT

> >> OK "Logout Complete"

> >> Connection closed.

> >>

> >>

> >> Andy

> >>

> >> On Sun, 20 Nov 2016, Michael Ulitskiy via Info-cyrus wrote:

> >>

> >>> Since nobody answered, I guess, nobody has any idea.

> >>> I wonder if anybody uses this feature and it works for you?

> >>> I mean I'd like to know if that's just me and something is wrong with my setup or maybe that feature isn't functional at all?

> >>> Thanks in advance,

> >>>

> >>> Michael

> >>>

> >>> On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via Info-cyrus wrote:

> >>>> Hello,

> >>>>

> >>>> I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26.

> >>>> I'm trying to use sieveshell to set up users' sieve scripts, but since

> >>>> I don't know users' passwords I want to use a special user for authentication

> >>>> and authorize as the target user.

> >>>> Here's what I have.

> >>>>

> >>>> imapd.conf:

> >>>> admins: mailadmin

> >>>> proxyservers: proxyadmin

> >>>> sasl_pwcheck_method: saslauthd

> >>>> #sasl_pwcheck_method: alwaystrue

> >>>> sasl_mech_list: PLAIN

> >>>> allowplaintext: yes

> >>>>

> >>>> here's what I do:

> >>>>

> >>>> root@rway-imap-vm:~# sieveshell -a proxyadmin -u t4@xxxxxxxxxxxxxxx localhost

> >>>> connecting to localhost

> >>>> Please enter your password:

> >>>> unable to connect to server at /usr/bin/sieveshell line 191, <STDIN> line 1.

> >>>>

> >>>> here's the log:

> >>>> Nov 17 18:24:44 rway-imap-vm sieve[2256]: TLS is available.

> >>>> Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access

> >>>> Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN no mechanism available

> >>>> Nov 17 18:24:46 rway-imap-vm sieve[2256]: Lost connection to client -- exiting

> >>>>

> >>>> As you can see, user proxyadmin authenticated successfully, but then something (authorization?) went wrong

> >>>> and it says "PLAIN no mechanism available".

> >>>> This only happens if I try to authorize as a different user. If I don't, everything works fine:

> >>>>

> >>>> root@rway-imap-vm:~# sieveshell -a t4@xxxxxxxxxxxxxxx -u t4@xxxxxxxxxxxxxxx localhost

> >>>> connecting to localhost

> >>>> Please enter your password:

> >>>>>

> >>>>

> >>>> log:

> >>>> Nov 17 18:24:11 rway-imap-vm sieve[2247]: TLS is available.

> >>>> Nov 17 18:24:15 rway-imap-vm saslauthd[1167]: pam_userdb(sieve:auth): user 't4@xxxxxxxxxxxxxxx' granted access

> >>>> Nov 17 18:24:15 rway-imap-vm sieve[2247]: login: localhost [127.0.0.1] t4@xxxxxxxxxxxxxxx PLAIN User logged in

> >>>>

> >>>> the same happens to cyradm:

> >>>> root@rway-imap-vm:~# cyradm --user=proxyadmin --authz=t4@xxxxxxxxxxxxxxx --auth=plain localhost

> >>>> Password:

> >>>> IMAP Password:

> >>>>

> >>>> log:

> >>>> Nov 17 18:26:27 rway-imap-vm saslauthd[1166]: pam_userdb(imap:auth): user 'proxyadmin' granted access

> >>>> Nov 17 18:26:27 rway-imap-vm imap[2277]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-4): no mechanism available: Unable to find a callback: 32773]

> >>>>

> >>>> but ok without trying to authorize as different user:

> >>>> root@rway-imap-vm:~# cyradm --user=t4@xxxxxxxxxxxxxxx --auth=plain localhost

> >>>> Password:

> >>>> localhost>

> >>>> Nov 17 18:27:31 rway-imap-vm saslauthd[1167]: pam_userdb(imap:auth): user 't4@xxxxxxxxxxxxxxx' granted access

> >>>> Nov 17 18:27:31 rway-imap-vm imap[2276]: login: localhost [127.0.0.1] t4@xxxxxxxxxxxxxxx PLAIN User logged in SESSIONID=<rway-imap.aceinnovative.com-2276-1479425249-1-16233364852996823733>

> >>>>

> >>>> Can somebody tell me what I am doing wrong?

> >>>> Thanks a lot,

> >>>>

> >>>> Michael
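
The log pattern discussed in this thread (saslauthd grants access, then the Cyrus service logs `badlogin` in the same second) can be picked out of syslog automatically. The following is an added example, not code from the thread or from the Cyrus project; the function name, the `example.test` placeholder domain and the assumed year are illustrative, and the callback name is the value Cyrus SASL's `sasl.h` assigns to id 0x8005.

```python
import re
from datetime import datetime, timedelta

# Log lines quoted in the thread; the redacted domain is replaced by the
# placeholder example.test. Syslog omits the year, so 2016 is assumed.
SAMPLE_LOG = """\
Nov 17 18:24:15 rway-imap-vm saslauthd[1167]: pam_userdb(sieve:auth): user 't4@example.test' granted access
Nov 17 18:24:15 rway-imap-vm sieve[2247]: login: localhost [127.0.0.1] t4@example.test PLAIN User logged in
Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN no mechanism available
Nov 17 18:26:27 rway-imap-vm saslauthd[1166]: pam_userdb(imap:auth): user 'proxyadmin' granted access
Nov 17 18:26:27 rway-imap-vm imap[2277]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-4): no mechanism available: Unable to find a callback: 32773]
"""
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ (\w+)\[\d+\]: (.*)$")
GRANT = re.compile(r"pam_\w+\((\w+):auth\): user '([^']+)' granted access")
BADLOGIN = re.compile(r"badlogin: [^\s\[]+ ?\[([\d.]+)\] (\S+) (.*)")
CALLBACK = re.compile(r"Unable to find a callback: (\d+)")
# Callback id as defined in Cyrus SASL's sasl.h (0x8005 == 32773).
SASL_CALLBACKS = {0x8005: "SASL_CB_PROXY_POLICY"}

def find_post_auth_failures(text, window=timedelta(seconds=2)):
    """Return badlogin events that follow a saslauthd grant for the same
    service within `window`: the password was accepted, the login was not."""
    grants = {}  # PAM service name -> (time, user) of the pending grant
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime("2016 " + m.group(1), "%Y %b %d %H:%M:%S")
        proc, msg = m.group(2), m.group(3)
        grant = GRANT.search(msg)
        if proc == "saslauthd" and grant:
            grants[grant.group(1)] = (ts, grant.group(2))
        elif msg.startswith("login:"):
            grants.pop(proc, None)  # grant consumed by a successful login
        elif (bad := BADLOGIN.match(msg)) and proc in grants:
            granted_at, user = grants.pop(proc)
            if ts - granted_at <= window:
                cb = CALLBACK.search(bad.group(3))
                cb_id = int(cb.group(1)) if cb else None
                findings.append({
                    "service": proc, "authcid": user, "client": bad.group(1),
                    "mech": bad.group(2), "callback": cb_id,
                    "callback_name": SASL_CALLBACKS.get(cb_id)})
    return findings

if __name__ == "__main__":
    print(*find_post_auth_failures(SAMPLE_LOG), sep="\n")
```

The matching assumes, as in the thread's logs, that the Cyrus process name (`sieve`, `imap`) equals the PAM service name saslauthd reports.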
