Cyrus fails to authenticate with saslauthd/pam
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cyrus21-imapd (Ubuntu) | New | Medium | Unassigned |
Bug Description
Configuration:
/etc/imapd.conf (important settings):
sasl_pwcheck_
sasl_mech_list: PLAIN
/etc/default/
MECHANISMS="pam"
With cyrus configured to use SASLAUTHD and SASLAUTHD configured to authenticate against PAM, initial authentication succeeds (the first one). Subsequent authentication attempts fail with the following error message:
# cyradm localhost --auth login --user cyrus
IMAP Password:
Login failed: user not found at usr/lib/
cyradm: cannot authenticate to server with mech login as user cyrus
The following is found in /var/log/syslog:
cyrus/imapd[5034]: badlogin: localhost[
testsaslauthd works flawlessly with no inconsistency for any user.
Through many hours of gnashing of teeth and pulling out hair I can't afford to lose, I was able to determine that authentication settings are indeed changing between the successful and unsuccessful authentications.
imtest shows the inconsistency:
sh-3.00$ imtest -u matt -a matt -w <password> localhost
S: * OK ubublock1.eisgr.com Cyrus IMAP4 v2.1.18-
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=
S: C01 OK Completed
C: L01 LOGIN matt {8}
S: + go ahead
C: <omitted>
S: L01 OK User logged in
Authenticated.
Security strength factor: 0
^[[A
* BAD Invalid tag
C: Q01 LOGOUT
* BYE LOGOUT received
Q01 OK Completed
Connection closed.
sh-3.00$ imtest -u matt -a matt -w <password> localhost
S: * OK ubublock1.eisgr.com Cyrus IMAP4 v2.1.18-
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=
S: C01 OK Completed
C: A01 AUTHENTICATE DIGEST-MD5
S: + bm9uY2U9IjN<snip>
C: dXNlcm5hbWU<snip>
S: A01 NO user not found
Authentication failed. generic failure
Security strength factor: 128
Notice the additional "AUTH=NTLM" and "AUTH=DIGEST-MD5". Clearly this does not fit the required configuration, since PAM requires plaintext.
Running SASLAUTHD in debug mode shows that the failing authentication attempts are not even being attempted:
root@ubublock1:~# saslauthd -a pam -t 5 -n 0 -d
saslauthd[21811] :main : num_procs : 0
saslauthd[21811] :main : mech_option: NULL
saslauthd[21811] :main : run_path : /var/run/saslauthd
saslauthd[21811] :main : auth_mech : pam
saslauthd[21811] :detach_tty : master pid is: 0
saslauthd[21811] :ipc_init : listening on socket: /var/run/
saslauthd[21811] :do_auth : auth success: [user=matt] [service=imap] [realm=] [mech=pam]
saslauthd[21811] :do_request : response: OK
(nothing happens when a failed authentication occurs)
This appears to be a bug with the way threads are recycled. The authentication settings seem to be reset incorrectly.
Setting "-U 1" in /etc/cyrus.conf for the "imap" lines seems to work around the problem. This forces each thread to be used only once. This is not efficient.
When this setting is in place, each authentication attempt shows up in the saslauthd debugging session as "response: OK"
Thank you for all your hard work. We appreciate the value you have added to the community, as well as that of your upstream debian and CMU.
Probably should also mention that I'm also using pam_ldap and nss_ldap.
/etc/pam.d/common-auth
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_ldap.so try_first_pass
/etc/pam.d/common-account
account sufficient pam_unix.so
account sufficient pam_ldap.so
/etc/pam.d/common-password
password sufficient pam_unix.so nullok obscure min=4 max=8 md5
password sufficient pam_ldap.so
/etc/pam.d/common-session
session required pam_unix.so
session required pam_ldap.so
Let me know if you need pam_ldap.conf or libnss-ldap.conf information.
Matt
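As an added example (not part of Matt's report or of the Cyrus project), the following Python checker parses IMAP CAPABILITY responses and flags any advertised AUTH= mechanism that a saslauthd/PAM backend cannot verify, then applies the check across several connections so that the per-process drift described in the report (a server configured for sasl_mech_list: PLAIN suddenly offering DIGEST-MD5 and NTLM) shows up as a list of offending connections. The sample CAPABILITY lines are constructed to mirror the report, not captured from a real server; `probe()` and its host/port arguments are placeholders for the reader's own server.

```python
"""Check that an IMAP server advertises only SASL mechanisms its password
backend can verify, and do so across repeated connections.

Added example for the bug report above; not the reporter's or Cyrus' code.
The SAMPLE_RESPONSES below are constructed, not captured.
"""
import imaplib
import re
from typing import Iterable, List, Set, Tuple

# saslauthd only ever receives a plaintext password to hand to PAM, so it can
# verify just these two mechanisms. Shared-secret mechanisms (DIGEST-MD5,
# CRAM-MD5, NTLM) need the secret from an auxprop store such as sasldb instead.
PLAINTEXT_MECHS = frozenset({"PLAIN", "LOGIN"})

# Constructed to mirror the report: first connection is clean, second one
# advertises mechanisms that were never enabled in sasl_mech_list.
SAMPLE_RESPONSES = [
    "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS AUTH=PLAIN",
    "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS "
    "AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=NTLM",
]

_AUTH_TOKEN = re.compile(r"\bAUTH=([A-Z0-9_-]+)", re.IGNORECASE)


def auth_mechs(capability_line: str) -> Set[str]:
    """Return the set of mechanism names from AUTH=<mech> tokens.

    Mechanism names are case-insensitive (RFC 4422), so they are normalised
    to upper case; all other capability tokens are ignored.
    """
    return {m.upper() for m in _AUTH_TOKEN.findall(capability_line)}


def unexpected_mechs(capability_line: str,
                     allowed: Iterable[str] = PLAINTEXT_MECHS) -> Set[str]:
    """Mechanisms advertised on this line that the backend cannot verify."""
    return auth_mechs(capability_line) - {m.upper() for m in allowed}


def drift(capability_lines: Iterable[str],
          allowed: Iterable[str] = PLAINTEXT_MECHS) -> List[Tuple[int, Set[str]]]:
    """Return (connection index, offending mechanisms) for every response that
    advertises something outside `allowed`. An empty list means the server
    was consistent with its configuration on every connection."""
    findings = []
    for index, line in enumerate(capability_lines):
        bad = unexpected_mechs(line, allowed)
        if bad:
            findings.append((index, bad))
    return findings


def probe(host: str, port: int = 143, attempts: int = 5,
          timeout: float = 5.0) -> List[str]:
    """Open `attempts` separate connections and collect each server's
    CAPABILITY response, so drift() can be run on a live server. Each
    connection is closed before the next opens, which exercises different
    (possibly recycled) imapd children as in the report. Placeholder
    host/port: point this at your own server."""
    responses = []
    for _ in range(attempts):
        conn = imaplib.IMAP4(host, port, timeout=timeout)
        try:
            _typ, data = conn.capability()
            responses.append(" ".join(d.decode("ascii", "replace") for d in data))
        finally:
            conn.logout()
    return responses


if __name__ == "__main__":
    # Offline run on the constructed samples; flags connection 1.
    for index, bad in drift(SAMPLE_RESPONSES):
        print(f"connection {index}: unexpected mechanisms {sorted(bad)}")
```

Run against a live server with `drift(probe("imap.example.invalid"))`, with several attempts, since the report shows the first connection succeeding and a later one failing. Any hit is worth investigating even when logins still work: with pwcheck via saslauthd, a client that picks DIGEST-MD5 will be checked against the auxprop store rather than PAM, and a user absent from sasldb fails with "user not found" exactly as in the report.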