Cyrus fails to authenticate with saslauthd/pam

Bug #38318 reported by Matthew Carpenter
This bug report is a duplicate of: Bug #24197: Auth problems with cyrus + sasl + ldap.
Affects: cyrus21-imapd (Ubuntu)
Status: New
Importance: Medium
Assigned to: Unassigned

Bug Description

Configuration:
/etc/imapd.conf (important settings):
 sasl_pwcheck_method: saslauthd
 sasl_mech_list: PLAIN

/etc/default/saslauthd:
 MECHANISMS="pam"

With cyrus configured to use SASLAUTHD and SASLAUTHD configured to authenticate against PAM, initial authentication succeeds (the first one). Subsequent authentication attempts fail with the following error message:

# cyradm localhost --auth login --user cyrus
IMAP Password:
Login failed: user not found at usr/lib/perl5/Cyrus/IMAP/Admin.pm line 118
cyradm: cannot authenticate to server with mech login as user cyrus

The following is found in /var/log/syslog:
 cyrus/imapd[5034]: badlogin: localhost[127.0.0.1] plaintext cyrus SASL(-13): user not found: checkpass failed

testsaslauthd works flawlessly with no inconsistency for any user.

Through many hours of gnashing of teeth and pulling out hair I can't afford to lose, I was able to determine that authentication settings are indeed changing between the successful and unsuccessful authentications.

imtest shows the inconsistency:
sh-3.00$ imtest -u matt -a matt -w <password> localhost
S: * OK ubublock1.eisgr.com Cyrus IMAP4 v2.1.18-IPv6-Debian-2.1.18-1ubuntu1 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS ANNOTATEMORE
S: C01 OK Completed
C: L01 LOGIN matt {8}
S: + go ahead
C: <omitted>
S: L01 OK User logged in
Authenticated.
Security strength factor: 0
^[[A
* BAD Invalid tag
C: Q01 LOGOUT
* BYE LOGOUT received
Q01 OK Completed
Connection closed.
sh-3.00$ imtest -u matt -a matt -w <password> localhost
S: * OK ubublock1.eisgr.com Cyrus IMAP4 v2.1.18-IPv6-Debian-2.1.18-1ubuntu1 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=NTLM AUTH=DIGEST-MD5 AUTH=CRAM-MD5 ANNOTATEMORE
S: C01 OK Completed
C: A01 AUTHENTICATE DIGEST-MD5
S: + bm9uY2U9IjN<snip>
C: dXNlcm5hbWU<snip>
S: A01 NO user not found
Authentication failed. generic failure
Security strength factor: 128

Notice the additional "AUTH=NTLM" and "AUTH=DIGEST-MD5". Clearly this does not fit the required configuration, since PAM requires plaintext.

Running SASLAUTHD in debug mode shows that the failing authentication attempts are not even being attempted:

root@ubublock1:~# saslauthd -a pam -t 5 -n 0 -d
saslauthd[21811] :main : num_procs : 0
saslauthd[21811] :main : mech_option: NULL
saslauthd[21811] :main : run_path : /var/run/saslauthd
saslauthd[21811] :main : auth_mech : pam
saslauthd[21811] :detach_tty : master pid is: 0
saslauthd[21811] :ipc_init : listening on socket: /var/run/saslauthd/mux
saslauthd[21811] :do_auth : auth success: [user=matt] [service=imap] [realm=] [mech=pam]
saslauthd[21811] :do_request : response: OK
  (nothing happens when a failed authentication occurs)

This appears to be a bug with the way threads are recycled. The authentication settings seem to be reset incorrectly.

Setting "-U 1" in /etc/cyrus.conf for the "imap" lines seems to work around the problem. This forces each thread to be used only once. This is not efficient.

When this setting is in place, each authentication attempt shows up in the saslauthd debugging session as "response: OK".

Thank you for all your hard work. We appreciate the value you have added to the community, as well as that of your upstream Debian and CMU.
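The symptom above is that the set of AUTH= mechanisms advertised in CAPABILITY changes between one fresh connection and the next. The following script is an added example (not part of the bug report and not Cyrus or saslauthd code) that opens several fresh IMAP connections, collects each CAPABILITY response and reports which mechanisms are advertised on some connections but not all; it also counts the matching "checkpass failed" badlogin lines in a syslog excerpt. Host, port, round count and the embedded sample lines (taken from the transcript above) are assumptions.

```python
"""Detect per-connection drift in the SASL mechanisms a Cyrus IMAP server advertises."""
import imaplib
import re

AUTH_RE = re.compile(r"\bAUTH=([A-Z0-9_-]+)")
CHECKPASS_RE = re.compile(r"badlogin: .* SASL\(-13\): user not found: checkpass failed")

# Constructed sample data: the two CAPABILITY lines from the imtest transcript above.
SAMPLE_FIRST = ("* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS "
                "NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND "
                "SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS ANNOTATEMORE")
SAMPLE_SECOND = SAMPLE_FIRST.replace(
    "STARTTLS ANNOTATEMORE",
    "STARTTLS AUTH=NTLM AUTH=DIGEST-MD5 AUTH=CRAM-MD5 ANNOTATEMORE")
# Constructed sample syslog excerpt in the format quoted in the report.
SAMPLE_SYSLOG = [
    "cyrus/imapd[5034]: login: localhost[127.0.0.1] matt plaintext",
    "cyrus/imapd[5034]: badlogin: localhost[127.0.0.1] plaintext cyrus SASL(-13): "
    "user not found: checkpass failed",
]


def auth_mechs(capability_line):
    """Return the AUTH= mechanisms named in one CAPABILITY response line."""
    return frozenset(AUTH_RE.findall(capability_line))


def capability_drift(capability_lines):
    """Mechanisms advertised on some connections but not on every one.

    An empty result means every connection advertised the same AUTH= set."""
    sets = [auth_mechs(line) for line in capability_lines]
    if not sets:
        return frozenset()
    return frozenset().union(*sets) - frozenset.intersection(*sets)


def checkpass_failures(syslog_lines):
    """Count badlogin entries that failed inside saslauthd's checkpass path."""
    return sum(1 for line in syslog_lines if CHECKPASS_RE.search(line))


def probe(host="localhost", port=143, rounds=3):
    """Open `rounds` fresh connections and collect the raw CAPABILITY replies."""
    lines = []
    for _ in range(rounds):
        conn = imaplib.IMAP4(host, port)  # one new process/thread per connection
        try:
            _typ, data = conn.capability()
            lines.append(data[0].decode())
        finally:
            conn.logout()
    return lines


if __name__ == "__main__":
    drift = capability_drift(probe())
    print("advertised AUTH= mechanisms drift:", sorted(drift) or "none")
```

Running the script against the affected server should report NTLM, DIGEST-MD5 and CRAM-MD5 as drifting; after the "-U 1" workaround the drift set should be empty.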

Matthew Carpenter (matt-eisgr) wrote:

Probably should also mention that I'm also using pam_ldap and nss_ldap.

/etc/pam.d/common-auth
 auth sufficient pam_unix.so nullok_secure
 auth sufficient pam_ldap.so try_first_pass

/etc/pam.d/common-account
 account sufficient pam_unix.so
 account sufficient pam_ldap.so

/etc/pam.d/common-password
 password sufficient pam_unix.so nullok obscure min=4 max=8 md5
 password sufficient pam_ldap.so

/etc/pam.d/common-session
 session required pam_unix.so
 session required pam_ldap.so

Let me know if you need pam_ldap.conf or libnss-ldap.conf information.

Matt
