Bug 1649917

Summary: latest pam update breaks sasl/cyrus authentication
Product: [Fedora] Fedora Reporter: David Hill <dhill>
Component: pamAssignee: Björn Esser (besser82) <besser82>
Status: CLOSED WORKSFORME QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: rawhideCC: besser82, dhill, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-11-15 13:33:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Hill 2018-11-14 19:20:10 UTC 
Description of problem:
latest pam update breaks sasl/cyrus authentication and downgrading to previous versions restores authentication.

Nov 14 14:16:27 zappa imap[5542]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits new) no authentication
Nov 14 14:16:29 zappa imap[4390]: SASL Password verification failed
Nov 14 14:16:29 zappa imap[4390]: badlogin: [192.168.1.22] PLAIN [SASL(-13): authentication failure: Password verification failed]
Nov 14 14:16:29 zappa imap[5542]: SASL Password verification failed
Nov 14 14:16:29 zappa imap[5542]: badlogin: [192.168.1.22] PLAIN [SASL(-13): authentication failure: Password verification failed]
Nov 14 14:16:36 zappa imap[5542]: badlogin: [192.168.1.22] LOGIN [SASL(-13): authentication failure: checkpass failed]
Nov 14 14:16:36 zappa imap[4390]: badlogin: [192.168.1.22] LOGIN [SASL(-13): authentication failure: checkpass failed]


2018-11-14T17:01:14Z INFO Upgrade: pam-1.3.1-6.fc30.x86_64
2018-11-14T17:01:17Z INFO Upgrade: pam-1.3.1-6.fc30.x86_64
2018-11-14T17:06:27Z INFO Upgraded: pam-1.3.1-4.fc30.x86_64
2018-11-14T17:06:27Z INFO Upgraded: pam-1.3.1-4.fc30.x86_64
2018-11-14T19:13:59Z INFO Downgrade: pam-1.3.1-3.fc29.x86_64
2018-11-14T19:14:01Z INFO warning: /etc/pam.d/fingerprint-auth created as /etc/pam.d/fingerprint-auth.rpmnew
warning: /etc/pam.d/password-auth created as /etc/pam.d/password-auth.rpmnew
warning: /etc/pam.d/postlogin created as /etc/pam.d/postlogin.rpmnew
warning: /etc/pam.d/smartcard-auth created as /etc/pam.d/smartcard-auth.rpmnew
warning: /etc/pam.d/system-auth created as /etc/pam.d/system-auth.rpmnew
2018-11-14T19:14:01Z INFO Downgrade: pam-1.3.1-3.fc29.x86_64
2018-11-14T19:14:01Z INFO Downgraded: pam-1.3.1-6.fc30.x86_64
2018-11-14T19:14:01Z INFO Downgraded: pam-1.3.1-6.fc30.x86_64


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Björn Esser (besser82) 2018-11-14 21:37:23 UTC 
Just a simple question, before I start into debugging this:

Did you restart `saslauthd` *after* upgrading pam to the latest revision?

***

Could you please give me some more logs about pam?
Comment 2 Björn Esser (besser82) 2018-11-15 12:12:24 UTC 
I've just tested authenticating a local user for imap using cyrus-imapd, pam-1.3.1-7.fc30.x86_64, and libxcrypt-4.3.4-1.fc30.x86_64 without problems:

$testsaslauthd -u besser82 -p $passwd -s imap
0: OK "Success."

Can you please test again with those packages and/or give me any further instructions how to reproduce this issue on my machine?
Comment 3 David Hill 2018-11-15 13:33:47 UTC 
I'm trying to reproduce this issue and I'm no longer able to.   I did restart cyrus-imapd and downgrade pam but I see there was also an openssl package update so perhaps I needed to only restart cyrus-imapd and I restarted the service while I downgraded pam ... this appears to have solved the problem because I've updated pam to the same version as when it was failing and now it's no longer failing.   I'm closing this BZ.  Sorry for the noise.
Comment 4 Björn Esser (besser82) 2018-11-15 13:43:46 UTC 
Allrighty, never mind!