Bug 1649917 - latest pam update breaks sasl/cyrus authentication
Summary: latest pam update breaks sasl/cyrus authentication
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: pam
Version: rawhide
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: ---
Assignee: Björn 'besser82' Esser
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-11-14 19:20 UTC by David Hill
Modified: 2018-11-15 13:43 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-11-15 13:33:47 UTC



Description David Hill 2018-11-14 19:20:10 UTC
Description of problem:
latest pam update breaks sasl/cyrus authentication and downgrading to previous versions restores authentication.

Nov 14 14:16:27 zappa imap[5542]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits new) no authentication
Nov 14 14:16:29 zappa imap[4390]: SASL Password verification failed
Nov 14 14:16:29 zappa imap[4390]: badlogin: [192.168.1.22] PLAIN [SASL(-13): authentication failure: Password verification failed]
Nov 14 14:16:29 zappa imap[5542]: SASL Password verification failed
Nov 14 14:16:29 zappa imap[5542]: badlogin: [192.168.1.22] PLAIN [SASL(-13): authentication failure: Password verification failed]
Nov 14 14:16:36 zappa imap[5542]: badlogin: [192.168.1.22] LOGIN [SASL(-13): authentication failure: checkpass failed]
Nov 14 14:16:36 zappa imap[4390]: badlogin: [192.168.1.22] LOGIN [SASL(-13): authentication failure: checkpass failed]


2018-11-14T17:01:14Z INFO Upgrade: pam-1.3.1-6.fc30.x86_64
2018-11-14T17:01:17Z INFO Upgrade: pam-1.3.1-6.fc30.x86_64
2018-11-14T17:06:27Z INFO Upgraded: pam-1.3.1-4.fc30.x86_64
2018-11-14T17:06:27Z INFO Upgraded: pam-1.3.1-4.fc30.x86_64
2018-11-14T19:13:59Z INFO Downgrade: pam-1.3.1-3.fc29.x86_64
2018-11-14T19:14:01Z INFO warning: /etc/pam.d/fingerprint-auth created as /etc/pam.d/fingerprint-auth.rpmnew
warning: /etc/pam.d/password-auth created as /etc/pam.d/password-auth.rpmnew
warning: /etc/pam.d/postlogin created as /etc/pam.d/postlogin.rpmnew
warning: /etc/pam.d/smartcard-auth created as /etc/pam.d/smartcard-auth.rpmnew
warning: /etc/pam.d/system-auth created as /etc/pam.d/system-auth.rpmnew
2018-11-14T19:14:01Z INFO Downgrade: pam-1.3.1-3.fc29.x86_64
2018-11-14T19:14:01Z INFO Downgraded: pam-1.3.1-6.fc30.x86_64
2018-11-14T19:14:01Z INFO Downgraded: pam-1.3.1-6.fc30.x86_64


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Björn 'besser82' Esser 2018-11-14 21:37:23 UTC
Just a simple question, before I start into debugging this:

Did you restart `saslauthd` *after* upgrading pam to the latest revision?

***

Could you please give me some more logs about pam?

Comment 2 Björn 'besser82' Esser 2018-11-15 12:12:24 UTC
I've just tested authenticating a local user for imap using cyrus-imapd, pam-1.3.1-7.fc30.x86_64, and libxcrypt-4.3.4-1.fc30.x86_64 without problems:

$ testsaslauthd -u besser82 -p $passwd -s imap
0: OK "Success."

Can you please test again with those packages and/or give me any further instructions on how to reproduce this issue on my machine?

Comment 3 David Hill 2018-11-15 13:33:47 UTC
I'm trying to reproduce this issue and I'm no longer able to. I did restart cyrus-imapd and downgrade pam but I see there was also an openssl package update so perhaps I needed to only restart cyrus-imapd and I restarted the service while I downgraded pam ... this appears to have solved the problem because I've updated pam to the same version as when it was failing and now it's no longer failing. I'm closing this BZ. Sorry for the noise.

Comment 4 Björn 'besser82' Esser 2018-11-15 13:43:46 UTC
Alrighty, never mind!
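
The thread ends with a service restart clearing the failures that followed the pam and openssl updates. As an added example (not part of the bug report and not Fedora's or Cyrus's own tooling), this Python code shows one way to check whether a running daemon still maps shared libraries whose files were replaced on disk by a package update. The daemon names in scan_proc() and the SAMPLE_MAPS text are assumptions constructed for illustration.

```python
import os
import re

# One /proc/<pid>/maps row: address perms offset dev inode pathname
MAPS_ROW = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+\S{4}\s+[0-9a-f]+\s+\S+\s+\d+\s+(?P<path>/.*)$"
)
LIB_NAME = re.compile(r"\.so(\.[0-9]+)*$")  # libfoo.so, libfoo.so.1.2.3
DELETED = " (deleted)"  # kernel suffix for a mapped file that was unlinked

# Constructed sample of /proc/<pid>/maps content (not taken from the bug report).
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c00d000 r-xp 00000000 fd:00 1311 /usr/lib64/libpam.so.0.84.2 (deleted)
7f3a1c20d000-7f3a1c20e000 r--p 0000d000 fd:00 1311 /usr/lib64/libpam.so.0.84.2 (deleted)
7f3a1c400000-7f3a1c42b000 r-xp 00000000 fd:00 1420 /usr/lib64/libcrypt.so.2.0.0
7f3a1c800000-7f3a1c821000 rw-p 00000000 00:00 0
7ffd5e1f0000-7ffd5e211000 rw-p 00000000 00:00 0 [stack]
"""

def stale_libraries(maps_text):
    """Return sorted paths of shared objects that are mapped but gone from disk."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_ROW.match(line.strip())
        if not m:
            continue  # anonymous mappings, [heap], [stack], ...
        path = m.group("path")
        if path.endswith(DELETED) and LIB_NAME.search(path[: -len(DELETED)]):
            stale.add(path[: -len(DELETED)])
    return sorted(stale)

def scan_proc(names=("saslauthd", "imapd")):
    """Map 'pid/comm' to stale libraries for live processes (names are assumed)."""
    report = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            if comm in names:
                with open(f"/proc/{pid}/maps") as f:
                    stale = stale_libraries(f.read())
                if stale:
                    report[f"{pid}/{comm}"] = stale
        except OSError:
            continue  # process exited, or maps not readable without root
    return report

if __name__ == "__main__":
    print(stale_libraries(SAMPLE_MAPS))  # parse the constructed sample
    print(scan_proc())                   # inspect this host (run as root)
```

A non-empty result for a daemon means it has not been restarted since the listed library files were replaced.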

