Description of problem:
No information about setup - using another distro (known to work).
mech: pam login plain digest-md5 etc. in /usr/lib/sasl2/smtpd.conf
Tried shadow mech - reloaded saslauthd, retried login: nada.
SELinux turned off (pain in behind).

Version-Release number of selected component (if applicable):
Whatever fc6 ships with; this? http://rpmfind.net//linux/RPM/fedora/6/i386/cyrus-sasl-lib-2.1.22-4.i386.html ?

How reproducible:
Attempt to login to sasldb2 user password combo.

Steps to Reproduce:
1. create / import sasl2db file, read file sasldblistusers2
2. test login with sasltest program.
3. pam (local user) login works
4. sasl login - bad

Actual results:
No login via /etc/sasldb2 file

Expected results:
Login via /etc/sasldb2 > "OK"

Additional info:
With the bdb 4 bug as well, our cyrus imap server is well borked; the backend stuff is nice too. Looks like we're back to suse 9.2. Have Googled for info (and docs) - sasl auth problems and bdb issues mean I either have to compile src rpm to fix or pam auth needs work. Quite what is up is one too many issues.
I'm not sure I even understand what's going on here. Is this happening with postfix, or cyrus-imapd, or both? Do you have the cyrus-sasl-plain and cyrus-sasl-md5 packages installed? Which SASL mechanism is in use when you're running into failures? If you're using PLAIN or LOGIN, is saslauthd running? If saslauthd is running, is it using its default "pam" mechanism, or has that part of its configuration been changed? If it's using "pam", what are the contents of your /etc/pam.d/smtp, /etc/pam.d/imap, and /etc/pam.d/pop files? For the CRAM-MD5 and DIGEST-MD5 mechanisms, is the service in question able to read the file? What are the errors which are logged?
Hi, this bug deals with sasl, and not imap (that's bdb and issue http://mail-index.netbsd.org/tech-pkg/2005/01/27/0031.html it appears).

saslauthd is running, as I can "ok" verify login to a user account using the test sasl program. My /etc/pam.d files are what shipped with fc6; having found them before wrote, I've yet to cover any decent info about them or how they might utilise sasl2 in fc6. I have found my older distro does not need an /etc/pam.d/imap file but sasldblistusers2 command can read my old sasldb2 password file.

fc6 imap pam.d file:
auth include system-auth
account include system-auth

fwiw: pam.d on the working sasl distro uses pam_unix2.so as an account mech.

If one cannot test login to sasl I also see no point in setting up postfix and cyrus imap, assuming that the bdb bug does mean the datastore can't be read - that's another issue. The error logged is 'no auth' in testsaslauth. While having unix accounts for imap would work in fc6, it rather does miss the point (why have sasl) and that would take forever to set up.

I've googled for this stuff - but I'm either looking for the wrong stuff, or need to custom compile stuff. I'll add more info as I find the time. fc6 might look pretty but I'd thought I would not have to reinvent the sasl wheel, or also find that even customlog config statement in apache2 is broken.
Examples: no cyrus-imap / no postfix, pure sasl

#/usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
#added below:
saslauthd_version: 2
mech_list: plain login cram-md5 digest-md5
#end file

#/etc/pam.d/imap
#%PAM-1.0
auth include system-auth
account include system-auth
#end file

create user
saslpasswd2 -c -f /etc/sasldb2 technical
Password:
Again (for verification):

start/stop saslauth2
[root@localhost ~]# /etc/rc.d/init.d/saslauthd stop
Stopping saslauthd: [ OK ]
[root@localhost ~]# /etc/rc.d/init.d/saslauthd start
Starting saslauthd: [ OK ]
[root@localhost ~]# /etc/rc.d/init.d/saslauthd status
saslauthd (pid 11181 11180 11179 11178 11172) is running...

read file:
[root@localhost ~]# sasldblistusers2
technical: userPassword

now try sasl login
testsaslauthd -u technical -p boy
0: NO "authentication failed"

try pam login
testsaslauthd -u root -p <password>
0: OK "Success."

saslauthd[26299]: do_auth : auth failure: [user=technical] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
Dec 15 18:23:37 localhost saslauthd[26294]: server_exit : master exited: 26294

see http://www.howtoforge.com/forums/archive/index.php/t-8755.html - Never got to postfix setup does not use /etc/sasldb2 but local user account, note no imap setup either

Raw sasl2 ? need http://www.clasohm.com/blog/swcat/11876 but where ?

auth required pam_env.so
auth required pam_mount.so
auth sufficient pam_ssh.so use_first_pass
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
session optional pam_mount.so
session optional pam_ssh.so
testsaslauthd is not looking up /etc/sasldb2 with root root -rw-r--r-- privileges; ok with user /etc/shadow. I've mostly worked through my issues in fc6 but testsaslauthd is a waste of time with sasldb2 db's. Not a good diagnostic tool for sasl auths is the advice I can give you. Whether that was the Cyrus team's intention I leave in your hands. I leave the matter now.
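
Added example (not part of the original report and not Cyrus SASL code): a Python check that reads the smtpd.conf, the sasldblistusers2 listing and the saslauthd do_auth log line quoted in this thread and reports which password backend actually handled the failed login. The sample inputs are constructed from those quotes, and the function names and finding labels are hypothetical. It assumes the documented Cyrus SASL behaviour that saslauthd's pam, shadow and getpwent backends check operating-system accounts only, and that CRAM-MD5 and DIGEST-MD5 are verified from an auxprop store such as sasldb.

```python
import re

# Constructed inputs, copied in shape from the config, listing and log line in the report.
SMTPD_CONF = """pwcheck_method: saslauthd
#added below:
saslauthd_version: 2
mech_list: plain login cram-md5 digest-md5
"""
LISTUSERS = "technical: userPassword\n"
LOG_LINE = ("saslauthd[26299]: do_auth : auth failure: [user=technical] "
            "[service=imap] [realm=] [mech=pam] [reason=PAM auth error]")

SYSTEM_BACKENDS = {"pam", "shadow", "getpwent"}   # saslauthd -a values that check OS accounts
SHARED_SECRET_MECHS = {"cram-md5", "digest-md5"}  # verified from auxprop, never via saslauthd

def parse_conf(text):
    """Parse 'key: value' lines of a SASL application config, skipping '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip().lower()] = value.strip()
    return conf

def sasldb_users(listing):
    """User names from sasldblistusers2 output lines ('user[@realm]: userPassword')."""
    return {l.split(":", 1)[0].split("@", 1)[0].strip()
            for l in listing.splitlines() if ":" in l}

def parse_do_auth(line):
    """Return the [key=value] fields of a saslauthd do_auth log line as a dict."""
    return dict(re.findall(r"\[(\w+)=([^\]]*)\]", line))

def diagnose(conf_text, listing, log_line):
    """Return hypothetical finding labels explaining a sasldb/saslauthd mismatch."""
    conf, fields = parse_conf(conf_text), parse_do_auth(log_line)
    findings = []
    if conf.get("pwcheck_method", "auxprop") != "saslauthd":  # auxprop is the SASL default
        return findings
    backend = fields.get("mech", "")
    if backend in SYSTEM_BACKENDS and fields.get("user") in sasldb_users(listing):
        findings.append("sasldb-user-checked-by-" + backend)
    secret = SHARED_SECRET_MECHS & set(conf.get("mech_list", "").lower().split())
    if secret:
        findings.append("auxprop-only:" + ",".join(sorted(secret)))
    return findings

if __name__ == "__main__":
    for finding in diagnose(SMTPD_CONF, LISTUSERS, LOG_LINE):
        print(finding)
```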
Fedora 6 has reached end of life. If this can be reproduced in a later release, please open a new bug.