Bug 219410 - auth methods plain and login plus (cram-md5 and digest-md5) borked ?
Summary: auth methods plain and login plus (cram-md5 and digest-md5) borked ?
Alias: None
Product: Fedora
Classification: Fedora
Component: cyrus-sasl
Version: 6
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Steve Conklin
QA Contact: Brian Brock
URL: http://rpmfind.net//linux/RPM/fedora/...
Depends On:
TreeView+ depends on / blocked
Reported: 2006-12-12 22:45 UTC by sheridan west
Modified: 2008-01-04 17:02 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-01-04 17:02:12 UTC

Attachments (Terms of Use)

Description sheridan west 2006-12-12 22:45:34 UTC
Description of problem:
No information about setup - using another distro (known to work)

mech: pam
login plain digrest-md5 etc in /usr/lib/sasl2/smtpd.conf

tried shadow mech - reloaded salsauthd
retried login nada
selinux turned off (pain in behind)

Version-Release number of selected component (if applicable):
whatever fc6 ships with this ?

How reproducible:

attempt to login to sasldb2 user password combo

Steps to Reproduce:
1.create /import sasl2db file read file sasldblistusers2
2.test login with sasltest program.
3.pam (local user) login works
4.sasl login - bad
Actual results:
no login via /etc/sasldb2 file

Expected results:
login via /etc/sasldb2 > "OK"

Additional info:

with the bdb 4 bug as well our cyrus imap server is well borked, the backend
stuff is nice too.  Looks like where back to suse 9.2 

have Googled for info (and docs) - sasl auth problems and bdb issues mean i
either have to compile src rpm to fix or pam auth needs works.  quite what is up
is one too many issues.

Comment 1 Nalin Dahyabhai 2006-12-13 18:57:31 UTC
I'm not sure I even understand what's going on here.  Is this happening with
postfix, or cyrus-imapd, or both?  Do you have the cyrus-sasl-plain and
cyrus-sasl-md5 packages installed?

Which SASL mechanism is in use when you're running into failures?  If you're
using PLAIN or LOGIN, is saslauthd running?  If saslauthd is running, is it
using its default "pam" mechanism, or has that part of its configuration been
changed?  If it's using "pam", what are the contents of your /etc/pam.d/smtp,
/etc/pam.d/imap, and /etc/pam.d/pop files?

For the CRAM-MD5 and DIGEST-MD5 mechanisms, is the service in question able to
read the file?

What are the errors which are logged?

Comment 2 sheridan west 2006-12-14 11:03:52 UTC
Hi this bug deals with sasl, and not imap (thats bdb and issue
http://mail-index.netbsd.org/tech-pkg/2005/01/27/0031.html it appears) 
saslauthd is running is i can "ok" verify login to a user account using the test
sasl program.

my /etc/pam.d files are what shipped with fc6, having found them before wrote
i've yet to cover any decent info about them or how they might utiltise sasl2 in
fc6.  I have found my older distro does not need an /etc/pam.d/imap file but
sasldblistusers2 command can read my old sasldb2 password file.

fc6 imap pamd.d file:
auth include system-auth
account include system-auth

fwiw: pam.d on the working sasl distro uses pam_unix2.so as an account mech

If one cannot test login to sasl i also see no point in setting up postfix and
cyrus imap assuming that the bdb bug does mean the datastore cant be read -
thats another issue.

The error logged is 'no auth' in testsaslauth.

While having unix accounts for imap would work in fc6, it rather does miss the
point (why have sasl) and that would take forever to setup

I've googled for this stuff -but im either looking for the wrong stuff, or need
to custom compile stuff.

I'll add more info as find the the time, fc6 might look pretty but i'd thought i
would not have to reinvent the the sasl wheel, or also find that even customlog
config statement in apache2 is broken. 

Comment 3 sheridan west 2006-12-15 19:01:44 UTC
Examples no cyrus-imap/no postfix pure sasl

pwcheck_method: saslauthd
#added below:
saslauthd_version: 2
mech_list: plain login cram-md5 digest-md5
#end file

auth       include      system-auth
account    include      system-auth
#end file

create user

saslpasswd2 -c -f /etc/sasldb2 technical@badsasl.com 
Again (for verification): 

start/stop saslauth2
[root@localhost ~]# /etc/rc.d/init.d/saslauthd stop
Stopping saslauthd:                                        [  OK  ]
[root@localhost ~]# /etc/rc.d/init.d/saslauthd start
Starting saslauthd:                                        [  OK  ]
[root@localhost ~]# /etc/rc.d/init.d/saslauthd status
saslauthd (pid 11181 11180 11179 11178 11172) is running...

read file:

[root@localhost ~]# sasldblistusers2
technical@badsasl.com: userPassword

now try sasl login

testsaslauthd -u technical@badsasl.com -p boy
0: NO "authentication failed"

try pam login 
testsaslauthd -u root -p <password>
0: OK "Success."

saslauthd[26299]: do_auth         : auth failure: [user=technical@badsasl.com]
[service=imap] [realm=] [mech=pam] [reason=PAM auth error]
Dec 15 18:23:37 localhost saslauthd[26294]: server_exit     : master exited: 26294

see http://www.howtoforge.com/forums/archive/index.php/t-8755.html - Never got
to postfix setup does not use /etc/sasldb2 but local user account, note no imap
setup either

Raw sasl2 

? need http://www.clasohm.com/blog/swcat/11876 but where ?

auth       required    pam_env.so
auth       required    pam_mount.so
auth       sufficient  pam_ssh.so use_first_pass
auth       include     system-auth
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    optional    pam_keyinit.so force revoke
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_console.so
session    optional    pam_mount.so
session    optional    pam_ssh.so

Comment 4 sheridan west 2007-01-17 01:12:25 UTC
testsaslauthd is not looking up /etc/sasldb2 with root root -rw-r--r--
privelidges ok with user /etc/shadow.

Ive mostly worked through my issues in fc6 but testsaslauthd is a waste of time
with salsdb2 db's.  Not a good diagnostic tool for sasl auths is the advice i
can give you.

Whether that was the cyrus teams intentions i leave in your hands. I leave the
matter now.

Comment 5 Steve Conklin 2008-01-04 17:02:12 UTC
Fedora 6 has reached end of life. If this can be reproduced in a later release,
please open a new bug.

Note You need to log in before you can comment on or make changes to this bug.