On 07/26/04 10:08 PM, Anton Jackson-Smith sat at the `puter and typed:
> Hey everyone,
> I'm having some problems with authentication running Cyrus IMAP 2.2.6
> and SASL 2.1.19 on FreeBSD updated to RELENG_5_2 base system and the
> latest ports.
I'm running exactly the same combination of cyrus and FreeBSD
versions. I also had the same authentication problem. Here's what I
finally found (after a weeks googling, doc reading, etc). Don't use a
saslpasswd. Use your regular Unix login password. Saslauthd installs
from the FreeBSD ports with pam as the default mechanism. I kept
resetting the password for my id at a million different possible
realms, and it never worked unless I skipped CRAM-MD5 authentication.
Fially, I realized that there's a line in the
/usr/local/etc/rc.d/saslauthd.sh script that specifies "-a pam" as the
args. If you want to change this, you'll need to verify the correct
mechanism for your needs and set the variable saslauthd_flags in
/etc/rc.conf - which will override the rc.d startup.
> Basically, when attempting to login using imtest there's always a second
> or two delay, followed by "S: L01 NO Login failed: authentication
> failure". I'm using imtest with the following command: "imtest -m login
> -a test localhost".
I got the same thing.
BTW, I also had problems with delivery - I'm using procmail, running
as the recipient to call deliver. I solved this by setting the suid
bit on deliver. Just in case.
HTH
Lou
> Using the SASL sample client/server, I can authenticate fine using the
> user 'test' with any of the offered mechanisms.
>
> CyrAdm also fails to login, giving the error "Login failed:
> authentication failure at
> /usr/local/lib/perl5/site_perl/5.8.2/mach/Cyrus/IMAP/Admin.pm line 118
> cyradm: cannot authenticate to server with LOGIN as admin"
>
> (Both the users test and admin exist and can be logged into with the
> sample client/server).
>
> I've tried recompiling both suites of software (IMAP and SASL) to use
> different versions of Berkely DB to no avail. I also attempted to use
> saslauthd using sasldb, but that also fails to authenticate the user,
> logging the error message "saslauthd[20054]: do_auth : auth
> failure: [user=admin] [service=imap] [realm=] [mech=sasldb]
> [reason=Unknown]"
>
> I was also getting this problem with older versions of IMAP and SASL I
> was attempting to get working before I upgraded my ports tree.
>
> Posted below is excepts from logs and config files that may be of some
> use :).
>
> Thanks very much, apologies if I left out some critical information ;)
>
> Anton Jackson-Smith (Landrocker)
>
>
> === Typical imtest login attempt ===
> [21:48:26] [EMAIL PROTECTED]: /usr/ports/mail/cyrus-imapd22/work# imtest -m
> login -a test localhost
> S: * OK mail.dyingstar.net Cyrus IMAP4 v2.2.6 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
> BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
> AUTH=NTLM AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT
> LIST-SUBSCRIBED
> S: C01 OK Completed
> Please enter your password:
> C: L01 LOGIN test {4}
> S: + go ahead
> C:
> S: L01 NO Login failed: authentication failure
> Authentication failed. generic failure
> Security strength factor: 0
> . logout
> * BYE LOGOUT received
> . OK Completed
> Connection closed.
> =
>
> === Typical Sample Client login attempt
> [21:58:57] [EMAIL PROTECTED]:
> /usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.19/sample# ./client
> -s saslauthd -m DIGEST-MD5 localhost
> receiving capability list... recv: {57}
> NTLM LOGIN ANONYMOUS PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5
> NTLM LOGIN ANONYMOUS PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5
> send: {10}
> DIGEST-MD5
> send: {1}
> N
> recv: {124}
> nonce=" length>",realm="aries.dyingstar.net",qop="auth",charset=utf-8,algorithm=md5-sess
> please enter an authentication id: test
> please enter an authorization id: test
> Password:
> send: {246}
> username="test",realm="aries.dyingstar.net",nonce=" length>",nc=0001,qop=auth,digest-uri="saslauthd/localhost",response=a9dcefae5af239d91886f0eabf948f22
> recv: {40}
> rspauth=af70d484fa5b5718132e8489daa25850
> send: {0}
>
> successful authentication
> closing connection"
> =
>
> === Log message generated from attempted imtest login ===
> Jul 26 22:01:09 aries imap[32204]: badlogin: localhost [::1] plaintext
> test SASL(-13): user not found: checkpass failed
> =
>
> === Log message from imtest using saslauthd and imtest ===
> saslauthd[20055]: do_auth : auth failure: [user=test]
> [service=imap] [realm=] [mech=sasldb] [reason=Unknown]
> =
>
> === imapd.conf (Comments stripped)===
> configdirectory: /usr/local/cyrus/config
> partition-defaul