This mail is sent to info-cyrus and cyrus-sasl, because I really don't know where my problem is.

cyrus-imapd-2.0.16
cyrus-sasl-1.5.27

As long as I use the 'sasldb' method for imap-auth, all is ok. But as soon as I switch to pam, only user cyrus can login. pam works fine for other apps.

I test with #cyradm -U xxx localhost and also with imtest (output of imtest see below) on the background master-process.

I tried two pam modules: pam_pwdb.so and pam_unix.so

    $ cat imap
    #%PAM-1.0
    auth required /lib/security/pam_pwdb.so shadow nullok
    account required /lib/security/pam_pwdb.so

=> error in syslog (each error comes twice):

    Nov 27 15:16:33 server2 pwdb_chkpwd[8867]: could not identify user
    Nov 27 15:16:33 server2 pwdb_chkpwd[8867]: could not identify user

or

    $ cat imap
    #%PAM-1.0
    auth required /lib/security/pam_unix.so
    account required /lib/security/pam_unix.so

=> error in syslog (each error comes twice!):

    Nov 27 16:22:51 server2 imap(pam_unix)[20608]: authentication failure; logname= uid=504 euid=504 tty= ruser= rhost= user=pilsl
    Nov 27 16:22:51 server2 imap(pam_unix)[20608]: authentication failure; logname= uid=504 euid=504 tty= ruser= rhost= user=pilsl

where uid is *not* the uid of the user I tried to log on with but the uid of cyrus!!

Look at the following: I tried to log on as user 'peter' and 'pilsl'

    Nov 27 16:22:51 server2 imap(pam_unix)[20608]: authentication failure; logname= uid=504 euid=504 tty= ruser= rhost= user=pilsl
    Nov 27 16:23:05 server2 imap(pam_unix)[20615]: authentication failure; logname= uid=504 euid=504 tty= ruser= rhost= user=peter

The same uid, but different username! The real uids for these users are 501 and 503 ... and 504 is the uid of user 'cyrus' ..

(I tried to fool my problem by giving all users the same passwd as cyrus, but while this is a security hazard it won't work ..)

The same config works fine on other servers and all the other apps like 'su', 'login' that use pam work just fine. (So I think it's not a pam problem.) I think there is a problem in saslib, but who am I to know about the in-depth details ;) ?

I recompiled sasl and cyrus and also tried to delete and add the user cyrus and recompile again and again, and always the same effect: only the user that holds the uid which cyrus thinks is the cyrus user (actually the cyrus user at compile time) can login.

Any idea? I feel doomed here.

thnx
peter

ps: Here comes my imapd.conf, cyrus.conf and output of imtest:

    # cat /etc/imapd.conf
    configdirectory: /data/imap/config
    partition-default: /data/imap/spool
    admins: cyrus pilsl
    srvtab: /data/imap/srvtab
    allowanonymouslogin: no
    sasl_pwcheck_method: pam

    # cat /etc/cyrus.conf
    # standard standalone server implementation

    START {
      # do not delete these entries!
      mboxlist cmd="ctl_mboxlist -r"
      deliver cmd="ctl_deliver -r"

      # this is only necessary if using idled for IMAP IDLE
      # idled cmd="idled"
    }

    # UNIX sockets start with a slash and are put into /var/imap/sockets
    SERVICES {
      # add or remove based on preferences
      imap cmd="imapd" listen="imap" prefork=0
      pop3 cmd="pop3d" listen="pop3" prefork=0

      # LMTP is required for delivery
      lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
    }

    EVENTS {
      # this is required
      checkpoint cmd="ctl_mboxlist -c" period=30

      # this is only necessary if using duplicate delivery suppression
      delprune cmd="ctl_deliver -E 3" period=1440
    }

    # imtest -m login -a cyrus localhost
    C: C01 CAPABILITY
    S: * OK server2.local Cyrus IMAP4 v2.0.16 server ready
    S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE
    S: C01 OK Completed
    Password:
    C: L01 LOGIN cyrus {4}
    + go ahead
    C: <omitted>
    L01 OK User logged in
    Authenticated.
    Security strength factor: 0

    [root@server2 root]# imtest -m login -a pilsl localhost
    C: C01 CAPABILITY
    S: * OK server2.local Cyrus IMAP4 v2.0.16 server ready
    S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE
    S: C01 OK Completed
    Password:
    C: L01 LOGIN pilsl {4}
    + go ahead
    C: <omitted>
    L01 NO Login failed: authentication failure
    Authentication failed. generic failure
    Security strength factor: 0

--
mag. peter pilsl
phone: +43 676 3574035
fax  : +43 676 3546512
email: [EMAIL PROTECTED]
sms  : [EMAIL PROTECTED]
pgp-key available
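
In a pam_unix failure line, uid= is the uid of the process that called PAM and user= is the account whose password was checked. As an added example (not part of the original mail), this Python script parses the lines quoted above and lists failures where a non-root caller asked PAM to verify a different account; the function names and the assignment of 501/503 to peter/pilsl are assumptions.

```python
import re
from collections import defaultdict

# Constructed from the pam_unix lines quoted in the mail.
SAMPLE_LOG = """\
Nov 27 16:22:51 server2 imap(pam_unix)[20608]: authentication failure; logname= uid=504 euid=504 tty= ruser= rhost=  user=pilsl
Nov 27 16:23:05 server2 imap(pam_unix)[20615]: authentication failure; logname= uid=504 euid=504 tty= ruser= rhost=  user=peter
"""

# uids as stated in the mail; which of 501/503 belongs to whom is assumed.
ASSUMED_UIDS = {"peter": 501, "pilsl": 503, "cyrus": 504}

LINE_RE = re.compile(
    r"(?P<service>\S+)\(pam_unix\)\[(?P<pid>\d+)\]: authentication failure;"
    r".*?\buid=(?P<uid>\d+)\s+euid=(?P<euid>\d+).*?\buser=(?P<user>\S+)"
)

def parse_failures(log_text):
    """Return one dict per pam_unix authentication-failure line."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append({
                "service": m["service"], "pid": int(m["pid"]),
                "caller_uid": int(m["uid"]), "euid": int(m["euid"]),
                "user": m["user"],
            })
    return records

def targets_by_caller(records):
    """Group target account names by the uid of the process that called PAM."""
    grouped = defaultdict(set)
    for r in records:
        grouped[r["caller_uid"]].add(r["user"])
    return dict(grouped)

def non_root_cross_user(records, uid_of):
    """Failures where a non-root caller tried to verify another account."""
    return [r for r in records
            if r["caller_uid"] != 0 and uid_of.get(r["user"]) != r["caller_uid"]]

if __name__ == "__main__":
    recs = parse_failures(SAMPLE_LOG)
    for uid, users in targets_by_caller(recs).items():
        print(f"caller uid {uid} tried to verify: {sorted(users)}")
    for r in non_root_cross_user(recs, ASSUMED_UIDS):
        print(f"{r['service']}[{r['pid']}]: uid {r['caller_uid']} -> {r['user']}")
```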