What I am trying to do in a nutshell is to set up an IMAP/SMTP-AUTH server for a small company using Cyrus-IMAP, and to have the mail accounts authenticate off of a Windows domain controller. The SMB PAM module appears to be working well, as I have been able to get the POP server module of the Cyrus server to authenticate off of the Windows DC. That is to say, I can do this...

telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK exchange.booriley.com Cyrus POP3 v2.2.9 server ready <[EMAIL PROTECTED]>
user booriley
+OK Name is a valid mailbox
pass booriley
+OK Mailbox locked and ready


While this is happening, this is what comes up on the /var/log/secure.log:

Dec 1 16:36:50 exchange saslauthd[26153]: rel_accept_lock : released accept lock
Dec 1 16:36:50 exchange saslauthd[26155]: get_accept_lock : acquired accept lock
Dec 1 16:36:50 exchange imap(pam_unix)[26153]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=booriley
Dec 1 16:36:50 exchange saslauthd[26153]: No Local authentication done, relying on other modules for password file entry.
Dec 1 16:36:50 exchange pamsmbd[1872]: cache_check: found entry checking passwords
Dec 1 16:36:50 exchange pamsmbd[1872]: cache_check: found entry
Dec 1 16:36:50 exchange pamsmbd[1872]: cache_check: account valid
Dec 1 16:36:50 exchange saslauthd[26153]: pamsmbd: Got something back... 0
Dec 1 16:36:50 exchange saslauthd[26153]: pam_smb: got back 0 username booriley
Dec 1 16:36:50 exchange saslauthd[26153]: do_auth : auth success: [user=booriley] [service=pop] [realm=] [mech=pam]
Dec 1 16:36:50 exchange saslauthd[26153]: do_request : response: OK




However, when I try to attach to the IMAP server, I get this:


Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK exchange.booriley.com Cyrus IMAP4 v2.2.9 server ready
. login booriley booriley
. NO Login failed: can't request info until later in exchange

But I get **exactly the same message** in the /var/log/secure.log:

Dec 1 16:36:50 exchange saslauthd[26153]: rel_accept_lock : released accept lock
Dec 1 16:36:50 exchange saslauthd[26155]: get_accept_lock : acquired accept lock
Dec 1 16:36:50 exchange imap(pam_unix)[26153]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=booriley
Dec 1 16:36:50 exchange saslauthd[26153]: No Local authentication done, relying on other modules for password file entry.
Dec 1 16:36:50 exchange pamsmbd[1872]: cache_check: found entry checking passwords
Dec 1 16:36:50 exchange pamsmbd[1872]: cache_check: found entry
Dec 1 16:36:50 exchange pamsmbd[1872]: cache_check: account valid
Dec 1 16:36:50 exchange saslauthd[26153]: pamsmbd: Got something back... 0
Dec 1 16:36:50 exchange saslauthd[26153]: pam_smb: got back 0 username booriley
Dec 1 16:36:50 exchange saslauthd[26153]: do_auth : auth success: [user=booriley] [service=imap] [realm=] [mech=pam]
Dec 1 16:36:50 exchange saslauthd[26153]: do_request : response: OK


Strange world, huh?

Also, I have to change the sasl_pwcheck_method: from "saslauthd" to "auxprop" if I want to add a user through cyradm. This wouldn't be a deal breaker, but I have to stop the process, change the imapd.conf file, add the user, do my configuration, and restart the process, and it isn't very elegant.

Here is my imapd.conf file:

postmaster: postmaster
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: noctest cyrus
allowanonymouslogin: no
allowplaintext: yes
sasl_mech_list: LOGIN
servername: exchange.cleartel.com
autocreatequota: 40000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
sievedir: /usr/sieve
sendmail: /usr/sbin/sendmail
sieve_maxscriptsize: 32
sieve_maxscripts: 5
tls_ca_file: /var/imap/server.pem
tls_cert_file: /var/imap/server.pem
tls_key_file: /var/imap/server.pem

And my /etc/pam.d/imap (pop,smtp) file:

auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth

so that it runs off the system-auth file:

auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_smb_auth.so use_first_pass debug nolocal
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so


Any suggestions about where to start would be, needless to say, highly appreciated.










