From: Erik Norgaard
Date: Thu, 18 Jun 2009 07:51:03 +0200
To: Mel Flynn
Cc: freebsd-questions@freebsd.org
Subject: Re: Problem authenticating with sasl in jail

Mel Flynn wrote:
>> Looking again on the logs:
>>
>> Jun 17 23:39:17 jail imap[8412]: badlogin: jail.example.com [172.16.0.2]
>> plaintext cyrus@example.com SASL(-13): user not found: checkpass failed
>>
>> The user cyrus exists, I can login and get shell access, but there may
>> be something about the realm, that causes the user not to be found?
But:
>
> Any chance there's a minuserid in effect? dovecot doesn't allow logins from
> user id's <1000 by default. There may be a similar issue with Cyrus and sounds
> like something one would overlook.

No, the cyrus user has the same uid and passwd in both jail and on host.

> It still is disturbing that no mechanisms are found. Are there maybe left
> overs in site_perl/5.8.9?

I recently (May) deinstalled all packages and upgraded everything, there
is nothing perlish that should cause such problems:

I have checked using cyradm to connect from the host to host, host to
jail, jail to host and jail to jail. In all cases, I can connect with
the imap instance on the host, but not in the jail.

> Or do you have restrictions that only allow plain
> logins when tls is in effect?

There are indeed:

allowplaintext: yes
allowplainwithouttls: no
sasl_mech_list: plain
sasl_minimum_layer: 128
sasl_pwcheck_method: saslauthd

However, this is the same configuration that I have on the host where
everything works fine.

It appears to be something with the realm, really: I did a bad login on
the working server just to see what goes on there (user games):

Jun 18 07:46:28 alpha imap[14244]: badlogin: jail.example.com [172.16.0.2]
plaintext games SASL(-13): authentication failure: checkpass failed

And just for comparison, a successful login:

Jun 18 07:39:54 alpha imap[14127]: login: jail.example.com [172.16.0.2]
cyrus plaintext User logged in

Both where I connect out from the jail to the host. Note there is no
realm specified contrary to the log entries found in the jail.

thanks again, Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
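
The realm difference pointed out in the message above can be checked mechanically across a larger log. This is an added example, not part of the original message and not Cyrus code: a Python parser for the three log lines quoted above. The names parse and realm_report are hypothetical, and the field layout is an assumption inferred only from those three lines.

```python
import re
from collections import defaultdict

# The three syslog lines quoted in the message, unwrapped onto one line each.
LOG_LINES = [
    "Jun 17 23:39:17 jail imap[8412]: badlogin: jail.example.com [172.16.0.2] "
    "plaintext cyrus@example.com SASL(-13): user not found: checkpass failed",
    "Jun 18 07:46:28 alpha imap[14244]: badlogin: jail.example.com [172.16.0.2] "
    "plaintext games SASL(-13): authentication failure: checkpass failed",
    "Jun 18 07:39:54 alpha imap[14127]: login: jail.example.com [172.16.0.2] "
    "cyrus plaintext User logged in",
]

# Common syslog prefix: timestamp, logging server, imap[pid], event, client, IP.
PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<server>\S+) imap\[\d+\]: "
    r"(?P<event>badlogin|login): (?P<client>\S+) \[(?P<ip>[^\]]+)\] (?P<rest>.*)$")
# badlogin puts the mechanism first: <mech> <user> SASL(<code>): <reason>
BAD = re.compile(
    r"^(?P<mech>\S+) (?P<user>\S+) SASL\((?P<code>-?\d+)\): (?P<reason>.*)$")
# login puts the user first: <user> <mech> <message>
GOOD = re.compile(r"^(?P<user>\S+) (?P<mech>\S+) (?P<reason>.*)$")


def parse(line):
    """Return a dict of fields for one login/badlogin line, or None."""
    m = PREFIX.match(line)
    if not m:
        return None
    rec = m.groupdict()
    body = (BAD if rec["event"] == "badlogin" else GOOD).match(rec.pop("rest"))
    if not body:
        return None
    rec.update(body.groupdict())
    rec["code"] = int(rec["code"]) if rec.get("code") else None
    # Split user@realm; a bare username yields realm None.
    user, _, realm = rec["user"].partition("@")
    rec["user"], rec["realm"] = user, realm or None
    return rec


def realm_report(lines):
    """Map each logging server to the set of realms seen (None = bare user)."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        seen[rec["server"]].add(rec["realm"])
    return dict(seen)


if __name__ == "__main__":
    for server, realms in realm_report(LOG_LINES).items():
        print(server, sorted(r or "(no realm)" for r in realms))
```
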