Univention Bugzilla – Bug 42759
saslauthd (e.g. via postfix) fails once user changes his/her own password
Last modified: 2018-09-12 13:19:55 CEST
Situation: postfix with SASL authentication via Cyrus' saslauthd (not via Dovecot, as the customer in question is using Kopano as their mail server). saslauthd runs with the default configuration (MECHANISM="pam") from installation of the sasl2-bin package.

Whenever a user changes his/her password by logging in to the UMC, authentication via saslauthd fails and keeps on failing, both with the new and the old password. Comparing the user entry in the LDAP directory before and after that change reveals that the "userPassword" field uses a different method. Before the change it contained the hashed password, e.g. "userPassword: {crypt}$6$…". After the change it only contained a reference to the Kerberos secret: "userPassword: {K5KEY}".

How to reproduce it:

• Install the sasl2-bin package and start saslauthd.
• Verify that authentication works (please select a user who's not a member of the "Domain Admins" group): "testsaslauthd -u <username> -p <password>"
• Log in to the Univention Management Console as that unprivileged user. The only available module should be the password change module.
• Change the user's password.
• On the command line restart both the "nscd" and "saslauthd" services in order to prevent caching from affecting the results.
• Try to authenticate with "testsaslauthd" again. Observe that it now fails with both the old and the new password.

A workaround for one user is to log into the UMC as a user with administrative privileges and to change the user's password via the "Users" module. In that moment the "userPassword" attribute in the LDAP will contain the hashed key again.

The workaround for all users is to reconfigure saslauthd to use LDAP instead of PAM for authentication.
I've implemented the following template file (/etc/univention/templates/files/etc/saslauthd.conf.d/99_custom) for this:

------------------------------------------------------------
@%@UCRWARNING=# @%@
#
# LDAP Recipient Canonical Maps support
#
search_base = @%@ldap/base@%@
query_filter = (&(univentionCanonicalRecipientRewriteEnabled=1)(|(univentionPublicPrimaryMailAddress=%s)(univentionPublicAlternativeMailAddress=%s)))
result_attribute = univentionInternalPrimaryMailAddress
search_timeout = @%@mail/postfix/ldap/timeout@%@
scope = sub
version = 3
bind_dn = @%@ldap/hostdn@%@
@!@
import os
from univention.lib.misc import getLDAPURIs

print 'server_host = %s' % getLDAPURIs(configRegistry)
if os.path.exists('/etc/machine.secret'):
    print 'bind_pw = %s' % (open('/etc/machine.secret', 'r').read())
else:
    print 'bind_pw = MACHINE.SECRET_IS_MISSING'
if configRegistry.is_true('mail/postfix/ldaptable/starttls', False):
    print 'start_tls = yes'
if configRegistry.is_true('mail/postfix/ldaptable/tlsrequirecert', False):
    print 'tls_require_cert = yes'
if configRegistry.get('mail/postfix/ldaptable/tlscacertfile'):
    print 'tls_ca_cert_file = %s' % configRegistry['mail/postfix/ldaptable/tlscacertfile']
print 'debuglevel = %s' % configRegistry.get('mail/postfix/ldaptable/debuglevel', '0')
@!@
------------------------------------------------------------

Registration of the template looks like this (/etc/univention/templates/info/custom):

------------------------------------------------------------
Type: multifile
Multifile: etc/saslauthd.conf

Type: subfile
Multifile: etc/saslauthd.conf
Subfile: etc/saslauthd.conf.d/99_custom
Variables: hostname
Variables: domainname
Variables: ldap/master
Variables: saslauthd/starttls
------------------------------------------------------------

Additionally a server password hook script is needed; mine (/usr/lib/univention-server/server_password_change.d/custom-saslauthd) looks like this:

------------------------------------------------------------
#!/bin/bash
if [ "$1" = "postchange" ] ; then
    /usr/sbin/ucr commit /etc/saslauthd.conf
    /usr/sbin/service saslauthd restart
fi
------------------------------------------------------------
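An added example for the LDAP variant of the workaround; it is neither the reporter's template nor UCS code. It is a POSIX shell function that renders a saslauthd.conf for MECHANISMS="ldap" with ldap_auth_method: bind, so saslauthd looks the entry up and then binds to OpenLDAP as that entry; the password is verified inside the directory, which (as a later reply in this bug notes) checks a {K5KEY} userPassword against the Kerberos keys itself. Note that saslauthd's own LDAP backend reads ldap_* keys in key: value form (documented in LDAP_SASLAUTHD in the cyrus-sasl sources), which is a different key set from the Postfix LDAP-table keys in the template above. The key names are saslauthd's; the URI and port, the DNs, the secret file, the CA path and the search filter are placeholders chosen for this example, and the filter assumes that %u expands to the login name exactly as saslauthd received it.

```shell
#!/bin/sh
# Added example, not the reporter's template and not UCS code: render a
# saslauthd.conf for MECHANISMS="ldap" with ldap_auth_method: bind, so the
# directory verifies the password (and therefore handles {K5KEY} itself).
# Assumptions: the URI/port, DNs, secret file, CA path and filter are placeholders.

# usage: render_saslauthd_ldap_conf <ldap-uri> <search-base> <bind-dn> <secret-file> [ca-file]
render_saslauthd_ldap_conf() {
    uri=$1; base=$2; bind_dn=$3; secret_file=$4
    ca_file=${5:-/etc/univention/ssl/ucsCA/CAcert.pem}   # assumed: the usual UCS CA path
    # Take the first line only: machine.secret ends in a newline, and a newline
    # inside ldap_bind_pw would break the bind.
    bind_pw=$(head -n 1 "$secret_file") || return 1
    if [ -z "$bind_pw" ]; then
        echo "render_saslauthd_ldap_conf: empty or unreadable secret in $secret_file" >&2
        return 1
    fi
    cat <<EOF
ldap_servers: $uri
ldap_version: 3
ldap_start_tls: yes
ldap_tls_check_peer: yes
ldap_tls_cacert_file: $ca_file
ldap_bind_dn: $bind_dn
ldap_bind_pw: $bind_pw
ldap_search_base: $base
ldap_scope: sub
ldap_timeout: 10
# Assumed: %u is the login name as saslauthd received it, so both a plain uid
# and a primary mail address find the entry.
ldap_filter: (|(uid=%u)(mailPrimaryAddress=%u))
# Search for the entry, then bind as it: the password is verified by OpenLDAP,
# never compared against a locally stored hash.
ldap_auth_method: bind
EOF
}

# Stand-alone demo with a constructed secret file (not a real machine secret).
demo_dir=$(mktemp -d)
printf 'constructed-machine-secret\n' > "$demo_dir/machine.secret"
render_saslauthd_ldap_conf ldap://ldap.example.com:7389 dc=example,dc=com \
    cn=mailhost,cn=dc,cn=computers,dc=example,dc=com "$demo_dir/machine.secret"
rm -rf "$demo_dir"
```

The rendered file contains the machine secret in clear text, so it has to stay root-owned with mode 0600, exactly like the committed template output. After switching MECHANISMS to "ldap" in /etc/default/saslauthd and restarting saslauthd, testsaslauthd exercises this path directly; the PAM stack and nscd no longer take part in the decision, which is why the password change in the UMC stops affecting the result.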
(In reply to Moritz Bunkus from comment #0)
> Comparing the user entry in the LDAP directory before and after that change
> reveals that the "userPassword" field uses a different method. Before the
> change it contained the hashed password, e.g. "userPassword: {crypt}$6$…".
> After the change it only contained a reference to the Kerberos secret:
> "userPassword: {K5KEY}".

The K5KEY attribute means that the LDAP server checks the incoming bind password against the Kerberos keys. I guess you are using Samba 4 or AD Connector? If PAM does not work, can you post the auth.log?
Created attachment 8212: auth.log from failed authentication attempts with saslauthd & PAM
The auth.log is rather unremarkable, just the usual "authentication failed". I've attached a copy from back when we still had saslauthd use PAM. The actual user name has been replaced by "USERNAME".
Other users are stumbling across this problem, too: https://help.univention.com/t/benutzer-konnen-passwort-nur-teilweise-andern/8855
Additionally I've verified that the problem still happens in 4.3.
Another workaround: Using the mail address as the username should work (username@your.domain). The problem seems to be in "/etc/pam.d/smtp". As long as the {crypt} password scheme is used, pam_unix works. If pam_unix didn't work, the assumption seems to be that it failed because username@your.domain was used instead of just the username. In this case pam_unix failed because the password scheme {K5KEY} was used, which results in a broken username mapping.
See also https://help.univention.com/t/saslauthd-pam-authenticate-failed/3322/3 Replacing "requisite" with "optional" for pam_univentionmailcyrus.so should do the trick.
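As an added illustration of the change proposed above (not code from this bug or from UCS): a small POSIX shell audit that reports the control flag on the pam_univentionmailcyrus.so line of a PAM stack and rewrites "requisite" to "optional" on that line only. The stack embedded below is constructed for the example; the real /etc/pam.d/smtp on UCS may list its modules in a different order, so treat the sample as a shape, not as the shipped file.

```shell
#!/bin/sh
# Added example, not part of the bug report or of UCS: audit a PAM stack for the
# control flag on the pam_univentionmailcyrus.so line and rewrite requisite -> optional.
# SAMPLE_STACK is constructed for this example; the real /etc/pam.d/smtp on UCS
# may order its modules differently.

# Print the control flag ("requisite", "optional", ...) of the auth line that
# loads pam_univentionmailcyrus.so; the stack is read from stdin. Prints nothing
# if the module is not in the stack. Comments are stripped first.
pam_mailcyrus_control() {
    sed -e 's/#.*//' \
    | awk '$1 == "auth" && $3 ~ /pam_univentionmailcyrus\.so/ { print $2; exit }'
}

# Rewrite only that line. A plain uid has no mail-address mapping, so with
# "requisite" the failed mapping aborts the stack before the modules that can
# verify a {K5KEY} password ever run; with "optional" the mapping result is
# ignored and the stack continues with the unchanged user name. The modules
# that actually check the password are not touched, so nothing is weakened.
fix_pam_stack() {
    sed -e '/pam_univentionmailcyrus\.so/ s/^\([[:space:]]*auth[[:space:]]\{1,\}\)requisite\([[:space:]]\)/\1optional\2/'
}

SAMPLE_STACK='# constructed sample stack, not the real UCS /etc/pam.d/smtp
auth    sufficient  pam_unix.so
auth    requisite   pam_univentionmailcyrus.so
auth    required    pam_krb5.so
account required    pam_unix.so'

# Stand-alone demo: show the flag before and after the rewrite.
printf '%s\n' "$SAMPLE_STACK" | pam_mailcyrus_control
printf '%s\n' "$SAMPLE_STACK" | fix_pam_stack | pam_mailcyrus_control
```

To check a live system, feed the stack files in instead of the sample, e.g. `pam_mailcyrus_control < /etc/pam.d/smtp`; a result of "requisite" means a login with the plain uid is still cut off once userPassword carries {K5KEY}.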
This issue affects at least the PAM stacks of univention-mail-postfix and maybe also univention-mail-dovecot. I have not tested if the login works correctly if the username is passed to dovecot. It will NOT work with cyrus, since cyrus will use the given username as the local part and the local DNS domain as the domain part of a mail address → works only if username and local part of the primary mail address are identical and the domain part matches the DNS domain of the cyrus system.
Customer affected. Fix would be great!
"requisite" has been replaced by "optional" for pam_univentionmailcyrus.so in several PAM stacks. Additionally a ucs-test has been added that tests all authentication variants (username, mailPrimaryAddress(mPA), w/ and w/o {K5KEY}). I found no problems with mPA, uid or {K5KEY} with the new setup. ac493d54fd Bug #42759: update advisories ef8a9fc7d3 Bug #42579: Merge branch 'sschwardt/42579/4.2/fix_pamstack' into 4.2-4 cb41ff9585 Bug #42759: check PAM stack for mail services 9bdfe95231 Bug #42759: fix PAM stack to allow login with username 540d363b0b Bug #42579: add advisories Package: univention-mail-postfix Version: 11.0.2-5A~4.2.0.201808231642 Branch: ucs_4.2-0 Scope: errata4.2-4 Package: univention-mail-dovecot Version: 3.0.1-9A~4.2.0.201808231641 Branch: ucs_4.2-0 Scope: errata4.2-4 Package: univention-mail-cyrus Version: 9.0.0-13A~4.2.0.201808231642 Branch: ucs_4.2-0 Scope: errata4.2-4 Package: univention-mail-cyrus-murder Version: 8.0.0-4A~4.2.0.201808231642 Branch: ucs_4.2-0 Scope: errata4.2-4 Package: ucs-test Version: 7.0.23-128A~4.2.0.201808231700 Branch: ucs_4.2-0 Scope: errata4.2-4
5a94fee8c5 Bug #42759: 20b_check_auth_via_smtp_and_imap: fix LDAP connection on slaves and memberservers
OK: code change
OK: advisory

For Dovecot
===========
OK: manual tests with fetchmail and swaks
OK: automated test:

Release: 4.2-4 errata418
ii  univention-mail-postfix  11.0.2-4A~4.2.0.201802  all
ii  univention-mail-dovecot  3.0.1-8A~4.2.0.2018042  all

/sync/ucs-test/tests/40_mail# time ./20b_check_auth_via_smtp_and_imap -f
RESULT:
=======================================================
pre_change_testsaslauthd_uid : SKIPPED
pre_change_testsaslauthd_mailPrimaryAddress : SKIPPED
pre_change_smtp_uid : OK
pre_change_smtp_mailPrimaryAddress : OK
pre_change_sieve_uid : FAILED
pre_change_sieve_mailPrimaryAddress : OK
pre_change_pop3_uid : FAILED
pre_change_pop3_mailPrimaryAddress : OK
pre_change_imap_uid : FAILED
pre_change_imap_mailPrimaryAddress : OK
post_change_testsaslauthd_uid : SKIPPED
post_change_testsaslauthd_mailPrimaryAddress : SKIPPED
post_change_smtp_uid : OK
post_change_smtp_mailPrimaryAddress : OK
post_change_sieve_uid : FAILED
post_change_sieve_mailPrimaryAddress : OK
post_change_pop3_uid : FAILED
post_change_pop3_mailPrimaryAddress : OK
post_change_imap_uid : FAILED
post_change_imap_mailPrimaryAddress : OK

-- upgrade...

ii  univention-mail-postfix  11.0.2-5A~4.2.0.201808  all
ii  univention-mail-dovecot  3.0.1-9A~4.2.0.2018082  all
--
RESULT:
=======================================================
pre_change_testsaslauthd_uid : SKIPPED
pre_change_testsaslauthd_mailPrimaryAddress : SKIPPED
pre_change_smtp_uid : OK
pre_change_smtp_mailPrimaryAddress : OK
pre_change_sieve_uid : OK
pre_change_sieve_mailPrimaryAddress : OK
pre_change_pop3_uid : OK
pre_change_pop3_mailPrimaryAddress : OK
pre_change_imap_uid : OK
pre_change_imap_mailPrimaryAddress : OK
post_change_testsaslauthd_uid : SKIPPED
post_change_testsaslauthd_mailPrimaryAddress : SKIPPED
post_change_smtp_uid : OK
post_change_smtp_mailPrimaryAddress : OK
post_change_sieve_uid : OK
post_change_sieve_mailPrimaryAddress : OK
post_change_pop3_uid : OK
post_change_pop3_mailPrimaryAddress : OK
post_change_imap_uid : OK
post_change_imap_mailPrimaryAddress : OK
For Cyrus
=========
FAIL: manual tests with fetchmail and swaks
* OK: login to SMTP: with email & uid works
* FAIL: login to IMAP & POP: with email works, but with uid fails
FAIL: automated test:

Release: 4.2-4 errata418
ii  univention-mail-postfix  11.0.2-4A~4.2.0.201802  all
ii  univention-mail-cyrus    9.0.0-12A~4.2.0.201705  all

root@m52:~# /sync/ucs-test/tests/40_mail/20b_check_auth_via_smtp_and_imap -f
RESULT:
=======================================================
pre_change_testsaslauthd_uid : OK
pre_change_testsaslauthd_mailPrimaryAddress : OK
pre_change_smtp_uid : OK
pre_change_smtp_mailPrimaryAddress : OK
pre_change_sieve_uid : OK
pre_change_sieve_mailPrimaryAddress : OK
pre_change_pop3_uid : FAILED
pre_change_pop3_mailPrimaryAddress : OK
pre_change_imap_uid : OK
pre_change_imap_mailPrimaryAddress : OK
post_change_testsaslauthd_uid : FAILED
post_change_testsaslauthd_mailPrimaryAddress : FAILED
post_change_smtp_uid : OK
post_change_smtp_mailPrimaryAddress : OK
post_change_sieve_uid : OK
post_change_sieve_mailPrimaryAddress : OK
post_change_pop3_uid : FAILED
post_change_pop3_mailPrimaryAddress : OK
post_change_imap_uid : FAILED
post_change_imap_mailPrimaryAddress : OK

--- upgrade
ii  univention-mail-postfix  11.0.2-5A~4.2.0.201808  all
ii  univention-mail-cyrus    9.0.0-13A~4.2.0.201808  all
---
RESULT:
=======================================================
pre_change_testsaslauthd_uid : OK
pre_change_testsaslauthd_mailPrimaryAddress : OK
pre_change_smtp_uid : OK
pre_change_smtp_mailPrimaryAddress : OK
pre_change_sieve_uid : OK
pre_change_sieve_mailPrimaryAddress : OK
pre_change_pop3_uid : FAILED
pre_change_pop3_mailPrimaryAddress : OK
pre_change_imap_uid : OK
pre_change_imap_mailPrimaryAddress : OK
post_change_testsaslauthd_uid : OK
post_change_testsaslauthd_mailPrimaryAddress : OK
post_change_smtp_uid : OK
post_change_smtp_mailPrimaryAddress : OK
post_change_sieve_uid : OK
post_change_sieve_mailPrimaryAddress : OK
post_change_pop3_uid : FAILED
post_change_pop3_mailPrimaryAddress : OK
post_change_imap_uid : OK
post_change_imap_mailPrimaryAddress : OK
I was able to reproduce this issue:

+OK Name is a valid mailbox
>>> test_pop3_auth(r550o0j97s): POP3 auth failed - -ERR [SYS/PERM] Unable to locate maildrop: Mailbox does not exist

The login itself was ok, but cyrus is unable to find the mailbox if the POP3 connection is established against "localhost". I fixed the ucs-test script by using a POP3S connection against $hostname.$domainname.

e5b8926483 Bug #42759: add changelog entry
9b3afcfbcf Bug #42759: some cleanup
34416ea4ef Bug #42759: fix POP3 login in 20b_check_auth_via_smtp_and_imap

Package: ucs-test
Version: 7.0.23-131A~4.2.0.201809102145
Branch: ucs_4.2-0
Scope: errata4.2-4
Still not working. The test has an error: the email address is the same as the kerberos name.

RESULT:
=======================================================
pre_change_testsaslauthd_uid : OK
pre_change_testsaslauthd_mailPrimaryAddress : OK
pre_change_smtp_uid : OK
pre_change_smtp_mailPrimaryAddress : OK
pre_change_sieve_uid : FAILED
pre_change_sieve_mailPrimaryAddress : OK
pre_change_pop3_uid : FAILED
pre_change_pop3_mailPrimaryAddress : OK
pre_change_imap_uid : OK
pre_change_imap_mailPrimaryAddress : OK
post_change_testsaslauthd_uid : OK
post_change_testsaslauthd_mailPrimaryAddress : OK
post_change_smtp_uid : OK
post_change_smtp_mailPrimaryAddress : OK
post_change_sieve_uid : FAILED
post_change_sieve_mailPrimaryAddress : OK
post_change_pop3_uid : FAILED
post_change_pop3_mailPrimaryAddress : OK
post_change_imap_uid : OK
post_change_imap_mailPrimaryAddress : OK

I modified the test to use a local part that is different to the kerberos name.

[4.2-4 d606a73c68] Bug #42759: don't use kerberos name as email address
But unfortunately this is now missing the point: If you log in to Cyrus with a username, the username (UID) is interpreted as a local part of a mail address. If the domain part is missing due to the use of the UID, the default domain is automatically used. This means that it only works if the DNS domain and the mail domain are identical AND if the localpart and the UID match. This is a known limitation of Cyrus that we cannot avoid here. I.e. if a different mail address is used now, the test will go wrong, because Cyrus does not support this. Unfortunately, no adjustment to the PAM stack will help. Originally the point was that the login should also work if {K5KEY} is in userPassword. This problem has been fixed in this bug. If you urgently need more, we should consider this separately via a feature request/bug. Or am I missing something at this point?
OK: this bug is only about enabling the same authentication as before, when changing the password to {K5KEY}. Enabling uid->mPA conversion in PAM will not be required here.
All fine then (automated and manual tests).
<http://errata.software-univention.de/ucs/4.2/512.html> <http://errata.software-univention.de/ucs/4.2/513.html> <http://errata.software-univention.de/ucs/4.2/514.html> <http://errata.software-univention.de/ucs/4.2/515.html>