Bug 42759 - saslauthd (e.g. via postfix) fails once user changes his/her own password
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail
UCS 4.2
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-4-errata
Assigned To: Sönke Schwardt-Krummrich
Daniel Tröder
Depends on:
Blocks: 47642
Reported: 2016-10-25 12:00 CEST by Moritz Bunkus
Modified: 2018-09-12 13:19 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.286
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018052521000551,2018071921000522
Bug group (optional):
Max CVSS v3 score:


Attachments
auth.log from failed authentication attempts with saslauthd & PAM (1.62 KB, text/plain)
2016-11-10 09:11 CET, Moritz Bunkus

Description Moritz Bunkus 2016-10-25 12:00:27 CEST
Situation: postfix with SASL authentication via Cyrus' saslauthd (not via Dovecot as the customer in question is using Kopano as their mail server). saslauthd runs with the default configuration (MECHANISM="pam") from installation of the sasl2-bin package.

Whenever a user changes his/her password by logging in to the UMC, authentication via saslauthd fails and keeps on failing, both with the new and the old password.

Comparing the user entry in the LDAP directory before and after that change reveals that the "userPassword" field uses a different method. Before the change it contained the hashed password, e.g. "userPassword: {crypt}$6$…". After the change it only contained a reference to the Kerberos secret: "userPassword: {K5KEY}".

How to reproduce it:

• Install the sasl2-bin package and start saslauthd.
• Verify that authentication works (please select a user who's not a member of the "Domain Admins" group): "testsaslauthd -u <username> -p <password>"
• Log in to the Univention Management Console as that unprivileged user. The only available module should be the password change module.
• Change the user's password.
• On the command line restart both the "nscd" and "saslauthd" services in order to prevent caching from affecting the results.
• Try to authenticate with "testsaslauthd" again. Observe that it now fails with both the old and the new password.

A workaround for one user is to log into the UMC as a user with administrative privileges and to change the user's password via the "Users" module. In that moment the "userPassword" attribute in the LDAP will contain the hashed key again.

The workaround for all users is to reconfigure saslauthd to use LDAP instead of PAM for authentication. I've implemented the following template file (/etc/univention/templates/files/etc/saslauthd.conf.d/99_custom) for this:

------------------------------------------------------------
@%@UCRWARNING=# @%@
#
# LDAP Recipient Canonical Maps support
#

search_base = @%@ldap/base@%@
query_filter = (&(univentionCanonicalRecipientRewriteEnabled=1)(|(univentionPublicPrimaryMailAddress=%s)(univentionPublicAlternativeMailAddress=%s)))
result_attribute = univentionInternalPrimaryMailAddress
search_timeout = @%@mail/postfix/ldap/timeout@%@
scope = sub
version = 3
bind_dn = @%@ldap/hostdn@%@
@!@
import os
from univention.lib.misc import getLDAPURIs
print 'server_host = %s' % getLDAPURIs(configRegistry)
if os.path.exists('/etc/machine.secret'):
	print 'bind_pw = %s' % (open('/etc/machine.secret','r').read())
else:
	print 'bind_pw = MACHINE.SECRET_IS_MISSING'
if configRegistry.is_true('mail/postfix/ldaptable/starttls', False):
	print 'start_tls = yes'
if configRegistry.is_true('mail/postfix/ldaptable/tlsrequirecert', False):
	print 'tls_require_cert = yes'
if configRegistry.get('mail/postfix/ldaptable/tlscacertfile'):
	print 'tls_ca_cert_file = %s' % configRegistry['mail/postfix/ldaptable/tlscacertfile']
print 'debuglevel = %s' % configRegistry.get('mail/postfix/ldaptable/debuglevel', '0')
@!@
------------------------------------------------------------

Registration of the template looks like this (/etc/univention/templates/info/custom):

------------------------------------------------------------
Type: multifile
Multifile: etc/saslauthd.conf

Type: subfile
Multifile: etc/saslauthd.conf
Subfile: etc/saslauthd.conf.d/99_custom
Variables: hostname
Variables: domainname
Variables: ldap/master
Variables: saslauthd/starttls
------------------------------------------------------------

Additionally a server password hook script is needed; mine (/usr/lib/univention-server/server_password_change.d/custom-saslauthd) looks like this:

------------------------------------------------------------
#!/bin/bash

if [ "$1" = "postchange" ] ; then
  /usr/sbin/ucr commit /etc/saslauthd.conf
  /usr/sbin/service saslauthd restart
fi
------------------------------------------------------------
Comment 1 Stefan Gohmann univentionstaff 2016-11-09 16:32:16 CET
(In reply to Moritz Bunkus from comment #0)
> Comparing the user entry in the LDAP directory before and after that change
> reveals that the "userPassword" field uses a different method. Before the
> change it contained the hashed password, e.g. "userPassword: {crypt}$6$…".
> After the change it only contained a reference to the Kerberos secret:
> "userPassword: {K5KEY}".

The K5KEY attribute means that the LDAP server checks the incoming bind password against the Kerberos Keys. I guess you are using Samba 4 or AD Connector?

If PAM does not work, can you post the auth.log?
Comment 2 Moritz Bunkus 2016-11-10 09:11:37 CET
Created attachment 8212
auth.log from failed authentication attempts with saslauthd & PAM
Comment 3 Moritz Bunkus 2016-11-10 09:11:54 CET
The auth.log is rather unremarkable, just the usual "authentication failed". I've attached a copy from back when we still had saslauthd use PAM. The actual user name has been replaced by "USERNAME".
Comment 4 Moritz Bunkus 2018-05-25 14:04:21 CEST
Other users are stumbling across this problem, too:

https://help.univention.com/t/benutzer-konnen-passwort-nur-teilweise-andern/8855
Comment 5 Moritz Bunkus 2018-05-25 14:05:38 CEST
Additionally I've verified that the problem still happens in 4.3.
Comment 6 Jürn Brodersen univentionstaff 2018-05-29 14:16:20 CEST
Another workaround:
Using the mail address as the username should work. (username@your.domain)


The problem seems to be in "/etc/pam.d/smtp". As long as the {crypt} password scheme is used, pam_unix works. If pam_unix didn't work, the assumption seems to be that it failed because username@your.domain was used instead of just the username.

In this case pam_unix failed because the password scheme {K5KEY} was used, which results in a broken username mapping.
Comment 7 Sönke Schwardt-Krummrich univentionstaff 2018-05-30 17:25:50 CEST
See also https://help.univention.com/t/saslauthd-pam-authenticate-failed/3322/3

Replacing "requisite" with "optional" for pam_univentionmailcyrus.so should do the trick.
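The control-flag logic behind this, as an added toy model that is not part of the bug report or of UCS: the stack below is a simplified stand-in for /etc/pam.d/smtp (the real module order is not on this page), and the user records and the behaviour of the three modules are constructed assumptions.

```python
# Toy model of the Linux-PAM control flags (sufficient/requisite/required/optional)
# applied to a simplified mail auth stack. Constructed example, not UCS code.
from typing import Callable, List, Tuple

# Constructed directory entries: alice still has a {crypt} hash, bob has only a
# {K5KEY} reference after changing the password in the UMC.
USERS = {
    "alice": {"scheme": "{crypt}", "mail": "alice@example.org", "pw": "s3cret"},
    "bob": {"scheme": "{K5KEY}", "mail": "bob@example.org", "pw": "s3cret"},
}
MAIL_TO_UID = {u["mail"]: uid for uid, u in USERS.items()}

# Each module returns (ok, login); a module may rewrite the login it hands on.
def pam_unix(login: str, pw: str) -> Tuple[bool, str]:
    # pam_unix can only compare against a hash it can read; a bare {K5KEY}
    # reference gives it nothing to verify, so the user fails here.
    u = USERS.get(login)
    return (u is not None and u["scheme"] == "{crypt}" and u["pw"] == pw, login)

def pam_univentionmailcyrus(login: str, pw: str) -> Tuple[bool, str]:
    # Maps a mail address to its uid; a plain username is unknown to it.
    uid = MAIL_TO_UID.get(login)
    return (uid is not None, uid or login)

def pam_krb5(login: str, pw: str) -> Tuple[bool, str]:
    # Kerberos verifies the password regardless of the userPassword scheme.
    u = USERS.get(login)
    return (u is not None and u["pw"] == pw, login)

Module = Callable[[str, str], Tuple[bool, str]]

def run_auth_stack(stack: List[Tuple[str, Module]], login: str, pw: str) -> bool:
    """Evaluate (control, module) entries with Linux-PAM control-flag semantics."""
    failed = False  # set once a 'required' module has failed
    for control, module in stack:
        ok, login = module(login, pw)
        if control == "sufficient" and ok and not failed:
            return True              # short-circuit success
        if control == "requisite" and not ok:
            return False             # abort: later modules never run
        if control == "required" and not ok:
            failed = True            # keep going, but the stack will fail
        # 'optional' results and 'sufficient' failures are ignored
    return not failed

def smtp_stack(mailcyrus_control: str) -> List[Tuple[str, Module]]:
    return [("sufficient", pam_unix),
            (mailcyrus_control, pam_univentionmailcyrus),
            ("required", pam_krb5)]

BEFORE_FIX = smtp_stack("requisite")  # plain uid + {K5KEY} never reaches pam_krb5
AFTER_FIX = smtp_stack("optional")    # mapping failure is ignored, pam_krb5 decides
```

With "requisite", bob can only log in as bob@example.org (the workaround from comment 6); with "optional", the plain uid works again while a wrong password is still rejected.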
Comment 8 Sönke Schwardt-Krummrich univentionstaff 2018-05-30 17:40:32 CEST
This issue affects at least the PAM stacks of univention-mail-postfix and maybe also univention-mail-dovecot. I have not tested whether the login works correctly if the username is passed to dovecot.
It will NOT work with cyrus, since cyrus will use the given username as localpart and the local DNS domain as domain part of a mail address → works only if username and localpart of the primary mail address are identical and the domain part matches the DNS domain of the cyrus system.
Comment 9 Christian Völker univentionstaff 2018-07-19 13:10:20 CEST
Customer affected. Fix would be great!
Comment 10 Sönke Schwardt-Krummrich univentionstaff 2018-08-23 17:02:13 CEST
"requisite" has been replaced by "optional" for pam_univentionmailcyrus.so in several PAM stacks. Additionally a ucs-test has been added that tests all authentication variants (username, mailPrimaryAddress(mPA), w/ and w/o {K5KEY}).
I found no problems with mPA, uid or {K5KEY} with the new setup.

ac493d54fd Bug #42759: update advisories
ef8a9fc7d3 Bug #42579: Merge branch 'sschwardt/42579/4.2/fix_pamstack' into 4.2-4
cb41ff9585 Bug #42759: check PAM stack for mail services
9bdfe95231 Bug #42759: fix PAM stack to allow login with username
540d363b0b Bug #42579: add advisories

Package: univention-mail-postfix
Version: 11.0.2-5A~4.2.0.201808231642
Branch: ucs_4.2-0
Scope: errata4.2-4

Package: univention-mail-dovecot
Version: 3.0.1-9A~4.2.0.201808231641
Branch: ucs_4.2-0
Scope: errata4.2-4

Package: univention-mail-cyrus
Version: 9.0.0-13A~4.2.0.201808231642
Branch: ucs_4.2-0
Scope: errata4.2-4

Package: univention-mail-cyrus-murder
Version: 8.0.0-4A~4.2.0.201808231642
Branch: ucs_4.2-0
Scope: errata4.2-4

Package: ucs-test
Version: 7.0.23-128A~4.2.0.201808231700
Branch: ucs_4.2-0
Scope: errata4.2-4
Comment 11 Sönke Schwardt-Krummrich univentionstaff 2018-08-27 09:30:40 CEST
5a94fee8c5 Bug #42759: 20b_check_auth_via_smtp_and_imap: fix LDAP connection on slaves and memberservers
Comment 12 Daniel Tröder univentionstaff 2018-09-10 17:06:07 CEST
OK: code change
OK: advisory

For Dovecot
===========

OK: manual tests with fetchmail and swaks
OK: automated test:

Release:	4.2-4 errata418
ii  univention-mail-postfix             11.0.2-4A~4.2.0.201802 all
ii  univention-mail-dovecot             3.0.1-8A~4.2.0.2018042 all

/sync/ucs-test/tests/40_mail# time ./20b_check_auth_via_smtp_and_imap -f

RESULT:
=======================================================
pre_change_testsaslauthd_uid                 : SKIPPED
pre_change_testsaslauthd_mailPrimaryAddress  : SKIPPED
pre_change_smtp_uid                          : OK
pre_change_smtp_mailPrimaryAddress           : OK
pre_change_sieve_uid                         : FAILED
pre_change_sieve_mailPrimaryAddress          : OK
pre_change_pop3_uid                          : FAILED
pre_change_pop3_mailPrimaryAddress           : OK
pre_change_imap_uid                          : FAILED
pre_change_imap_mailPrimaryAddress           : OK
post_change_testsaslauthd_uid                : SKIPPED
post_change_testsaslauthd_mailPrimaryAddress : SKIPPED
post_change_smtp_uid                         : OK
post_change_smtp_mailPrimaryAddress          : OK
post_change_sieve_uid                        : FAILED
post_change_sieve_mailPrimaryAddress         : OK
post_change_pop3_uid                         : FAILED
post_change_pop3_mailPrimaryAddress          : OK
post_change_imap_uid                         : FAILED
post_change_imap_mailPrimaryAddress          : OK

--
upgrade...

ii  univention-mail-postfix             11.0.2-5A~4.2.0.201808 all
ii  univention-mail-dovecot             3.0.1-9A~4.2.0.2018082 all
--

RESULT:
=======================================================
pre_change_testsaslauthd_uid                 : SKIPPED
pre_change_testsaslauthd_mailPrimaryAddress  : SKIPPED
pre_change_smtp_uid                          : OK
pre_change_smtp_mailPrimaryAddress           : OK
pre_change_sieve_uid                         : OK
pre_change_sieve_mailPrimaryAddress          : OK
pre_change_pop3_uid                          : OK
pre_change_pop3_mailPrimaryAddress           : OK
pre_change_imap_uid                          : OK
pre_change_imap_mailPrimaryAddress           : OK
post_change_testsaslauthd_uid                : SKIPPED
post_change_testsaslauthd_mailPrimaryAddress : SKIPPED
post_change_smtp_uid                         : OK
post_change_smtp_mailPrimaryAddress          : OK
post_change_sieve_uid                        : OK
post_change_sieve_mailPrimaryAddress         : OK
post_change_pop3_uid                         : OK
post_change_pop3_mailPrimaryAddress          : OK
post_change_imap_uid                         : OK
post_change_imap_mailPrimaryAddress          : OK
Comment 13 Daniel Tröder univentionstaff 2018-09-10 17:08:34 CEST
For Cyrus
=========

FAIL: manual tests with fetchmail and swaks

* OK: login to SMTP: with email & uid works
* FAIL: login to IMAP & POP: with email works, but with uid fails

FAIL: automated test:

Release:	4.2-4 errata418
ii  univention-mail-postfix             11.0.2-4A~4.2.0.201802 all
ii  univention-mail-cyrus               9.0.0-12A~4.2.0.201705 all

root@m52:~# /sync/ucs-test/tests/40_mail/20b_check_auth_via_smtp_and_imap -f

RESULT:
=======================================================
pre_change_testsaslauthd_uid                 : OK
pre_change_testsaslauthd_mailPrimaryAddress  : OK
pre_change_smtp_uid                          : OK
pre_change_smtp_mailPrimaryAddress           : OK
pre_change_sieve_uid                         : OK
pre_change_sieve_mailPrimaryAddress          : OK
pre_change_pop3_uid                          : FAILED
pre_change_pop3_mailPrimaryAddress           : OK
pre_change_imap_uid                          : OK
pre_change_imap_mailPrimaryAddress           : OK
post_change_testsaslauthd_uid                : FAILED
post_change_testsaslauthd_mailPrimaryAddress : FAILED
post_change_smtp_uid                         : OK
post_change_smtp_mailPrimaryAddress          : OK
post_change_sieve_uid                        : OK
post_change_sieve_mailPrimaryAddress         : OK
post_change_pop3_uid                         : FAILED
post_change_pop3_mailPrimaryAddress          : OK
post_change_imap_uid                         : FAILED
post_change_imap_mailPrimaryAddress          : OK

---
upgrade

ii  univention-mail-postfix             11.0.2-5A~4.2.0.201808 all
ii  univention-mail-cyrus               9.0.0-13A~4.2.0.201808 all
---

RESULT:
=======================================================
pre_change_testsaslauthd_uid                 : OK
pre_change_testsaslauthd_mailPrimaryAddress  : OK
pre_change_smtp_uid                          : OK
pre_change_smtp_mailPrimaryAddress           : OK
pre_change_sieve_uid                         : OK
pre_change_sieve_mailPrimaryAddress          : OK
pre_change_pop3_uid                          : FAILED
pre_change_pop3_mailPrimaryAddress           : OK
pre_change_imap_uid                          : OK
pre_change_imap_mailPrimaryAddress           : OK
post_change_testsaslauthd_uid                : OK
post_change_testsaslauthd_mailPrimaryAddress : OK
post_change_smtp_uid                         : OK
post_change_smtp_mailPrimaryAddress          : OK
post_change_sieve_uid                        : OK
post_change_sieve_mailPrimaryAddress         : OK
post_change_pop3_uid                         : FAILED
post_change_pop3_mailPrimaryAddress          : OK
post_change_imap_uid                         : OK
post_change_imap_mailPrimaryAddress          : OK
Comment 14 Sönke Schwardt-Krummrich univentionstaff 2018-09-10 21:53:54 CEST
I was able to reproduce this issue:

+OK Name is a valid mailbox
>>> test_pop3_auth(r550o0j97s): POP3 auth failed - -ERR [SYS/PERM] Unable to locate maildrop: Mailbox does not exist

The login itself was ok, but cyrus is unable to find the mailbox if the POP3 connection is established against "localhost". I fixed the ucs-test script by using a POP3S connection against $hostname.$domainname.

e5b8926483 Bug #42759: add changelog entry
9b3afcfbcf Bug #42759: some cleanup
34416ea4ef Bug #42759: fix POP3 login in 20b_check_auth_via_smtp_and_imap

Package: ucs-test
Version: 7.0.23-131A~4.2.0.201809102145
Branch: ucs_4.2-0
Scope: errata4.2-4
Comment 15 Daniel Tröder univentionstaff 2018-09-11 09:05:38 CEST
Still not working.
The test has an error: the email address is the same as the kerberos name.
RESULT:
=======================================================
pre_change_testsaslauthd_uid                 : OK
pre_change_testsaslauthd_mailPrimaryAddress  : OK
pre_change_smtp_uid                          : OK
pre_change_smtp_mailPrimaryAddress           : OK
pre_change_sieve_uid                         : FAILED
pre_change_sieve_mailPrimaryAddress          : OK
pre_change_pop3_uid                          : FAILED
pre_change_pop3_mailPrimaryAddress           : OK
pre_change_imap_uid                          : OK
pre_change_imap_mailPrimaryAddress           : OK
post_change_testsaslauthd_uid                : OK
post_change_testsaslauthd_mailPrimaryAddress : OK
post_change_smtp_uid                         : OK
post_change_smtp_mailPrimaryAddress          : OK
post_change_sieve_uid                        : FAILED
post_change_sieve_mailPrimaryAddress         : OK
post_change_pop3_uid                         : FAILED
post_change_pop3_mailPrimaryAddress          : OK
post_change_imap_uid                         : OK
post_change_imap_mailPrimaryAddress          : OK

I modified the test to use a local part that is different to the kerberos name.

[4.2-4 d606a73c68] Bug #42759: don't use kerberos name as email address
Comment 16 Sönke Schwardt-Krummrich univentionstaff 2018-09-11 09:39:37 CEST
But unfortunately this is now missing the point:
If you log in to Cyrus with a username, the username (UID) is interpreted as a local part of a mail address. If the domain part is missing due to the use of the UID, the default domain is automatically used. This means that it only works if the DNS domain and the mail domain are identical AND if the localpart and the UID match. This is a known limitation of Cyrus that we cannot avoid here.
I.e. if a different mail address is used now, the test will go wrong, because Cyrus does not support this. Unfortunately, no adjustment to the PAM stack will help.
Originally the point was that the login should also work if {K5KEY} is in userPassword. This problem has been fixed in this bug. If you urgently need more, we should consider this separately via a feature request/bug.

Or am I missing something at this point?
Comment 17 Daniel Tröder univentionstaff 2018-09-11 09:48:16 CEST
OK: this bug is only about enabling the same authentication as before, when changing the password to {K5KEY}. Enabling uid->mPA conversion in PAM will not be required here.
Comment 18 Daniel Tröder univentionstaff 2018-09-11 09:48:37 CEST
All fine then (automated and manual tests).