Bug 47642 - [4.3] saslauthd (e.g. via postfix) fails once user changes his/her own password
[4.3] saslauthd (e.g. via postfix) fails once user changes his/her own password
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail
UCS 4.3
Other Linux
: P5 normal (vote)
: UCS 4.3-1-errata
Assigned To: Sönke Schwardt-Krummrich
Daniel Tröder
:
Depends on: 42759
Blocks:
  Show dependency treegraph
 
Reported: 2018-08-23 16:49 CEST by Sönke Schwardt-Krummrich
Modified: 2018-08-29 12:49 CEST (History)
0 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.286
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sönke Schwardt-Krummrich univentionstaff 2018-08-23 16:49:58 CEST
Merge this change also to UCS 4.3 as it fixes the UID login problem with dovecot/IMAP.

+++ This bug was initially created as a clone of Bug #42759 +++

Situation: postfix with SASL authentication via Cyrus' saslauthd (not via Dovecot as the customer in question is using Kopano as their mail server). saslauthd runs with the default configuration (MECHANISM="pam") from installation of the sasl2-bin package.

Whenever a user changes his/her password via logging in to the UMC authentication via saslauthd fails and keeps on failing, both with the new and the old password.

Comparing the user entry in the LDAP directory before and after that change reveals that the "userPassword" field uses a different method. Before the change it contained the hashed password, e.g. "userPassword: {crypt}$6$…". After the change it only contained a reference to the Kerberos secret: "userPassword: {K5KEY}".

How to reproduce it:

• Install the sasl2-bin package and start saslauthd.
• Verify that authentication works (please select a user who's not a member of the "Domain Admins" group): "testsaslauthd -u <username> -p <password>"
• Log in to the Univention Management Console as that unprivileged user. The only available module should be the password change module.
• Change the user's password.
• On the command line restart both the "nscd" and "saslauthd" services in order to prevent caching from affecting the results.
• Try to authenticate with "testsaslauthd" again. Observe that it now fails with both the old and the new password.

A workaround for one user is to log into the UMC as a user with administrative privileges and to change the user's password via the "Users" module. In that moment the "userPassword" attribute in the LDAP will contain the hashed key again.

The workaround for all users is to reconfigure saslauthd to use LDAP instead of PAM for authentication. I've implemented the following template file (/etc/univention/templates/files/etc/saslauthd.conf.d/99_custom) for this:

------------------------------------------------------------
@%@UCRWARNING=# @%@
#
# LDAP Recipient Canonical Maps support
#

search_base = @%@ldap/base@%@
query_filter = (&(univentionCanonicalRecipientRewriteEnabled=1)(|(univentionPublicPrimaryMailAddress=%s)(univentionPublicAlternativeMailAddress=%s)))
result_attribute = univentionInternalPrimaryMailAddress
search_timeout = @%@mail/postfix/ldap/timeout@%@
scope = sub
version = 3
bind_dn = @%@ldap/hostdn@%@
@!@
import os
from univention.lib.misc import getLDAPURIs
print 'server_host = %s' % getLDAPURIs(configRegistry)
if os.path.exists('/etc/machine.secret'):
	print 'bind_pw = %s' % (open('/etc/machine.secret','r').read())
else:
	print 'bind_pw = MACHINE.SECRET_IS_MISSING'
if configRegistry.is_true('mail/postfix/ldaptable/starttls', False):
	print 'start_tls = yes'
if configRegistry.is_true('mail/postfix/ldaptable/tlsrequirecert', False):
	print 'tls_require_cert = yes'
if configRegistry.get('mail/postfix/ldaptable/tlscacertfile'):
	print 'tls_ca_cert_file = %s' % configRegistry['mail/postfix/ldaptable/tlscacertfile']
print 'debuglevel = %s' % configRegistry.get('mail/postfix/ldaptable/debuglevel', '0')
@!@
------------------------------------------------------------

Registration of the template looks like this (/etc/univention/templates/info/custom):

------------------------------------------------------------
Type: multifile
Multifile: etc/saslauthd.conf

Type: subfile
Multifile: etc/saslauthd.conf
Subfile: etc/saslauthd.conf.d/99_custom
Variables: hostname
Variables: domainname
Variables: ldap/master
Variables: saslauthd/starttls
------------------------------------------------------------

Additionally a server password hook script is needed; mine (/usr/lib/univention-server/server_password_change.d/custom-saslauthd) looks like this:

------------------------------------------------------------
#!/bin/bash

if [ "$1" = "postchange" ] ; then
  /usr/sbin/ucr commit /etc/saslauthd.conf
  /usr/sbin/service saslauthd restart
fi
------------------------------------------------------------
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2018-08-24 14:12:19 CEST
"requisite" has been replaced by "optional" for pam_univentionmailcyrus.so in several PAM stacks. Additionally a ucs-test has been added that tests all authentication variants (username, mailPrimaryAddress(mPA), w/ and w/o {K5KEY}).
I found no problems with mPA, uid or {K5KEY} with the new setup.

Prepared in branch "sschwardt/47642/4.3/fix_pamstack"
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2018-08-24 14:35:53 CEST
As discussed, merged to 4.3-1-errata.

137b90f173 Bug #47642: update advisories
ccc2f331c0 Bug #47642: Merge branch 'sschwardt/47642/4.3/fix_pamstack' into 4.3-1
af76f1ddb0 Bug #47642: check PAM stack for mail services
d024f8d470 Bug #47642: add changelog entries
048655c475 Bug #47642: fix PAM stack to allow login with username
bb3d2421fa Bug #47642: add advisories

Package: univention-mail-postfix
Version: 12.0.0-21A~4.3.0.201808241427
Branch: ucs_4.3-0
Scope: errata4.3-1

Package: univention-mail-dovecot
Version: 4.0.0-11A~4.3.0.201808241427
Branch: ucs_4.3-0
Scope: errata4.3-1
Comment 3 Daniel Tröder univentionstaff 2018-08-24 19:14:26 CEST
OK: code change
OK: advisory
OK: manual tests with fetchmail and swaks
OK: auto mated test:

ii  univention-mail-postfix   12.0.0-20A~4.3.0. all               UCS - postfix configuration
ii  univention-mail-dovecot   4.0.0-10A~4.3.0.2 all               UCS - imap configuration

RESULT:  (on m52 and m141-ox)
=======================================================
pre_change_testsaslauthd_uid                 : SKIPPED
pre_change_testsaslauthd_mailPrimaryAddress  : SKIPPED
pre_change_smtp_uid                          : OK
pre_change_smtp_mailPrimaryAddress           : OK
pre_change_sieve_uid                         : FAILED
pre_change_sieve_mailPrimaryAddress          : OK
pre_change_imap_uid                          : FAILED
pre_change_imap_mailPrimaryAddress           : OK
post_change_testsaslauthd_uid                : SKIPPED
post_change_testsaslauthd_mailPrimaryAddress : SKIPPED
post_change_smtp_uid                         : OK
post_change_smtp_mailPrimaryAddress          : OK
post_change_sieve_uid                        : FAILED
post_change_sieve_mailPrimaryAddress         : OK
post_change_imap_uid                         : FAILED
post_change_imap_mailPrimaryAddress          : OK


$ univention-upgrade

ii  univention-mail-postfix   12.0.0-21         all               UCS - postfix configuration
ii  univention-mail-dovecot   4.0.0-11          all               UCS - imap configuration

RESULT:  (on m52 and m141-ox)
=======================================================
pre_change_testsaslauthd_uid                 : SKIPPED
pre_change_testsaslauthd_mailPrimaryAddress  : SKIPPED
pre_change_smtp_uid                          : OK
pre_change_smtp_mailPrimaryAddress           : OK
pre_change_sieve_uid                         : OK
pre_change_sieve_mailPrimaryAddress          : OK
pre_change_imap_uid                          : OK
pre_change_imap_mailPrimaryAddress           : OK
post_change_testsaslauthd_uid                : SKIPPED
post_change_testsaslauthd_mailPrimaryAddress : SKIPPED
post_change_smtp_uid                         : OK
post_change_smtp_mailPrimaryAddress          : OK
post_change_sieve_uid                        : OK
post_change_sieve_mailPrimaryAddress         : OK
post_change_imap_uid                         : OK
post_change_imap_mailPrimaryAddress          : OK
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2018-08-27 09:31:27 CEST
f440e6875b Bug #47642: 20b_check_auth_via_smtp_and_imap: fix LDAP connection on slaves and memberservers