Univention Bugzilla – Full Text Bug Listing
| Summary: | saslauthd (e.g. via postfix) fails once user changes his/her own password | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Moritz Bunkus <m.bunkus> |
| Component: | | Assignee: | Sönke Schwardt-Krummrich <schwardt> |
| Status: | CLOSED FIXED | QA Contact: | Daniel Tröder <troeder> |
| Severity: | normal | | |
| Priority: | P5 | CC: | brodersen, gohmann, markus.daehlmann, scheinig, schwardt, thorsten.strusch, voelker |
| Version: | UCS 4.2 | | |
| Target Milestone: | UCS 4.2-4-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
| Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 5: Blocking further progress on the daily work |
| User Pain: | 0.286 | Enterprise Customer affected?: | Yes |
| School Customer affected?: | Yes | ISV affected?: | |
| Waiting Support: | Yes | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | 2018052521000551, 2018071921000522 | Bug group (optional): | |
| Max CVSS v3 score: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 47642 | | |
| Attachments: | auth.log from failed authentication attempts with saslauthd & PAM | | |
Description
Moritz Bunkus
2016-10-25 12:00:27 CEST
(In reply to Moritz Bunkus from comment #0)
> Comparing the user entry in the LDAP directory before and after that change
> reveals that the "userPassword" field uses a different method. Before the
> change it contained the hashed password, e.g. "userPassword: {crypt}$6$…".
> After the change it only contained a reference to the Kerberos secret:
> "userPassword: {K5KEY}".

The K5KEY attribute means that the LDAP server checks the incoming bind password against the Kerberos keys. I guess you are using Samba 4 or AD Connector? If PAM does not work, can you post the auth.log?

Created attachment 8212 [details]
auth.log from failed authentication attempts with saslauthd & PAM

The auth.log is rather unremarkable, just the usual "authentication failed". I've attached a copy from back when we still had saslauthd use PAM. The actual user name has been replaced by "USERNAME".

Other users are stumbling across this problem, too: https://help.univention.com/t/benutzer-konnen-passwort-nur-teilweise-andern/8855

Additionally I've verified that the problem still happens in 4.3.

Another workaround: using the mail address as the username should work (username@your.domain).

The problem seems to be in "/etc/pam.d/smtp". As long as the {crypt} password scheme is used, pam_unix works. If pam_unix didn't work, the assumption seems to be that it failed because username@your.domain was used instead of just the username. In this case pam_unix failed because the password scheme {K5KEY} was used, which results in a broken username mapping. See also https://help.univention.com/t/saslauthd-pam-authenticate-failed/3322/3

Replacing "requisite" with "optional" for pam_univentionmailcyrus.so should do the trick.

This issue affects at least the PAM stacks of univention-mail-postfix and maybe also univention-mail-dovecot. I have not tested if the login works correctly if the username is passed to dovecot. It will NOT work with cyrus, since cyrus will use the given username as the local part and the local DNS domain as the domain part of a mail address → works only if the username and the local part of the primary mail address are identical and the domain part matches the DNS domain of the cyrus system.

Customer affected. Fix would be great!

"requisite" has been replaced by "optional" for pam_univentionmailcyrus.so in several PAM stacks. Additionally a ucs-test has been added that tests all authentication variants (username, mailPrimaryAddress (mPA), with and without {K5KEY}). I found no problems with mPA, uid or {K5KEY} with the new setup.
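To make the "requisite" versus "optional" discussion above concrete, here is an added example (not code from this bug, from UCS or from Linux-PAM): a small Python model of how Linux-PAM walks an auth stack, following its default action table for the four keyword controls, run over a constructed before/after version of /etc/pam.d/smtp. The module order in the two stacks, the module names beyond pam_univentionmailcyrus.so and pam_unix, and the per-module outcomes for each login scenario are assumptions chosen to reproduce the behaviour the comments describe ({crypt} plus uid works, {K5KEY} plus uid dies at the mapping module, {K5KEY} plus mail address works); the real UCS PAM files were not consulted.

```python
"""Toy model of Linux-PAM auth-stack control flags (constructed example, not UCS code).

It follows the default action table Linux-PAM applies for the keywords
required / requisite / sufficient / optional, so the effect of swapping
"requisite" for "optional" on the username-mapping module can be traced.
"""

UNDEF, POSITIVE, NEGATIVE = "undef", "positive", "negative"

# Keyword -> (action on PAM_SUCCESS, action on any failure), as in the
# Linux-PAM default table: ok/bad update the stack's impression, die and
# done end the stack immediately, ignore leaves the impression untouched.
CONTROL_ACTIONS = {
    "required":   ("ok",   "bad"),
    "requisite":  ("ok",   "die"),
    "sufficient": ("done", "ignore"),
    "optional":   ("ok",   "ignore"),
}


def parse_pam_stack(text, module_type="auth"):
    """Parse pam.d-style lines into [(control, module)] for one module type.

    Only the four keyword controls are modelled; the bracketed
    [success=N ...] syntax raises so it cannot be silently misread.
    """
    stack = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != module_type:
            continue  # blank line, comment, @include, or another type
        control, module = parts[1], parts[2]
        if control not in CONTROL_ACTIONS:
            raise ValueError(f"control {control!r} not modelled")
        stack.append((control, module))
    return stack


def evaluate_stack(stack, outcomes):
    """Return (verdict, module); verdict is "granted" or "denied".

    outcomes maps module name -> True (PAM_SUCCESS) / False (failure).
    The module returned is the one whose result the verdict rests on.
    """
    impression, decided_by = UNDEF, None
    for control, module in stack:
        succeeded = outcomes.get(module, False)
        action = CONTROL_ACTIONS[control][0 if succeeded else 1]
        if action == "die":                    # requisite failure: stop now
            return "denied", module
        if action == "bad":                    # required failure: remember the first one
            if impression != NEGATIVE:
                impression, decided_by = NEGATIVE, module
        elif action in ("ok", "done"):         # a recorded failure still wins
            if impression != NEGATIVE:
                impression, decided_by = POSITIVE, module
            if action == "done":               # sufficient success ends the stack
                break
        # "ignore": the result does not touch the impression
    return ("granted" if impression == POSITIVE else "denied"), decided_by


# Constructed, simplified stacks for /etc/pam.d/smtp (assumed order, not the real file).
SMTP_BEFORE = """
auth sufficient pam_unix.so
auth requisite  pam_univentionmailcyrus.so
auth required   pam_krb5.so
"""
SMTP_AFTER = """
auth sufficient pam_unix.so
auth optional   pam_univentionmailcyrus.so
auth required   pam_krb5.so
"""

# Constructed per-module outcomes for one login attempt each (assumptions):
# the mapping module succeeds only when the login name is a mail address it
# can map to a uid, pam_unix only against a {crypt} hash, and pam_krb5
# against the Kerberos key whenever the password is right.
SCENARIOS = {
    "crypt_hash_login_with_uid":     {"pam_unix.so": True,  "pam_univentionmailcyrus.so": False, "pam_krb5.so": True},
    "k5key_login_with_uid":          {"pam_unix.so": False, "pam_univentionmailcyrus.so": False, "pam_krb5.so": True},
    "k5key_login_with_mail_address": {"pam_unix.so": False, "pam_univentionmailcyrus.so": True,  "pam_krb5.so": True},
    "wrong_password":                {"pam_unix.so": False, "pam_univentionmailcyrus.so": False, "pam_krb5.so": False},
}


def run_scenarios():
    """Evaluate every scenario against both stacks -> {(stack, scenario): (verdict, module)}."""
    results = {}
    for name, text in (("before", SMTP_BEFORE), ("after", SMTP_AFTER)):
        stack = parse_pam_stack(text)
        for scenario, outcomes in SCENARIOS.items():
            results[(name, scenario)] = evaluate_stack(stack, outcomes)
    return results


if __name__ == "__main__":
    for (stack, scenario), (verdict, module) in run_scenarios().items():
        print(f"{stack:6} {scenario:30} {verdict:8} (decided by {module})")
```

The check worth running before shipping a change like this is the last scenario: with the mapping module downgraded to "optional", a wrong password is still rejected, because pam_krb5 remains "required" and records the failure. Relaxing a control flag only fails open when no later required module enforces the credential, which is exactly what this model makes visible.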
ac493d54fd Bug #42759: update advisories
ef8a9fc7d3 Bug #42579: Merge branch 'sschwardt/42579/4.2/fix_pamstack' into 4.2-4
cb41ff9585 Bug #42759: check PAM stack for mail services
9bdfe95231 Bug #42759: fix PAM stack to allow login with username
540d363b0b Bug #42579: add advisories

Package: univention-mail-postfix
Version: 11.0.2-5A~4.2.0.201808231642
Branch: ucs_4.2-0
Scope: errata4.2-4

Package: univention-mail-dovecot
Version: 3.0.1-9A~4.2.0.201808231641
Branch: ucs_4.2-0
Scope: errata4.2-4

Package: univention-mail-cyrus
Version: 9.0.0-13A~4.2.0.201808231642
Branch: ucs_4.2-0
Scope: errata4.2-4

Package: univention-mail-cyrus-murder
Version: 8.0.0-4A~4.2.0.201808231642
Branch: ucs_4.2-0
Scope: errata4.2-4

Package: ucs-test
Version: 7.0.23-128A~4.2.0.201808231700
Branch: ucs_4.2-0
Scope: errata4.2-4

5a94fee8c5 Bug #42759: 20b_check_auth_via_smtp_and_imap: fix LDAP connection on slaves and memberservers

OK: code change
OK: advisory

For Dovecot
===========
OK: manual tests with fetchmail and swaks
OK: automated test:

Release: 4.2-4 errata418
ii univention-mail-postfix 11.0.2-4A~4.2.0.201802 all
ii univention-mail-dovecot 3.0.1-8A~4.2.0.2018042 all

/sync/ucs-test/tests/40_mail# time ./20b_check_auth_via_smtp_and_imap -f
RESULT:
=======================================================
pre_change_testsaslauthd_uid : SKIPPED
pre_change_testsaslauthd_mailPrimaryAddress : SKIPPED
pre_change_smtp_uid : OK
pre_change_smtp_mailPrimaryAddress : OK
pre_change_sieve_uid : FAILED
pre_change_sieve_mailPrimaryAddress : OK
pre_change_pop3_uid : FAILED
pre_change_pop3_mailPrimaryAddress : OK
pre_change_imap_uid : FAILED
pre_change_imap_mailPrimaryAddress : OK
post_change_testsaslauthd_uid : SKIPPED
post_change_testsaslauthd_mailPrimaryAddress : SKIPPED
post_change_smtp_uid : OK
post_change_smtp_mailPrimaryAddress : OK
post_change_sieve_uid : FAILED
post_change_sieve_mailPrimaryAddress : OK
post_change_pop3_uid : FAILED
post_change_pop3_mailPrimaryAddress : OK
post_change_imap_uid : FAILED
post_change_imap_mailPrimaryAddress : OK

-- upgrade...
ii univention-mail-postfix 11.0.2-5A~4.2.0.201808 all
ii univention-mail-dovecot 3.0.1-9A~4.2.0.2018082 all
--

RESULT:
=======================================================
pre_change_testsaslauthd_uid : SKIPPED
pre_change_testsaslauthd_mailPrimaryAddress : SKIPPED
pre_change_smtp_uid : OK
pre_change_smtp_mailPrimaryAddress : OK
pre_change_sieve_uid : OK
pre_change_sieve_mailPrimaryAddress : OK
pre_change_pop3_uid : OK
pre_change_pop3_mailPrimaryAddress : OK
pre_change_imap_uid : OK
pre_change_imap_mailPrimaryAddress : OK
post_change_testsaslauthd_uid : SKIPPED
post_change_testsaslauthd_mailPrimaryAddress : SKIPPED
post_change_smtp_uid : OK
post_change_smtp_mailPrimaryAddress : OK
post_change_sieve_uid : OK
post_change_sieve_mailPrimaryAddress : OK
post_change_pop3_uid : OK
post_change_pop3_mailPrimaryAddress : OK
post_change_imap_uid : OK
post_change_imap_mailPrimaryAddress : OK

For Cyrus
=========
FAIL: manual tests with fetchmail and swaks
* OK: login to SMTP: with email & uid works
* FAIL: login to IMAP & POP: with email works, but with uid fails
FAIL: automated test:

Release: 4.2-4 errata418
ii univention-mail-postfix 11.0.2-4A~4.2.0.201802 all
ii univention-mail-cyrus 9.0.0-12A~4.2.0.201705 all

root@m52:~# /sync/ucs-test/tests/40_mail/20b_check_auth_via_smtp_and_imap -f
RESULT:
=======================================================
pre_change_testsaslauthd_uid : OK
pre_change_testsaslauthd_mailPrimaryAddress : OK
pre_change_smtp_uid : OK
pre_change_smtp_mailPrimaryAddress : OK
pre_change_sieve_uid : OK
pre_change_sieve_mailPrimaryAddress : OK
pre_change_pop3_uid : FAILED
pre_change_pop3_mailPrimaryAddress : OK
pre_change_imap_uid : OK
pre_change_imap_mailPrimaryAddress : OK
post_change_testsaslauthd_uid : FAILED
post_change_testsaslauthd_mailPrimaryAddress : FAILED
post_change_smtp_uid : OK
post_change_smtp_mailPrimaryAddress : OK
post_change_sieve_uid : OK
post_change_sieve_mailPrimaryAddress : OK
post_change_pop3_uid : FAILED
post_change_pop3_mailPrimaryAddress : OK
post_change_imap_uid : FAILED
post_change_imap_mailPrimaryAddress : OK

--- upgrade
ii univention-mail-postfix 11.0.2-5A~4.2.0.201808 all
ii univention-mail-cyrus 9.0.0-13A~4.2.0.201808 all
---

RESULT:
=======================================================
pre_change_testsaslauthd_uid : OK
pre_change_testsaslauthd_mailPrimaryAddress : OK
pre_change_smtp_uid : OK
pre_change_smtp_mailPrimaryAddress : OK
pre_change_sieve_uid : OK
pre_change_sieve_mailPrimaryAddress : OK
pre_change_pop3_uid : FAILED
pre_change_pop3_mailPrimaryAddress : OK
pre_change_imap_uid : OK
pre_change_imap_mailPrimaryAddress : OK
post_change_testsaslauthd_uid : OK
post_change_testsaslauthd_mailPrimaryAddress : OK
post_change_smtp_uid : OK
post_change_smtp_mailPrimaryAddress : OK
post_change_sieve_uid : OK
post_change_sieve_mailPrimaryAddress : OK
post_change_pop3_uid : FAILED
post_change_pop3_mailPrimaryAddress : OK
post_change_imap_uid : OK
post_change_imap_mailPrimaryAddress : OK

I was able to reproduce this issue:

+OK Name is a valid mailbox
>>> test_pop3_auth(r550o0j97s): POP3 auth failed - -ERR [SYS/PERM] Unable to locate maildrop: Mailbox does not exist

The login itself was ok, but cyrus is unable to find the mailbox if the POP3 connection is established against "localhost". I fixed the ucs-test script by using a POP3S connection against $hostname.$domainname.

e5b8926483 Bug #42759: add changelog entry
9b3afcfbcf Bug #42759: some cleanup
34416ea4ef Bug #42759: fix POP3 login in 20b_check_auth_via_smtp_and_imap

Package: ucs-test
Version: 7.0.23-131A~4.2.0.201809102145
Branch: ucs_4.2-0
Scope: errata4.2-4

Still not working. The test has an error: the email address is the same as the kerberos name.

RESULT:
=======================================================
pre_change_testsaslauthd_uid : OK
pre_change_testsaslauthd_mailPrimaryAddress : OK
pre_change_smtp_uid : OK
pre_change_smtp_mailPrimaryAddress : OK
pre_change_sieve_uid : FAILED
pre_change_sieve_mailPrimaryAddress : OK
pre_change_pop3_uid : FAILED
pre_change_pop3_mailPrimaryAddress : OK
pre_change_imap_uid : OK
pre_change_imap_mailPrimaryAddress : OK
post_change_testsaslauthd_uid : OK
post_change_testsaslauthd_mailPrimaryAddress : OK
post_change_smtp_uid : OK
post_change_smtp_mailPrimaryAddress : OK
post_change_sieve_uid : FAILED
post_change_sieve_mailPrimaryAddress : OK
post_change_pop3_uid : FAILED
post_change_pop3_mailPrimaryAddress : OK
post_change_imap_uid : OK
post_change_imap_mailPrimaryAddress : OK

I modified the test to use a local part that is different to the kerberos name.

[4.2-4 d606a73c68] Bug #42759: don't use kerberos name as email address

But unfortunately this is now missing the point: if you log in to Cyrus with a username, the username (UID) is interpreted as the local part of a mail address. If the domain part is missing due to the use of the UID, the default domain is automatically used. This means that it only works if the DNS domain and the mail domain are identical AND if the local part and the UID match. This is a known limitation of Cyrus that we cannot avoid here. I.e. if a different mail address is used now, the test will go wrong, because Cyrus does not support this. Unfortunately, no adjustment to the PAM stack will help. Originally the point was that the login should also work if {K5KEY} is in userPassword. This problem has been fixed in this bug. If you urgently need more, we should consider this separately via a feature request/bug. Or am I missing something at this point?

OK: this bug is only about enabling the same authentication as before, when changing the password to {K5KEY}. Enabling uid->mPA conversion in PAM will not be required here.

All fine then (automated and manual tests).