Bug#635246: saslauthd authentication error with rimap

Sun Jul 24 09:24:50 UTC 2011

Package: sasl2-bin
Version: 2.1.24~rc1.dfsg1+cvs2011-05-23-4
Severity: important
Tags: squeeze patch

Courier is setup to use userdb. 

# authtest -s imap <myuser> <myuserpasswd>
Authentication succeeded.

[...]

I can authenticate users. However, the same doesn't work through saslauthd (rimap).

# testsaslauthd -u <myuser> -p <myuserpasswd>
0: NO "authentication failed"

The actual authentication seems to pass as shown in the logs /var/log/mail.log:

Jul 24 10:38:27 <myhost> imapd: Connection, ip=[::ffff:127.0.0.1]
Jul 24 10:38:27 <myhost> authdaemond: received auth request, service=imap, authtype=login
Jul 24 10:38:27 <myhost> authdaemond: authuserdb: trying this module
Jul 24 10:38:27 <myhost> authdaemond: userdb: looking up '<myuser>'
Jul 24 10:38:27 <myhost> authdaemond: userdb: home=.../<myuser>/, uid=..., gid=..., shell=/bin/false, mail=..., quota=<unset>, gecos=<unset>, options=<unset>
Jul 24 10:38:27 <myhost> authdaemond: found imappw in userdbshadow
Jul 24 10:38:27 <myhost> authdaemond: authuserdb: sysusername=<null>, sysuserid=..., sysgroupid=..., homedir=..., address=<myuser>, fullname=<null>, maildir=.../<myuser>/, quota=<null>, options=<null>
Jul 24 10:38:27 <myhost> authdaemond: authuserdb: clearpasswd=<null>, passwd=...
Jul 24 10:38:27 <myhost> authdaemond: password matches successfully
Jul 24 10:38:27 <myhost> authdaemond: Authenticated: sysusername=<null>, sysuserid=10000, sysgroupid=10000, homedir=..., address=<myuser>, fullname=<null>, maildir=.../<myuser>/, quota=<null>, options=<null>
Jul 24 10:38:27 <myhost> authdaemond: Authenticated: clearpasswd=<myuserpasswd>, passwd=...
Jul 24 10:38:27 <myhost> imapd: LOGIN, user=<myuser>, ip=[::ffff:127.0.0.1], port=[56186], protocol=IMAP
Jul 24 10:38:27 <myhost> imapd: DISCONNECTED, user=<myuser>, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=0, sent=178, time=0

The same setup works in lenny.

There seems to be similar issue in FreeBSD forums at http://forums.freebsd.org/archive/index.php/t-8953.html and a possible patch is also provided at http://netvor.sk/~johnny/hacks/cyrus-sasl-2.1.23/lib:checkpw.c.diff.

-- System Information:
Debian Release: 6.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-028stab070.14 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages sasl2-bin depends on:
ii  db-util 5.1.4                            Berkeley Database Utilities
ii  debconf 1.5.36.1                         Debian configuration management sy
ii  libc6   2.11.2-10                        Embedded GNU C Library: Shared lib
ii  libcome 1.41.12-4stable1                 common error description library
ii  libdb5. 5.1.25-10                        Berkeley v5.1 Database Libraries [
ii  libgssa 1.8.3+dfsg-4squeeze1             MIT Kerberos runtime libraries - k
ii  libk5cr 1.8.3+dfsg-4squeeze1             MIT Kerberos runtime libraries - C
ii  libkrb5 1.8.3+dfsg-4squeeze1             MIT Kerberos runtime libraries
ii  libldap 2.4.23-7.2                       OpenLDAP libraries
ii  libpam0 1.1.1-6.1                        Pluggable Authentication Modules l
ii  libsasl 2.1.24~rc1.dfsg1+cvs2011-05-23-4 Cyrus SASL - authentication abstra
ii  libssl1 1.0.0d-3                         SSL shared libraries
ii  lsb-bas 3.2-23.2squeeze1                 Linux Standard Base 3.2 init scrip

sasl2-bin recommends no packages.

sasl2-bin suggests no packages.

-- Configuration Files:
/etc/courier/authdaemonrc
authmodulelist="authuserdb"
daemons=1
version=""
authdaemonvar=/var/run/courier/authdaemon
DEBUG_LOGIN=2

/etc/default/saslauthd changed:
START=yes
MECHANISMS="rimap"
MECH_OPTIONS="127.0.0.1"
NAME="saslauthd"
THREADS=0
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

-- debconf information:
  cyrus-sasl2/upgrade-sasldb2-failed:
  cyrus-sasl2/backup-sasldb2: /var/backups/sasldb2.bak
  cyrus-sasl2/upgrade-sasldb2-backup-failed:
  cyrus-sasl2/purge-sasldb2: false