Forum Replies Created
hiredman
Participant
Okay, the reason sievescript wasn’t working correctly was that my admin account was not a cyrusadmin account. So when I attempted to authenticate using:
sieveshell -u joeuser -a superadmin localhost
I would be prompted for my password twice and then logged into the account for superadmin, because the password didn’t qualify me to access joeuser’s account, only mine.
The solution is to edit /etc/imapd.conf
from this: admins cyrusimap
to this: admins cyrusimap superadmin
After stopping/starting Mail Services the sieveshell worked as expected. Hope I save someone a few hours somewhere.
=Tod
March 2, 2006 at 10:22 pm in reply to: 10.2 clients can’t authenticate against 10.4.3 for AFP? #365516
hiredman
Participant
Partial resolution: If you turn firewall AND ssh service off, 10.2 clients can authenticate against server. Clients are trying to create an ssh tunnel before authenticating, and during their wait for ssh to fail their auth window times out on the server. By getting them an abject failure response quickly (no ssh running, no firewall interfering) they can proceed quickly enough.
Apple claims only clients that previously were required to ssh exhibit this behavior, but I’ve seen it in all my 10.2 attempts. Besides, is a fresh 10.2 install in anyone’s interest at this point???

I’m going to try SACLing off clients and opening the ssh port on the firewall to the few 10.2 machines I have – hopefully this will allow 10.2 clients to get the rejection they so desire and allow me to run ssh on that box at the same time.
I’ll post back with results.
=Tod
February 27, 2006 at 9:21 pm in reply to: 10.2 clients can’t authenticate against 10.4.3 for AFP? #365459
hiredman
Participant
Update: I’ve been in communication with Apple and it looks like we’re into “known issue” land where problems go to die…
Apparently 10.2 automatically (unsuccessfully) tries to create an ssh tunnel to the server and the server is not expecting it to do that. I’m working on determining a workaround right now and will post reports of success or failure as appropriate.
=Tod
February 22, 2006 at 6:50 pm in reply to: 10.2 clients can’t authenticate against 10.4.3 for AFP? #365423
hiredman
Participant
I tried turning off AFP and it didn’t work, tried restarting after turning it off and that didn’t work. I did TCPDUMPs and sent them to you via messaging off-line.
Basically they look the same except after about 12 back and forth communications the 10.2 client starts an SSH attempt and sends 7 messages on-one to the server and then stops where the successful negotiation transfers two “S” messages and then starts a session.
Why would the 10.2 client be falling into an SSH attempt? The “connect SSH” choice in the options dialogue is off. (Actually I’ve tried it both ways.) I have seen the “ssh timed out” message I mentioned earlier and I’ve tried connection with the firewall off but that didn’t help either. (I have SSH firewalled off but not SACLed.)
Thanks for all your help,
=Tod
February 21, 2006 at 9:31 pm in reply to: 10.2 clients can’t authenticate against 10.4.3 for AFP? #365408
hiredman
Participant
I have the AFP Log enabled and set to log both Access and Errors with “login” checked under access.
The error log is completely empty and the access log shows no sign of the failed attempts. It shows the normal login, sleep request etc. but the failed logins show nothing.
The only log entries I’ve found are in console, system, and asl which have errors relating to the failed attempts:
console: Fileserver DirectoryService[52]: Failed Authentication return is being delayed due to over five recent auth failures for username:user.
system: very similar to above
asl: [timedate] [Facility daemon] [Sender Directory Service] [PID 52] [Message Failed Authentication return is being delayed due to over five recent failed attempts for username:user] [Level 1] [UID -2] [GID -2] [hostserver fileserver]
I can find no mention in either Appletalk connections or errors log. BTW I have Authentication set to “Any Method” and everything on except guest access.
The only other odd thing I’ve seen in the console of the client machine was an SSH connection timeout warning after several login attempts. In case 10.2 was attempting to make an SSH connection, I turned off the firewall, but it made no difference. (Make SSH connection in the “Options” of the login dialogue is off. I tried it both ways to no effect.)
=Tod
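The DirectoryService throttling message quoted in the post above, matched in both log shapes it mentions. This is an added example, not part of the original post; the sample lines are constructed, and the ASL field names `Time` and `Host` and the syslog timestamp layout are assumptions, since the post only paraphrases them.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the two shapes quoted in the post
# (timestamps, host name and user names are made up for this example).
SAMPLE = [
    "Feb 21 21:02:11 Fileserver DirectoryService[52]: Failed Authentication return is "
    "being delayed due to over five recent auth failures for username:joeuser.",
    "[Time 2006.02.21 21:02:11 UTC] [Facility daemon] [Sender DirectoryService] [PID 52] "
    "[Message Failed Authentication return is being delayed due to over five recent "
    "failed attempts for username:joeuser] [Level 1] [UID -2] [GID -2] [Host fileserver]",
    "Feb 21 21:05:40 Fileserver DirectoryService[52]: Failed Authentication return is "
    "being delayed due to over five recent auth failures for username:maryuser.",
    "Feb 21 21:06:02 Fileserver sshd[311]: Connection closed by 10.0.0.12",
]

ASL_FIELD = re.compile(r"\[(\w+) ([^\]]*)\]")
SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<sender>[^\[:]+)\[\d+\]: (?P<msg>.*)$")
THROTTLE = re.compile(r"Failed Authentication return is being delayed due to over five "
                      r"recent (?:auth failures|failed attempts) for username:\s*(\S+)")


def parse_line(line):
    """Return (source, user) for a DirectoryService throttle message, else None."""
    line = line.strip()
    if line.startswith("["):                      # ASL: a run of [Key Value] fields
        fields = dict(ASL_FIELD.findall(line))
        source, sender, msg = "asl", fields.get("Sender", ""), fields.get("Message", "")
    else:                                         # console.log / system.log shape
        m = SYSLOG.match(line)
        if not m:
            return None
        source, sender, msg = "syslog", m.group("sender"), m.group("msg")
    if sender.replace(" ", "") != "DirectoryService":
        return None
    hit = THROTTLE.search(msg)
    return (source, hit.group(1).rstrip(".")) if hit else None


def throttled_users(lines):
    """Map each user to a Counter of the log sources that reported throttling."""
    seen = defaultdict(Counter)
    for parsed in filter(None, map(parse_line, lines)):
        source, user = parsed
        seen[user][source] += 1
    return dict(seen)


if __name__ == "__main__":
    for user, sources in throttled_users(SAMPLE).items():
        print(user, dict(sources))
```

Because the same event is written to the console, system and ASL logs, the per-source counts show duplicates of one event rather than separate failures.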
February 21, 2006 at 8:38 pm in reply to: 10.2 clients can’t authenticate against 10.4.3 for AFP? #365405
hiredman
Participant
Doing [cmd]K and locating the server through browsing or by IP address.
It talks to the server, it just doesn’t authenticate – you get an “Unknown user, incorrect password, or not authorized to login” message. Right now I’m sorting through the PAM docs trying to figure that out. It seems to me that 10.2 is either supplying credentials in the wrong format or 10.4 is misinterpreting what is sent – maybe in PAM rules (?).
I deleted mcx_cache on the client machines that had it but that doesn’t seem to make a difference. On the 10.2 machine console you see the afp kexts load but it makes no difference. I’ve been upgrading the 10.2 machines as I find them but I’d rather solve the issue.
=Tod
February 19, 2006 at 5:09 pm in reply to: Problems with Windows users filesharing under 10.4.3 #365371
hiredman
Participant
Seems one more Windows Services stop and restart was all it took. I’m not sure why that one suddenly took and others hadn’t but… it works now.
yeah.
=Tod