Hi guys,

This morning we created a principal "mupdate@xxxxxxxxxx" and added that to
the key tab on sauber for the IMAP server, and it authenticated fine.

It would appear there is a bug somewhere meaning that
"primary/instance@REALM" style principals cannot be used as clients to
mupdate.

Regards,

Dave.

David Mayo
Networks/Systems Administrator
University of Bath Computing Services

Tel: +44 1225 38 6046
Email: D.J.Mayo@xxxxxxxxxx

David Mayo wrote:
> Hi guys,
>
> We are upgrading to cyrus-imap-2.3.14 and are looking at using mupdate
> for the first time, but we are having problems with the GSSAPI
> authentication between mupdate hosts.
>
> We have two servers - sauber and tyrrell. sauber is one of the backend
> hosts and tyrrell is the mupdate master. We have generated service
> principals for them and placed them in their own key tabs:
>
> mupdate/sauber.bath.ac.uk
> imap/sauber.bath.ac.uk
>
> mupdate/tyrrell.bath.ac.uk
> imap/tyrrell.bath.ac.uk
>
> We initialise these keytabs in the START section of cyrus.conf with the
> following line:
>
> # authenticate to Kerberos
> auth cmd="/usr/bin/kinit -k -t /opt/etc/imapd/krb5.keytab mupdate/sauber.bath.ac.uk"
>
> (obviously the mupdate master uses mupdate/tyrrell.bath.ac.uk)
>
> If we run mupdatetest after starting the master daemons we see the
> following output on sauber:
>
> sauber $ /opt/packages/cyrus-imapd/bin/mupdatetest tyrrell
> S: * AUTH "PLAIN" "GSSAPI"
> S: * STARTTLS
> S: * PARTIAL-UPDATE
> S: * OK MUPDATE "tyrrell.bath.ac.uk" "Cyrus Murder" "v2.3.14" "(master)"
> C: A01 AUTHENTICATE "GSSAPI" {796+}
> S: YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvLEn4nvf4zsyDbNlSFPQe3SwAxL7iusPxROKhmcdUc9TRrN2290JAKNL9odMnOeOcEcVsmJHAq55ux476T6iF7L+G2XLWJiseyjeCDar7PpfA0p6h+TNFKnuqHhB7BNyVgGsLrGT91R4GHa0Y0LEP
> C:
> S: BQQF/wAMAAAAAAAAOK+zDAcAEADNmu4T0KaBjcxG0O4=
> C: BQQE/wAMAAAAAAAAGT4NlQQABAAv1geB3Ly5Xf/bqt8=
> failure: prot layer failure
>
> And resulting logs on tyrrell:
>
> May 8 10:10:35 tyrrell.bath.ac.uk mupdate[15800]: [ID 921384 mail.debug] accepted connection
> May 8 10:10:35 tyrrell.bath.ac.uk master[15766]: [ID 970914 mail.error] process 15800 exited, signaled to death by 11
> May 8 10:10:35 tyrrell.bath.ac.uk master[15766]: [ID 684980 mail.warning] service mupdate pid 15800 in READY state: terminated abnormally
> May 8 10:10:35 tyrrell.bath.ac.uk master[15803]: [ID 392559 mail.debug] about to exec /opt/packages/cyrus-imapd/bin/mupdate
> May 8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 518349 mail.debug] executed
> May 8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572 mail.debug] New worker thread started, for a total of 1
> May 8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572 mail.debug] New worker thread started, for a total of 2
> May 8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572 mail.debug] New worker thread started, for a total of 3
> May 8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572 mail.debug] New worker thread started, for a total of 4
> May 8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572 mail.debug] New worker thread started, for a total of 5
>
> Looking on sauber, the mupdate/tyrrell.bath.ac.uk principal has already
> been exchanged by the time the mupdate server crashes:
>
> sauber $ klist
> Ticket cache: FILE:/tmp/krb5cc_58
> Default principal: mupdate/sauber.bath.ac.uk@xxxxxxxxxx
>
> Valid starting        Expires               Service principal
> 08/05/2009 10:10:31   08/05/2009 20:10:31   krbtgt/BATH.AC.UK@xxxxxxxxxx
>         renew until 15/05/2009 10:10:31
> 08/05/2009 10:10:31   08/05/2009 20:10:31   mupdate/tyrrell.bath.ac.uk@xxxxxxxxxx
>         renew until 15/05/2009 10:10:31
>
> While trying to make this work, we did find one way - use a principal
> that has a password rather than in the keytab:
>
> sauber $ kinit cyrus
> Password for cyrus@xxxxxxxxxx:
> sauber $ /opt/packages/cyrus-imapd/bin/mupdatetest tyrrell
> S: * AUTH "PLAIN" "GSSAPI"
> S: * STARTTLS
> S: * PARTIAL-UPDATE
> S: * OK MUPDATE "tyrrell.bath.ac.uk" "Cyrus Murder" "v2.3.14" "(master)"
> C: A01 AUTHENTICATE "GSSAPI" {772+}
> S: YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv6ysRnz7c5/jXdrML5GDO3yUDRd6e483bvcFFSv7Om/LcVmstU3vc7py4zljh1sI9cqP6wV0d6NKtUNJBEGaQNciHdasq+ywbgRsMvAsAM5/m7i06vByFOdRvZX2MxCdEMVW9KbAGRIHBvK6JQFxG
> C:
> S: BQQF/wAMAAAAAAAAOaMBYAcAEAAlGhxrUx+QK7vb6rg=
> C: BQQE/wAMAAAAAAAAELjSmQQABAB9zam/40LRAaw4zaw=
> S: A01 OK "Authenticated"
> Authenticated.
> Security strength factor: 56
> C: Q01 LOGOUT
> Q01 OK "bye-bye"
> Connection closed.
> sauber $ klist
> Ticket cache: FILE:/tmp/krb5cc_58
> Default principal: cyrus@xxxxxxxxxx
>
> Valid starting        Expires               Service principal
> 08/05/2009 10:27:37   08/05/2009 20:27:37   krbtgt/BATH.AC.UK@xxxxxxxxxx
>         renew until 15/05/2009 10:27:37
> 08/05/2009 10:27:43   08/05/2009 20:27:37   mupdate/tyrrell.bath.ac.uk@xxxxxxxxxx
>         renew until 15/05/2009 10:27:37
>
> Relevant logs from tyrrell:
>
> May 8 10:27:42 tyrrell.bath.ac.uk mupdate[15803]: [ID 596527 mail.notice] login: sauber.bath.ac.uk [138.38.132.132] cyrus GSSAPI User logged in
>
> The *only* difference is we are using a default principal of
> cyrus@xxxxxxxxxx rather than mupdate/sauber.bath.ac.uk@xxxxxxxxxx. This
> does not seem to make sense.
>
> Relevant lines from config files:
>
> sauber imapd.conf:
>
> admins: cyrus imap/sauber.bath.ac.uk
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: plain gssapi
> mupdate_server: tyrrell.bath.ac.uk
> mupdate_config: standard
> mupdate_authname: mupdate/sauber.bath.ac.uk
> mupdate_username: cyrus
>
> tyrrell imapd.conf:
>
> admins: cyrus mupdate/sauber.bath.ac.uk
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: plain gssapi
>
> We compiled cyrus-imapd-2.3.14 with the following flags:
>
> PROGDIR=/opt/packages/cyrus-imapd \
> ./configure --prefix=$PROGDIR --mandir=/opt/share/man \
>   --sysconfdir=/opt/etc/imapd \
>   --enable-listext --enable-idled --with-snmp \
>   --enable-murder \
>   --enable-replication \
>   --enable-nntp \
>   --disable-gssapi \
>   --with-cyrus-group=cyrus \
>   --with-cyrus-user=cyrus \
>   --with-cyrus-prefix=$PROGDIR \
>   --with-openssl=$OPENSSLDIR \
>   --with-ucdsnmp=/opt/packages/net-snmp \
>   --with-sasl=$SASLDIR \
>   --with-dbdir=/opt/packages/berkeley-db \
>   --with-syslogfacility=MAIL
>
> We are using Cyrus SASL 2.1.22 built like this:
>
> PROGDIR=/opt/packages/cyrus-sasl \
> ./configure --prefix=$PROGDIR --sysconfdir=/opt/etc/cyrus \
>   --with-plugindir=/opt/packages/cyrus-sasl/lib/sasl2 \
>   --enable-shared \
>   --disable-static \
>   --disable-java \
>   --with-configdir=/opt/etc/sasl2 \
>   --disable-krb4 \
>   --with-gss_impl=mit \
>   --with-rc4 \
>   --with-dblib=berkeley \
>   --with-saslauthd=/var/sasl2 --without-pwcheck \
>   --with-devrandom=/dev/urandom \
>   --enable-anon \
>   --enable-cram \
>   --enable-digest \
>   --enable-ntlm \
>   --enable-plain \
>   --enable-login \
>   --without-ldap \
>   --disable-otp \
>   --disable-ldapdb \
>   --disable-sql --without-mysql --without-pgsql --without-sqlite \
>   --enable-gssapi=$KERBEROSDIR \
>   --with-openssl=$OPENSSLDIR
>
> We are using MIT KerberosV 1.6.3 and running on Solaris 10 x86. tyrrell
> is actually a Solaris 'Zone' on sauber.
>
> If anyone has any ideas of what might be causing this problem we'd be
> very interested!
>
> Regards,
>
> Dave.
>
> David Mayo
> Networks/Systems Administrator
> University of Bath Computing Services
>
> Tel: +44 1225 38 6046
> Email: D.J.Mayo@xxxxxxxxxx
>
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
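The tyrrell log excerpt in the quoted message is the defender-side record of what happened: the mupdate child accepted a connection and, in the same second, the master reported it killed by signal 11, then respawned it. The following is an added example, not code from this thread, from Cyrus, or from the poster: a small detector over those syslog lines that correlates a child's "accepted connection" with the master's "signaled to death" report for the same pid, so a daemon crashing in its connection-handling or authentication path is raised as a finding rather than buried in debug noise. The Solaris syslog layout and the log year (LOG_YEAR) are assumptions, marked in the code; the sample lines are the ones quoted in the thread, joined back onto single lines.

```python
"""Flag a Cyrus service child that dies by signal right after accepting a
connection, from Solaris-style syslog lines.

Added example for this thread, not code from Cyrus or from the poster.
Assumptions: lines use the Solaris syslog layout seen in the thread
("Mon DD HH:MM:SS host prog[pid]: [ID nnnnnn facility.level] message") and
the year is LOG_YEAR, since syslog omits it.
"""
import re
from datetime import datetime

LOG_YEAR = 2009  # assumption: taken from the klist output in the thread (08/05/2009)

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[ ]+)\[(?P<pid>\d+)\]: "
    r"\[ID (?P<msgid>\d+) (?P<facility>\w+)\.(?P<level>\w+)\] (?P<msg>.*)$"
)
# The master's own messages about a child process (pid in the message is the child's).
SIGNAL_EXIT_RE = re.compile(r"^process (?P<pid>\d+) exited, signaled to death by (?P<sig>\d+)$")
ABNORMAL_RE = re.compile(r"^service (?P<service>\S+) pid (?P<pid>\d+) in \S+ state: terminated abnormally$")
RESPAWN_RE = re.compile(r"^about to exec (?P<path>\S+)$")

# Log lines quoted in the thread (joined onto single lines). The last one is the
# later successful login with the cyrus@REALM principal, also from the thread.
LOG_LINES = [
    "May 8 10:10:35 tyrrell.bath.ac.uk mupdate[15800]: [ID 921384 mail.debug] accepted connection",
    "May 8 10:10:35 tyrrell.bath.ac.uk master[15766]: [ID 970914 mail.error] process 15800 exited, signaled to death by 11",
    "May 8 10:10:35 tyrrell.bath.ac.uk master[15766]: [ID 684980 mail.warning] service mupdate pid 15800 in READY state: terminated abnormally",
    "May 8 10:10:35 tyrrell.bath.ac.uk master[15803]: [ID 392559 mail.debug] about to exec /opt/packages/cyrus-imapd/bin/mupdate",
    "May 8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 518349 mail.debug] executed",
    "May 8 10:27:42 tyrrell.bath.ac.uk mupdate[15803]: [ID 596527 mail.notice] login: sauber.bath.ac.uk [138.38.132.132] cyrus GSSAPI User logged in",
]


def parse_line(line):
    """Parse one syslog line into a dict; return None if it does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["ts"] = datetime.strptime(
        f"{LOG_YEAR} {rec['mon']} {rec['day']} {rec['time']}", "%Y %b %d %H:%M:%S"
    )
    return rec


def find_crash_on_connect(lines, window_seconds=5):
    """Return one finding per child that the master reports killed by a signal
    within window_seconds after that child logged 'accepted connection'."""
    records = [r for r in map(parse_line, lines) if r is not None]

    # First pass: which service each crashed pid belonged to. The master logs
    # this one line *after* the exit message, so collect it before correlating.
    service_of = {}
    for r in records:
        m = ABNORMAL_RE.match(r["msg"])
        if m:
            service_of[int(m.group("pid"))] = m.group("service")

    last_accept = {}  # child pid -> timestamp of its most recent accepted connection
    findings = []
    for r in records:
        if r["msg"] == "accepted connection":
            last_accept[r["pid"]] = r["ts"]
            continue
        m = SIGNAL_EXIT_RE.match(r["msg"])
        if not m:
            continue
        pid, sig = int(m.group("pid")), int(m.group("sig"))
        accepted = last_accept.get(pid)
        if accepted is None:
            continue  # died without ever accepting a connection: not this pattern
        delta = (r["ts"] - accepted).total_seconds()
        if 0 <= delta <= window_seconds:
            findings.append({
                "host": r["host"],
                "pid": pid,
                "service": service_of.get(pid, "unknown"),
                "signal": sig,
                "seconds_after_accept": delta,
            })
    return findings


def count_respawns(lines):
    """Count the master's 'about to exec' lines: each is a dead child being replaced."""
    return sum(1 for r in map(parse_line, lines) if r and RESPAWN_RE.match(r["msg"]))


if __name__ == "__main__":
    for f in find_crash_on_connect(LOG_LINES):
        print(f"{f['host']}: {f['service']} pid {f['pid']} killed by signal {f['signal']} "
              f"{f['seconds_after_accept']:.0f}s after accepting a connection")
    print("respawns:", count_respawns(LOG_LINES))
```

Run it over a syslog extract from the master host. A hit of the form "mupdate pid N killed by signal 11 0s after accepting a connection", repeated once per client attempt while the respawn count climbs in step, tells you the crash is in the per-connection path (here the GSSAPI exchange) rather than in startup, which is exactly the distinction that matters before changing keytabs or principals.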