Murder

Willem van den Oord willem at ahk.nl
Tue Oct 1 11:44:19 EDT 2002


Hi Rob and others on the list,

It works!
well... sort of.

After configuring the master mupdate to use a different config directory
I could use the imap proxy without any major problems. I'm also using
the kerberos initializing and renewal commands in cyrus.conf as you
suggested. (I still have a renewal issue, but this is kerberos related.)

I configured lmtpproxyd to listen to /var/run/cyrus/socket/lmtp so I
could use cyrdeliver with postfix. The lmtpproxyd authenticated fine to
the mupdate master, but not to the backend lmtpd. (Although this wasn't
really obvious from the entries in /var/log/mail.log.) In the auth.log
files it said:

Oct  1 13:23:45 jef cyrus/lmtpproxyd[31562]: All-whitespace username.

With some lmtptests to the lmtpproxyd (temporarily listening on
localhost), using a sniffer I could see that it returned a

421 4.3.0 deliver: can't connect to backend lmtp server

error. I peeked into the source (lmtpproxyd.c) to see where these
messages are generated and noticed that to establish a connection to the
backend it also consults:

lmtpproxy_username
lmtpproxy_authname
lmtpproxy_realm

from the config file. (This isn't in the documentation.) When I added
the lmtpproxy_username entry, it worked fine. I don't have to specify
the other entries. I don't even need to specify a valid username. I
think lmtpproxyd authenticates itself using the kerberos tickets it
holds (in my case the mupdate tickets); is that a correct assumption?

I think I have a similar problem with cyradm. I can't use GSSAPI as the
authentication mechanism (not even when connecting to the backend). In
the auth.log files it generates:

Oct  1 15:19:40 jef perl: All-whitespace username.
Oct  1 15:19:40 jef perl: No worthy mechs found

This is a pity, because I can't use cyradm on the frontend. When it
receives a referral reply (when trying to delete a mailbox) it wants to
authenticate to the backend imapd using kerberos, so it gives me a:

cyradm: cannot authenticate to kerberos.jef.ahk.nl

Because of the All-whitespace username, I guess. This looks like a SASL
issue to me.

When I try to create a mailbox (using the cyradm on the frontend) it
says:

NO Permission denied

Which is really strange, because i *am* able to create a mailbox as the
mupdate user, and there seems to be no immediate mupdate transaction
involved. I suppose this might be wrong. 

As an ordinary user I am able to create a mailbox just fine, although it
logs an error message in the mail.log:

Oct  1 16:10:33 jef cyrus/proxyd[724]: kick_mupdate: can't connect to
target: No such file or directory

I haven't tested deletion of mailboxes as an ordinary user but I guess
this depends on the support of referrals in the imap client.

Is using referrals for mailbox deletion the way it should work? I was
thinking about hiding my backend behind a packet filter and presenting
only the frontends, but when it returns referrals to do the actual
transaction, this isn't possible. I was also thinking of using perdition
as a proxy to the frontends, to map usernames into mailbox names (I need
this because we have different users with the same login name now). This
isn't possible either because it would refer to a backend and the
username isn't valid anymore on the backend.

Not to worry though... I guess I could let perdition connect to the
right backends directly (when I also specify what backend to use), and
let only the cross-realm kerberos users (from windows 2000 servers) log
in on the frontend :) (using the krb.equiv file to map principals to
mailbox names). I really like that kerberos stuff! This doesn't break
the mupdate database, right? The backends push their modifications to the
mupdate master and the mupdate master informs the mupdate slaves when
they need to know (right?).


Then there was the pop3proxyd issue. When I added a servername entry in
the config file it didn't produce the gethostbyname error anymore. But
now it seems to segfault. At least the mail.log says:

Oct  1 16:43:42 jef cyrus/master[623]: process 843 exited, signaled to
death by 11

And the pop3proxyd just closes the connection.


All things considered I have enough stuff running to build me a good new
mail configuration, and using murder is a great add-on. Besides providing
load-sharing, I can configure all my hosts with the same postfix
configuration because all mailboxes can be reached from all hosts, and
it also should work for windows 2000 users using cross-realm
authentication (although I haven't tested that yet). It also holds
great potential for distributed mailboxes etc. I'm really looking
forward to seeing how it will evolve and I hope I can help you guys a bit.

A tip: it would be nice to have a facility to map usernames to
mailbox names via plugins in the proxy daemons (like perdition does),
maybe even using the perdition modules API, so one could use their
modules. That would maybe be a more generalised alternative to the
krb.equiv file too.

Thanks,

Willem

On Sun, 2002-09-29 at 01:10, Rob Siemborski wrote:
> On 28 Sep 2002, Willem van den Oord wrote:
> 
> > 1. Is it possible to run a mupdate master on the same host as a backend?
> 
> With some creativity, yes it is.  You just need to be sure that the
> mupdate instance is using a different configdirectory from the backend
> instance.
> 
> It is definitely possible to put a mupdate master on a frontend.
> 
> > 2. Is it possible to run a backend on the same host as a frontend?
> 
> Again, yes, but the frontend can't be answering on the IMAP port (since
> the backend is answering there).  I doubt this is what you want.
> 
> > I'm trying to run everything on 1 host now; all the backend daemons are
> > listening to the ethernet device and all the frontend proxy-daemons to
> > the loopback device (just for testing purposes), but when I try creating
> > a mailbox, it gives me this message:
> 
> Ken had a "murder-in-a-box" running for some testing purposes on his
> laptop and was fine (the frontend was sharing its mailbox database with
> the mupdate master, and was answering on a nonstandard port).  The
> backend was set up as normal.
> 
> > NO unable to reserve mailbox on mupdate server
> >
> > Even without frontend proxies it gives me this message. But the mupdate
> > master is still on the same machine of course. Might that be the
> > problem?
> >
> > here are the relevant mail.log entries:
> >
> > Sep 28 22:58:38 jef cyrus/mupdate[19628]: login: mupdate from
> > kerberos.jef.ahk.nl[193.67.24.49]
> > Sep 28 22:58:38 jef cyrus/mupdate[19628]: cmd_set(fd:13, qwerqwer)
> > Sep 28 22:58:38 jef cyrus/imapd[19626]: mupdate NO response: mailbox
> > already exists
> > Sep 28 22:58:38 jef cyrus/imapd[19626]: MUPDATE: can't reserve mailbox
> > entry for 'qwerqwer'
> 
> You do appear to be authenticating properly, though it seems that the
> mailbox already exists.
> 
> I'm betting you have your master mupdate server sharing the same
> configdirectory as your backend, and since the backend does:
> 
> 1. create local entry
> 2. reserve remote entry
> 
> the mupdate server sees that the entry already exists, and denies the
> operation.
> 
> > I also have a question about authenticating to a mupdate server.
> > To use a kerberos 5 ticket for authenticating to the mupdate server (and
> > to the backend servers) I su to cyrus and do a: kinit -k mupdate
> >
> > I noticed that I also had to add the mupdate/kerberos.jef.ahk.nl service
> > ticket to the keytab. This isn't ideal because the tickets it uses
> > expire. Isn't it possible for clients of mupdate to read their tickets
> > from the krb5.keytab?
> 
> We do this at CMU (with krb4, but krb5 shouldn't be much different) with
> entries in cyrus.conf like:
> 
> START {
>   auth          cmd="/usr/local/bin/ksrvtgt -l 3600 imap mail1 ANDREW.CMU.EDU /imap/conf/srvtab"
> }
> 
> EVENTS {
>   reauth        cmd="/usr/local/bin/ksrvtgt -l 3600 imap mail1 ANDREW.CMU.EDU /imap/conf/srvtab"
> }
> 
> > I already tried DIGEST-MD5 and other shared secret methods, but I kept
> > getting messages like:
> >
> > Sep 28 21:13:56 jef cyrus/imapd[18882]: badlogin:
> > kerberos.jef.ahk.nl[193.67.24.49] DIGEST-MD5 [SASL(-13): user not found:
> > no secret in database]
> >
> > I wasn't able to add MD5 tickets with: saslpasswd2 -c -n mupdate. That
> > doesn't seem to do anything (although it doesn't complain about
> > anything either). Only userPasswords seem to have effect. That's why I
> > decided to try GSSAPI in the first place.
> 
> -n isn't doing what you expect.  This could probably be clarified in the
> documentation.  You don't want to specify it.
> 
> > Then I have a minor problem with the pop proxy. When I try logging in
> > with the user and pass command, it exits saying:
> >
> > -ERR [SYS/PERM] Fatal error: gethostbyname failed
> [snip]
> > So it looks to me that I authenticated to the backend pop3 successfully?
> > I have no clue about why it exits with that strange message.
> 
> Me either.  I'd need to do some more detailed debugging.
> 
> > I'm sorry if these questions seem silly. It's my first try with the
> > cyrus imap server & sasl library.
> 
> They don't seem silly.  We haven't gotten much feedback (other than our
> own experiences) on the Murder setup.
> 
> In any case, to get a murder this close to working on your first try is
> pretty impressive ;)
> 
> Let me know how it works out.
> 
> -Rob
> 
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> Research Systems Programmer * /usr/contributed Gatekeeper
> 
> 
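As an added example for this thread (not code from the original message, from Rob, or from the Cyrus project), here is a small Python triage script that parses syslog lines in the layout quoted above and classifies the Cyrus Murder failure signatures the thread reports: the SASL "All-whitespace username" and "No worthy mechs found" errors, the "no secret in database" badlogin, the mupdate reserve failure, the proxy-to-backend connect failures, and the master's "signaled to death by 11" crash report. The sample lines are constructed after the quoted excerpts, the signature names are my own, and the hints attached to each signature only paraphrase what the thread itself says about that symptom.

```python
import re
from collections import Counter

# Constructed sample lines, modeled on the mail.log / auth.log excerpts quoted in the thread.
SAMPLE_LOG = """\
Oct  1 13:23:45 jef cyrus/lmtpproxyd[31562]: All-whitespace username.
Oct  1 15:19:40 jef perl: All-whitespace username.
Oct  1 15:19:40 jef perl: No worthy mechs found
Oct  1 16:10:33 jef cyrus/proxyd[724]: kick_mupdate: can't connect to target: No such file or directory
Oct  1 16:43:42 jef cyrus/master[623]: process 843 exited, signaled to death by 11
Sep 28 22:58:38 jef cyrus/imapd[19626]: MUPDATE: can't reserve mailbox entry for 'qwerqwer'
Sep 28 21:13:56 jef cyrus/imapd[18882]: badlogin: kerberos.jef.ahk.nl[193.67.24.49] DIGEST-MD5 [SASL(-13): user not found: no secret in database]
Oct  1 16:44:00 jef cyrus/imapd[900]: login: client[10.0.0.5] alice PLAIN User logged in
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host prog[pid]: message" (the [pid] part is optional).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Cyrus master reports a child killed by a signal like this; 11 is SIGSEGV.
CRASH_RE = re.compile(r"signaled to death by (?P<sig>\d+)")

# (signature name, pattern, hint). Names are mine; hints paraphrase the thread's own findings.
SIGNATURES = [
    ("sasl-empty-username", re.compile(r"All-whitespace username"),
     "SASL was handed an empty user name; for lmtpproxyd this cleared once lmtpproxy_username was set"),
    ("sasl-no-mechanism", re.compile(r"No worthy mechs found"),
     "no usable SASL mechanism could be negotiated; check mechanism availability and credentials"),
    ("sasl-no-secret", re.compile(r"no secret in database"),
     "no shared secret stored for this user/mechanism; saslpasswd2 -n does not do what you expect"),
    ("mupdate-reserve-failed", re.compile(r"can't reserve mailbox entry"),
     "mupdate already sees the entry; check that master mupdate and backend use separate configdirectory"),
    ("backend-unreachable", re.compile(r"can't connect to (?:backend|target)"),
     "a proxy could not reach its backend or mupdate target; check socket/host settings and authentication"),
    ("daemon-crash", CRASH_RE,
     "a child died on a signal (11 = SIGSEGV); capture a core and the command that triggered it"),
]
HINTS = {name: hint for name, _pattern, hint in SIGNATURES}


def parse_line(line):
    """Split one syslog line into ts/host/prog/pid/msg; return None if it does not fit the layout."""
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(msg):
    """Return the name of the first signature matching a log message, or None if it is benign."""
    for name, pattern, _hint in SIGNATURES:
        if pattern.search(msg):
            return name
    return None


def crash_signal(msg):
    """Extract the signal number from a 'signaled to death by N' message, or None."""
    m = CRASH_RE.search(msg)
    return int(m.group("sig")) if m else None


def triage(text):
    """Parse every line, keep those matching a known signature, and attach program, pid and hint."""
    findings = []
    for line in text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue  # not syslog-shaped; skip rather than guess
        name = classify(fields["msg"])
        if name is None:
            continue  # e.g. a successful login line
        findings.append({
            "ts": fields["ts"], "prog": fields["prog"], "pid": fields["pid"],
            "signature": name, "hint": HINTS[name],
            "signal": crash_signal(fields["msg"]),
        })
    return findings


def count_signatures(text):
    """Histogram of signatures: a quick 'what is failing most' view over a log excerpt."""
    return Counter(f["signature"] for f in triage(text))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['prog']}[{f['pid']}] {f['signature']}: {f['hint']}")
    print(count_signatures(SAMPLE_LOG))
```

Run against a real mail.log or auth.log by passing the file contents to `triage()`; the per-program and pid fields make it easy to tell whether the "All-whitespace username" lines come from lmtpproxyd, from the perl cyradm client, or from both, which is the distinction the thread had to work out by hand.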