Murder
Rob Siemborski
rjs3 at andrew.cmu.edu
Sat Sep 28 19:10:30 EDT 2002
On 28 Sep 2002, Willem van den Oord wrote:
> 1. Is it possible to run a mupdate master on the same host as a backend?
With some creativity, yes it is. You just need to be sure that the
mupdate instance is using a different configdirectory from the backend
instance.
It is definitely possible to put a mupdate master on a frontend.
> 2. Is it possible to run a backend on the same host as a frontend?
Again, yes, but the frontend can't be answering on the IMAP port (since
the backend is answering there). I doubt this is what you want.
> I'm trying to run everything on 1 host now; all the backend daemons are
> listening to the ethernet device and all the frontend proxy-daemons to
> the loopback device (just for testing purposes), but when I try creating
> a mailbox, it gives me this message:
Ken had a "murder-in-a-box" running for some testing purposes on his
laptop and was fine (the frontend was sharing its mailbox database with
the mupdate master, and was answering on a nonstandard port). The
backend was set up as normal.
> NO unable to reserve mailbox on mupdate server
>
> Even without frontend proxies it gives me this message. But the mupdate
> master is still on the same machine of course. Might that be the
> problem?
>
> here are the relevant mail.log entries:
>
> Sep 28 22:58:38 jef cyrus/mupdate[19628]: login: mupdate from
> kerberos.jef.ahk.nl[193.67.24.49]
> Sep 28 22:58:38 jef cyrus/mupdate[19628]: cmd_set(fd:13, qwerqwer)
> Sep 28 22:58:38 jef cyrus/imapd[19626]: mupdate NO response: mailbox
> already exists
> Sep 28 22:58:38 jef cyrus/imapd[19626]: MUPDATE: can't reserve mailbox
> entry for 'qwerqwer'
You do appear to be authenticating properly, though it seems that the
mailbox already exists.
I'm betting you have your master mupdate server sharing the same
configdirectory as your backend, and since the backend does:
1. create local entry
2. reserve remote entry
the mupdate server sees that the entry already exists, and denies the
operation.
> I also have a question about authenticating to a mupdate server.
> To use a kerberos 5 ticket for authenticating to the mupdate server (and
> to the backend servers) I su to cyrus and do a: kinit -k mupdate
>
> I noticed that I also had to add the mupdate/kerberos.jef.ahk.nl service
> ticket to the keytab. This isn't ideal because the tickets it uses
> expire. Isn't it possible for clients of mupdate to read their tickets
> from the krb5.keytab?
We do this at CMU (with krb4, but krb5 shouldn't be much different) with
entries in cyrus.conf like:

START {
  auth cmd="/usr/local/bin/ksrvtgt -l 3600 imap mail1 ANDREW.CMU.EDU /imap/conf/srvtab"
}

EVENTS {
  reauth cmd="/usr/local/bin/ksrvtgt -l 3600 imap mail1 ANDREW.CMU.EDU /imap/conf/srvtab"
}

> I already tried DIGEST-MD5 and other shared secret methods, but I kept
> getting messages like:
>
> Sep 28 21:13:56 jef cyrus/imapd[18882]: badlogin:
> kerberos.jef.ahk.nl[193.67.24.49] DIGEST-MD5 [SASL(-13): user not found:
> no secret in database]
>
> I wasn't able to add MD5 tickets with: saslpasswd2 -c -n mupdate. That
> doesn't seem to do anything (although it doesn't complain about
> anything either). Only userPasswords seem to have effect. That's why I
> decided to try GSSAPI in the first place.
-n isn't doing what you expect. This could probably be clarified in the
documentation. You don't want to specify it.
> Then I have a minor problem with the pop proxy. When I try logging in
> with the user and pass command, it exits saying:
>
> -ERR [SYS/PERM] Fatal error: gethostbyname failed
[snip]
> So it looks to me that i authenticated to the backend pop3 successfully?
> I have no clue about why it exits with that strange message.
Me either. I'd need to do some more detailed debugging.
> I'm sorry if these questions seem silly. It's my first try with the
> cyrus imap server & sasl library.
They don't seem silly. We haven't gotten much feedback (other than our
own experiences) on the Murder setup.
In any case, to get a murder this close to working on your first try is
pretty impressive ;)
Let me know how it works out.
-Rob
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
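
A check for the shared-configdirectory condition discussed in the message above, as an added example that is not part of the original post or of Cyrus itself. The instance names, paths and imapd.conf contents are constructed assumptions; the log line is the one quoted in the message, unwrapped.

```python
import posixpath
import re
from collections import defaultdict

def parse_imapd_conf(text):
    """Parse 'option: value' lines of an imapd.conf; '#' lines are comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts

def shared_configdirectories(instances):
    """Return {configdirectory: [instance names]} for directories used twice or more."""
    users = defaultdict(list)
    for name, text in instances.items():
        cfgdir = parse_imapd_conf(text).get("configdirectory")
        if cfgdir:
            # Normalise so "/var/imap" and "/var/imap/" count as the same directory.
            users[posixpath.normpath(cfgdir)].append(name)
    return {d: sorted(n) for d, n in users.items() if len(n) > 1}

RESERVE_FAIL = re.compile(r"MUPDATE: can't reserve mailbox entry for '([^']*)'")

def failed_reservations(log_text):
    """Mailbox names for which imapd logged a refused mupdate reservation."""
    return RESERVE_FAIL.findall(log_text)

# Constructed sample configs (paths and instance names are assumptions).
BACKEND = "configdirectory: /var/imap\npartition-default: /var/spool/imap\n"
MASTER_SHARED = "# mupdate master\nconfigdirectory: /var/imap/\n"
MASTER_SEPARATE = "# mupdate master\nconfigdirectory: /var/imap-mupdate\n"
LOG = ("Sep 28 22:58:38 jef cyrus/imapd[19626]: MUPDATE: can't reserve mailbox "
       "entry for 'qwerqwer'\n")

if __name__ == "__main__":
    for label, master in (("shared", MASTER_SHARED), ("separate", MASTER_SEPARATE)):
        clash = shared_configdirectories({"backend": BACKEND, "mupdate": master})
        print(label, "->", clash or "no shared configdirectory")
    print("refused reservations:", failed_reservations(LOG))
```

A non-empty result from shared_configdirectories alongside refused reservations in mail.log matches the situation described in the message: the backend's local entry is already visible to the mupdate master when the reserve request arrives.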