global admin without defaultdomain?

Kendrick Vargas ken at hudat.com
Mon Dec 29 21:12:46 EST 2003


On Mon, 29 Dec 2003, Igor Brezac wrote:

> On Mon, 29 Dec 2003, Kendrick Vargas wrote:
> 
> > On Mon, 29 Dec 2003, Igor Brezac wrote:
> >
> > > This would be correct only if there is a bug.  There is no bug here, but
> > > rather a misconfiguration on your part.  We can argue how to make the code
> > > different/better in order to make it easier to configure.
> > >
> > > On my configuration, I can connect as admin to any interface on the mail
> > > server (I have to use fully qualified username: admin@defaultdomain), or
> > > I can connect to a specific ip with an unqualified admin userid.
> >
> > localhost> auth cyrus
> > IMAP Password:
> > localhost>
> >
> >                    5363 Connect     cyrus@localhost on
> >                    5363 Init DB     hudat_sys
> >                    5363 Query       SELECT sys_shadow.password AS
> > userPassword FROM sys_users, sys_shadow WHERE sys_users.username = 'cyrus'
> > AND sys_users.domain = 'imap.somename.com' AND
> > sys_shadow.sys_users_id=sys_users.sys_users_id
> >                    5363 Query       SELECT sys_shadow.password AS
> > cmusaslsecretPLAIN FROM sys_users, sys_shadow WHERE sys_users.username =
> > 'cyrus' AND sys_users.domain = 'imap.somename.com' AND
> > sys_shadow.sys_users_id=sys_users.sys_users_id
> >                    5363 Quit
> >
> >
> > Look at that, it worked unqualified. It also goes in qualified too... but
> > only on localhost:
> >
> > toy:~# cyradm
> > cyradm> server localhost
> > IMAP Password:
> >               Login failed: user not found at
> > /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm
> > line 118
> > server: localhost: cannot authenticate
> > localhost> auth cyrus@imap.somename.com
> > IMAP Password:
> > localhost>
> 
> Does 'cm user.test@virtual1.com' work?
> 
> What is mysql query dump for this auth?

Once I actually get logged in, it works fine. I was able to create all of
my mailboxes once I had a user that could reliably log in. As for the
query, it was identical to the one just before it. The email was already
getting a bit long at that point, so I thought it was obvious from it
working that the query was the same.

> > Now, I'm not crazy, I've been admining boxes for 6 or 7 years now and I am
> > just proficient enough that I can go in and hack away at something when it
> > doesn't work, given enough time. The imap.somename.com only started
> > working when I added the following to my /etc/hosts file:
> >
> > 127.0.0.1       localhost localhost.localdomain imap.somename.com
> >
> > I don't know if it worked on the localhost before I added that to the
> > /etc/hosts (for resolving purposes), but I can test if you like.
> 
> This worked by accident because reverse lookup returned 'localhost'.
> imapd cannot determine domainname from that thus making the defaultdomain
> auth.
> 
> This will work for you:
> 
> 127.0.0.1 host.imap.somename.com localhost localhost.localdomain
> 
> It'd be easier if you specify a mech rather than have cyradm chase one
> that works.  So try,
> 
> cyradm --user admin@defaultdomain --auth login localhost
> 
> If this works you can try other mechs.

Ummm.. there aren't many mechs on my system :-) But at least this 
enlightens me more on cyradm's commandline use:

toy:~# cyradm --user cyrus@imap.somename.com --auth login localhost
IMAP Password: 
localhost>

toy:~# cyradm --user cyrus@imap.somename.com --auth login toy.hudat.com
IMAP Password: 
              Login failed: user not found at 
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm 
line 118
cyradm: cannot authenticate to server with login as 
cyrus@imap.somename.com
toy:~# 

There you go, it won't log in. This was after I changed the /etc/hosts 
line to the one you supplied. All this did was change the prompt in cyradm 
once I was logged in.

> > Oh, and umm... if you still don't believe me:
> >
> > toy:~# telnet toy.hudat.com 143
> > Trying 204.235.97.76...
> > Connected to toy.hudat.com.
> > Escape character is '^]'.
> > * OK imap.somename.com Cyrus IMAP4 v2.2.2-BETA server ready
> > . login cyrus@imap.somename.com PASSWORD
> > . NO Login failed: user not found
> >
> > toy:~# telnet localhost 143
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > * OK imap.somename.com Cyrus IMAP4 v2.2.2-BETA server ready
> > . login cyrus@imap.somename.com PASSWORD
> > . OK User logged in
> > . logout
> > * BYE LOGOUT received
> > . OK Completed
> > Connection closed by foreign host.
> > toy:~#
> 
> This is suspicious, but it works for me:
> 
> # imtest -a cyradm@admin.ipass.net -m login localhost
> S: * OK Ipass Cyrus IMAP4 v2.2.2 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=NTLM AUTH=DIGEST-MD5 SASL-IR
> S: C01 OK Completed
> Please enter your password:
> C: L01 LOGIN cyradm@admin.ipass.net {6}
> S: + go ahead
> C: <omitted>
> S: L01 OK User logged in
> Authenticated.
> 
> 
> # imtest -a cyradm@admin.ipass.net -m login x.y.z.60
> S: * OK Ipass Cyrus IMAP4 v2.2.2 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=NTLM AUTH=DIGEST-MD5 SASL-IR
> S: C01 OK Completed
> OK Completed Please enter your password:
> C: L01 LOGIN cyradm@admin.ipass.net {6}
> S: + go ahead
> C: <omitted>
> S: L01 OK User logged in
> Authenticated.

Would you like me to post my config again? I don't know what to tell you 
about my configuration to make you believe me when I say I can't connect a 
global admin through anything but localhost. If I had the time and I was 
more understanding of C, I'd dive in the code and hunt it down, but the 
best I can provide right now is evidence. I don't know how bad I could 
screw the configuration (and I'm pretty good about reading docs), so I 
really don't see why this looks suspicious.

Look, here's my imap.conf

configdirectory: /opt/var/imap
partition-default: /opt/var/spool/imap
sasl_pwcheck_method: auxprop
virtdomains: yes
servername: imap.somename.com
defaultdomain: imap.somename.com
admins: cyrus
hashimapspool: true
unixhierarchysep: yes
altnamespace: yes
sasl_mysql_user: user
sasl_mysql_passwd: pass
sasl_mysql_hostnames: host
sasl_mysql_database: db
sasl_mysql_statement: SELECT blah FROM blah
sieveusehomedir: false
sievedir: /opt/var/spool/sieve
sendmail: /usr/sbin/sendmail

Here's my /etc/hosts configuration:

204.235.97.76   toy.hudat.com   toy
127.0.0.1       host.imap.somename.com localhost localhost.localdomain

Here's the configure line I used on cyrus:

./configure \
   --prefix=/opt/cyrus \
   --with-cyrus-prefix=/opt/cyrus \
   --enable-listext \
   --with-cyrus-user=cyrus \
   --with-cyrus-group=cyrus \
   --with-statedir=/opt/var/lock \
   --with-auth=unix \
   --with-sasl=/opt/cyrus \
   --with-perl

Here's my sasl config line:

./configure \
   --prefix=/opt/cyrus \
   --enable-static \
   --with-gnu-ld \
   --with-staticsasl \
   --with-dbpath=/opt/etc/sasldb2 \
   --with-plugindir=/opt/cyrus/lib/sasl2 \
   --enable-checkapop \
   --with-pam \
   --disable-krb4 \
   --disable-gssapi \
   --enable-anon \
   --enable-plain \
   --disable-cram \
   --disable-digest \
   --enable-login \
   --disable-otp \
   --with-openssl=/usr \
   --with-mysql=/opt/mysql

It's sasl 2.1.17 and cyrus imap 2.2.2-BETA.

This is all running on Fedora Core 1 with all the updates.
			-peace


> > > Here are simple rules:
> > >
> > > - global admins need to be unqualified in imapd.conf
> > > - Setup an interface that resolves to host.defaultdomain or setup an
> > > interface that does not resolve to anything.  This is required only if you
> > > want to use unqualified admins when connecting to cyrus.
> > > - global admins need to be unqualified in the user database
> >
> > Well I guess I found a bug then, because I think the proof above basically
> > breaks like 3 of those rules in terms of what is actually happening. In my
> > user database, the user is qualified (and, I might add, qualified to the
> > right domain). The user can log into the localhost interface where
> > imap.somename.com resolves to just fine, either qualified or unqualified,
> > don't matter. However, when trying to go in through the public interface,
> > it doesn't matter what I try, I just can't log in.
> 
> I am still not convinced that your setup is correct, although some of the
> things you brought up could point to problems.  I use saslauthd for auth,
> but the behavior between auxprop and saslauthd should not differ.  I am
> also using the latest CVS code which should handle admins the same as
> 2.2.2-beta.

Well, I gave you all the details about my setup. Please tell me what it'll 
take to convince you that my setup isn't screwed (at least from my end).
			-peace

-- 
Let he who is without clue kiss my ass
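A small diagnostic for the question argued over in this message, added here as an example; it is not code from the thread or from the Cyrus project. It encodes the rule Igor gives for unqualified logins under virtdomains (the domain is taken from the reverse lookup of the interface the client connected to; a bare name such as "localhost", or no reverse name at all, yields no domain, so defaultdomain is used; a user in defaultdomain is matched unqualified) and then performs a real IMAP LOGIN with each form on each interface so the prediction can be compared with what the server actually does. Hostnames, addresses and the admin name are the ones posted in this thread; the interface list and the password prompt are assumptions. Note that by these rules the qualified form cyrus@imap.somename.com should be accepted on every interface, which is what Igor sees and what the telnet test above contradicts, so the live probe is the part that settles it.

```python
"""Predict, then verify, which admin login form works on which interface.

Added example, not code from this thread or from Cyrus IMAP.  The prediction
follows the rules stated in the thread; the probe speaks plain IMAP LOGIN.
Names and addresses below come from the thread; the interface list is an
assumption and the password is prompted for.
"""
import imaplib
import socket

DEFAULTDOMAIN = "imap.somename.com"   # defaultdomain: from the posted config
ADMINS = ("cyrus",)                    # admins: cyrus


def domain_from_hostname(hostname):
    """Domain part of a reverse-lookup name, or None if there is none."""
    if not hostname or "." not in hostname:
        return None           # 'localhost' (or no reverse) -> no domain
    return hostname.split(".", 1)[1]


def canonical_user(login, interface_hostname, defaultdomain=DEFAULTDOMAIN):
    """Name the server ends up looking for, per the rules in the thread."""
    if "@" in login:
        user, domain = login.split("@", 1)
    else:
        user = login
        domain = domain_from_hostname(interface_hostname) or defaultdomain
    if domain == defaultdomain:
        return user           # defaultdomain users are stored unqualified
    return f"{user}@{domain}"


def reverse_name(ip):
    """Reverse lookup the way the server sees it (/etc/hosts, then DNS)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def predict(logins, interfaces, admins=ADMINS):
    """Map (interface ip, login) -> (canonical name, would be a global admin)."""
    out = {}
    for ip, name in interfaces:
        for login in logins:
            canon = canonical_user(login, name)
            out[(ip, login)] = (canon, canon in admins)
    return out


def probe(host, logins, password, port=143, timeout=5):
    """Try IMAP LOGIN with each form on one interface.

    Returns True (OK), False (NO, e.g. 'user not found') or None (no connect).
    """
    out = {}
    for login in logins:
        try:
            conn = imaplib.IMAP4(host, port, timeout=timeout)
        except OSError:
            out[login] = None
            continue
        try:
            conn.login(login, password)
            out[login] = True
        except imaplib.IMAP4.error:
            out[login] = False
        try:
            conn.logout()
        except (imaplib.IMAP4.error, OSError):
            pass
    return out


if __name__ == "__main__":
    import getpass
    logins = ["cyrus", "cyrus@" + DEFAULTDOMAIN]
    # Assumed interfaces: loopback and the public address from the thread.
    interfaces = [("127.0.0.1", reverse_name("127.0.0.1") or ""),
                  ("204.235.97.76", reverse_name("204.235.97.76") or "")]
    pred = predict(logins, interfaces)
    pw = getpass.getpass("IMAP Password: ")
    for ip, name in interfaces:
        live = probe(ip, logins, pw)
        for login in logins:
            canon, ok = pred[(ip, login)]
            print(f"{ip:15} ({name or 'no reverse'}) {login:28} -> "
                  f"{canon:28} predicted admin={ok} live={live[login]}")
```

Run it on the mail host itself; a row where the predicted admin flag is True but the live column says False is the case this thread is about, and changing the 127.0.0.1 line in /etc/hosts between runs shows directly how the reverse name feeds the unqualified form.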