global admin without defaultdomain?
Kendrick Vargas
ken at hudat.com
Mon Dec 29 21:12:46 EST 2003
On Mon, 29 Dec 2003, Igor Brezac wrote:
> On Mon, 29 Dec 2003, Kendrick Vargas wrote:
>
> > On Mon, 29 Dec 2003, Igor Brezac wrote:
> >
> > > This would be correct only if there is a bug. There is no bug here, but
> > > rather a misconfiguration on your part. We can argue how to make the code
> > > different/better in order to make it easier to configure.
> > >
> > > On my configuration, I can connect as admin to any interface on the mail
> > > server (I have to use fully qualified username: admin at defaultdomain), or
> > > I can connect to a specific ip with an unqualified admin userid.
> >
> > localhost> auth cyrus
> > IMAP Password:
> > localhost>
> >
> > 5363 Connect cyrus at localhost on
> > 5363 Init DB hudat_sys
> > 5363 Query SELECT sys_shadow.password AS
> > userPassword FROM sys_users, sys_shadow WHERE sys_users.username = 'cyrus'
> > AND sys_users.domain = 'imap.somename.com' AND
> > sys_shadow.sys_users_id=sys_users.sys_users_id
> > 5363 Query SELECT sys_shadow.password AS
> > cmusaslsecretPLAIN FROM sys_users, sys_shadow WHERE sys_users.username =
> > 'cyrus' AND sys_users.domain = 'imap.somename.com' AND
> > sys_shadow.sys_users_id=sys_users.sys_users_id
> > 5363 Quit
> >
> >
> > Look at that, it worked unqualified. It also goes in qualified too... but
> > only on localhost:
> >
> > toy:~# cyradm
> > cyradm> server localhost
> > IMAP Password:
> > Login failed: user not found at
> > /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm
> > line 118
> > server: localhost: cannot authenticate
> > localhost> auth cyrus at imap.somename.com
> > IMAP Password:
> > localhost>
>
> Does 'cm user.test at virtual1.com' work?
>
> What is mysql query dump for this auth?
Once I actually get logged in, it works fine. I was able to create all of
my mailboxes once I had a user that could reliably log in. As for the
query, it was identical to the one just before it. The email was already
getting a bit long at that point, so I thought it was obvious from it
working that the query was the same.
> > Now, I'm not crazy, I've been admining boxes for 6 or 7 years now and I am
> > just proficient enough that I can go in and hack away at something when it
> > doesn't work, given enough time. The imap.somename.com only started
> > working when I added the following to my /etc/hosts file:
> >
> > 127.0.0.1 localhost localhost.localdomain imap.somename.com
> >
> > I don't know if it worked on the localhost before I added that to the
> > /etc/hosts (for resolving purposes), but I can test if you like.
>
> This worked by accident because reverse lookup returned 'localhost'.
> imapd cannot determine domainname from that thus making the defaultdomain
> auth.
>
> This will work for you:
>
> 127.0.0.1 host.imap.somename.com localhost localhost.localdomain
>
> It'd be easier if you specify a mech rather than have cyradm chase one
> that works. So try,
>
> cyradm --user admin at defaultdomain --auth login localhost
>
> If this works you can try other mechs.
Ummm.. there aren't many mechs on my system :-) But at least this
enlightens me more on cyradm's commandline use:
toy:~# cyradm --user cyrus at imap.somename.com --auth login localhost
IMAP Password:
localhost>
toy:~# cyradm --user cyrus at imap.somename.com --auth login toy.hudat.com
IMAP Password:
Login failed: user not found at
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm
line 118
cyradm: cannot authenticate to server with login as
cyrus at imap.somename.com
toy:~#
There you go, it won't log in. This was after I changed the /etc/hosts
line to the one you supplied. All this did was change the prompt in cyradm
once I was logged in.
> > Oh, and umm... if you still don't believe me:
> >
> > toy:~# telnet toy.hudat.com 143
> > Trying 204.235.97.76...
> > Connected to toy.hudat.com.
> > Escape character is '^]'.
> > * OK imap.somename.com Cyrus IMAP4 v2.2.2-BETA server ready
> > . login cyrus at imap.somename.com PASSWORD
> > . NO Login failed: user not found
> >
> > toy:~# telnet localhost 143
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > * OK imap.somename.com Cyrus IMAP4 v2.2.2-BETA server ready
> > . login cyrus at imap.somename.com PASSWORD
> > . OK User logged in
> > . logout
> > * BYE LOGOUT received
> > . OK Completed
> > Connection closed by foreign host.
> > toy:~#
>
> This is suspicious, but it works for me:
>
> # imtest -a cyradm at admin.ipass.net -m login localhost
> S: * OK Ipass Cyrus IMAP4 v2.2.2 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=NTLM AUTH=DIGEST-MD5 SASL-IR
> S: C01 OK Completed
> Please enter your password:
> C: L01 LOGIN cyradm at admin.ipass.net {6}
> S: + go ahead
> C: <omitted>
> S: L01 OK User logged in
> Authenticated.
>
>
> # imtest -a cyradm at admin.ipass.net -m login x.y.z.60
> S: * OK Ipass Cyrus IMAP4 v2.2.2 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=NTLM AUTH=DIGEST-MD5 SASL-IR
> S: C01 OK Completed
> OK Completed Please enter your password:
> C: L01 LOGIN cyradm at admin.ipass.net {6}
> S: + go ahead
> C: <omitted>
> S: L01 OK User logged in
> Authenticated.
Would you like me to post my config again? I don't know what to tell you
about my configuration to make you believe me when I say I can't connect a
global admin through anything but localhost. If I had the time and I was
more understanding of C, I'd dive in the code and hunt it down, but the
best I can provide right now is evidence. I don't know how bad I could
screw the configuration (and I'm pretty good about reading docs), so I
really don't see why this looks suspicious.
Look, here's my imap.conf
configdirectory: /opt/var/imap
partition-default: /opt/var/spool/imap
sasl_pwcheck_method: auxprop
virtdomains: yes
servername: imap.somename.com
defaultdomain: imap.somename.com
admins: cyrus
hashimapspool: true
unixhierarchysep: yes
altnamespace: yes
sasl_mysql_user: user
sasl_mysql_passwd: pass
sasl_mysql_hostnames: host
sasl_mysql_database: db
sasl_mysql_statement: SELECT blah FROM blah
sieveusehomedir: false
sievedir: /opt/var/spool/sieve
sendmail: /usr/sbin/sendmail
Here's my /etc/hosts configuration:
204.235.97.76 toy.hudat.com toy
127.0.0.1 host.imap.somename.com localhost localhost.localdomain
Here's the configure line I used on cyrus:
./configure \
--prefix=/opt/cyrus \
--with-cyrus-prefix=/opt/cyrus \
--enable-listext \
--with-cyrus-user=cyrus \
--with-cyrus-group=cyrus \
--with-statedir=/opt/var/lock \
--with-auth=unix \
--with-sasl=/opt/cyrus \
--with-perl
Here's my sasl config line:
./configure \
--prefix=/opt/cyrus \
--enable-static \
--with-gnu-ld \
--with-staticsasl \
--with-dbpath=/opt/etc/sasldb2 \
--with-plugindir=/opt/cyrus/lib/sasl2 \
--enable-checkapop \
--with-pam \
--disable-krb4 \
--disable-gssapi \
--enable-anon \
--enable-plain \
--disable-cram \
--disable-digest \
--enable-login \
--disable-otp \
--with-openssl=/usr \
--with-mysql=/opt/mysql
It's sasl 2.1.17 and cyrus imap 2.2.2-BETA.
This is all running on Fedora Core 1 with all the updates.
-peace
> > > Here are simple rules:
> > >
> > > - global admins need to be unqualified in imapd.conf
> > > - Setup an interface that resolves to host.defaultdomain or setup an
> > > interface that does not resolve to anything. This is required only if you
> > > want to use unqualified admins when connecting to cyrus.
> > > - global admins need to be unqualified in the user database
> >
> > Well I guess I found a bug then, because I think the proof above basically
> > breaks like 3 of those rules in terms of what is actually happening. In my
> > user database, the user is qualified (and, I might add, qualified to the
> > right domain). The user can log into the localhost interface where
> > imap.somename.com resolves to just fine, either qualified or unqualified,
> > don't matter. However, when trying to go in through the public interface,
> > it doesn't matter what I try, I just can't log in.
>
> I am still not convinced that your setup is correct, although some of the
> things you brought up could point to problems. I use saslauthd for auth,
> but the behavior between auxprop and saslauthd should not differ. I am
> also using the latest CVS code which should handle admins the same as
> 2.2.2-beta.
Well, I gave you all the details about my setup. Please tell me what it'll
take to convince you that my setup isn't screwed (at least from my end).
-peace
--
Let he who is without clue kiss my ass
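Added example (not from the thread, and not Cyrus's own code): a small Python model of the admin rules Igor states above, so the cases in this exchange can be replayed offline. It assumes exactly what he describes: a user qualified with defaultdomain is reduced to the bare userid (the only form in which a global admin is recognised), and an unqualified user gets a domain appended from the reverse lookup of the interface connected to, unless that lookup returns no dotted name or a name inside defaultdomain. The PTR tables stand in for /etc/hosts and are constructed from the two lines discussed; under these rules the unqualified login on the public interface fails as Kendrick reports, while the qualified login there is expected to succeed, which is the case the thread leaves unresolved.

```python
from typing import Dict

# Values taken from the imapd.conf posted in the thread.
DEFAULTDOMAIN = "imap.somename.com"
ADMINS = {"cyrus"}

# Constructed stand-ins for reverse lookup (first name on the /etc/hosts line).
PTR_BEFORE = {"127.0.0.1": "localhost",
              "204.235.97.76": "toy.hudat.com"}
PTR_AFTER = {"127.0.0.1": "host.imap.somename.com",   # Igor's suggested line
             "204.235.97.76": "toy.hudat.com"}


def canonify_userid(user: str, local_ip: str, ptr: Dict[str, str],
                    defaultdomain: str = DEFAULTDOMAIN) -> str:
    """Identity looked up for `user` when the client hit interface `local_ip`.

    Assumed model of the rules in the thread, not Cyrus's actual function.
    """
    if "@" in user:
        userid, domain = user.rsplit("@", 1)
        # Rule: the default domain is trimmed; other domains stay qualified.
        return userid if domain.lower() == defaultdomain.lower() else user
    # Rule: unqualified user takes its domain from the interface's reverse name.
    name = ptr.get(local_ip)
    if name and "." in name:
        domain = name.split(".", 1)[1]          # host.imap.x -> imap.x
        if domain.lower() != defaultdomain.lower():
            return f"{user}@{domain}"
    return user                                 # no name, or host.defaultdomain


def is_global_admin(user: str, local_ip: str, ptr: Dict[str, str]) -> bool:
    """True only when canonification yields a bare userid listed in admins."""
    return canonify_userid(user, local_ip, ptr) in ADMINS


if __name__ == "__main__":
    cases = [("cyrus", "127.0.0.1", PTR_BEFORE),             # localhost, works
             ("cyrus@imap.somename.com", "127.0.0.1", PTR_BEFORE),
             ("cyrus", "204.235.97.76", PTR_BEFORE),         # public, fails
             ("cyrus", "127.0.0.1", PTR_AFTER),
             ("cyrus@imap.somename.com", "204.235.97.76", PTR_AFTER)]
    for user, ip, ptr in cases:
        canon = canonify_userid(user, ip, ptr)
        print(f"{user:28} via {ip:14} ({ptr[ip]:24}) -> {canon:18} "
              f"admin={is_global_admin(user, ip, ptr)}")
```

The third case shows why unqualified `cyrus` on the public interface becomes `cyrus@hudat.com`, a user that does not exist in the database; the check a defender wants before trusting an admin login path is what each listening address reverse-resolves to.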