GSSAPI Context Issues (expired kerberos tickets) with Murder
Paul M Fleming
pfleming at siumed.edu
Wed Mar 1 15:44:39 EST 2006
I'm currently running a murder setup with 4 frontend and 4 backend
machines. Authentication is done using Kerberos 5. Most clients connect
via SSL and the plaintext password is checked via saslauthd then they
are proxied to the correct backend using GSSAPI credentials. We're
having problems with long lived clients (machines left on 24-7 or logged
in >8hours most using Netscape). Netscape's connections freeze when the
GSSAPI credentials expire. Clients that are not long lived (IMP webmail
for example) do not have this problem. Quitting the client and restarting
always solves the problem. When I did an strace on the proxyd and imapd
processes for a hung connection both were waiting in a select for the
tcp connection between them. Turning up debugging in this environment is
not practical because it is production.
The question: Do I have to change all my murder related principals to
use longer lived tickets (current ticket lifetime is 10 hours, renewing
every 6) to avoid context expiry during busy work hours? Is it
recommended to do ticket renewals with "at" instead of "period"? Anyone
else have long lived (>8 hour) connections in a Kerberos murder? Anyone
else having this problem? Suggestions? Comments?
DETAIL: logs, versions and configs follow....
frontend logs
Mar 1 07:38:12 mp2 imaps[4423]: starttls: TLSv1 with cipher RC4-MD5
(128/128 bits reused) no authentication
Mar 1 07:38:12 mp2 imaps[4423]: login: XXX.siumed.edu [1.1.1.1] user
plain+TLS User logged in
Mar 1 07:38:31 mp2 imaps[4423]: PROTERR: Connection reset by peer
Mar 1 07:38:40 mp2 imaps[4443]: starttls: TLSv1 with cipher RC4-MD5
(128/128 bits new) no authentication
Mar 1 07:38:42 mp2 imaps[4443]: login: XXX.siumed.edu [1.1.1.1] user
plain+TLS User logged in
Mar 1 13:33:40 mp2 imaps[4443]: GSSAPI Error: The context has expired
(No error)
backend logs
Mar 1 07:38:12 imap2 imap[4412]: login: mp2.siumed.edu [2.2.2.2] user
GSSAPI User logged in
Mar 1 07:38:42 imap2 imap[4561]: login: mp2.siumed.edu [2.2.2.2] user
GSSAPI User logged in
Mar 1 10:01:27 imap2 imap[4561]: skiplist: checkpointed
/var/imap/user/u/user.seen (44 records, 3820 bytes) in 0 seconds
Mar 1 13:45:40 imap2 imap[4561]: GSSAPI Error: The context has expired
(No error)
Mar 1 13:58:40 imap2 imap[4561]: idle for too long, closing connection
version (fe and be) note auth=regexp is a custom regular expression auth
module.
name : Cyrus IMAPD
version : v2.2.12 2005/02/14 16:43:51
vendor : Project Cyrus
support-url: http://asg.web.cmu.edu/cyrus
os : Linux
environment: Built w/Cyrus SASL 2.1.20
Running w/Cyrus SASL 2.1.20
Built w/Sleepycat Software: Berkeley DB 3.3.11: (July 12,2001)
Running w/Sleepycat Software: Berkeley DB 3.3.11: (July
12, 2001)
Built w/OpenSSL 0.9.6b [engine] 9 Jul 2001
Running w/OpenSSL 0.9.6b [engine] 9 Jul 2001
CMU Sieve 2.2
TCP Wrappers
mmap = shared
lock = fcntl
nonblock = fcntl
auth = regexp
idle = poll
backend-url:
front-end cyrus.conf
START {
auth cmd="/usr/kerberos/bin/kinit -k -t /etc/krb5.keytab
murder/hostname.siumed.edu"
recover cmd="ctl_cyrusdb -r"
}
SERVICES {
mupdate cmd="/usr/cyrus/bin/mupdate " listen=3905 prefork=1
imap cmd="proxyd" listen="imap" prefork=10 maxchild=750
imaps cmd="proxyd -s" listen="imaps" prefork=10 maxchild=750
imapp cmd="proxyd" listen="imap-priv" prefork=2 maxchild=5
lmtp cmd="lmtpproxyd" listen="/var/imap/socket/lmtp"
prefork=5 maxchild=10
sieve cmd="timsieved" listen="sieve" prefork=1 maxchild=10
}
EVENTS {
checkpoint cmd="ctl_cyrusdb -c" period=5
delprune cmd="cyr_expire -E 3" period=1440
tlsprune cmd="tls_prune" period=1440
reauth cmd="/usr/kerberos/bin/kinit -k -t /etc/krb5.keytab
murder/hostname.siumed.edu" period="360"
}
front-end imapd.conf
configdirectory: /var/imap
partition-default: /var/spool/imap
quotawarn: 85
duplicatesuppression: yes
imapidresponse: yes
allowallsubscribe: yes
annotation_db: skiplist
duplicate_db: berkeley-nosync
mboxlist_db: skiplist
quota_db: quotalegacy
seenstate_db: skiplist
subscription_db: flat
tlscache_db: berkeley-nosync
admins: regexp:mupdate/.+\.siumed\.edu regexp:mupdate/.+\.som\.siu\.edu
regexp:.+/admin regexp:murder/.+\.siumed\.edu
sievedir: /var/sieve
sendmail: /usr/sbin/sendmail
sasl_pwcheck_method: saslauthd
tls_cert_file: /etc/ssl/cert.pem
tls_key_file: /etc/ssl/key.pem
tls_ca_file: /etc/ssl/siumed_ca_cert.pem
mupdate_server: mupdatemaster.siumed.edu
mupdate_port: 3905
backend cyrus.conf
START {
auth cmd="/usr/kerberos/bin/kinit -k -t /etc/krb5.keytab
hostname/imap1.siumed.edu"
recover cmd="ctl_cyrusdb -r"
mupdatepush cmd="ctl_mboxlist -m -a"
}
SERVICES {
imap cmd="imapd" listen="imap" prefork=10 maxchild=650
imaps cmd="imapd -s" listen="imaps" prefork=10 maxchild=650
imapp cmd="imapd" listen="imap-priv" prefork=5 maxchild=5
lmtp cmd="lmtpd" listen="lmtp" prefork=5 maxchild=10
fud cmd="fud" listen="fud" prefork=1 proto=udp
lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=5
maxchild=10
sieve cmd="timsieved" listen="sieve" prefork=1 maxchild=10
}
EVENTS {
checkpoint cmd="ctl_cyrusdb -c" period=5
delprune cmd="cyr_expire -E 3" period=1440
tlsprune cmd="tls_prune" period=1440
reauth cmd="/usr/kerberos/bin/kinit -k -t /etc/krb5.keytab
mupdate/hostname.siumed.edu" period="360"
}
backend imapd.conf
configdirectory: /var/imap
partition-default: /var/spool/imap
quotawarn: 85
duplicatesuppression: yes
imapidresponse: yes
allowallsubscribe: yes
annotation_db: skiplist
duplicate_db: berkeley-nosync
mboxlist_db: skiplist
quota_db: quotalegacy
seenstate_db: skiplist
subscription_db: flat
tlscache_db: berkeley-nosync
admins: regexp:.+/admin
# allow frontend to proxy & send lmtp
proxyservers: regexp:murder/.+\.siumed\.edu
lmtp_admins: regexp:murder/.+\.siumed\.edu
sievedir: /var/sieve
sendmail: /usr/sbin/sendmail
sasl_pwcheck_method: saslauthd
tls_cert_file: /etc/ssl/cert.pem
tls_key_file: /etc/ssl/key.pem
tls_ca_file: /etc/ssl/siumed_ca_cert.pem
mupdate_server: mupdatemaster.siumed.edu
mupdate_port: 3905
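The following is an added example, not code from the post or from the Cyrus project. It does two things that help when diagnosing the situation described above: it pairs each "GSSAPI Error: The context has expired" line with the login recorded by the same proxyd pid, so you can see how long a proxied session lived before its context expired, and it models how the kinit schedule bounds the lifetime a new context can get. The model assumed here (stated in the code, not confirmed by the post) is that a context's lifetime is fixed when it is established and bounded by the end time of the ticket then in the credential cache, so a later kinit replaces the cache but does not extend contexts already in use. With 10 hour tickets re-obtained every 6 hours, a connection therefore gets a context of somewhere between 4 and 10 hours depending on when it arrives. The sample log lines, host names, pids and addresses are constructed placeholders shaped like the frontend log in the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines, shaped like the frontend (proxyd) log in the
# post but with placeholder host names, pids and addresses; not a real capture.
SAMPLE_LOG = """\
Mar  1 07:38:12 fe1 imaps[4423]: login: client.example.edu [192.0.2.10] user plain+TLS User logged in
Mar  1 07:38:31 fe1 imaps[4423]: PROTERR: Connection reset by peer
Mar  1 07:38:42 fe1 imaps[4443]: login: client.example.edu [192.0.2.10] user plain+TLS User logged in
Mar  1 13:33:40 fe1 imaps[4443]: GSSAPI Error: The context has expired (No error)
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
EXPIRED_MSG = "GSSAPI Error: The context has expired"


def parse_syslog_line(line, year=2006):
    """Split one BSD-syslog style line into its fields; None if it does not match.
    Syslog timestamps carry no year, so the caller supplies one (2006, the
    year of the post, by default)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = re.sub(r"\s+", " ", m.group("ts"))
    return {
        "ts": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
        "host": m.group("host"),
        "prog": m.group("prog"),
        "pid": int(m.group("pid")),
        "msg": m.group("msg"),
    }


def context_expiry_sessions(log_text, year=2006):
    """Pair each 'context has expired' error with the login the same pid logged
    earlier and return (pid, login_ts, expiry_ts, seconds_alive) tuples.
    Cyrus forks one process per connection, so the pid identifies the session."""
    logins = {}
    sessions = []
    for line in log_text.splitlines():
        rec = parse_syslog_line(line, year)
        if rec is None:
            continue
        if rec["msg"].startswith("login: "):
            logins[rec["pid"]] = rec["ts"]
        elif rec["msg"].startswith(EXPIRED_MSG) and rec["pid"] in logins:
            start = logins.pop(rec["pid"])
            alive = int((rec["ts"] - start).total_seconds())
            sessions.append((rec["pid"], start, rec["ts"], alive))
    return sessions


def context_lifetime_bounds(ticket_lifetime, kinit_period):
    """Shortest and longest GSSAPI context a new proxied connection can get.

    Assumed model: the context lifetime is fixed at establishment and bounded
    by the end time of the ticket in the ccache at that moment; a later kinit
    refreshes the ccache but not contexts already in use. With kinit run every
    `kinit_period`, the ticket is between 0 and `kinit_period` old when a
    connection arrives."""
    if kinit_period > ticket_lifetime:
        raise ValueError("kinit period longer than ticket lifetime leaves gaps with no valid ticket")
    return ticket_lifetime - kinit_period, ticket_lifetime


def session_at_risk(session_length, ticket_lifetime, kinit_period):
    """True if a connection of this length can outlive its context under the schedule."""
    shortest, _ = context_lifetime_bounds(ticket_lifetime, kinit_period)
    return session_length > shortest


def required_ticket_lifetime(longest_session, kinit_period):
    """Ticket lifetime needed so that no session up to `longest_session` expires."""
    return longest_session + kinit_period


if __name__ == "__main__":
    for pid, start, end, alive in context_expiry_sessions(SAMPLE_LOG):
        print(f"pid {pid}: context expired after {timedelta(seconds=alive)} "
              f"({start:%H:%M:%S} -> {end:%H:%M:%S})")
    lo, hi = context_lifetime_bounds(timedelta(hours=10), timedelta(hours=6))
    print(f"context lifetime with 10h tickets re-obtained every 6h: {lo} to {hi}")
    print("8h session at risk:",
          session_at_risk(timedelta(hours=8), timedelta(hours=10), timedelta(hours=6)))
    print("ticket lifetime needed for 8h sessions with 6h kinit:",
          required_ticket_lifetime(timedelta(hours=8), timedelta(hours=6)))
```

Run against the real proxyd log (one year argument per file, since syslog lines carry none) to get the distribution of session ages at expiry; if the shortest observed age is near `ticket_lifetime - kinit_period`, the schedule, not the client, is the limiting factor. Note that under this model renewable tickets do not help an existing context either, since renewal produces a new ticket rather than extending the one the context was bound to; the only levers are a longer ticket lifetime or a shorter gap between kinit runs.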