mupdate - GSSAPI authentication

David Mayo D.J.Mayo at bath.ac.uk
Fri May 8 06:59:58 EDT 2009


Hi guys,

We are upgrading to cyrus-imap-2.3.14 and are looking at using mupdate
for the first time, but we are having problems with the GSSAPI
authentication between mupdate hosts.

We have two servers - sauber and tyrrell. sauber is one of the backend
hosts and tyrrell is the mupdate master. We have generated service
principals for them and placed them in their own key tabs:

mupdate/sauber.bath.ac.uk
imap/sauber.bath.ac.uk

mupdate/tyrrell.bath.ac.uk
imap/tyrrell.bath.ac.uk

We initialise these keytabs in the START section of cyrus.conf with the following line:

   # authenticate to Kerberos
   auth          cmd="/usr/bin/kinit -k -t /opt/etc/imapd/krb5.keytab mupdate/sauber.bath.ac.uk"

(obviously the mupdate master uses mupdate/tyrrell.bath.ac.uk)

If we run mupdatetest after starting the master daemons we see the
following output on sauber:

sauber $ /opt/packages/cyrus-imapd/bin/mupdatetest tyrrell
S: * AUTH "PLAIN" "GSSAPI"
S: * STARTTLS
S: * PARTIAL-UPDATE
S: * OK MUPDATE "tyrrell.bath.ac.uk" "Cyrus Murder" "v2.3.14" "(master)"
C: A01 AUTHENTICATE "GSSAPI" {796+}
S: YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvLEn4nvf4zsyDbNlSFPQe3SwAxL7iusPxROKhmcdUc9TRrN2290JAKNL9odMnOeOcEcVsmJHAq55ux476T6iF7L+G2XLWJiseyjeCDar7PpfA0p6h+TNFKnuqHhB7BNyVgGsLrGT91R4GHa0Y0LEP
C:
S: BQQF/wAMAAAAAAAAOK+zDAcAEADNmu4T0KaBjcxG0O4=
C: BQQE/wAMAAAAAAAAGT4NlQQABAAv1geB3Ly5Xf/bqt8=
failure: prot layer failure

And resulting logs on tyrrell:

May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15800]: [ID 921384 mail.debug] accepted connection
May  8 10:10:35 tyrrell.bath.ac.uk master[15766]: [ID 970914 mail.error] process 15800 exited, signaled to death by 11
May  8 10:10:35 tyrrell.bath.ac.uk master[15766]: [ID 684980 mail.warning] service mupdate pid 15800 in READY state: terminated abnormally
May  8 10:10:35 tyrrell.bath.ac.uk master[15803]: [ID 392559 mail.debug] about to exec /opt/packages/cyrus-imapd/bin/mupdate
May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 518349 mail.debug] executed
May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572 mail.debug] New worker thread started, for a total of 1
May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572 mail.debug] New worker thread started, for a total of 2
May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572 mail.debug] New worker thread started, for a total of 3
May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572 mail.debug] New worker thread started, for a total of 4
May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572 mail.debug] New worker thread started, for a total of 5

Looking on sauber, the mupdate/tyrrell.bath.ac.uk principal has already been exchanged by the time the mupdate server crashes:

sauber $ klist
Ticket cache: FILE:/tmp/krb5cc_58
Default principal: mupdate/sauber.bath.ac.uk@BATH.AC.UK

Valid starting                  Expires                  Service principal
08/05/2009 10:10:31  08/05/2009 20:10:31  krbtgt/BATH.AC.UK@BATH.AC.UK
         renew until 15/05/2009 10:10:31
08/05/2009 10:10:31  08/05/2009 20:10:31  mupdate/tyrrell.bath.ac.uk@BATH.AC.UK
         renew until 15/05/2009 10:10:31

While trying to make this work, we did find one way - use a principal that has a password rather than one from the keytab:

sauber $ kinit cyrus
Password for cyrus@BATH.AC.UK:
sauber $ /opt/packages/cyrus-imapd/bin/mupdatetest tyrrell
S: * AUTH "PLAIN" "GSSAPI"
S: * STARTTLS
S: * PARTIAL-UPDATE
S: * OK MUPDATE "tyrrell.bath.ac.uk" "Cyrus Murder" "v2.3.14" "(master)"
C: A01 AUTHENTICATE "GSSAPI" {772+}
S: YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv6ysRnz7c5/jXdrML5GDO3yUDRd6e483bvcFFSv7Om/LcVmstU3vc7py4zljh1sI9cqP6wV0d6NKtUNJBEGaQNciHdasq+ywbgRsMvAsAM5/m7i06vByFOdRvZX2MxCdEMVW9KbAGRIHBvK6JQFxG
C:
S: BQQF/wAMAAAAAAAAOaMBYAcAEAAlGhxrUx+QK7vb6rg=
C: BQQE/wAMAAAAAAAAELjSmQQABAB9zam/40LRAaw4zaw=
S: A01 OK "Authenticated"
Authenticated.
Security strength factor: 56
C: Q01 LOGOUT
Q01 OK "bye-bye"
Connection closed.
sauber $ klist
Ticket cache: FILE:/tmp/krb5cc_58
Default principal: cyrus@BATH.AC.UK

Valid starting                  Expires                  Service principal
08/05/2009 10:27:37  08/05/2009 20:27:37  krbtgt/BATH.AC.UK@BATH.AC.UK
         renew until 15/05/2009 10:27:37
08/05/2009 10:27:43  08/05/2009 20:27:37  mupdate/tyrrell.bath.ac.uk@BATH.AC.UK
         renew until 15/05/2009 10:27:37

Relevant logs from tyrrell:

May  8 10:27:42 tyrrell.bath.ac.uk mupdate[15803]: [ID 596527 mail.notice] login: sauber.bath.ac.uk [138.38.132.132] cyrus GSSAPI User logged in

The *only* difference is we are using a default principal of cyrus@BATH.AC.UK rather than mupdate/sauber.bath.ac.uk@BATH.AC.UK. This does not seem to make sense.

Relevant lines from config files:

sauber imapd.conf:

admins: cyrus imap/sauber.bath.ac.uk
sasl_pwcheck_method: saslauthd
sasl_mech_list: plain gssapi
mupdate_server: tyrrell.bath.ac.uk
mupdate_config: standard
mupdate_authname: mupdate/sauber.bath.ac.uk
mupdate_username: cyrus

tyrrell imapd.conf:

admins: cyrus mupdate/sauber.bath.ac.uk
sasl_pwcheck_method: saslauthd
sasl_mech_list: plain gssapi

We compiled cyrus-imapd-2.3.14 with the following flags:
PROGDIR=/opt/packages/cyrus-imapd \
   ./configure --prefix=$PROGDIR --mandir=/opt/share/man \
         --sysconfdir=/opt/etc/imapd \
         --enable-listext --enable-idled --with-snmp \
         --enable-murder \
         --enable-replication \
         --enable-nntp \
         --disable-gssapi \
         --with-cyrus-group=cyrus \
         --with-cyrus-user=cyrus \
         --with-cyrus-prefix=$PROGDIR \
         --with-openssl=$OPENSSLDIR \
         --with-ucdsnmp=/opt/packages/net-snmp \
         --with-sasl=$SASLDIR \
         --with-dbdir=/opt/packages/berkeley-db \
         --with-syslogfacility=MAIL

We are using Cyrus SASL 2.1.22 built like this:

PROGDIR=/opt/packages/cyrus-sasl \
   ./configure --prefix=$PROGDIR --sysconfdir=/opt/etc/cyrus \
         --with-plugindir=/opt/packages/cyrus-sasl/lib/sasl2 \
         --enable-shared \
         --disable-static \
         --disable-java \
         --with-configdir=/opt/etc/sasl2 \
         --disable-krb4 \
         --with-gss_impl=mit \
         --with-rc4 \
         --with-dblib=berkeley \
         --with-saslauthd=/var/sasl2 --without-pwcheck \
         --with-devrandom=/dev/urandom \
         --enable-anon \
         --enable-cram \
         --enable-digest \
         --enable-ntlm \
         --enable-plain \
         --enable-login \
         --without-ldap \
         --disable-otp \
         --disable-ldapdb \
         --disable-sql --without-mysql --without-pgsql --without-sqlite \
         --enable-gssapi=$KERBEROSDIR \
         --with-openssl=$OPENSSLDIR

We are using MIT KerberosV 1.6.3 and running on Solaris 10 x86. tyrrell is actually a Solaris 'Zone' on sauber.

If anyone has any ideas of what might be causing this problem we'd be
very interested!

Regards,


Dave.

David Mayo
Networks/Systems Administrator
University of Bath Computing Services

Tel: +44 1225 38 6046
Email: D.J.Mayo at bath.ac.uk

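The base64 tokens quoted in the two mupdatetest transcripts above can be decoded offline, which is a useful first check when a GSSAPI exchange fails right at the end: it tells you whether the Kerberos context was completed and what the SASL security-layer negotiation actually said. The following Python is an added example, not code from the original post, from Cyrus or from the SASL library. It parses the server's RFC 2743 InitialContextToken (mechanism OID and Kerberos inner token type), the RFC 4121 wrap tokens of the final SASL round, and the RFC 4752 security-layer message they carry. The inputs are the four wrap tokens and the first server token copied from the post; the function and constant names (`parse_initial_context_token`, `parse_wrap_token`, `parse_sasl_layer`, `analyze_exchange`) are this example's own.

```python
import base64

KRB5_MECH_OID = "1.2.840.113554.1.2.2"  # Kerberos V5 GSS-API mechanism (RFC 4121)
KRB5_TOK_IDS = {0x0100: "AP-REQ", 0x0200: "AP-REP", 0x0300: "KRB-ERROR"}
SASL_LAYERS = {0x01: "none", 0x02: "integrity", 0x04: "confidentiality"}  # RFC 4752 bitmask

# Tokens copied from the post: failing run (keytab principal) and working run (password principal).
SERVER_AP_REP_FAIL = (
    "YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvLEn4"
    "nvf4zsyDbNlSFPQe3SwAxL7iusPxROKhmcdUc9TRrN2290JAKNL9odMnOeOcEcVs"
    "mJHAq55ux476T6iF7L+G2XLWJiseyjeCDar7PpfA0p6h+TNFKnuqHhB7BNyVgGsL"
    "rGT91R4GHa0Y0LEP"
)
SERVER_LAYER_FAIL = "BQQF/wAMAAAAAAAAOK+zDAcAEADNmu4T0KaBjcxG0O4="
CLIENT_LAYER_FAIL = "BQQE/wAMAAAAAAAAGT4NlQQABAAv1geB3Ly5Xf/bqt8="
SERVER_LAYER_OK = "BQQF/wAMAAAAAAAAOaMBYAcAEAAlGhxrUx+QK7vb6rg="
CLIENT_LAYER_OK = "BQQE/wAMAAAAAAAAELjSmQQABAB9zam/40LRAaw4zaw="


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _decode_oid(raw):
    """Turn DER OID content octets into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_initial_context_token(b64):
    """Parse an RFC 2743 3.1 InitialContextToken: 0x60, length, mech OID, inner mech token."""
    buf = base64.b64decode(b64)
    if buf[0] != 0x60:
        raise ValueError("not an InitialContextToken (missing 0x60 tag)")
    total, pos = _der_length(buf, 1)
    if pos + total != len(buf):
        raise ValueError("outer length %d does not match %d bytes" % (total, len(buf) - pos))
    if buf[pos] != 0x06:
        raise ValueError("mechanism OID missing")
    oid_len, pos = _der_length(buf, pos + 1)
    mech = _decode_oid(buf[pos:pos + oid_len])
    pos += oid_len
    tok_id = int.from_bytes(buf[pos:pos + 2], "big")  # RFC 4121 4.1 inner token identifier
    return {"mech": mech, "krb5": mech == KRB5_MECH_OID,
            "tok_id": KRB5_TOK_IDS.get(tok_id, "0x%04x" % tok_id),
            "inner_len": len(buf) - pos - 2}


def parse_wrap_token(b64):
    """Parse an RFC 4121 4.2.6.2 wrap token (TOK_ID 05 04); recover plaintext when not sealed."""
    buf = base64.b64decode(b64)
    if buf[:2] != b"\x05\x04" or buf[3] != 0xFF:
        raise ValueError("not an RFC 4121 wrap token")
    flags = buf[2]
    ec = int.from_bytes(buf[4:6], "big")    # extra count: trailing checksum/padding bytes
    rrc = int.from_bytes(buf[6:8], "big")   # right rotation count applied to the body
    seq = int.from_bytes(buf[8:16], "big")
    body = bytearray(buf[16:])
    if rrc and body:
        r = rrc % len(body)
        body = body[r:] + body[:r]          # undo the right rotation
    sealed = bool(flags & 0x02)
    info = {"sent_by_acceptor": bool(flags & 0x01), "sealed": sealed,
            "acceptor_subkey": bool(flags & 0x04), "ec": ec, "rrc": rrc, "seq": seq}
    if sealed:                              # encrypted body: cannot be read without the session key
        info["plaintext"], info["ciphertext_len"] = None, len(body)
    else:                                   # integrity only: plaintext || EC checksum bytes
        info["plaintext"] = bytes(body[:len(body) - ec])
        info["checksum"] = bytes(body[len(body) - ec:])
    return info


def parse_sasl_layer(data):
    """Decode the RFC 4752 3.1 message: layer bitmask, 24-bit max buffer, optional UTF-8 authzid."""
    if data is None or len(data) < 4:
        raise ValueError("security-layer message missing or shorter than 4 bytes")
    layers = [name for bit, name in SASL_LAYERS.items() if data[0] & bit]
    return {"layers": layers, "max_buffer": int.from_bytes(data[1:4], "big"),
            "authzid": data[4:].decode("utf-8")}


def analyze_exchange(server_b64, client_b64):
    """Decode the server's layer offer and the client's choice from one SASL GSSAPI round."""
    srv, cli = parse_wrap_token(server_b64), parse_wrap_token(client_b64)
    return {"server": {**srv, "sasl": parse_sasl_layer(srv["plaintext"])},
            "client": {**cli, "sasl": parse_sasl_layer(cli["plaintext"])}}


if __name__ == "__main__":
    print("server context token:", parse_initial_context_token(SERVER_AP_REP_FAIL))
    for label, s, c in (("failing", SERVER_LAYER_FAIL, CLIENT_LAYER_FAIL),
                        ("working", SERVER_LAYER_OK, CLIENT_LAYER_OK)):
        ex = analyze_exchange(s, c)
        print(label, "server offer:", ex["server"]["sasl"], "seq", hex(ex["server"]["seq"]))
        print(label, "client choice:", ex["client"]["sasl"], "seq", hex(ex["client"]["seq"]))
```

Decoding shows that in both runs the server's reply is a krb5 AP-REP inside the mechanism token, the server then offers none/integrity/confidentiality with a 4096-byte buffer, and the client answers with confidentiality and a 1024-byte buffer and appends no authorization identity (the plaintext is exactly four bytes). Apart from sequence numbers and checksums the two exchanges are identical on the wire, so the segfault on tyrrell occurs after the client's final token, once the GSS context is already complete and the server is acting on the authenticated principal.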



More information about the Info-cyrus mailing list