mupdate - GSSAPI authentication

David Mayo D.J.Mayo at bath.ac.uk
Tue May 12 09:09:17 EDT 2009


Hi guys,

This morning we created a principal "mupdate at BATH.AC.UK" and added that 
to the keytab on sauber for the IMAP server, and it authenticated fine.

It would appear there is a bug somewhere meaning that 
"primary/instance at REALM" style principals cannot be used as clients to 
mupdate.

Regards,


Dave.

David Mayo
Networks/Systems Administrator
University of Bath Computing Services

Tel: +44 1225 38 6046
Email: D.J.Mayo at bath.ac.uk

David Mayo wrote:
> Hi guys,
> 
> We are upgrading to cyrus-imap-2.3.14 and are looking at using mupdate
> for the first time, but we are having problems with the GSSAPI
> authentication between mupdate hosts.
> 
> We have two servers - sauber and tyrrell. sauber is one of the backend
> hosts and tyrrell is the mupdate master. We have generated service
> principals for them and placed them in their own keytabs:
> 
> mupdate/sauber.bath.ac.uk
> imap/sauber.bath.ac.uk
> 
> mupdate/tyrrell.bath.ac.uk
> imap/tyrrell.bath.ac.uk
> 
> We initialise these keytabs in the START section of cyrus.conf with the
> following line:
> 
>    # authenticate to Kerberos
>    auth          cmd="/usr/bin/kinit -k -t /opt/etc/imapd/krb5.keytab mupdate/sauber.bath.ac.uk"
> 
> (obviously the mupdate master uses mupdate/tyrrell.bath.ac.uk)
> 
> If we run mupdatetest after starting the master daemons we see the
> following output on sauber:
> 
> sauber $ /opt/packages/cyrus-imapd/bin/mupdatetest tyrrell
> S: * AUTH "PLAIN" "GSSAPI"
> S: * STARTTLS
> S: * PARTIAL-UPDATE
> S: * OK MUPDATE "tyrrell.bath.ac.uk" "Cyrus Murder" "v2.3.14" "(master)"
> C: A01 AUTHENTICATE "GSSAPI" {796+}
> YIICUAYJKoZIhvcSAQICAQBuggI/MIICO6ADAgEFoQMCAQ6iBwMFACAAAACjggFCYYIBPjCCATqgAwIBBaEMGwpCQVRILkFDLlVLoiowKKADAgEDoSEwHxsHbXVwZGF0ZRsUc2F1YmVyLXoxLmJhdGguYWMudWujgfgwgfWgAwIBEqEDAgEDooHoBIHlPVA1HD73jR4nq9Hb68acrSI8xYmDdZSJKFzualaEiI9UyhvV5nfMKIbjNaWwk5IYqI8Jm6MPIpHlsCrauF9WaiOwlYFPErEu0id4jWpl/FmqBoG+LdfivBIcpOLMWDNvRZYuarje/b97MEId8G5zikjr9wQSCjA0Yo68DtIbAPsLIWXCuVd5Pf8gY8S0U3nQeSS/YvI3hgvn9Aau4fCU/A9UWx50HrV+8AqEXqtrZ6HatkiZn1HgbvG+3iaPPKfiKeM96ZKydluJX+iI8iojF6IObakbCFdaqeploQQaqKjsradGJqSB3zCB3KADAgESooHUBIHR1h3Qku1JS6q6PkUXU48xtkn3r/SwKKAZ9MU/b2ieGfHw+1mmoo6a8A4SSOjep/CCU5jCRte2yURf+j0gCkyuH/8YhP1xxITn8ljDCkLFr0zZIWOOXg6yEB4Rpg8kUJx7xeIsTLHIc4BQE+MfDxqrKFkwM0o+RTZEd5cKICdk5Tq1bu3d/zsDuSk2x1QT77iQUMIu7g2k+tSPobMgmphjLcwqrknc68gmjTbn/NYe6ltfteRzTDQzRiga8cU3nlC/MEYA9Wc3AFIxh93GC1WqTuU=
> S:
> YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvLEn4nvf4zsyDbNlSFPQe3SwAxL7iusPxROKhmcdUc9TRrN2290JAKNL9odMnOeOcEcVsmJHAq55ux476T6iF7L+G2XLWJiseyjeCDar7PpfA0p6h+TNFKnuqHhB7BNyVgGsLrGT91R4GHa0Y0LEP
> C:
> S: BQQF/wAMAAAAAAAAOK+zDAcAEADNmu4T0KaBjcxG0O4=
> C: BQQE/wAMAAAAAAAAGT4NlQQABAAv1geB3Ly5Xf/bqt8=
> failure: prot layer failure
> 
> And resulting logs on tyrrell:
> 
> May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15800]: [ID 921384 mail.debug] accepted connection
> May  8 10:10:35 tyrrell.bath.ac.uk master[15766]: [ID 970914 mail.error] process 15800 exited, signaled to death by 11
> May  8 10:10:35 tyrrell.bath.ac.uk master[15766]: [ID 684980 mail.warning] service mupdate pid 15800 in READY state: terminated abnormally
> May  8 10:10:35 tyrrell.bath.ac.uk master[15803]: [ID 392559 mail.debug] about to exec /opt/packages/cyrus-imapd/bin/mupdate
> May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 518349 mail.debug] executed
> May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572 mail.debug] New worker thread started, for a total of 1
> May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572 mail.debug] New worker thread started, for a total of 2
> May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572 mail.debug] New worker thread started, for a total of 3
> May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572 mail.debug] New worker thread started, for a total of 4
> May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572 mail.debug] New worker thread started, for a total of 5
> 
> Looking on sauber, the mupdate/tyrrell.bath.ac.uk principal has already
> been exchanged by the time the mupdate server crashes:
> 
> sauber $ klist
> Ticket cache: FILE:/tmp/krb5cc_58
> Default principal: mupdate/sauber.bath.ac.uk at BATH.AC.UK
> 
> Valid starting                  Expires                  Service principal
> 08/05/2009 10:10:31  08/05/2009 20:10:31  krbtgt/BATH.AC.UK at BATH.AC.UK
>          renew until 15/05/2009 10:10:31
> 08/05/2009 10:10:31  08/05/2009 20:10:31  mupdate/tyrrell.bath.ac.uk at BATH.AC.UK
>          renew until 15/05/2009 10:10:31
> 
> While trying to make this work, we did find one way - use a principal
> that has a password rather than in the keytab:
> 
> sauber $ kinit cyrus
> Password for cyrus at BATH.AC.UK:
> sauber $ /opt/packages/cyrus-imapd/bin/mupdatetest tyrrell
> S: * AUTH "PLAIN" "GSSAPI"
> S: * STARTTLS
> S: * PARTIAL-UPDATE
> S: * OK MUPDATE "tyrrell.bath.ac.uk" "Cyrus Murder" "v2.3.14" "(master)"
> C: A01 AUTHENTICATE "GSSAPI" {772+}
> S:
> YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv6ysRnz7c5/jXdrML5GDO3yUDRd6e483bvcFFSv7Om/LcVmstU3vc7py4zljh1sI9cqP6wV0d6NKtUNJBEGaQNciHdasq+ywbgRsMvAsAM5/m7i06vByFOdRvZX2MxCdEMVW9KbAGRIHBvK6JQFxG
> C:
> S: BQQF/wAMAAAAAAAAOaMBYAcAEAAlGhxrUx+QK7vb6rg=
> C: BQQE/wAMAAAAAAAAELjSmQQABAB9zam/40LRAaw4zaw=
> S: A01 OK "Authenticated"
> Authenticated.
> Security strength factor: 56
> C: Q01 LOGOUT
> Q01 OK "bye-bye"
> Connection closed.
> sauber $ klist
> Ticket cache: FILE:/tmp/krb5cc_58
> Default principal: cyrus at BATH.AC.UK
> 
> Valid starting                  Expires                  Service principal
> 08/05/2009 10:27:37  08/05/2009 20:27:37  krbtgt/BATH.AC.UK at BATH.AC.UK
>          renew until 15/05/2009 10:27:37
> 08/05/2009 10:27:43  08/05/2009 20:27:37  mupdate/tyrrell.bath.ac.uk at BATH.AC.UK
>          renew until 15/05/2009 10:27:37
> 
> Relevant logs from tyrrell:
> 
> May  8 10:27:42 tyrrell.bath.ac.uk mupdate[15803]: [ID 596527 mail.notice] login: sauber.bath.ac.uk [138.38.132.132] cyrus GSSAPI User logged in
> 
> The *only* difference is we are using a default principal of
> cyrus at BATH.AC.UK rather than mupdate/sauber.bath.ac.uk at BATH.AC.UK. This
> does not seem to make sense.
> 
> Relevant lines from config files:
> 
> sauber imapd.conf:
> 
> admins: cyrus imap/sauber.bath.ac.uk
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: plain gssapi
> mupdate_server: tyrrell.bath.ac.uk
> mupdate_config: standard
> mupdate_authname: mupdate/sauber.bath.ac.uk
> mupdate_username: cyrus
> 
> tyrrell imapd.conf:
> 
> admins: cyrus mupdate/sauber.bath.ac.uk
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: plain gssapi
> 
> We compiled cyrus-imapd-2.3.14 with the following flags:
> PROGDIR=/opt/packages/cyrus-imapd \
>    ./configure --prefix=$PROGDIR --mandir=/opt/share/man \
>          --sysconfdir=/opt/etc/imapd \
>          --enable-listext --enable-idled --with-snmp \
>          --enable-murder \
>          --enable-replication \
>          --enable-nntp \
>          --disable-gssapi \
>          --with-cyrus-group=cyrus \
>          --with-cyrus-user=cyrus \
>          --with-cyrus-prefix=$PROGDIR \
>          --with-openssl=$OPENSSLDIR \
>          --with-ucdsnmp=/opt/packages/net-snmp \
>          --with-sasl=$SASLDIR \
>          --with-dbdir=/opt/packages/berkeley-db \
>          --with-syslogfacility=MAIL
> 
> We are using Cyrus SASL 2.1.22 built like this:
> 
> PROGDIR=/opt/packages/cyrus-sasl \
>    ./configure --prefix=$PROGDIR --sysconfdir=/opt/etc/cyrus \
>          --with-plugindir=/opt/packages/cyrus-sasl/lib/sasl2 \
>          --enable-shared \
>          --disable-static \
>          --disable-java \
>          --with-configdir=/opt/etc/sasl2 \
>          --disable-krb4 \
>          --with-gss_impl=mit \
>          --with-rc4 \
>          --with-dblib=berkeley \
>          --with-saslauthd=/var/sasl2 --without-pwcheck \
>          --with-devrandom=/dev/urandom \
>          --enable-anon \
>          --enable-cram \
>          --enable-digest \
>          --enable-ntlm \
>          --enable-plain \
>          --enable-login \
>          --without-ldap \
>          --disable-otp \
>          --disable-ldapdb \
>          --disable-sql --without-mysql --without-pgsql --without-sqlite \
>          --enable-gssapi=$KERBEROSDIR \
>          --with-openssl=$OPENSSLDIR
> 
> We are using MIT KerberosV 1.6.3 and running on Solaris 10 x86. tyrrell
> is actually a Solaris 'Zone' on sauber.
> 
> If anyone has any ideas of what might be causing this problem we'd be
> very interested!
> 
> Regards,
> 
> 
> Dave.
> 
> David Mayo
> Networks/Systems Administrator
> University of Bath Computing Services
> 
> Tel: +44 1225 38 6046
> Email: D.J.Mayo at bath.ac.uk
> 
> 
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
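An added check, not part of the thread or of Cyrus itself: a small Python auditor over the tyrrell syslog lines quoted above. It pairs a worker's "accepted connection" with the master's "signaled to death" report, so an mupdate process dying (signal 11) in the middle of a client's GSSAPI handshake is surfaced as a finding instead of being buried among mail.debug noise, and it separately extracts successful "logged in" lines for comparison. The log lines are re-typed from the message as constructed test input, and the Solaris syslog layout assumed is the one shown in the thread.

```python
import re

# Constructed sample input: the tyrrell syslog lines quoted in the thread,
# re-joined onto single lines (the archive wrapped them) for the parser.
SAMPLE_LOG = """\
May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15800]: [ID 921384 mail.debug] accepted connection
May  8 10:10:35 tyrrell.bath.ac.uk master[15766]: [ID 970914 mail.error] process 15800 exited, signaled to death by 11
May  8 10:10:35 tyrrell.bath.ac.uk master[15766]: [ID 684980 mail.warning] service mupdate pid 15800 in READY state: terminated abnormally
May  8 10:10:35 tyrrell.bath.ac.uk master[15803]: [ID 392559 mail.debug] about to exec /opt/packages/cyrus-imapd/bin/mupdate
May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 518349 mail.debug] executed
May  8 10:27:42 tyrrell.bath.ac.uk mupdate[15803]: [ID 596527 mail.notice] login: sauber.bath.ac.uk [138.38.132.132] cyrus GSSAPI User logged in
"""

# Solaris syslog layout assumed: "<timestamp> <host> <prog>[<pid>]: [ID <n> <facility.level>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>\w+)\[(?P<pid>\d+)\]: \[ID \d+ (?P<pri>[\w.]+)\] (?P<msg>.*)$")
SIGNALED_RE = re.compile(r"process (?P<pid>\d+) exited, signaled to death by (?P<sig>\d+)")
LOGIN_RE = re.compile(r"login: (?P<peer>\S+) \[(?P<ip>[\d.]+)\] (?P<user>\S+) (?P<mech>\S+) User logged in")

def parse(text):
    """Yield one dict per well-formed syslog line; anything else is skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groupdict()

def audit(text):
    """Return (crashes, logins). A crash is a worker the master reports as
    signal-killed; it is flagged during_session when that pid had logged
    'accepted connection' with no login since, i.e. it died mid-handshake."""
    in_session = {}        # pid -> timestamp of its last accepted connection
    crashes, logins = [], []
    for ev in parse(text):
        prog, pid, msg = ev["prog"], ev["pid"], ev["msg"]
        if prog == "mupdate" and msg == "accepted connection":
            in_session[pid] = ev["ts"]
            continue
        s = SIGNALED_RE.search(msg) if prog == "master" else None
        if s:
            crashes.append({"pid": s.group("pid"), "signal": int(s.group("sig")),
                            "ts": ev["ts"], "during_session": s.group("pid") in in_session})
            in_session.pop(s.group("pid"), None)
            continue
        l = LOGIN_RE.search(msg) if prog == "mupdate" else None
        if l:
            logins.append({"pid": pid, "ts": ev["ts"], **l.groupdict()})
            in_session.pop(pid, None)
    return crashes, logins
```

Feed it the real syslog with `audit(open(path).read())`; a non-empty `crashes` list with `during_session` set is the condition worth alerting on for any Cyrus service, not just mupdate.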