mupdate - GSSAPI authentication
David Mayo
D.J.Mayo at bath.ac.uk
Tue May 12 09:09:17 EDT 2009
Hi guys,
This morning we created a principal "mupdate at BATH.AC.UK" and added that
to the keytab on sauber for the IMAP server, and it authenticated fine.
It would appear there is a bug somewhere meaning that
"primary/instance at REALM" style principals cannot be used as clients to
mupdate.
Regards,
Dave.
David Mayo
Networks/Systems Administrator
University of Bath Computing Services
Tel: +44 1225 38 6046
Email: D.J.Mayo at bath.ac.uk
David Mayo wrote:
> Hi guys,
>
> We are upgrading to cyrus-imap-2.3.14 and are looking at using mupdate
> for the first time, but we are having problems with the GSSAPI
> authentication between mupdate hosts.
>
> We have two servers - sauber and tyrrell. sauber is one of the backend
> hosts and tyrrell is the mupdate master. We have generated service
> principals for them and placed them in their own keytabs:
>
> mupdate/sauber.bath.ac.uk
> imap/sauber.bath.ac.uk
>
> mupdate/tyrrell.bath.ac.uk
> imap/tyrrell.bath.ac.uk
>
> We initialise these keytabs in the START section of cyrus.conf with the
> following line:
>
> # authenticate to Kerberos
> auth cmd="/usr/bin/kinit -k -t /opt/etc/imapd/krb5.keytab
> mupdate/sauber.bath.ac.uk"
>
> (obviously the mupdate master uses mupdate/tyrrell.bath.ac.uk)
>
> If we run mupdatetest after starting the master daemons we see the
> following output on sauber:
>
> sauber $ /opt/packages/cyrus-imapd/bin/mupdatetest tyrrell
> S: * AUTH "PLAIN" "GSSAPI"
> S: * STARTTLS
> S: * PARTIAL-UPDATE
> S: * OK MUPDATE "tyrrell.bath.ac.uk" "Cyrus Murder" "v2.3.14" "(master)"
> C: A01 AUTHENTICATE "GSSAPI" {796+}
> S:
> YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvLEn4nvf4zsyDbNlSFPQe3SwAxL7iusPxROKhmcdUc9TRrN2290JAKNL9odMnOeOcEcVsmJHAq55ux476T6iF7L+G2XLWJiseyjeCDar7PpfA0p6h+TNFKnuqHhB7BNyVgGsLrGT91R4GHa0Y0LEP
> C:
> S: BQQF/wAMAAAAAAAAOK+zDAcAEADNmu4T0KaBjcxG0O4=
> C: BQQE/wAMAAAAAAAAGT4NlQQABAAv1geB3Ly5Xf/bqt8=
> failure: prot layer failure
>
> And resulting logs on tyrrell:
>
> May 8 10:10:35 tyrrell.bath.ac.uk mupdate[15800]: [ID 921384
> mail.debug] accepted connection
> May 8 10:10:35 tyrrell.bath.ac.uk master[15766]: [ID 970914 mail.error]
> process 15800 exited, signaled to death by 11
> May 8 10:10:35 tyrrell.bath.ac.uk master[15766]: [ID 684980
> mail.warning] service mupdate pid 15800 in READY state: terminated
> abnormally
> May 8 10:10:35 tyrrell.bath.ac.uk master[15803]: [ID 392559 mail.debug]
> about to exec /opt/packages/cyrus-imapd/bin/mupdate
> May 8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 518349
> mail.debug] executed
> May 8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572
> mail.debug] New worker thread started, for a total of 1
> May 8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572
> mail.debug] New worker thread started, for a total of 2
> May 8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572
> mail.debug] New worker thread started, for a total of 3
> May 8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572
> mail.debug] New worker thread started, for a total of 4
> May 8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572
> mail.debug] New worker thread started, for a total of 5
>
> Looking on sauber, the mupdate/tyrrell.bath.ac.uk principal has already
> been exchanged by the time the mupdate server crashes:
>
> sauber $ klist
> Ticket cache: FILE:/tmp/krb5cc_58
> Default principal: mupdate/sauber.bath.ac.uk at BATH.AC.UK
>
> Valid starting Expires Service principal
> 08/05/2009 10:10:31 08/05/2009 20:10:31 krbtgt/BATH.AC.UK at BATH.AC.UK
> renew until 15/05/2009 10:10:31
> 08/05/2009 10:10:31 08/05/2009 20:10:31
> mupdate/tyrrell.bath.ac.uk at BATH.AC.UK
> renew until 15/05/2009 10:10:31
>
> While trying to make this work, we did find one way - use a principal
> that has a password rather than one from the keytab:
>
> sauber $ kinit cyrus
> Password for cyrus at BATH.AC.UK:
> sauber $ /opt/packages/cyrus-imapd/bin/mupdatetest tyrrell
> S: * AUTH "PLAIN" "GSSAPI"
> S: * STARTTLS
> S: * PARTIAL-UPDATE
> S: * OK MUPDATE "tyrrell.bath.ac.uk" "Cyrus Murder" "v2.3.14" "(master)"
> C: A01 AUTHENTICATE "GSSAPI" {772+}
> S:
> YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv6ysRnz7c5/jXdrML5GDO3yUDRd6e483bvcFFSv7Om/LcVmstU3vc7py4zljh1sI9cqP6wV0d6NKtUNJBEGaQNciHdasq+ywbgRsMvAsAM5/m7i06vByFOdRvZX2MxCdEMVW9KbAGRIHBvK6JQFxG
> C:
> S: BQQF/wAMAAAAAAAAOaMBYAcAEAAlGhxrUx+QK7vb6rg=
> C: BQQE/wAMAAAAAAAAELjSmQQABAB9zam/40LRAaw4zaw=
> S: A01 OK "Authenticated"
> Authenticated.
> Security strength factor: 56
> C: Q01 LOGOUT
> Q01 OK "bye-bye"
> Connection closed.
> sauber $ klist
> Ticket cache: FILE:/tmp/krb5cc_58
> Default principal: cyrus at BATH.AC.UK
>
> Valid starting Expires Service principal
> 08/05/2009 10:27:37 08/05/2009 20:27:37 krbtgt/BATH.AC.UK at BATH.AC.UK
> renew until 15/05/2009 10:27:37
> 08/05/2009 10:27:43 08/05/2009 20:27:37
> mupdate/tyrrell.bath.ac.uk at BATH.AC.UK
> renew until 15/05/2009 10:27:37
>
> Relevant logs from tyrrell:
>
> May 8 10:27:42 tyrrell.bath.ac.uk mupdate[15803]: [ID 596527
> mail.notice] login: sauber.bath.ac.uk [138.38.132.132] cyrus GSSAPI User
> logged in
>
> The *only* difference is we are using a default principal of
> cyrus at BATH.AC.UK rather than mupdate/sauber.bath.ac.uk at BATH.AC.UK. This
> does not seem to make sense.
>
> Relevant lines from config files:
>
> sauber imapd.conf:
>
> admins: cyrus imap/sauber.bath.ac.uk
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: plain gssapi
> mupdate_server: tyrrell.bath.ac.uk
> mupdate_config: standard
> mupdate_authname: mupdate/sauber.bath.ac.uk
> mupdate_username: cyrus
>
> tyrrell imapd.conf:
>
> admins: cyrus mupdate/sauber.bath.ac.uk
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: plain gssapi
>
> We compiled cyrus-imapd-2.3.14 with the following flags:
> PROGDIR=/opt/packages/cyrus-imapd \
> ./configure --prefix=$PROGDIR --mandir=/opt/share/man \
> --sysconfdir=/opt/etc/imapd \
> --enable-listext --enable-idled --with-snmp \
> --enable-murder \
> --enable-replication \
> --enable-nntp \
> --disable-gssapi \
> --with-cyrus-group=cyrus \
> --with-cyrus-user=cyrus \
> --with-cyrus-prefix=$PROGDIR \
> --with-openssl=$OPENSSLDIR \
> --with-ucdsnmp=/opt/packages/net-snmp \
> --with-sasl=$SASLDIR \
> --with-dbdir=/opt/packages/berkeley-db \
> --with-syslogfacility=MAIL
>
> We are using Cyrus SASL 2.1.22 built like this:
>
> PROGDIR=/opt/packages/cyrus-sasl \
> ./configure --prefix=$PROGDIR --sysconfdir=/opt/etc/cyrus \
> --with-plugindir=/opt/packages/cyrus-sasl/lib/sasl2 \
> --enable-shared \
> --disable-static \
> --disable-java \
> --with-configdir=/opt/etc/sasl2 \
> --disable-krb4 \
> --with-gss_impl=mit \
> --with-rc4 \
> --with-dblib=berkeley \
> --with-saslauthd=/var/sasl2 --without-pwcheck \
> --with-devrandom=/dev/urandom \
> --enable-anon \
> --enable-cram \
> --enable-digest \
> --enable-ntlm \
> --enable-plain \
> --enable-login \
> --without-ldap \
> --disable-otp \
> --disable-ldapdb \
> --disable-sql --without-mysql --without-pgsql --without-sqlite \
> --enable-gssapi=$KERBEROSDIR \
> --with-openssl=$OPENSSLDIR
>
> We are using MIT KerberosV 1.6.3 and running on Solaris 10 x86. tyrrell
> is actually a Solaris 'Zone' on sauber.
>
> If anyone has any ideas of what might be causing this problem we'd be
> very interested!
>
> Regards,
>
>
> Dave.
>
> David Mayo
> Networks/Systems Administrator
> University of Bath Computing Services
>
> Tel: +44 1225 38 6046
> Email: D.J.Mayo at bath.ac.uk
>
>
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
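The tyrrell logs quoted in the original report show the pattern an operator wants to catch automatically: a mupdate worker accepts a connection, master then reports that pid "signaled to death by 11" and the service "terminated abnormally", and master respawns a fresh worker. The following is an added example (not code from the thread or from Cyrus) that parses Solaris-style syslog lines of that shape, correlates master's crash reports with the worker that had just accepted a client, and separately records successful GSSAPI logins; the sample log is constructed from the lines quoted above.

```python
import re

# Constructed sample in the shape of the tyrrell master/mupdate syslog lines quoted in the thread.
SAMPLE_LOG = """\
May 8 10:10:35 tyrrell.bath.ac.uk mupdate[15800]: [ID 921384 mail.debug] accepted connection
May 8 10:10:35 tyrrell.bath.ac.uk master[15766]: [ID 970914 mail.error] process 15800 exited, signaled to death by 11
May 8 10:10:35 tyrrell.bath.ac.uk master[15766]: [ID 684980 mail.warning] service mupdate pid 15800 in READY state: terminated abnormally
May 8 10:10:35 tyrrell.bath.ac.uk master[15803]: [ID 392559 mail.debug] about to exec /opt/packages/cyrus-imapd/bin/mupdate
May 8 10:27:42 tyrrell.bath.ac.uk mupdate[15803]: [ID 596527 mail.notice] login: sauber.bath.ac.uk [138.38.132.132] cyrus GSSAPI User logged in
"""

# Solaris syslog line: "<ts> <host> <prog>[<pid>]: [ID <n> <facility.level>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>\w+)\[(?P<pid>\d+)\]: "
                     r"\[ID \d+ \S+\] (?P<msg>.*)$")
SIGNAL_RE = re.compile(r"^process (?P<pid>\d+) exited, signaled to death by (?P<sig>\d+)$")
ABNORMAL_RE = re.compile(r"^service (?P<svc>\w+) pid (?P<pid>\d+) in (?P<state>\w+) state: terminated abnormally$")
LOGIN_RE = re.compile(r"^login: (?P<client>\S+) \[(?P<ip>[\d.]+)\] (?P<user>\S+) (?P<mech>\S+) User logged in$")

def analyse(log_text):
    """Correlate master's crash reports with the worker that was handling a client.

    Returns findings in log order: one 'crash' per 'terminated abnormally' report,
    carrying the signal number and whether that pid had just accepted a connection,
    and one 'login' per successful authentication.
    """
    accepted = set()   # worker pids that logged 'accepted connection'
    signals = {}       # pid -> signal number reported by master
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg, ts = m["pid"], m["msg"], m["ts"]
        if m["prog"] != "master":          # a service worker (mupdate, imapd, ...)
            if msg == "accepted connection":
                accepted.add(pid)
            elif (lm := LOGIN_RE.match(msg)):
                findings.append({"kind": "login", "ts": ts, "pid": pid, "user": lm["user"],
                                 "mech": lm["mech"], "client": lm["client"], "ip": lm["ip"]})
            continue
        if (sm := SIGNAL_RE.match(msg)):   # master saw a child die from a signal
            signals[sm["pid"]] = int(sm["sig"])
        elif (am := ABNORMAL_RE.match(msg)):
            findings.append({"kind": "crash", "ts": ts, "service": am["svc"], "pid": am["pid"],
                             "state": am["state"], "signal": signals.get(am["pid"]),
                             "during_client_session": am["pid"] in accepted})
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

A crash finding with signal 11 and during_client_session set is the signature from the report: the worker died while processing the client's AUTHENTICATE exchange, which the client side only sees as "prot layer failure".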