Authentication problem between 2.3.16 back-end and 2.2.12 mupdate and front-ends

Andrew Morgan morgan at orst.edu
Thu Oct 7 16:50:51 EDT 2010


Maybe you need to upgrade the mupdate master to 2.3.16 first?

 	Andy

On Thu, 7 Oct 2010, Michael D. Sofka wrote:

> Additional information.  Recall that:
>
>> I am in the process of upgrading our cyrus aggregation from 2.2.12 to
>> 2.3.16. I have installed cyrus 2.3.16 on a new back-end server, and it
>> appears fine.  I can create accounts on the server, read email from
>> them, etc.
>>
>> Now I am attempting to place the new back-end server into our
>> aggregation so I can begin migrating accounts off the current back-end
>> server.   It appears the new back-end is not able to authenticate to the
>> mupdate server.
>
> On the existing 2.2.12 back-end server I can run:
>
>    mupdatetest -v -p 3905 -a g_murder imap-fe1.server.rpi.edu
>
> And, it connects, and logs onto the front-end server.  If I run:
>
>    mupdatetest -v -t '' -p 3905 -a g_murder imap-fe1.server.rpi.edu
>
> It does the same with TLS.
>
>
> Trying this on the 2.3.16 server, built from Simon Matter's source RPM
> on a RE5 server I get:
>
> Hacker[901]:mupdatetest -v -p 3905 -a g_murder imap-fe1.server.rpi.edu
> S: * AUTH "LOGIN" "PLAIN"
> S: * STARTTLS
> S: * PARTIAL-UPDATE
> S: * OK MUPDATE "imap-fe1.server.rpi.edu" "Cyrus Murder"
> "v2.2.12-Invoca-RPM-2.2.12-20" "(master)"
> Authentication failed. no mechanism available
> Security strength factor: 0
>
> Note "no mechanisms available."  But, I can run the AUTHENTICATE
> command with either the PLAIN or LOGIN options, I can authenticate just
> fine.  Same with the -t '' option, except it goes through TLS first.
>
>
> Running:
>
>    ctl_mboxlist -cw
>
> returns:
>
>    couldn't connect to mupdate server
>
> And syslog reports:
>
> Oct  7 16:23:56 imap-be4 ctl_mboxlist[916]: starttls: TLSv1 with cipher
> AES256-SHA (256/256 bits new client) no authentication
> Oct  7 16:23:56 imap-be4 ctl_mboxlist[916]: couldn't authenticate to
> backend server: no mechanism available
> Oct  7 16:23:56 imap-be4 ctl_mboxlist[916]: mupdate_connect failed:
> SASL(-4): no mechanism available: No worthy mechs found
>
>
> "No worthy mechs found"  This seems to be saying that ctl_mboxlist
> doesn't like PLAIN or LOGIN.  If so, then what does it want?
>
>
> For incoming connections, there appears to be a similar problem.  When I
> attempt an xfer from the 2.2.12 back-end to the 2.3.16 back-end the
> transfer fails with the message:
>
>    xfermailbox: Server(s) unavailable to complete operation
>
> and the 2.3.16 syslog reports:
>
> Oct  7 16:27:33 imap-be4 imap[830]: accepted connection
> Oct  7 16:27:33 imap-be4 master[942]: about to exec
> /usr/lib/cyrus-imapd/imapd
> Oct  7 16:27:33 imap-be4 imap[942]: executed
> Oct  7 16:27:33 imap-be4 imap[830]: skiplist: checkpointed
> /var/lib/imap/tls_sessions.db (6 records, 1240 bytes) in 0 seconds
> Oct  7 16:27:33 imap-be4 imap[830]: imapd:Loading hard-coded DH parameters
> Oct  7 16:27:33 imap-be4 imap[830]: SSL_accept() incomplete -> wait
> Oct  7 16:27:33 imap-be4 imap[830]: SSL_accept() succeeded -> done
> Oct  7 16:27:33 imap-be4 imap[830]: starttls: TLSv1 with cipher
> DHE-RSA-AES256-SHA (256/256 bits new) no authentication
>
>
> I've configured saslauthd to use PAM, and PAM to use pam_unix.so.  And,
> as noted, authentication does work.
>
> Mike
>
> -- 
> Michael D. Sofka               sofkam at rpi.edu
> C&MT Sr. Systems Programmer,   Email, HPC, TeX, Epistemology
> Rensselaer Polytechnic Institute, Troy, NY.  http://www.rpi.edu/~sofkam/
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
>
>


More information about the Info-cyrus mailing list