No authentication error when replication attempted in automatic mode

Ivan Lezhnjov Jr. ivan.lezhnjov.jr at gmail.com
Wed Jul 20 09:56:32 EDT 2011


I've said before that I fixed the issue with authentication from
Master<->Replica in a basic two-host setup in a mysterious way. Funny
thing is that I've managed to successfully replicate from M to R and
vice versa, swapping the roles of the hosts as many times as I wanted.
Everything worked as expected.

Then I set out to repeat this success on a set of two other machines,
and reached another dead end with a slightly different problem.

This message attempts to describe the issue that I'm battling with and
what has been tried thus far to win this fight :)

This is a basic two-host setup, host A is Master, host B is Replica.

When replication is attempted in automatic mode it fails.
Incidentally, it fails in manual mode too.

------------------- Replica
Jul 20 15:29:24 clone-machine-target syncserver[3630]: accepted connection
Jul 20 15:29:24 clone-machine-target syncserver[3630]: cmdloop(): startup
Jul 20 15:29:24 clone-machine-target syncserver[3630]: imapd:Loading hard-coded DH parameters
Jul 20 15:29:24 clone-machine-target syncserver[3630]: SSL_accept() incomplete -> wait
Jul 20 15:29:24 clone-machine-target syncserver[3630]: SSL_accept() succeeded -> done
Jul 20 15:29:24 clone-machine-target syncserver[3630]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication

------------------- Master
Jul 20 15:29:00 clone-machine sync_client[3638]: Doing a peer verify
Jul 20 15:29:00 clone-machine sync_client[3638]: verify error:num=19:self signed certificate in certificate chain
Jul 20 15:29:00 clone-machine sync_client[3638]: received server certificate
Jul 20 15:29:00 clone-machine sync_client[3638]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new client) no authentication
Jul 20 15:29:00 clone-machine sync_client[3638]: couldn't authenticate to backend server: no mechanism available
Jul 20 15:29:00 clone-machine sync_client[3638]: Can not connect to server '10.10.0.178'

The interesting fact is that I can successfully authenticate with
synctest from Master to Replica like this:

[root at clone-machine ~]# synctest -a cyrus -u cyrus -m plain -t "" replica.localdomain
S: * SASL PLAIN LOGIN
S: * STARTTLS
S: * COMPRESS DEFLATE
S: * OK clone-machine-target Cyrus sync server v2.4.10-Kolab-2.4.10-1
C: STARTTLS
S: OK Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
S: * SASL PLAIN LOGIN
S: * OK clone-machine-target Cyrus sync server v2.4.10-Kolab-2.4.10-1
Please enter your password:
C: AUTHENTICATE PLAIN Y3lydXMAY3lydXMAY3lydXNhZG1pbnJlcGxpY2E=
S: OK Success (tls protection)
Authenticated.
Security strength factor: 256

but /usr/lib/cyrus-imapd/sync_client -r fails to do so.



SITE CONFIGURATION


------------------- Master
[root at clone-machine ~]# cat /etc/imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
sasl_minimum_layer: 0
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd-my.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd-my.pem
tls_ca_file: /etc/pki/tls/certs/cacert.pem
guid_mode: sha1
delete_mode: immediate
sync_host: 10.10.0.178
sync_authname: cyrus
syncpassword: xxxxxxxxxxxxx
sync_log: 1
allowplaintext: 1
tcp_keepalive: 1

[root at clone-machine ~]# cat /etc/cyrus.conf |grep -v \#

START {
  recover	cmd="ctl_cyrusdb -r"

  idled		cmd="idled"

  syncclient    cmd="/usr/lib/cyrus-imapd/sync_client -r"
}

SERVICES {
  imap		cmd="imapd" listen="imap" prefork=5 provide_uuid=1
  imaps		cmd="imapd -s" listen="imaps" prefork=1 provide_uuid=1


  lmtpunix	cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1 provide_uuid=1

}

EVENTS {
  checkpoint	cmd="ctl_cyrusdb -c" period=30

  delprune	cmd="cyr_expire -D 7 -E 3 -X 7" at=0400

  tlsprune	cmd="tls_prune" at=0400
}



------------------- Replica
[root at clone-machine-target ~]# cat /etc/imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd-my.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd-my.pem
tls_ca_file: /etc/pki/tls/certs/cacert.pem
allowplaintext: 1
tcp_keepalive: 1

[root at clone-machine-target ~]# cat /etc/cyrus.conf |grep -v \#

START {
  recover	cmd="ctl_cyrusdb -r"

  idled		cmd="idled"

}

SERVICES {
  imap		cmd="imapd" listen="imap" prefork=5 provide_uuid=1
  imaps		cmd="imapd -s" listen="imaps" prefork=1 provide_uuid=1


  lmtpunix	cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1 provide_uuid=1


  syncserver       cmd="/usr/lib/cyrus-imapd/sync_server" listen="csync"
}

EVENTS {
  checkpoint	cmd="ctl_cyrusdb -c" period=30

  delprune	cmd="cyr_expire -D 7 -E 3 -X 7" at=0400

  tlsprune	cmd="tls_prune" at=0400
}

Using my own self-signed certificates and my own CA on both machines.
The CN points to the hosts' FQDNs, defined in /etc/hosts as master.localdomain
and replica.localdomain.


PAM configuration:

[root at clone-machine ~]# cat /etc/pam.d/{csync,imap,lmtp}
#%PAM-1.0
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
#%PAM-1.0
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
#%PAM-1.0
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth


selinux disabled
iptables disabled

I've tried the following options with no success or positive changes
in regard to replication:
- sasl_minimum_layer: 0
- syncserver       cmd="/usr/lib/cyrus-imapd/sync_server -p 1" listen="csync"
- removing sasl_mech_list completely while setting allowplaintext to false


SOFTWARE INSTALLED
[root at clone-machine ~]# yum list installed |grep cyrus
cyrus-imapd.x86_64                       2.4.10-1               installed
cyrus-imapd-debuginfo.x86_64             2.4.10-1               installed
cyrus-imapd-devel.x86_64                 2.4.10-1               installed
cyrus-imapd-perl.x86_64                  2.4.10-1               installed
cyrus-imapd-utils.x86_64                 2.4.10-1               installed
cyrus-sasl.x86_64                        2.1.22-4               installed
cyrus-sasl-devel.x86_64                  2.1.22-4               installed
cyrus-sasl-lib.x86_64                    2.1.22-4               installed
cyrus-sasl-plain.x86_64                  2.1.22-4               installed

I'm using a Kolab SRPM for cyrus-imapd, as divulged in the synctest output. I
also tried an Invoca SRPM (same tests, only running the Invoca build).

I'm hoping to get any help because I've spent most of the day reading
mailing list archives, trying to find at least a hint, but nothing
seems to help. I need your fresh look at this whole setup, people.

Thanks in advance for your time.
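One way to watch for this failure pattern in syslog, written as an added example that is not part of the post above or of Cyrus itself. The sample log lines are the ones quoted in the post, re-joined onto single lines; the session key (host, program, pid), the field names and the wording of the findings are my own choices, and the reading of "no authentication" as "no peer certificate was verified" is my assumption about Cyrus's log text.

```python
import re
from collections import defaultdict

# Constructed sample: the syslog lines quoted in the post, each re-joined onto one line.
SAMPLE_LOG = """\
Jul 20 15:29:24 clone-machine-target syncserver[3630]: accepted connection
Jul 20 15:29:24 clone-machine-target syncserver[3630]: cmdloop(): startup
Jul 20 15:29:24 clone-machine-target syncserver[3630]: imapd:Loading hard-coded DH parameters
Jul 20 15:29:24 clone-machine-target syncserver[3630]: SSL_accept() incomplete -> wait
Jul 20 15:29:24 clone-machine-target syncserver[3630]: SSL_accept() succeeded -> done
Jul 20 15:29:24 clone-machine-target syncserver[3630]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Jul 20 15:29:00 clone-machine sync_client[3638]: Doing a peer verify
Jul 20 15:29:00 clone-machine sync_client[3638]: verify error:num=19:self signed certificate in certificate chain
Jul 20 15:29:00 clone-machine sync_client[3638]: received server certificate
Jul 20 15:29:00 clone-machine sync_client[3638]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new client) no authentication
Jul 20 15:29:00 clone-machine sync_client[3638]: couldn't authenticate to backend server: no mechanism available
Jul 20 15:29:00 clone-machine sync_client[3638]: Can not connect to server '10.10.0.178'
"""

# Classic syslog layout: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
TLS_RE = re.compile(r"starttls: (?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits")
VERIFY_RE = re.compile(r"verify error:num=(?P<num>\d+):(?P<reason>.*)")
CONNECT_RE = re.compile(r"Can not connect to server '(?P<server>[^']+)'")
SASL_PREFIX = "couldn't authenticate to backend server: "


def new_session():
    return {"tls": None, "cert_auth": False, "cert_verify_errors": [],
            "sasl_failure": None, "connect_failure": None}


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Group lines by (host, program, pid) and record the TLS/SASL outcome of each session."""
    sessions = defaultdict(new_session)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = sessions[(rec["host"], rec["prog"], int(rec["pid"]))]
        msg = rec["msg"]
        if (m := TLS_RE.search(msg)):
            s["tls"] = {"proto": m["proto"], "cipher": m["cipher"], "bits": int(m["bits"])}
            # Assumption: Cyrus appends "no authentication" when no peer certificate was verified.
            s["cert_auth"] = "no authentication" not in msg
        elif (m := VERIFY_RE.search(msg)):
            s["cert_verify_errors"].append((int(m["num"]), m["reason"].strip()))
        elif msg.startswith(SASL_PREFIX):
            s["sasl_failure"] = msg[len(SASL_PREFIX):]
        elif (m := CONNECT_RE.search(msg)):
            s["connect_failure"] = m["server"]
    return dict(sessions)


def findings(sessions):
    """One human-readable alert per problem, suitable for a ticket or a SIEM rule."""
    out = []
    for (host, prog, pid), s in sessions.items():
        who = f"{prog}[{pid}] on {host}"
        for num, reason in s["cert_verify_errors"]:
            # OpenSSL verify error 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
            # the self-signed root of the peer's chain is not in the trust store.
            out.append(f"{who}: X.509 verify error {num} ({reason})")
        if s["sasl_failure"]:
            out.append(f"{who}: SASL authentication failed: {s['sasl_failure']}")
        if s["connect_failure"]:
            out.append(f"{who}: gave up connecting to {s['connect_failure']}")
    return out


if __name__ == "__main__":
    for line in findings(summarize(SAMPLE_LOG)):
        print(line)
```

Run against the lines above it reports, for the master's sync_client session, the untrusted chain (verify error 19), the SASL failure ("no mechanism available") and the abandoned connection, and nothing for the replica's syncserver session, which only shows the TLS layer coming up without certificate-based peer authentication. Feeding `journalctl -o short` or `/var/log/maillog` into `summarize()` gives the same per-session view for a real host.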
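To compare the two imapd.conf listings above without eyeballing them, here is an added example, not code from the post or from the Cyrus project. The two configs are the ones quoted in the SITE CONFIGURATION section; the list of sync option names is my assumption, taken from my recollection of imapd.conf(5) for the 2.4 series, so check it against the local man page before trusting the "not a known sync option" note, and the secret-redaction list is my own choice.

```python
# Constructed sample: the master and replica /etc/imapd.conf listings quoted in the post.
MASTER_CONF = """\
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
sasl_minimum_layer: 0
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd-my.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd-my.pem
tls_ca_file: /etc/pki/tls/certs/cacert.pem
guid_mode: sha1
delete_mode: immediate
sync_host: 10.10.0.178
sync_authname: cyrus
syncpassword: xxxxxxxxxxxxx
sync_log: 1
allowplaintext: 1
tcp_keepalive: 1
"""

REPLICA_CONF = """\
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd-my.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd-my.pem
tls_ca_file: /etc/pki/tls/certs/cacert.pem
allowplaintext: 1
tcp_keepalive: 1
"""

# Assumption: sync-related option names as I recall them from imapd.conf(5), Cyrus 2.4 series.
KNOWN_SYNC_KEYS = {"sync_host", "sync_port", "sync_authname", "sync_password", "sync_realm",
                   "sync_log", "sync_repeat_interval", "sync_shutdown_file"}
# Keys whose values must never appear in a diff that gets pasted into a ticket or a mailing list.
SECRET_KEYS = {"sync_password", "syncpassword"}
TRUE_VALUES = {"1", "yes", "true", "on"}


def parse_imapd_conf(text):
    """Parse Cyrus 'key: value' lines; '#' starts a comment and blank lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def redacted(conf):
    """Copy of the config with secret values masked, safe to print or share."""
    return {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in conf.items()}


def compare_confs(master, replica):
    """Keys present on only one side, and shared keys whose values differ."""
    shared = set(master) & set(replica)
    return {
        "only_master": sorted(set(master) - set(replica)),
        "only_replica": sorted(set(replica) - set(master)),
        "differing": sorted(k for k in shared if master[k] != replica[k]),
    }


def review(conf, role):
    """Notes a defender would want on one host's config: unknown sync keys, weak settings."""
    notes = []
    for key in conf:
        if key.startswith("sync") and key not in KNOWN_SYNC_KEYS:
            notes.append(f"{role}: '{key}' is not a known sync option name; check it against imapd.conf(5)")
    if conf.get("allowplaintext", "").lower() in TRUE_VALUES:
        notes.append(f"{role}: allowplaintext is enabled, so cleartext SASL mechanisms are usable without a TLS layer")
    return notes


if __name__ == "__main__":
    master, replica = parse_imapd_conf(MASTER_CONF), parse_imapd_conf(REPLICA_CONF)
    print("diff:", compare_confs(master, replica))
    for note in review(master, "master") + review(replica, "replica"):
        print(note)
    print("master (redacted):", redacted(master))
```

On the two listings above the diff shows the sync, guid and delete keys present only on the master and no differing shared values, and `review()` flags one key on the master that is not in the assumed sync option list and the enabled allowplaintext on both hosts; the `redacted()` view is the one to paste when asking for help, so the sync password never leaves the box even when it is only a placeholder.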

