Hi guys,

This morning we created a principal "mupd...@bath.ac.uk" and added that 
to the key tab on sauber for the IMAP server, and it authenticated fine.

It would appear there is a bug somewhere meaning that 
"primary/insta...@realm" style principals cannot be used as clients to 



David Mayo
Networks/Systems Administrator
University of Bath Computing Services

Tel: +44 1225 38 6046
Email: d.j.m...@bath.ac.uk

David Mayo wrote:
> Hi guys,
> We are upgrading to cyrus-imap-2.3.14 and are looking at using mupdate
> for the first time, but we are having problems with the GSSAPI
> authentication between mupdate hosts.
> We have two servers - sauber and tyrrell. sauber is one of the backend
> hosts and tyrrell is the mupdate master. We have generated service
> principals for them and placed them in their own key tabs:
> mupdate/sauber.bath.ac.uk
> imap/sauber.bath.ac.uk
> mupdate/tyrrell.bath.ac.uk
> imap/tyrrell.bath.ac.uk
> We initialise these keytabs in the START section of cyrus.conf with the
> following line:
>    # authenticate to Kerberos
>    auth          cmd="/usr/bin/kinit -k -t /opt/etc/imapd/krb5.keytab mupdate/sauber.bath.ac.uk"
> (obviously the mupdate master uses mupdate/tyrrell.bath.ac.uk)
> If we run mupdatetest after starting the master daemons we see the
> following output on sauber:
> sauber $ /opt/packages/cyrus-imapd/bin/mupdatetest tyrrell
> S: * OK MUPDATE "tyrrell.bath.ac.uk" "Cyrus Murder" "v2.3.14" "(master)"
> S:
> YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvLEn4nvf4zsyDbNlSFPQe3SwAxL7iusPxROKhmcdUc9TRrN2290JAKNL9odMnOeOcEcVsmJHAq55ux476T6iF7L+G2XLWJiseyjeCDar7PpfA0p6h+TNFKnuqHhB7BNyVgGsLrGT91R4GHa0Y0LEP
> C:
> failure: prot layer failure
> And resulting logs on tyrrell:
> May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15800]: [ID 921384 mail.debug] accepted connection
> May  8 10:10:35 tyrrell.bath.ac.uk master[15766]: [ID 970914 mail.error] process 15800 exited, signaled to death by 11
> May  8 10:10:35 tyrrell.bath.ac.uk master[15766]: [ID 684980 mail.warning] service mupdate pid 15800 in READY state: terminated abnormally
> May  8 10:10:35 tyrrell.bath.ac.uk master[15803]: [ID 392559 mail.debug] about to exec /opt/packages/cyrus-imapd/bin/mupdate
> May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 518349 mail.debug] executed
> May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572 mail.debug] New worker thread started, for a total of 1
> May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572 mail.debug] New worker thread started, for a total of 2
> May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572 mail.debug] New worker thread started, for a total of 3
> May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572 mail.debug] New worker thread started, for a total of 4
> May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 242572 mail.debug] New worker thread started, for a total of 5
> Looking on sauber, the mupdate/tyrrell.bath.ac.uk principal has already
> been exchanged by the time the mupdate server crashes:
> sauber $ klist
> Ticket cache: FILE:/tmp/krb5cc_58
> Default principal: mupdate/sauber.bath.ac...@bath.ac.uk
> Valid starting                  Expires                  Service principal
> 08/05/2009 10:10:31  08/05/2009 20:10:31  krbtgt/bath.ac...@bath.ac.uk
>          renew until 15/05/2009 10:10:31
> 08/05/2009 10:10:31  08/05/2009 20:10:31  mupdate/tyrrell.bath.ac...@bath.ac.uk
>          renew until 15/05/2009 10:10:31
> While trying to make this work, we did find one way - use a principal
> that has a password rather than in the keytab:
> sauber $ kinit cyrus
> Password for cy...@bath.ac.uk:
> sauber $ /opt/packages/cyrus-imapd/bin/mupdatetest tyrrell
> S: * OK MUPDATE "tyrrell.bath.ac.uk" "Cyrus Murder" "v2.3.14" "(master)"
> S:
> YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv6ysRnz7c5/jXdrML5GDO3yUDRd6e483bvcFFSv7Om/LcVmstU3vc7py4zljh1sI9cqP6wV0d6NKtUNJBEGaQNciHdasq+ywbgRsMvAsAM5/m7i06vByFOdRvZX2MxCdEMVW9KbAGRIHBvK6JQFxG
> C:
> S: A01 OK "Authenticated"
> Authenticated.
> Security strength factor: 56
> Q01 OK "bye-bye"
> Connection closed.
> sauber $ klist
> Ticket cache: FILE:/tmp/krb5cc_58
> Default principal: cy...@bath.ac.uk
> Valid starting                  Expires                  Service principal
> 08/05/2009 10:27:37  08/05/2009 20:27:37  krbtgt/bath.ac...@bath.ac.uk
>          renew until 15/05/2009 10:27:37
> 08/05/2009 10:27:43  08/05/2009 20:27:37  mupdate/tyrrell.bath.ac...@bath.ac.uk
>          renew until 15/05/2009 10:27:37
> Relevant logs from tyrrell:
> May  8 10:27:42 tyrrell.bath.ac.uk mupdate[15803]: [ID 596527 mail.notice] login: sauber.bath.ac.uk [] cyrus GSSAPI User logged in
> The *only* difference is we are using a default principal of
> cy...@bath.ac.uk rather than mupdate/sauber.bath.ac...@bath.ac.uk. This
> does not seem to make sense.
> Relevant lines from config files:
> sauber imapd.conf:
> admins: cyrus imap/sauber.bath.ac.uk
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: plain gssapi
> mupdate_server: tyrrell.bath.ac.uk
> mupdate_config: standard
> mupdate_authname: mupdate/sauber.bath.ac.uk
> mupdate_username: cyrus
> tyrrell imapd.conf:
> admins: cyrus mupdate/sauber.bath.ac.uk
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: plain gssapi
> We compiled cyrus-imapd-2.3.14 with the following flags:
> PROGDIR=/opt/packages/cyrus-imapd \
>    ./configure --prefix=$PROGDIR --mandir=/opt/share/man \
>          --sysconfdir=/opt/etc/imapd \
>          --enable-listext --enable-idled --with-snmp \
>          --enable-murder \
>          --enable-replication \
>          --enable-nntp \
>          --disable-gssapi \
>          --with-cyrus-group=cyrus \
>          --with-cyrus-user=cyrus \
>          --with-cyrus-prefix=$PROGDIR \
>          --with-openssl=$OPENSSLDIR \
>          --with-ucdsnmp=/opt/packages/net-snmp \
>          --with-sasl=$SASLDIR \
>          --with-dbdir=/opt/packages/berkeley-db \
>          --with-syslogfacility=MAIL
> We are using Cyrus SASL 2.1.22 built like this:
> PROGDIR=/opt/packages/cyrus-sasl \
>    ./configure --prefix=$PROGDIR --sysconfdir=/opt/etc/cyrus \
>          --with-plugindir=/opt/packages/cyrus-sasl/lib/sasl2 \
>          --enable-shared \
>          --disable-static \
>          --disable-java \
>          --with-configdir=/opt/etc/sasl2 \
>          --disable-krb4 \
>          --with-gss_impl=mit \
>          --with-rc4 \
>          --with-dblib=berkeley \
>          --with-saslauthd=/var/sasl2 --without-pwcheck \
>          --with-devrandom=/dev/urandom \
>          --enable-anon \
>          --enable-cram \
>          --enable-digest \
>          --enable-ntlm \
>          --enable-plain \
>          --enable-login \
>          --without-ldap \
>          --disable-otp \
>          --disable-ldapdb \
>          --disable-sql --without-mysql --without-pgsql --without-sqlite \
>          --enable-gssapi=$KERBEROSDIR \
>          --with-openssl=$OPENSSLDIR
> We are using MIT KerberosV 1.6.3 and running on Solaris 10 x86. tyrrell
> is actually a Solaris 'Zone' on sauber.
> If anyone has any ideas of what might be causing this problem we'd be
> very interested!
> Regards,
> Dave.
> David Mayo
> Networks/Systems Administrator
> University of Bath Computing Services
> Tel: +44 1225 38 6046
> Email: d.j.m...@bath.ac.uk
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
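
A defender's reading of the tyrrell log quoted above, as an added example that is not part of the original post or of Cyrus: it pairs master's "signaled to death" lines with the crashed child's last logged event and marks crashes that occur before that process logged any login. The regexes assume the Solaris syslog layout shown in the post, and the record field names (such as `pre_auth`) are assumptions of this example.

```python
import re

# Lines from the tyrrell log quoted in the post, with mail-wrapped lines rejoined.
SAMPLE_LOG = """\
May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15800]: [ID 921384 mail.debug] accepted connection
May  8 10:10:35 tyrrell.bath.ac.uk master[15766]: [ID 970914 mail.error] process 15800 exited, signaled to death by 11
May  8 10:10:35 tyrrell.bath.ac.uk master[15766]: [ID 684980 mail.warning] service mupdate pid 15800 in READY state: terminated abnormally
May  8 10:10:35 tyrrell.bath.ac.uk master[15803]: [ID 392559 mail.debug] about to exec /opt/packages/cyrus-imapd/bin/mupdate
May  8 10:10:35 tyrrell.bath.ac.uk mupdate[15803]: [ID 518349 mail.debug] executed
May  8 10:27:42 tyrrell.bath.ac.uk mupdate[15803]: [ID 596527 mail.notice] login: sauber.bath.ac.uk [] cyrus GSSAPI User logged in
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<prog>[\w-]+)\[(?P<pid>\d+)\]: "
    r"\[ID \d+ \w+\.\w+\] (?P<msg>.*)$")
KILLED = re.compile(r"process (\d+) exited, signaled to death by (\d+)")
ABNORMAL = re.compile(r"service (\S+) pid (\d+) in (\w+) state: terminated abnormally")


def find_crashes(log_text):
    """Return one record per child that master reports as killed by a signal."""
    last_msg, authed, crashes = {}, set(), {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        if m["prog"] != "master":
            # Service process: remember its latest event and whether it logged a login.
            last_msg[pid] = msg
            if msg.startswith("login: "):
                authed.add(pid)
            continue
        killed = KILLED.search(msg)
        if killed:
            child = int(killed.group(1))
            crashes[child] = {
                "time": m["ts"], "pid": child, "signal": int(killed.group(2)),
                "service": None, "state": None,
                "last_event": last_msg.get(child),
                # No login logged before the crash: the fault was reached pre-auth.
                "pre_auth": child not in authed,
            }
            continue
        abnormal = ABNORMAL.search(msg)
        if abnormal and int(abnormal.group(2)) in crashes:
            rec = crashes[int(abnormal.group(2))]
            rec["service"], rec["state"] = abnormal.group(1), abnormal.group(3)
    return list(crashes.values())


if __name__ == "__main__":
    for rec in find_crashes(SAMPLE_LOG):
        print(rec)
```

On the quoted log this yields a single record: the mupdate child 15800 killed by signal 11 right after "accepted connection", with no login logged by that process.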