Hi Henrique!

On Mon, 11 Jun 2007, Henrique de Moraes Holschuh wrote:

> On Mon, 11 Jun 2007, Rico Barth wrote:
>> all works fine. But we need ldap group support and this workaround is not
>> suitable for us.
>
> Well, I need an strace of the crash.  See the cyrus21 documentation on how
> to get one.
>
> And, if it is what I think it is, there is no fix (libsasl going berserk).

Well, we tried to reproduce this failure and send strace output, but we couldn't reproduce it. It seems there's a relation between nscd and the server crashes. When I wrote my first reply to this bug, all processes on the server were new (a new installation). After two days of working we can't reproduce the crash. Our environment consists of:

cyrus21-admin             2.1.18-5.1     Cyrus mail system (administration tool)
cyrus21-clients           2.1.18-5.1     Cyrus mail system (test clients)
cyrus21-common            2.1.18-5.1     Cyrus mail system (common files)
cyrus21-doc               2.1.18-5.1     Cyrus mail system (documentation files)
cyrus21-imapd             2.1.18-5.1     Cyrus mail system (IMAP support)
cyrus21-pop3d             2.1.18-5.1     Cyrus mail system (POP3 support)
libauthen-sasl-cyrus-perl 0.13-server-1  Perl extension for Cyrus SASL library
libcyrus-imap-perl21      2.1.18-5.1     Interface to Cyrus imap client imclient libr
libauthen-sasl-perl         2.10-1         Authen::SASL - SASL Authentication framework
libsasl2                    2.1.22.dfsg1-8 Authentication abstraction library
libsasl2-2                  2.1.22.dfsg1-8 Authentication abstraction library
libsasl2-modules            2.1.22.dfsg1-8 Pluggable Authentication Modules for SASL
sasl2-bin                   2.1.22.dfsg1-8 Administration programs for SASL users datab
ldap-utils            2.3.30-5       OpenLDAP utilities
libldap-2.3-0         2.3.30-5       OpenLDAP libraries
libldap2              2.1.30-13.3    OpenLDAP libraries
libldap2-dev          2.1.30-13.3    OpenLDAP development libraries
libnet-ldap-perl      0.33-2         A Client interface to LDAP servers
libnss-ldap           251-7.5        NSS module for using LDAP as a naming service
libpam-ldap           180-1.7        Pluggable Authentication Module allowing LDAP
libpam-ldap      180-1.7        Pluggable Authentication Module allowing LDAP
libpam-modules   0.79-4         Pluggable Authentication Modules for PAM
libpam-runtime   0.79-4         Runtime support for the PAM library
libpam0g         0.79-4         Pluggable Authentication Modules library
nscd           2.3.6.ds1-13   GNU C Library: Name Service Cache Daemon


And here are the config files from Monday which induce the crash. These config files are still the same now.



/etc/imapd.conf:

configdirectory: /var/lib/cyrus
defaultpartition: default
partition-default: /var/spool/cyrus/mail
partition-news: /var/spool/cyrus/news
newsspool: /var/spool/news
altnamespace: no
unixhierarchysep: no
admins: cyrus
sieve_admins: cyrus listing
allowanonymouslogin: no
popminpoll: 1
autocreatequota: 0
umask: 077
sieveusehomedir: false
sievedir: /var/spool/sieve
hashimapspool: true
allowplaintext: yes
sasl_mech_list: plain login cram-md5
allowapop: no
sasl_minimum_layer: 0
sasl_pwcheck_method: saslauthd
sasl_auto_transition: yes
tls_cert_file: /etc/ssl/certs/IMAP_intern_cert.pem
tls_key_file: /etc/ssl/private/IMAP_intern_key.pem
tls_ca_file: /etc/ssl/cacert.pem
tls_ca_path: /etc/ssl/certs
tls_session_timeout: 1440
tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
tls_require_cert: false
lmtpsocket: /var/run/cyrus/socket/lmtp
idlesocket: /var/run/cyrus/socket/idle
notifysocket: /var/run/cyrus/socket/notify


sasl_auto_transition is on so that auth can fall back to cram-md5 if the first login is a plain login through SSL.


/etc/cyrus.conf:

START {
        recover         cmd="/usr/sbin/ctl_cyrusdb -r"
        delprune        cmd="/usr/sbin/ctl_deliver -E 3"
        tlsprune        cmd="/usr/sbin/tls_prune"
}
SERVICES {
        imap            cmd="imapd -U 30" listen="imap" prefork=0 maxchild=100
        imaps           cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
        pop3            cmd="pop3d -U 30" listen="pop3" prefork=0 maxchild=50
        pop3s           cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=50
        lmtpunix        cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0 maxchild=20
        notify          cmd="notifyd" listen="/var/run/cyrus/socket/notify" proto="udp" prefork=1
}
EVENTS {
        checkpoint      cmd="/usr/sbin/ctl_cyrusdb -c" period=30
        delprune        cmd="/usr/sbin/ctl_deliver -E 3" at=0401
        tlsprune        cmd="/usr/sbin/tls_prune" at=0401
        squatter      cmd="/usr/sbin/squatter -r user" period=240
}



/etc/default/saslauthd:

START=yes
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -r"


/etc/nsswitch.conf

passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns
networks:       files
netmasks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       files
automount:      files



And now a part of the logs from Monday:

/var/log/syslog:

...
Jun 11 10:09:37 athene cyrus/imaps[12793]: executed
Jun 11 10:09:37 athene cyrus/imapd[12793]: accepted connection
Jun 11 10:09:37 athene cyrus/imapd[12793]: mystore: starting txn 2147483672
Jun 11 10:09:37 athene cyrus/imapd[12793]: mystore: committing txn 2147483672
Jun 11 10:09:37 athene cyrus/imapd[12793]: starttls: TLSv1 with cipher AES128-SHA (128/128 bits new) no authentication
Jun 11 10:09:37 athene cyrus/imapd[12793]: badlogin: ikaros.office.cape-it.de[172.16.21.6] CRAM-MD5 [SASL(-13): user not found: no secret in database]
Jun 11 10:09:40 athene cyrus/imapd[12793]: login: ikaros.office.cape-it.de[172.16.21.6] riba plaintext+TLS
Jun 11 10:09:40 athene cyrus/master[12647]: process 12793 exited, signaled to death by 6
Jun 11 10:09:40 athene cyrus/master[12647]: service imaps pid 12793 in BUSY state: terminated abnormally
...



Sorry, but we can't reproduce the cyrus crash, so we can't send strace output to you. But I hope the information above could help you.

Thanks and bye

Rico

--
Dipl.-Math. Rico Barth, Geschäftsführer/Projektleiter
c.a.p.e. IT GmbH
Annaberger Straße 240 , 09125 Chemnitz
phone/fax: +49 371 5347-621 / -625
mobile:    +49 176 66680786
mailto:    [EMAIL PROTECTED] , PGP-Key: 0x874C8377
internet:  www.cape-it.de

Geschäftsführung Rico Barth, Thomas Maier
AG Chemnitz, HRB 23192
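
One way to triage logs like the excerpt in the message above, as an added example that is not part of the original message or of Cyrus: it pairs each "signaled to death" line from cyrus/master with the earlier events of the dead child PID, so the login path that ran just before the abort is visible. The function name and report fields are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input: the syslog excerpt from the message above, wrapped lines rejoined.
SAMPLE_LOG = """\
Jun 11 10:09:37 athene cyrus/imaps[12793]: executed
Jun 11 10:09:37 athene cyrus/imapd[12793]: accepted connection
Jun 11 10:09:37 athene cyrus/imapd[12793]: mystore: starting txn 2147483672
Jun 11 10:09:37 athene cyrus/imapd[12793]: mystore: committing txn 2147483672
Jun 11 10:09:37 athene cyrus/imapd[12793]: starttls: TLSv1 with cipher AES128-SHA (128/128 bits new) no authentication
Jun 11 10:09:37 athene cyrus/imapd[12793]: badlogin: ikaros.office.cape-it.de[172.16.21.6] CRAM-MD5 [SASL(-13): user not found: no secret in database]
Jun 11 10:09:40 athene cyrus/imapd[12793]: login: ikaros.office.cape-it.de[172.16.21.6] riba plaintext+TLS
Jun 11 10:09:40 athene cyrus/master[12647]: process 12793 exited, signaled to death by 6
Jun 11 10:09:40 athene cyrus/master[12647]: service imaps pid 12793 in BUSY state: terminated abnormally
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
                     r"cyrus/(?P<svc>[\w-]+)\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")
DEATH_RE = re.compile(r"process (?P<pid>\d+) exited, signaled to death by (?P<sig>\d+)")
LOGIN_RE = re.compile(r"^login: (?P<client>\S+) (?P<user>\S+) (?P<mech>\S+)")
BADLOGIN_RE = re.compile(r"^badlogin: (?P<client>\S+) (?P<mech>\S+) \[(?P<reason>.*)\]$")

def crashed_sessions(log_text):
    """Return one report per child process that cyrus/master saw die from a signal."""
    history = defaultdict(list)   # pid -> [(timestamp, message)] in log order
    reports = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue              # not a cyrus syslog line (e.g. "..." elisions)
        death = DEATH_RE.search(m["msg"]) if m["svc"] == "master" else None
        if death is None:
            history[m["pid"]].append((m["ts"], m["msg"]))
            continue
        events = history.pop(death["pid"], [])
        report = {"pid": int(death["pid"]), "signal": int(death["sig"]),  # 6 is SIGABRT
                  "died_at": m["ts"], "login": None, "failed_mechs": [], "events": len(events)}
        for ts, ev in events:
            if (ok := LOGIN_RE.match(ev)):
                report["login"] = (ok["user"], ok["mech"], ts)
            elif (bad := BADLOGIN_RE.match(ev)):
                report["failed_mechs"].append(bad["mech"])
        reports.append(report)
    return reports

if __name__ == "__main__":
    for r in crashed_sessions(SAMPLE_LOG):
        print(r)
```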
