Bug#418615: cyrus21-imapd crashes if nsswitch is configured with ldap group support

Rico Barth rico.barth at cape-it.de
Wed Jun 13 11:35:51 UTC 2007


Hi Henrique!

On Mon, 11 Jun 2007, Henrique de Moraes Holschuh wrote:

> On Mon, 11 Jun 2007, Rico Barth wrote:
>> all works fine. But we need ldap group support and this workaround is not
>> suitable for us.
>
> Well, I need an strace of the crash.  See the cyrus21 documentation on how
> to get one.
>
> And, if it is what I think it is, there is no fix (libsasl going berserk).

Well, we tried to reproduce this failure and send strace output, but we 
couldn't reproduce it. It seems there's a relation between nscd 
and the server crashes. When I wrote my first reply to this bug, all 
processes on the server were new (a new installation). After two days of 
working we can't reproduce the crash. Our environment consists of

cyrus21-admin             2.1.18-5.1     Cyrus mail system (administration tool)
cyrus21-clients           2.1.18-5.1     Cyrus mail system (test clients)
cyrus21-common            2.1.18-5.1     Cyrus mail system (common files)
cyrus21-doc               2.1.18-5.1     Cyrus mail system (documentation files)
cyrus21-imapd             2.1.18-5.1     Cyrus mail system (IMAP support)
cyrus21-pop3d             2.1.18-5.1     Cyrus mail system (POP3 support)
libauthen-sasl-cyrus-perl 0.13-server-1  Perl extension for Cyrus SASL library
libcyrus-imap-perl21      2.1.18-5.1     Interface to Cyrus imap client imclient libr
libauthen-sasl-perl         2.10-1         Authen::SASL - SASL Authentication framework
libsasl2                    2.1.22.dfsg1-8 Authentication abstraction library
libsasl2-2                  2.1.22.dfsg1-8 Authentication abstraction library
libsasl2-modules            2.1.22.dfsg1-8 Pluggable Authentication Modules for SASL
sasl2-bin                   2.1.22.dfsg1-8 Administration programs for SASL users datab
ldap-utils            2.3.30-5       OpenLDAP utilities
libldap-2.3-0         2.3.30-5       OpenLDAP libraries
libldap2              2.1.30-13.3    OpenLDAP libraries
libldap2-dev          2.1.30-13.3    OpenLDAP development libraries
libnet-ldap-perl      0.33-2         A Client interface to LDAP servers
libnss-ldap           251-7.5        NSS module for using LDAP as a naming service
libpam-ldap           180-1.7        Pluggable Authentication Module allowing LDAP
libpam-ldap      180-1.7        Pluggable Authentication Module allowing LDAP
libpam-modules   0.79-4         Pluggable Authentication Modules for PAM
libpam-runtime   0.79-4         Runtime support for the PAM library
libpam0g         0.79-4         Pluggable Authentication Modules library
nscd           2.3.6.ds1-13   GNU C Library: Name Service Cache Daemon


And here are the config files from Monday which induce the crash. These 
config files are still the same now.



/etc/imapd.conf:

configdirectory: /var/lib/cyrus
defaultpartition: default
partition-default: /var/spool/cyrus/mail
partition-news: /var/spool/cyrus/news
newsspool: /var/spool/news
altnamespace: no
unixhierarchysep: no
admins: cyrus
sieve_admins: cyrus listing
allowanonymouslogin: no
popminpoll: 1
autocreatequota: 0
umask: 077
sieveusehomedir: false
sievedir: /var/spool/sieve
hashimapspool: true
allowplaintext: yes
sasl_mech_list: plain login cram-md5
allowapop: no
sasl_minimum_layer: 0
sasl_pwcheck_method: saslauthd
sasl_auto_transition: yes
tls_cert_file: /etc/ssl/certs/IMAP_intern_cert.pem
tls_key_file: /etc/ssl/private/IMAP_intern_key.pem
tls_ca_file: /etc/ssl/cacert.pem
tls_ca_path: /etc/ssl/certs
tls_session_timeout: 1440
tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
tls_require_cert: false
lmtpsocket: /var/run/cyrus/socket/lmtp
idlesocket: /var/run/cyrus/socket/idle
notifysocket: /var/run/cyrus/socket/notify


sasl_auto_transition is on so that auth can fall back to cram-md5 if the first 
login is a plain login through SSL.


/etc/cyrus.conf:

START {
         recover         cmd="/usr/sbin/ctl_cyrusdb -r"
         delprune        cmd="/usr/sbin/ctl_deliver -E 3"
         tlsprune        cmd="/usr/sbin/tls_prune"
}
SERVICES {
         imap            cmd="imapd -U 30" listen="imap" prefork=0 maxchild=100
         imaps           cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
         pop3            cmd="pop3d -U 30" listen="pop3" prefork=0 maxchild=50
         pop3s           cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=50
         lmtpunix        cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0 maxchild=20
         notify          cmd="notifyd" listen="/var/run/cyrus/socket/notify" proto="udp" prefork=1
}
EVENTS {
         checkpoint      cmd="/usr/sbin/ctl_cyrusdb -c" period=30
         delprune        cmd="/usr/sbin/ctl_deliver -E 3" at=0401
         tlsprune        cmd="/usr/sbin/tls_prune" at=0401
         squatter      cmd="/usr/sbin/squatter -r user" period=240
}



/etc/default/saslauthd:

START=yes
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -r"


/etc/nsswitch.conf:

passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns
networks:       files
netmasks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       files
automount:      files



And now a part of the logs from Monday:

/var/log/syslog:

...
Jun 11 10:09:37 athene cyrus/imaps[12793]: executed
Jun 11 10:09:37 athene cyrus/imapd[12793]: accepted connection
Jun 11 10:09:37 athene cyrus/imapd[12793]: mystore: starting txn 2147483672
Jun 11 10:09:37 athene cyrus/imapd[12793]: mystore: committing txn 2147483672
Jun 11 10:09:37 athene cyrus/imapd[12793]: starttls: TLSv1 with cipher AES128-SHA (128/128 bits new) no authentication
Jun 11 10:09:37 athene cyrus/imapd[12793]: badlogin: ikaros.office.cape-it.de[172.16.21.6] CRAM-MD5 [SASL(-13): user not found: no secret in database]
Jun 11 10:09:40 athene cyrus/imapd[12793]: login: ikaros.office.cape-it.de[172.16.21.6] riba plaintext+TLS
Jun 11 10:09:40 athene cyrus/master[12647]: process 12793 exited, signaled to death by 6
Jun 11 10:09:40 athene cyrus/master[12647]: service imaps pid 12793 in BUSY state: terminated abnormally
...



Sorry, but we can't reproduce the cyrus crash, so we can't send strace 
output to you. But I hope the information above could help you.

Thanks and bye

Rico

-- 
Dipl.-Math. Rico Barth, Geschäftsführer/Projektleiter
c.a.p.e. IT GmbH
Annaberger Straße 240 , 09125 Chemnitz
phone/fax: +49 371 5347-621 / -625
mobile:    +49 176 66680786
mailto:    rico.barth at cape-it.de , PGP-Key: 0x874C8377
internet:  www.cape-it.de

Geschäftsführung Rico Barth, Thomas Maier
AG Chemnitz, HRB 23192

