Thread: problems with LDAP auth against OSX server (and other minor issues)

  1. #1
    SpaceBass is offline Active Member
    Join Date
    Jan 2007
    Posts
    30
    Rep Power
    8

    Hey folks,
    Long time lurker, infrequent poster, avid home Zimbra user.

    Our zimbra box is running on a 2.2 ghz mac mini with 2gb of ram running ubuntu 10.04 LTS. Patches and zimbra are current. Approx 5 users.

    Our OS X server is a similarly spec'ed mini running the latest Snow Leopard server.

    At least 20x a day, every user has to re-enter their password in Apple's OSX Mail.app when sending and frequently when checking mail. Anecdotally, it's safe to say that almost any send requires entering the password 2-3 times. After I successfully enter my password, I can check Apple's Keychain.app and confirm that it is correct.

    All clients are using IDLE, SSL and password auth (although kerberos would be cool, but I'll save that for another project).

    I'll add that this has been going on for at least a year (been lazy about getting here to post it and pulling the logs to support the post).

    The only other observation is that CPU utilization on my box goes up more and more every week. It is frequently pegged at 100% with the following two processes being the leading culprits:

    /opt/zimbra/java/bin/java -server -XX:NewRatio=2 -Djava.awt.headless=true
    /bin/bash /opt/zimbra/bin/zmjava com.zimbra.cs.account.ProvUtil -l gamcs

    I've also noticed an AMAZING amount of spam for a box with only 5 users. I'm at the point where I'm considering an upstream 3rd party anti-spam solution... which is nuts for a home user. Frankly anyone in their right mind would be on Gmail... but I'm geeky and love my Zimbra box and would love to keep this working internally if we can.

    I understand there have been posts and bug reports about ProvUtil with most reporting that it is now fixed.
    That is not my observation on: Release 6.0.8_GA_2661.UBUNTU8 UBUNTU8 FOSS edition.

    OS X Server Open Directory Password Log:
    Code:
    Dec  7 2010 08:47:04    USER: {0x4873e0167dc9d2000000000900000009, ndawson} is the current user.
    Dec  7 2010 08:47:04    AUTH2: {0x4873e0167dc9d2000000000900000009, ndawson} CRAM-MD5 authentication succeeded.
    Dec  7 2010 08:47:05    RSAVALIDATE: success.
    Dec  7 2010 08:47:05    USER: {0x4873e08d2d2d663d0000000a0000000a, npdweb} is the current user.
    Dec  7 2010 08:47:05    AUTH2: {0x4873e08d2d2d663d0000000a0000000a, npdweb} CRAM-MD5 authentication succeeded.
    Dec  7 2010 08:47:07    RSAVALIDATE: success.
    Dec  7 2010 08:47:07    USER: {0x4873e08d2d2d663d0000000a0000000a, npdweb} is the current user.
    Dec  7 2010 08:47:07    AUTH2: {0x4873e08d2d2d663d0000000a0000000a, npdweb} CRAM-MD5 authentication succeeded.
    Dec  7 2010 08:47:10    RSAVALIDATE: success.
    Dec  7 2010 08:47:10    USER: {0x4873e0167dc9d2000000000900000009, ndawson} is the current user.
    Dec  7 2010 08:47:10    AUTH2: {0x4873e0167dc9d2000000000900000009, ndawson} CRAM-MD5 authentication succeeded.
    Dec  7 2010 08:47:10    RSAVALIDATE: success.
    Dec  7 2010 08:47:10    USER: {0x4873e0167dc9d2000000000900000009, ndawson} is the current user.
    Dec  7 2010 08:47:10    AUTH2: {0x4873e0167dc9d2000000000900000009, ndawson} CRAM-MD5 authentication succeeded.
    Dec  7 2010 08:47:38    RSAVALIDATE: success.
    Dec  7 2010 08:47:38    USER: {0x4873e0167dc9d2000000000900000009, ndawson} is the current user.
    Dec  7 2010 08:47:38    AUTH2: {0x4873e0167dc9d2000000000900000009, ndawson} CRAM-MD5 authentication succeeded.
    Dec  7 2010 08:47:47    RSAVALIDATE: success.
    Dec  7 2010 08:47:47    USER: {0x4873e08d2d2d663d0000000a0000000a, npdweb} is the current user.
    Dec  7 2010 08:47:47    AUTH2: {0x4873e08d2d2d663d0000000a0000000a, npdweb} CRAM-MD5 authentication succeeded.
    Dec  7 2010 08:47:48    RSAVALIDATE: success.
    Dec  7 2010 08:47:48    USER: {0x4873e0167dc9d2000000000900000009, ndawson} is the current user.
    Dec  7 2010 08:47:48    AUTH2: {0x4873e0167dc9d2000000000900000009, ndawson} CRAM-MD5 authentication succeeded.
    Dec  7 2010 08:47:51    RSAVALIDATE: success.
    Dec  7 2010 08:47:51    USER: {0x4873e08d2d2d663d0000000a0000000a, npdweb} is the current user.
    Dec  7 2010 08:47:51    AUTH2: {0x4873e08d2d2d663d0000000a0000000a, npdweb} CRAM-MD5 authentication succeeded.
    Dec  7 2010 08:48:04    RSAVALIDATE: success.
    Dec  7 2010 08:48:04    USER: {0x4873e08d2d2d663d0000000a0000000a, npdweb} is the current user.
    Dec  7 2010 08:48:04    AUTH2: {0x4873e08d2d2d663d0000000a0000000a, npdweb} CRAM-MD5 authentication succeeded.
    Dec  7 2010 08:48:06    RSAVALIDATE: success.
    Dec  7 2010 08:48:06    USER: {0x4873e08d2d2d663d0000000a0000000a, npdweb} is the current user.
    Dec  7 2010 08:48:06    AUTH2: {0x4873e08d2d2d663d0000000a0000000a, npdweb} CRAM-MD5 authentication succeeded.
    Dec  7 2010 08:48:10    RSAVALIDATE: success.
    Dec  7 2010 08:48:10    USER: {0x4873e08d2d2d663d0000000a0000000a, npdweb} is the current user.
    Dec  7 2010 08:48:10    AUTH2: {0x4873e08d2d2d663d0000000a0000000a, npdweb} CRAM-MD5 authentication succeeded.

    /var/log/zimbra.log (Ubuntu box)
    Code:
    Dec  7 08:47:03 aspen postfix/anvil[28264]: statistics: max connection count 1 for (smtp:92.81.89.112) at Dec  7 08:43:32
    Dec  7 08:47:03 aspen postfix/anvil[28264]: statistics: max cache size 1 at Dec  7 08:43:32
    Dec  7 08:47:36 aspen postfix/smtpd[30777]: connect from osx5.nsnet.us[10.1.1.100]
    Dec  7 08:47:36 aspen postfix/smtpd[30777]: setting up TLS connection from osx5.nsnet.us[10.1.1.100]
    Dec  7 08:47:58 aspen postfix/smtpd[30781]: connect from osx5.nsnet.us[10.1.1.100]
    Dec  7 08:47:58 aspen postfix/smtpd[30781]: setting up TLS connection from osx5.nsnet.us[10.1.1.100]
    Dec  7 08:47:58 aspen postfix/smtpd[30781]: Anonymous TLS connection established from osx5.nsnet.us[10.1.1.100]: TLSv1 with cipher AES128-SHA (128/128 bits)
    Dec  7 08:47:58 aspen saslauthd[10406]: zmauth: authenticating against elected url 'https://mail.nickdawson.net:7071/service/admin/soap/' ...
    Dec  7 08:47:58 aspen postfix/smtpd[30777]: Anonymous TLS connection established from osx5.nsnet.us[10.1.1.100]: TLSv1 with cipher AES128-SHA (128/128 bits)
    Dec  7 08:47:59 aspen saslauthd[10403]: zmauth: authenticating against elected url 'https://mail.nickdawson.net:7071/service/admin/soap/' ...
    Dec  7 08:48:04 aspen saslauthd[10406]: zmpost: url='https://mail.nickdawson.net:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="982957"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_860948f2f7416b887a4bf3c2c4e04c34842d519d_69643d33363a35666263376130612d636634632d343962342d623664642d3432653165623834623662333b6578703d31333a313239313930323438343633343b747970653d363a7a696d6272613b</authToken><lifetime>172800000</lifetime><skin>lemongrass</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
    Dec  7 08:48:05 aspen saslauthd[10406]: auth_zimbra: npdweb auth OK
    Dec  7 08:48:05 aspen postfix/smtpd[30781]: disconnect from osx5.nsnet.us[10.1.1.100]
    Dec  7 08:48:15 aspen saslauthd[10403]: authentication against url 'https://mail.nickdawson.net:7071/service/admin/soap/' caused error 'curl_easy_perform: error(28): SSL connection timeout'
    Dec  7 08:48:17 aspen saslauthd[10403]: url 'https://mail.nickdawson.net:7071/service/admin/soap/' will not be used for (at least) 600 seconds
    Dec  7 08:48:17 aspen saslauthd[10403]: Authentication cycle re-elected url https://mail.nickdawson.net:7071/service/admin/soap/, giving up ...
    Dec  7 08:48:18 aspen saslauthd[10403]: auth_zimbra: ndawson auth failed: curl_easy_perform: error(28): SSL connection timeout
    Dec  7 08:48:18 aspen saslauthd[10403]: do_auth         : auth failure: [user=ndawson] [service=smtp] [realm=] [mech=zimbra] [reason=Unknown]
    Dec  7 08:48:18 aspen postfix/smtpd[30777]: warning: SASL authentication failure: Password verification failed
    Dec  7 08:48:19 aspen postfix/smtpd[30777]: warning: osx5.nsnet.us[10.1.1.100]: SASL PLAIN authentication failed: authentication failure
    Dec  7 08:48:19 aspen postfix/smtpd[30777]: disconnect from osx5.nsnet.us[10.1.1.100]
    Dec  7 08:48:20 aspen zmmailboxdmgr[31531]: status requested
    Dec  7 08:48:20 aspen zmmailboxdmgr[31531]: status OK
    Dec  7 08:48:25 aspen zmmailboxdmgr[31932]: status requested
    Dec  7 08:48:25 aspen zmmailboxdmgr[31932]: status OK
    Dec  7 08:48:26 aspen zmmailboxdmgr[31991]: status requested
    Dec  7 08:48:26 aspen zmmailboxdmgr[31991]: status OK
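
    The zimbra.log excerpt above shows the pattern worth automating when triaging this kind of report: each saslauthd worker logs "authenticating against elected url" when it starts the admin SOAP call and, seconds later, "auth OK" or "auth failed", so pairing the two lines by worker pid gives the round-trip time of every SMTP AUTH, and a "will not be used for (at least) N seconds" line means that worker will fail every login for the next N seconds without trying the SOAP call at all. The following is an added example written for this thread (not Zimbra's own code and not from the original post); the sample lines are taken from the excerpt above and the regexes assume exactly that log format.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: the saslauthd lines from the zimbra.log excerpt above, in the order
# the two saslauthd workers (pids 10406 and 10403) logged them.
SAMPLE_LOG = """\
Dec  7 08:47:58 aspen saslauthd[10406]: zmauth: authenticating against elected url 'https://mail.nickdawson.net:7071/service/admin/soap/' ...
Dec  7 08:47:59 aspen saslauthd[10403]: zmauth: authenticating against elected url 'https://mail.nickdawson.net:7071/service/admin/soap/' ...
Dec  7 08:48:05 aspen saslauthd[10406]: auth_zimbra: npdweb auth OK
Dec  7 08:48:17 aspen saslauthd[10403]: url 'https://mail.nickdawson.net:7071/service/admin/soap/' will not be used for (at least) 600 seconds
Dec  7 08:48:18 aspen saslauthd[10403]: auth_zimbra: ndawson auth failed: curl_easy_perform: error(28): SSL connection timeout
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ saslauthd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
START_RE = re.compile(r"^zmauth: authenticating against elected url '")
RESULT_RE = re.compile(r"^auth_zimbra: (?P<user>\S+) auth (?P<outcome>OK|failed)(?:: (?P<reason>.*))?$")
QUARANTINE_RE = re.compile(r"^url '(?P<url>[^']+)' will not be used for \(at least\) (?P<secs>\d+) seconds")

@dataclass
class AuthAttempt:
    user: str
    pid: str
    ok: bool
    seconds: float   # wall time the worker spent waiting on the admin SOAP call
    reason: str      # curl error text on failure, "" on success

def correlate(log_text):
    """Pair each worker's 'authenticating against' line with its 'auth OK/failed' line, keyed
    by saslauthd pid, and collect every 'will not be used' line (for that long, every SMTP AUTH
    that lands on that worker fails without the SOAP call even being attempted)."""
    pending, attempts, quarantines = {}, [], []   # pending: pid -> time the SOAP call started
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, pid, msg = datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["pid"], m["msg"]
        if START_RE.match(msg):
            pending[pid] = ts
        elif (r := RESULT_RE.match(msg)):
            started = pending.pop(pid, ts)   # unmatched result: report zero wait, not a crash
            attempts.append(AuthAttempt(r["user"], pid, r["outcome"] == "OK",
                                        (ts - started).total_seconds(), r["reason"] or ""))
        elif (q := QUARANTINE_RE.match(msg)):
            quarantines.append((q["url"], int(q["secs"])))
    return attempts, quarantines
```

    Run over a full day of zimbra.log, the attempts whose `seconds` climbs toward the curl timeout and every quarantine entry line up with the periods users report password prompts; on this excerpt even the successful login waited 7 seconds for a SOAP call to localhost.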

  2. #2
    SpaceBass is offline Active Member
    Join Date
    Jan 2007
    Posts
    30
    Rep Power
    8

    sorry to be that guy... but...bump?
    Any thoughts about why zimbra says the LDAP auth fails and the OSX server says it is successful?

  3. #3
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,470
    Rep Power
    56

    To state the obvious, the reason it's failing is because of this:

    Code:
    Dec  7 08:48:18 aspen saslauthd[10403]: auth_zimbra: ndawson auth failed: curl_easy_perform: error(28): SSL connection timeout
    Do you have any firewall or AppArmor on this server? Is there anything else running on the server? What happens at the time this connection times out (is the server under load etc.)? Have you done any of the tweaks to reduce the RAM footprint of Zimbra?

    You'd need to give further details about the type of spam you're receiving and what the headers are from the email plus any details of spam 'tweaks' that you've made to the anti-spam system.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  4. #4
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,470
    Rep Power
    56

    BTW, I notice that in your public DNS records you are using a CNAME rather than an A record for your domain - using a CNAME can be problematic and isn't really recommended. Do you have the same configuration on your LAN DNS using a CNAME instead of an A record?
    Regards


    Bill


  5. #5
    SpaceBass is offline Active Member
    Join Date
    Jan 2007
    Posts
    30
    Rep Power
    8

    Quote Originally Posted by phoenix View Post
    To state the obvious, the reason it's failing is because of this:

    Code:
    Dec  7 08:48:18 aspen saslauthd[10403]: auth_zimbra: ndawson auth failed: curl_easy_perform: error(28): SSL connection timeout
    Do you have any firewall or AppArmor on this server? Is there anything else running on the server? What happens at the time this connection times out (is the server under load etc.)? Have you done any of the tweaks to reduce the RAM footprint of Zimbra?

    You'd need to give further details about the type of spam you're receiving and what the headers are from the email plus any details of spam 'tweaks' that you've made to the anti-spam system.
    Thanks Phoenix - appreciate your time and reply! I'm happy to provide more info; like I said, I'm a hobbyist and so sometimes need a little coaching to know what to provide.

    The OSX server load is consistently very low; it literally does not do more than provide local DNS and OpenDirectory. As the server logs reflect, it replies with authorizations - my observations are that those replies are very prompt.

    The zimbra server, on the other hand, is under constant load between 75%-100%. I've not done any tweaks to the RAM footprint - do you recommend doing so? Spam is set to kill at 50 and tag at 15 - any suggested changes there? Sample headers below.

    On the zimbra box, there is nothing besides the base ubuntu install and zimbra. No apparmor or other firewalls. Both zimbra and osx server are on the same subnet and switch for that matter.

    I'll change the external cname to an A record right away. Internally it is already an A record (and my client is using the ip address of the mail server).

    Sample spam header (picking a Russian language one since the ones I can read are nothing short of X-rated)
    Code:
    From: 	Александр Морозов <nbzese@idpcorporation.com>
    	Subject: 	SPAM NSnet_Рос. заводы производители 
    <STRONG>Новогодних хлопушек и бенгальских огней</STRONG> города Челябинска и 
    Краснозаводска проводят <STRONG>Новогоднюю акцию</STRONG></FONT> <STRONG><FONT 
    color=#ff0000>50%</FONT><FONT color=#ff0000> скидка</FONT></STRONG> <FONT 
    color=#000080>от основных заводских прайс листов 
    	Date: 	December 7, 2010 7:31:51 PM EST
    	To: 	Nick P P Dawson <npdweb@nick-dawson.com>
    	Return-Path: 	nbzese@idpcorporation.com
    	Received: 	from mail.nickdawson.net (LHLO mail.nickdawson.net) (10.1.1.27) by mail.nickdawson.net with LMTP; Tue, 7 Dec 2010 19:34:29 -0500 (EST)
    	Received: 	from localhost (localhost [127.0.0.1]) by mail.nickdawson.net (Postfix) with ESMTP id BE36A2A800E for <npdweb@nick-dawson.com>; Tue,  7 Dec 2010 19:34:28 -0500 (EST)
    	Received: 	from mail.nickdawson.net ([127.0.0.1]) by localhost (mail.nickdawson.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0WQdy+LawFyi for <npdweb@nick-dawson.com>; Tue,  7 Dec 2010 19:32:17 -0500 (EST)
    	Received: 	from idpcorporation.com (host186-177-static.116-2-b.business.telecomitalia.it [2.116.177.186]) by mail.nickdawson.net (Postfix) with ESMTP id 831832A8010 for <npdweb@nick-dawson.com>; Tue,  7 Dec 2010 19:31:53 -0500 (EST)
    	X-Virus-Scanned: 	amavisd-new at aspen.nsnet.com
    	X-Spam-Flag: 	YES
    	X-Spam-Score: 	9.195
    	X-Spam-Level: 	*********
    	X-Spam-Status: 	Yes, score=9.195 tagged_above=-10 required=3 tests=[BAYES_99=3.5, DOS_OE_TO_MX=2.523, HTML_MESSAGE=0.001, RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_XBL=0.375] autolearn=no
    	Message-Id: 	<ca2501cb966e$372551e3$672d7987@idpcorporation.com>
    	Mime-Version: 	1.0
    	Content-Type: 	multipart/alternative; boundary="----=_NextPart_000_0023_17_01CB9680.EEECCEAB"
    	X-Priority: 	3
    	X-Msmail-Priority: 	Normal
    	X-Mailer: 	Microsoft Outlook Express 6.00.2900.2180
    	X-Mimeole: 	Produced By Microsoft MimeOLE V6.00.2900.3350
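
    The X-Spam-Status header in that sample already answers part of the "kill at 50 / tag at 15" question: it lists every rule that fired with its points, the total, and the threshold (required=3) that amavisd-new actually applied. The example below is added for this thread (not Zimbra's or SpamAssassin's code, and not from the post) and parses that header, checks that the rule points add up to the reported score, and works out whether the message would be tagged or killed. It assumes, as a labelled assumption, that Zimbra's percent settings are a percentage of 20 SpamAssassin points, so tag at 15 gives 3.0 (which is what the header reports) and kill at 50 gives 10.0.

```python
import re

# Constructed sample: the X-Spam-Status value from the spam header quoted above.
SPAM_STATUS = ("Yes, score=9.195 tagged_above=-10 required=3 tests=[BAYES_99=3.5, "
               "DOS_OE_TO_MX=2.523, HTML_MESSAGE=0.001, RCVD_IN_BL_SPAMCOP_NET=1.347, "
               "RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_XBL=0.375] autolearn=no")

HEADER_RE = re.compile(r"^(?P<flag>Yes|No), score=(?P<score>-?[\d.]+) tagged_above=-?[\d.]+ "
                       r"required=(?P<required>-?[\d.]+) tests=\[(?P<tests>[^\]]*)\]")

def parse_spam_status(value):
    """Return the verdict flag, total score, the applied 'required' threshold and each rule's points."""
    m = HEADER_RE.match(value)
    if not m:
        raise ValueError("unrecognised X-Spam-Status header")
    tests = {}
    for item in m["tests"].split(","):
        name, _, pts = item.strip().partition("=")
        tests[name] = float(pts)
    return {"flagged": m["flag"] == "Yes", "score": float(m["score"]),
            "required": float(m["required"]), "tests": tests}

def classify(parsed, tag_percent, kill_percent):
    """Assumed mapping: Zimbra's tag/kill percent is a percentage of 20 SpamAssassin points,
    so tag at 15 -> 3.0 and kill at 50 -> 10.0 (the header's required=3 agrees with that)."""
    tag_at, kill_at = tag_percent * 20 / 100, kill_percent * 20 / 100
    rule_total = round(sum(parsed["tests"].values()), 3)
    # Sanity checks: the rule points add up to the reported score, and the threshold the
    # filter actually applied matches what the admin believes is configured.
    consistent = abs(rule_total - parsed["score"]) < 0.001 and abs(tag_at - parsed["required"]) < 0.001
    if parsed["score"] >= kill_at:
        verdict = "killed"       # above the kill threshold: amavis would not deliver it
    elif parsed["score"] >= tag_at:
        verdict = "tagged"       # delivered but flagged, which is what the sample shows
    else:
        verdict = "clean"
    return {"verdict": verdict, "tag_at": tag_at, "kill_at": kill_at,
            "rule_total": rule_total, "consistent": consistent}

def top_rules(parsed, n=3):
    """The rules contributing the most points, to see what is actually catching the spam."""
    return sorted(parsed["tests"].items(), key=lambda kv: -kv[1])[:n]
```

    For this sample the score of 9.195 sits between the tag threshold (3.0) and the kill threshold (10.0), which is why it reached the inbox flagged rather than being dropped; lowering the kill percent is the setting that changes that outcome.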

  6. #6
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,470
    Rep Power
    56

    I presume that all the Zimbra services are running? Do the following to check:

    Code:
    zmcontrol status
    Can you monitor the server for a while to give us some idea of which services are consuming resources (top or whatever is your favourite tool)?
    Regards


    Bill


  7. #7
    SpaceBass is offline Active Member
    Join Date
    Jan 2007
    Posts
    30
    Rep Power
    8

    Quote Originally Posted by phoenix View Post
    I presume that all the Zimbra services are running? Do the following to check:

    Code:
    zmcontrol status
    Can you monitor the server for a while to give us some idea of which services are consuming resources (top or whatever is your favourite tool)?
    Yes, all running.
    I've only made one change: I've tried disabling AV for the last 6 hours, no change.
