[Dovecot] dovecot 1.2rc5 fails to authenticate user via GSSAPI
Michal Hlavinka
mhlavink at redhat.com
Wed Jun 24 16:38:51 EEST 2009
Hi,
we're facing a problem where dovecot 1.2rc5 is not able to authenticate a user via
gssapi. (I'm forwarding information from Red Hat's Bugzilla.)
Steps to reproduce:
1. Install dovecot with kerberos support, create mailboxes for the client
2. Get initial credentials on client side
3. Attempt to log in via dovecot using gssapi
-> login failed
Client side
1. Email client displays: "[AUTHENTICATIONFAILED] Authentication failed."
2. klist before login shows:
Valid starting Expires Service principal
06/18/09 20:01:01 06/19/09 20:01:01 krbtgt/realm at realm
3. klist after login attempt shows:
Valid starting Expires Service principal
06/18/09 20:01:01 06/19/09 20:01:01 krbtgt/realm at realm
06/18/09 20:01:28 06/19/09 20:01:01 imap/mail.domain at realm
Server side
1. /var/log/maillog:
dovecot: auth(default): gssapi(user,192.168.0.1): authn_name not authorized
dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<user>,
method=GSSAPI, rip=192.168.0.1, lip=192.168.0.2, TLS
----------------
It is possible for the same user to login via other mechanisms.
The issue reproduced with different email clients. Evolution and a custom
java-based client were attempted.
example of dovecot.conf:
protocols = imap
mail_location = maildir:/home/virtual/%u/Maildir
protocol imap {
}
auth_krb5_keytab=/etc/dovecot.keytab
auth default {
  mechanisms = gssapi
  userdb static {
    args = uid=vmail gid=vmail home=/home/virtual/%u
  }
}
-------------------------
Exactly the same dovecot setup was working just fine with dovecot 1.1 series.
Authentication using kinit works just fine and the Kerberos infrastructure is
functioning well, as I use Kerberos auth for other services like apache and ssh
successfully.
/var/log/maillog with auth_debug=yes can be found here:
https://bugzilla.redhat.com/attachment.cgi?id=348710
Regards,
Michal Hlavinka
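
Added example, not part of the original post and not Dovecot code: a Python sketch that parses the two maillog line formats quoted above and lists the user/IP pairs whose GSSAPI attempt ended with "authn_name not authorized", keeping them apart from other aborted logins. The sample lines are constructed (syslog prefix, extra users and addresses are assumptions, and the wrapped imap-login line is joined).

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the post; the timestamp prefix,
# the users "alice"/"bob" and their addresses are made up for illustration.
SAMPLE_LOG = """\
Jun 18 20:01:28 mail dovecot: auth(default): gssapi(user,192.168.0.1): authn_name not authorized
Jun 18 20:01:28 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<user>, method=GSSAPI, rip=192.168.0.1, lip=192.168.0.2, TLS
Jun 18 20:05:02 mail dovecot: auth(default): gssapi(alice,192.168.0.7): authn_name not authorized
Jun 18 20:06:10 mail dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<bob>, method=PLAIN, rip=192.168.0.9, lip=192.168.0.2, TLS
"""

# auth process line: mechanism(user,remote-ip): reason
AUTH_RE = re.compile(
    r"dovecot: auth\([^)]*\): (?P<mech>[\w-]+)\((?P<user>[^,)]*),(?P<rip>[^)]+)\): (?P<reason>.+)$")
# login process line: Aborted login (auth failed, N attempts): user=<..>, method=.., rip=..
LOGIN_RE = re.compile(
    r"dovecot: [\w-]+-login: Aborted login \(auth failed, (?P<n>\d+) attempts\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>[\w-]+), rip=(?P<rip>[^,]+)")

def triage(log_text):
    """Group failures by (user, remote IP) and attach the auth-process reason."""
    events = defaultdict(lambda: {"reasons": [], "aborted": 0, "methods": set()})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            key = (m["user"], m["rip"])
            events[key]["reasons"].append((m["mech"], m["reason"].strip()))
            continue
        m = LOGIN_RE.search(line)
        if m:
            entry = events[(m["user"], m["rip"])]
            entry["aborted"] += int(m["n"])
            entry["methods"].add(m["method"])
    return dict(events)

def gssapi_authz_failures(events):
    """Return the (user, ip) keys that logged the GSSAPI reason seen in the post."""
    wanted = ("gssapi", "authn_name not authorized")
    return sorted(k for k, e in events.items() if wanted in e["reasons"])

if __name__ == "__main__":
    for user, rip in gssapi_authz_failures(triage(SAMPLE_LOG)):
        print(f"{user} from {rip}: GSSAPI authn_name not authorized")
```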