[Dovecot] GSSAPI authentication behind HA servers

Mustafa A. Hashmi mahashmi at gmail.com
Thu Mar 22 17:26:25 EET 2007


Hi all,

On 2/3/07, Mustafa A. Hashmi <mahashmi at gmail.com> wrote:

> We have 2 mail servers sitting behind linux-HA machines. The mail
> servers are currently running dovecot 1.0rc2.
>
> Looking to enable GSSAPI authentication, I exported krb keytabs for
> imap/node01.domain at REALM and imap/node02.domain at REALM for both mail
> servers.
>
> However, clients are connecting to mail.domain.com, which results in a
> mismatch as far as the keytab is concerned (and rightly so).
> Connections directly to node01 and node02 work fine for gssapi auth.
>
> I proceeded to export a key for mail.domain.com into the same keytab
> for both the nodes, however, I don't think more than a single key is
> checked for the imap service, and authentication errors continued.
>
> Is anybody running something similar? Could you please explain how you
> have this working on your end?


In response to my own query -- the confusion lay on my end. It is important
to understand how Kerberos works and reading the Kerberos FAQ cleared quite
a few things for me. People running dovecot in HA environments with GSSAPI
based authentication are encouraged to read the following documentation:

http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#kerbdns

It is, however, noteworthy that modifying mech-gssapi.c (using rc15) in the
following manner will scan all entries in the keytab:

--- /usr/local/src/foobar/dovecot-1.0.rc15/src/auth/mech-gssapi.c
2006-09-22 19:55:18.000000000 +0500
+++ /usr/local/src/dovecot-1.0.rc15/src/auth/mech-gssapi.c      2007-03-19
09:27:58.000000000 +0500
@@ -178,11 +178,11 @@
        gss_buffer_desc outbuf;

        major_status = gss_accept_sec_context (
                &minor_status,
                &request->gss_ctx,
-               request->service_cred,
+               GSS_C_NO_CREDENTIAL,
                &inbuf,
                GSS_C_NO_CHANNEL_BINDINGS,
                &request->authn_name,
                NULL, /* mech_type */
                &outbuf,
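Review bot: With GSS_C_NO_CREDENTIAL in place of request->service_cred, gss_accept_sec_context() falls back to the default acceptor credential, so the incoming ticket is matched against every key in the process's keytab rather than only the principal that was acquired into request->service_cred; if that keytab also holds keys for other services on the host (the post describes exporting several principals into the same file), a client presenting a ticket for one of those now completes an IMAP authentication as well. Keep Dovecot on a keytab that contains only the imap/ principals it should accept (a dedicated file named via KRB5_KTNAME), or keep acquiring an explicit credential but with GSS_C_NO_NAME as the acceptor name so the restriction is still applied at acquire time. Either way, request->service_cred is now unused at this call site, so whatever fills it should be removed or changed in the same patch, and the hunk should carry a comment saying why the named credential was dropped.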

Regards,
-- 
Mustafa A. Hashmi
mahashmi at gmail.com
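Before relying on an acceptor that scans every keytab entry, it is worth seeing exactly what the keytab holds. The following is an added example, not from the original post and not Dovecot's code: a Python parser for the MIT keytab file format (version 0x0502) that lists the principals in a file and audits two things the HA setup above depends on, that every expected imap/ principal is present, and whether keys for other services share the same file and would therefore also be honoured by a whole-keytab scan. The sample keytab is constructed inside the code with dummy keys; the three imap/ principal names follow the post (with the archive's " at " restored to "@"), and the host/node01.domain entry is an assumed extra included to show what the audit flags.

```python
"""Added example (not Dovecot code): parse an MIT keytab (version 0x0502) and
audit which principals it contains.  Layout, all big-endian: uint16 version,
then entries of [int32 size (bytes following; negative = deleted slot of
-size bytes)] [uint16 num_components] [realm] [components...] [uint32
name_type] [uint32 timestamp] [uint8 vno8] [uint16 enctype] [key]
[uint32 vno32, present if 4 bytes remain], where realm, components and key
are uint16-length-prefixed octet strings."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    enctype: int     # RFC 3961 enctype number, e.g. 18 = aes256-cts-hmac-sha1-96
    kvno: int
    timestamp: int
    key: bytes


def _counted(buf: bytes, p: int) -> Tuple[bytes, int]:
    """Read a uint16-length-prefixed octet string at offset p of buf."""
    (n,) = struct.unpack_from(">H", buf, p)
    p += 2
    if p + n > len(buf):
        raise ValueError("counted string overruns its keytab entry")
    return buf[p:p + n], p + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode every live entry of a v2 MIT keytab; deleted slots are skipped."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != 0x0502:
        raise ValueError(f"unsupported keytab version 0x{version:04x}")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # hole left by a removed entry
            off += -size
            continue
        if off + size > len(data):
            raise ValueError("truncated keytab entry")
        entry, p = data[off:off + size], 0   # parse strictly inside the declared size
        (ncomp,) = struct.unpack_from(">H", entry, p); p += 2
        realm, p = _counted(entry, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(entry, p)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", entry, p); p += 9
        (enctype,) = struct.unpack_from(">H", entry, p); p += 2
        key, p = _counted(entry, p)
        kvno = vno8
        if len(entry) - p >= 4:           # 32-bit kvno overrides the 8-bit one when set
            (vno32,) = struct.unpack_from(">I", entry, p)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   enctype, kvno, ts, key))
        off += size
    return entries


def is_valid_keytab(data: bytes) -> bool:
    """True if data parses completely; malformed or truncated files give False."""
    try:
        parse_keytab(data)
        return True
    except (ValueError, struct.error):
        return False


def audit_keytab(entries: List[KeytabEntry], wanted: List[str],
                 service: str = "imap") -> Dict[str, List[str]]:
    """'missing': expected principals with no key here; 'foreign': principals of
    other services in the same file, which a whole-keytab scan would also accept."""
    present = {e.principal for e in entries}
    return {"missing": sorted(set(wanted) - present),
            "foreign": sorted(p for p in present if not p.startswith(service + "/"))}


def build_keytab(specs: List[Tuple[str, int, int, bytes]], ts: int = 1174305878) -> bytes:
    """Serialise (principal, enctype, kvno, key) tuples in the layout above."""
    out = bytearray(b"\x05\x02")
    for princ, enctype, kvno, key in specs:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)   # name_type 1 = KRB5_NT_PRINCIPAL
        body += struct.pack(">H", enctype) + struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample data: the post's three imap/ principals plus an assumed
# host/ key sharing the file.  DUMMY_KEY is a placeholder, not key material.
WANTED = ["imap/node01.domain@REALM", "imap/node02.domain@REALM",
          "imap/mail.domain.com@REALM"]
DUMMY_KEY = bytes(range(32))
SAMPLE_KEYTAB = build_keytab([(p, 18, 3, DUMMY_KEY) for p in WANTED] +
                             [("host/node01.domain@REALM", 18, 7, DUMMY_KEY)])
# The same file after an entry was removed: a 12-byte deleted slot precedes the rest.
SAMPLE_WITH_HOLE = SAMPLE_KEYTAB[:2] + struct.pack(">i", -12) + bytes(12) + SAMPLE_KEYTAB[2:]

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.principal:32} enctype={e.enctype} kvno={e.kvno}")
    print(audit_keytab(parse_keytab(SAMPLE_KEYTAB), WANTED))
```

On a real node, `klist -k /path/to/keytab` gives the same principal list; the parser is for scripting the check, and the "foreign" list is the one to keep empty if the acceptor is allowed to match any entry in the file.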
