[Dovecot] GSSAPI Authentication in v1.2.1
Angel Marin
anmar at anmar.eu.org
Mon Aug 10 11:36:39 EEST 2009
Phillip Macey wrote:
>
> In the release notes for v1.2.2, Timo said:
>> Found and fixed several v1.2-specific bugs. Hopefully it's now stable
>> for most people's usage.
>>
>> * GSSAPI: More changes to authentication. Hopefully good now.
>>
> What were the GSSAPI changes? I am having problems with _some_ of my
> users using GSSAPI auth. I am using version 1.2.1. The client
> (thunderbird) reports that the server does not support 'secure
> authentication'. When I switch on auth_debug in dovecot, I see errors
> such as these in the logs:
>
> Aug 3 16:45:57 fury dovecot: auth(default): client in: AUTH 1 GSSAPI service=imap lip=10.1.0.20 rip=10.8.5.72 lport=143 rport=4027
> Aug 3 16:45:57 fury dovecot: auth(default): gssapi(?,10.8.5.72): Using all keytab entries
> Aug 3 16:45:57 fury dovecot: auth(default): client out: CONT 1
> Aug 3 16:45:57 fury dovecot: imap-login: Disconnected: Input buffer full (auth failed, 1 attempts): method=GSSAPI, rip=10.8.5.72, lip=10.1.0.20
>
>
> Other users work perfectly (eg. all of the user accounts I tested
> against). Would this have been a bug that was fixed in 1.2.2 or is it
> something else? If it is most likely something else, I will post
> `dovecot -n`.
Same here (1.2.3), it's been working fine adding all possible principals
to the keytab and setting:

auth_gssapi_hostname = $ALL

There are all sorts of resolvers out there that seem to mess with
principal name selection on the clients all the time. Weird thing is
this particular one didn't happen with 1.1.x.
--
Angel Marin
http://anmar.eu.org/
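
The following Python script is an added example, not code from either poster or from the Dovecot project. It tallies GSSAPI login outcomes per client IP from imap-login log lines, so an administrator can see which clients only ever hit the "Input buffer full" failure quoted above. The sample log is constructed from the thread's lines plus an assumed successful-login line; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the thread's log lines (unwrapped) plus assumed extra lines.
SAMPLE_LOG = """\
Aug  3 16:45:57 fury dovecot: auth(default): client in: AUTH 1 GSSAPI service=imap lip=10.1.0.20 rip=10.8.5.72 lport=143 rport=4027
Aug  3 16:45:57 fury dovecot: auth(default): client out: CONT 1
Aug  3 16:45:57 fury dovecot: imap-login: Disconnected: Input buffer full (auth failed, 1 attempts): method=GSSAPI, rip=10.8.5.72, lip=10.1.0.20
Aug  3 16:46:11 fury dovecot: imap-login: Login: user=<alice>, method=GSSAPI, rip=10.8.5.90, lip=10.1.0.20
Aug  3 16:47:02 fury dovecot: imap-login: Disconnected: Input buffer full (auth failed, 1 attempts): method=GSSAPI, rip=10.8.5.72, lip=10.1.0.20
Aug  3 16:48:30 fury dovecot: imap-login: Disconnected (auth failed, 1 attempts): method=PLAIN, rip=10.8.5.33, lip=10.1.0.20
"""

# Matches the login-process summary line; auth(default) debug lines are ignored.
LOGIN_RE = re.compile(
    r"dovecot: (?:imap|pop3)-login: (?P<event>Login|Disconnected)(?P<detail>.*?)"
    r"method=(?P<method>[A-Z0-9-]+), rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def gssapi_outcomes(log_text):
    """Per client IP: counts of GSSAPI logins, buffer-full failures, other failures."""
    stats = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m or m["method"] != "GSSAPI":
            continue
        counts = stats.setdefault(m["rip"], Counter())
        if m["event"] == "Login":
            counts["ok"] += 1
        elif "Input buffer full" in m["detail"]:
            counts["buffer_full"] += 1
        else:
            counts["other_fail"] += 1
    return stats


def always_failing(stats):
    """Clients that hit the buffer-full failure and never completed a GSSAPI login."""
    return sorted(ip for ip, c in stats.items() if c["buffer_full"] and not c["ok"])


if __name__ == "__main__":
    for ip in always_failing(gssapi_outcomes(SAMPLE_LOG)):
        print(ip)
```
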