[Dovecot] Problems setting up dovecot 2.0.1 with kerberos auth

Dirk Heinrichs dirk.heinrichs@altum.de
Sun Sep 5 20:02:11 EEST 2010


Hi,

I'm trying to set up dovecot 2.0.1 on a Debian squeeze test box. I want
to integrate it into an already working kerberos5 setup, but I can't get
it to work.

I've created host/, smtp/ and imap/ service principals with random
keys for the test machine and added them to its keytab.

I can also obtain user credentials using kinit, but when I try to telnet
to port 143, I only get the following:

# kinit heini
Password for heini@ALTUM.DE:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: heini@ALTUM.DE

Valid starting     Expires            Service principal
09/05/10 18:56:30  09/06/10 04:56:30  krbtgt/ALTUM.DE@ALTUM.DE
        renew until 09/06/10 18:56:27
# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
AUTH=GSSAPI] Dovecot ready.
a authenticate GSSAPI
a NO [UNAVAILABLE] Temporary authentication failure.
^]
telnet> Connection closed.

This is in the logs:

Sep  5 18:56:47 oldbox dovecot: auth: Debug: Loading modules from
directory: /usr/lib/dovecot/modules/auth
Sep  5 18:56:47 oldbox dovecot: auth: Debug: auth client connected
(pid=27684)
Sep  5 18:56:58 oldbox dovecot: auth: Debug: client in:
AUTH#0111#011GSSAPI#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=33753
Sep  5 18:56:58 oldbox dovecot: auth: Debug: gssapi(?,127.0.0.1):
Obtaining credentials for imap@rohan
Sep  5 18:56:58 oldbox dovecot: auth: gssapi(?,127.0.0.1): While
acquiring service credentials: Unspecified GSS failure.  Minor code may
provide more information
Sep  5 18:56:58 oldbox dovecot: auth: gssapi(?,127.0.0.1): While
acquiring service credentials: Permission denied
Sep  5 18:57:00 oldbox dovecot: auth: Debug: client out: FAIL#0111#011temp
Sep  5 18:57:05 oldbox dovecot: imap-login: Disconnected (auth failed, 1
attempts): method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=0, secured

My configuration:

# doveconf -n
# 2.0.1 (a05834588ffb): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-486 i586 Debian squeeze/sid
auth_debug = yes
auth_gssapi_hostname = rohan
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = gssapi
auth_verbose = yes
disable_plaintext_auth = no
listen = *
mail_location = maildir:~/mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = comparator-i;octet
comparator-i;ascii-casemap fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex
imap4flags copy include variables body enotify environment mailbox date
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = imap
ssl = no
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  args = uid=vmail gid=vmail home=/var/vmail/%u
  driver = static
}

And here's the content of the kerberos keytab:

# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3            host/oldbox.altum.de@ALTUM.DE
   2    3            host/oldbox.altum.de@ALTUM.DE
   3    3            host/oldbox.altum.de@ALTUM.DE
   4    3            host/oldbox.altum.de@ALTUM.DE
   5    3            imap/oldbox.altum.de@ALTUM.DE
   6    3            imap/oldbox.altum.de@ALTUM.DE
   7    3            imap/oldbox.altum.de@ALTUM.DE
   8    3            imap/oldbox.altum.de@ALTUM.DE
   9    3            smtp/oldbox.altum.de@ALTUM.DE
  10    3            smtp/oldbox.altum.de@ALTUM.DE
  11    3            smtp/oldbox.altum.de@ALTUM.DE
  12    3            smtp/oldbox.altum.de@ALTUM.DE


I also don't see any connection attempt in the KDC's log file.

Any idea what could be wrong?

Thanks...

	Dirk
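Added diagnostic helper (editor's example, not from Dirk's post and not Dovecot code). Two things in the post are worth checking mechanically: the auth debug log shows the auth process obtaining credentials for imap@rohan, i.e. service "imap" on the host named by auth_gssapi_hostname = rohan, while the ktutil listing only holds host/, imap/ and smtp/ entries for oldbox.altum.de; and the "Permission denied" minor code is also what a keytab that the unprivileged auth process cannot read looks like. The POSIX sh functions below check a keytab listing for the principal GSSAPI will ask for and test whether the keytab file is readable by the invoking user. The sample listing is constructed from the post's ktutil output; that the auth process runs as the "dovecot" user is an assumption taken from Dovecot's defaults.

```sh
#!/bin/sh
# Editor's diagnostic helper; not part of the original post or of Dovecot.
# It checks the two things the auth log points at:
#   1. does the keytab hold a SERVICE/HOST@REALM entry for the host name
#      the auth process actually asks for (auth_gssapi_hostname), and
#   2. is the keytab file readable by the unprivileged auth user.

# Constructed sample: one line per distinct principal from the ktutil
# listing in the post.
SAMPLE_KEYTAB_LISTING='slot KVNO Principal
   1    3            host/oldbox.altum.de@ALTUM.DE
   5    3            imap/oldbox.altum.de@ALTUM.DE
   9    3            smtp/oldbox.altum.de@ALTUM.DE'

# gssapi_principal SERVICE HOSTNAME
# Prints the principal the GSSAPI library looks up for "SERVICE@HOSTNAME",
# the form seen in the debug log (imap@rohan -> imap/rohan).
gssapi_principal() {
    printf '%s/%s\n' "$1" "$2"
}

# keytab_has_principal LISTING SERVICE HOSTNAME
# Returns 0 if LISTING (output of "klist -k" or ktutil's "l") contains a
# SERVICE/HOSTNAME@<realm> entry, 1 otherwise.
keytab_has_principal() {
    printf '%s\n' "$1" | grep -q "[[:space:]]$(gssapi_principal "$2" "$3")@"
}

# keytab_readable PATH
# Returns 0 if PATH is readable by the invoking user. Run it as the user the
# auth process runs as ("dovecot" by default; an assumption here) to see
# exactly what that process sees; a failure here matches the
# "Permission denied" minor code in the log.
keytab_readable() {
    [ -r "$1" ]
}

# check_gssapi_keytab LISTING SERVICE HOSTNAME KEYTAB_PATH
# Prints one line per finding and returns 0 only if both checks pass.
check_gssapi_keytab() {
    listing=$1; service=$2; hostname=$3; keytab=$4; rc=0
    if keytab_has_principal "$listing" "$service" "$hostname"; then
        echo "ok: keytab lists $(gssapi_principal "$service" "$hostname")"
    else
        echo "missing: no $(gssapi_principal "$service" "$hostname") entry in keytab"
        rc=1
    fi
    if keytab_readable "$keytab"; then
        echo "ok: $keytab is readable by $(id -un)"
    else
        echo "unreadable: $keytab cannot be read by $(id -un)"
        rc=1
    fi
    return $rc
}

# Stand-alone run against the sample: the listing has imap/oldbox.altum.de,
# but the configuration in the post makes Dovecot ask for imap@rohan.
check_gssapi_keytab "$SAMPLE_KEYTAB_LISTING" imap rohan /etc/krb5.keytab || :
check_gssapi_keytab "$SAMPLE_KEYTAB_LISTING" imap oldbox.altum.de /etc/krb5.keytab || :
```

On a real box, feed it the live listing and run it as the auth user, e.g. `su -s /bin/sh dovecot -c 'sh check.sh'` with `"$(klist -k /etc/krb5.keytab)"` in place of the sample; the two findings it prints correspond directly to the "Obtaining credentials for ..." and "Permission denied" lines in the auth log.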
