[Dovecot] Problems setting up dovecot 2.0.1 with kerberos auth

Andre am at am.cx
Mon Sep 6 09:53:31 EEST 2010


On 05 Sep 2010, at 19:02, Dirk Heinrichs wrote:

> Hi,
> 
> I'm trying to setup dovecot 2.0.1 on a debian squeeze test box. I want
> to integrate it into an already working kerberos5 setup, but I don't get
> it to work.
> 
> I've created host/, smtp/ and imap/ service principals with random
> keys for the test machine and added them to its keytab.

As I see below the principals are for oldbox.altum.de (is this the FQDN of the server?)

> 
> I can also obtain user credentials using kinit, but when I try to telnet
> to port 143, I only get the following:
> 
> # kinit heini
> Password for heini@ALTUM.DE:
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: heini@ALTUM.DE
> 
> Valid starting     Expires            Service principal
> 09/05/10 18:56:30  09/06/10 04:56:30  krbtgt/ALTUM.DE@ALTUM.DE
>        renew until 09/06/10 18:56:27
> # telnet localhost 143
> Trying 127.0.0.1...
> Connected to localhost (127.0.0.1).
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
> AUTH=GSSAPI] Dovecot ready.
> a authenticate GSSAPI
> a NO [UNAVAILABLE] Temporary authentication failure.
> ^]
> telnet> Connection closed.
> 
> This is in the logs:
> 
> Sep  5 18:56:47 oldbox dovecot: auth: Debug: Loading modules from
> directory: /usr/lib/dovecot/modules/auth
> Sep  5 18:56:47 oldbox dovecot: auth: Debug: auth client connected
> (pid=27684)
> Sep  5 18:56:58 oldbox dovecot: auth: Debug: client in:
> AUTH#0111#011GSSAPI#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=33753
> Sep  5 18:56:58 oldbox dovecot: auth: Debug: gssapi(?,127.0.0.1):
> Obtaining credentials for imap@rohan
> Sep  5 18:56:58 oldbox dovecot: auth: gssapi(?,127.0.0.1): While
> acquiring service credentials: Unspecified GSS failure.  Minor code may
> provide more information
> Sep  5 18:56:58 oldbox dovecot: auth: gssapi(?,127.0.0.1): While
> acquiring service credentials: Permission denied
> Sep  5 18:57:00 oldbox dovecot: auth: Debug: client out: FAIL#0111#011temp
> Sep  5 18:57:05 oldbox dovecot: imap-login: Disconnected (auth failed, 1
> attempts): method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=0, secured
> 
> My configuration:
> 
> # doveconf -n
> # 2.0.1 (a05834588ffb): /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-5-486 i586 Debian squeeze/sid
> auth_debug = yes
> auth_gssapi_hostname = rohan
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Line above should be "auth_gssapi_hostname = oldbox.altum.de"

> auth_krb5_keytab = /etc/krb5.keytab
> auth_mechanisms = gssapi
> auth_verbose = yes
> disable_plaintext_auth = no
> listen = *
> mail_location = maildir:~/mail
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = comparator-i;octet
> comparator-i;ascii-casemap fileinto reject envelope encoded-character
> vacation subaddress comparator-i;ascii-numeric relational regex
> imap4flags copy include variables body enotify environment mailbox date
> plugin {
>  sieve = ~/.dovecot.sieve
>  sieve_dir = ~/sieve
> }
> protocols = imap
> ssl = no
> ssl_cert = </etc/ssl/certs/dovecot.pem
> ssl_key = </etc/ssl/private/dovecot.pem
> userdb {
>  args = uid=vmail gid=vmail home=/var/vmail/%u
>  driver = static
> }
> 
> And here's the content of the kerberos keytab:
> 
> # ktutil
> ktutil:  rkt /etc/krb5.keytab
> ktutil:  l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>   1    3            host/oldbox.altum.de@ALTUM.DE
>   2    3            host/oldbox.altum.de@ALTUM.DE
>   3    3            host/oldbox.altum.de@ALTUM.DE
>   4    3            host/oldbox.altum.de@ALTUM.DE
>   5    3            imap/oldbox.altum.de@ALTUM.DE
>   6    3            imap/oldbox.altum.de@ALTUM.DE
>   7    3            imap/oldbox.altum.de@ALTUM.DE
>   8    3            imap/oldbox.altum.de@ALTUM.DE
>   9    3            smtp/oldbox.altum.de@ALTUM.DE
>  10    3            smtp/oldbox.altum.de@ALTUM.DE
>  11    3            smtp/oldbox.altum.de@ALTUM.DE
>  12    3            smtp/oldbox.altum.de@ALTUM.DE
> 
> 
> I also don't see any connection attempt in the KDC's log file.
> 
> Any idea what could be wrong?
> 

Read between the lines :)

It is sufficient that you create principal “imap/fullyqualifieddomainname” for IMAP auth. host/ principal is necessary if you want to telnet/ssh to the host using KRB auth, smtp/ is necessary if you want to send mails authenticating via KRB, but your SMTP server should support it.

It is VERY VERY important that you use the FQDN (the one you obtain doing a reverse resolution - host -t ptr IP.of.the.server) of the imap server, unless you use a buggy client (read Apple Mail.app) in which case it should be necessary to create a principal for "imap/alias.of.server" and you MUST add auth_gssapi_hostname = "$ALL" to your configuration.

A.
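The mismatch diagnosed in this thread (config asks for imap/rohan, keytab only holds imap/oldbox.altum.de) can be caught before restarting Dovecot by comparing the two listings. The following is an added example, not code from the thread or from Dovecot: it parses constructed samples of the ktutil listing and of doveconf -n output shown above and reports whether the keytab holds the principal the GSSAPI mechanism will ask for. The fallback to socket.getfqdn() when auth_gssapi_hostname is unset is an assumption about Dovecot's default, made only to keep the check self-contained.

```python
import re
import socket

# Constructed samples mirroring the thread: the keytab listing (ktutil "l" style,
# duplicates per KVNO omitted) and the configuration before and after the fix.
KEYTAB_LISTING = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3            host/oldbox.altum.de@ALTUM.DE
   5    3            imap/oldbox.altum.de@ALTUM.DE
   9    3            smtp/oldbox.altum.de@ALTUM.DE
"""
BROKEN_CONF = "auth_mechanisms = gssapi\nauth_gssapi_hostname = rohan\n"
FIXED_CONF = "auth_mechanisms = gssapi\nauth_gssapi_hostname = oldbox.altum.de\n"
ALL_CONF = 'auth_mechanisms = gssapi\nauth_gssapi_hostname = "$ALL"\n'

# One keytab slot line: slot number, KVNO, then service/host@REALM.
PRINCIPAL_RE = re.compile(r"^\s*\d+\s+\d+\s+(\S+/\S+@\S+)\s*$", re.M)


def keytab_principals(listing):
    """Distinct principals in a ktutil/klist -k style listing."""
    return set(PRINCIPAL_RE.findall(listing))


def doveconf_value(config, key):
    """Value of a top-level `key = value` line from doveconf -n (quotes stripped), or None."""
    m = re.search(rf"^{re.escape(key)}\s*=\s*(.*?)\s*$", config, re.M)
    return m.group(1).strip('"') if m else None


def check_gssapi_keytab(keytab_listing, doveconf_output, service="imap", fallback_host=None):
    """Report whether the keytab holds service/<auth_gssapi_hostname>@REALM.

    "$ALL" accepts any host part for the service, as the reply above describes.
    Assumption (not from the thread): an unset auth_gssapi_hostname means the
    system hostname, so socket.getfqdn() stands in unless fallback_host is given.
    """
    host = doveconf_value(doveconf_output, "auth_gssapi_hostname") or fallback_host or socket.getfqdn()
    principals = keytab_principals(keytab_listing)
    prefix = service + "/" if host == "$ALL" else f"{service}/{host}@"
    matches = sorted(p for p in principals if p.startswith(prefix))
    return {"hostname": host, "wanted": f"{service}/{host}", "matches": matches, "ok": bool(matches)}


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF), ("$ALL", ALL_CONF)):
        print(label, check_gssapi_keytab(KEYTAB_LISTING, conf))
```

On a real host, feed it the output of `klist -k /etc/krb5.keytab` (same column layout) and `doveconf -n`; a false `ok` together with a `Permission denied` while acquiring service credentials points at exactly the hostname mismatch seen in the log above.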
