[Dovecot] Problems setting up dovecot 2.0.1 with kerberos auth
Dirk Heinrichs
dirk.heinrichs at altum.de
Mon Sep 6 21:09:15 EEST 2010
On 06.09.2010 08:53, Andre wrote:
> On 05/Sep/2010, at 19:02, Dirk Heinrichs wrote:
>
>> I've created host/, smtp/ and imap/ service principals with
>> random keys for the test machine and added them to its keytab.
>
> As I see below the principals are for oldbox.altum.de (is this the
> FQDN of the server?)
Of the (test) mail server, yes.
>> My configuration:
>>
>> # doveconf -n
>> # 2.0.1 (a05834588ffb): /etc/dovecot/dovecot.conf
>> # OS: Linux 2.6.32-5-486 i586 Debian squeeze/sid
>> auth_debug = yes
>> auth_gssapi_hostname = rohan
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Line above should be
> "auth_gssapi_hostname = oldbox.altum.de"
Ah, ok. Thought it should be the one of the KDC.
>> Any idea what could be wrong?
>>
>
> Read between the lines :)
>
> It is sufficient that you create principal
> “imap/fullyqualifieddomainname” for IMAP auth. host/ principal is
> necessary if you want to telnet/ssh to the host using KRB auth, smtp/
> is necessary if you want to send mails authenticating via KRB, but
> your SMTP server should support it.
Yes, I know.
> It is VERY VERY important that you use the FQDN (the one you obtain
> doing a reverse resolution - host -t ptr IP.of.the.server) of the
> imap server, unless you use a buggy client (read Apple Mail.app) in
> which case it should be necessary to create a principal for
> "imap/alias.of.server" and you MUST add auth_gssapi_hostname = "$ALL"
> to your configuration.
Looks like "$ALL" was the way to go, since at least I get the imap/
ticket now. However, login still fails:
% klist
Ticket cache: FILE:/tmp/krb5cc_1000_RRFLlX
Default principal: heini@ALTUM.DE

Valid starting     Expires            Service principal
09/06/10 19:48:33  09/07/10 05:48:33  krbtgt/ALTUM.DE@ALTUM.DE
        renew until 09/07/10 19:48:33
09/06/10 19:48:33  09/07/10 05:48:33  afs/altum.de@ALTUM.DE
        renew until 09/07/10 19:48:33
09/06/10 19:50:18  09/07/10 05:48:33  host/rohan.altum.de@
        renew until 09/07/10 19:48:33
09/06/10 19:50:18  09/07/10 05:48:33  host/rohan.altum.de@ALTUM.DE
        renew until 09/07/10 19:48:33
% mutt # Authentication fails
% klist
Ticket cache: FILE:/tmp/krb5cc_1000_RRFLlX
Default principal: heini@ALTUM.DE

Valid starting     Expires            Service principal
09/06/10 19:48:33  09/07/10 05:48:33  krbtgt/ALTUM.DE@ALTUM.DE
        renew until 09/07/10 19:48:33
09/06/10 19:48:33  09/07/10 05:48:33  afs/altum.de@ALTUM.DE
        renew until 09/07/10 19:48:33
09/06/10 19:50:18  09/07/10 05:48:33  host/rohan.altum.de@
        renew until 09/07/10 19:48:33
09/06/10 19:50:18  09/07/10 05:48:33  host/rohan.altum.de@ALTUM.DE
        renew until 09/07/10 19:48:33
09/06/10 19:51:45  09/07/10 05:48:33  imap/oldbox.altum.de@
        renew until 09/07/10 19:48:33
09/06/10 19:51:45  09/07/10 05:48:33  imap/oldbox.altum.de@ALTUM.DE
        renew until 09/07/10 19:48:33
% telnet oldbox 143
Trying 192.168.1.56...
Connected to oldbox.altum.de (192.168.1.56).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=GSSAPI] Dovecot ready.
a authenticate gssapi
+
^]
telnet> Connection closed.
mail.log from oldbox:
Sep 6 19:52:38 oldbox dovecot: auth: Debug: auth client connected (pid=28634)
Sep 6 19:52:39 oldbox dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011lip=192.168.1.56#011rip=192.168.1.172#011lport=143#011rport=47913
Sep 6 19:52:39 oldbox dovecot: auth: Debug: gssapi(?,192.168.1.172): Using all keytab entries
Sep 6 19:52:39 oldbox dovecot: auth: Debug: client out: CONT#0111#011
Sep 6 19:52:39 oldbox dovecot: auth: Debug: client in: CONT<hidden>
Sep 6 19:52:39 oldbox dovecot: auth: gssapi(?,192.168.1.172): While processing incoming data: Unspecified GSS failure. Minor code may provide more information
Sep 6 19:52:39 oldbox dovecot: auth: gssapi(?,192.168.1.172): While processing incoming data: Permission denied
Sep 6 19:52:41 oldbox dovecot: auth: Debug: client out: FAIL#0111
Sep 6 19:52:41 oldbox dovecot: imap-login: Disconnected (auth failed, 1 attempts): method=GSSAPI, rip=192.168.1.172, lip=192.168.1.56, mpid=0
Thanks...
Dirk
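The checks Andre describes above (auth_gssapi_hostname must equal the server's reverse-DNS name or be "$ALL", and the keytab must hold an imap/FQDN key) can be scripted. The following is an added example, not code from this thread or from the Dovecot project: it parses the text output of doveconf -n and klist -k, which are embedded below as constructed samples, and cross-checks them against the name resolved from the server's PTR record, passed in by the caller. It also includes the check that a "Permission denied" from the gssapi mechanism should prompt: whether the keytab file (auth_krb5_keytab in Dovecot; /etc/krb5.keytab by default and usually root-only) is readable by whatever user the auth process runs as, and whether it has been left world-readable. All SAMPLE_* values, the uid/gid numbers and the file path are made up for the example.

```python
"""Sanity checks for a Dovecot GSSAPI (Kerberos) setup.

Added example; not code from the thread or from Dovecot. Parses the text
output of `doveconf -n` and `klist -k` (embedded below as CONSTRUCTED
samples) and reports configuration/keytab mismatches plus keytab
readability problems. Every SAMPLE_* value is made up.
"""
import os
import re
import stat

# Constructed sample: a doveconf -n with the hostname the thread started with.
SAMPLE_DOVECONF = """\
# 2.0.1: /etc/dovecot/dovecot.conf
auth_debug = yes
auth_gssapi_hostname = rohan
auth_mechanisms = plain gssapi
"""

# Constructed sample in MIT `klist -k` layout.
SAMPLE_KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/oldbox.altum.de@ALTUM.DE
   2 smtp/oldbox.altum.de@ALTUM.DE
   2 imap/oldbox.altum.de@ALTUM.DE
"""


def parse_doveconf(text):
    """Turn `doveconf -n` output into a {setting: value} dict.
    Only top-level `key = value` lines are kept; comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def parse_keytab_listing(text):
    """Return the set of principals listed by `klist -k`."""
    principals = set()
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals


def check_gssapi_setup(settings, keytab_principals, ptr_fqdn, service="imap"):
    """Cross-check Dovecot settings against the keytab and the server's
    reverse-DNS name. Returns a list of problems (empty means consistent)."""
    problems = []
    if "gssapi" not in settings.get("auth_mechanisms", "plain").split():
        problems.append("gssapi is not listed in auth_mechanisms")

    # Empty means "use the system hostname"; $ALL accepts any keytab entry.
    hostname = settings.get("auth_gssapi_hostname", "")
    if hostname not in ("", "$ALL") and hostname != ptr_fqdn:
        problems.append(
            f"auth_gssapi_hostname is {hostname!r} but the reverse-DNS name "
            f"of the server is {ptr_fqdn!r}"
        )

    wanted = f"{service}/{ptr_fqdn}@"
    if not any(p.startswith(wanted) for p in keytab_principals):
        problems.append(f"no {wanted}<REALM> key in the keytab")
    return problems


def keytab_permission_problems(mode, owner_uid, owner_gid, auth_uid, auth_gid):
    """Explain why a process running as auth_uid/auth_gid could not read a
    keytab with these stat() mode/ownership values, and flag a keytab that
    anyone on the box can read (it holds the service's long-term keys)."""
    problems = []
    if auth_uid != 0:  # root reads regardless of the mode bits
        if owner_uid == auth_uid:
            readable = bool(mode & stat.S_IRUSR)
        elif owner_gid == auth_gid:
            readable = bool(mode & stat.S_IRGRP)
        else:
            readable = bool(mode & stat.S_IROTH)
        if not readable:
            problems.append(
                f"keytab (uid {owner_uid}, gid {owner_gid}, mode "
                f"{stat.S_IMODE(mode):04o}) is not readable by uid {auth_uid}"
            )
    if mode & stat.S_IROTH:
        problems.append("keytab is world-readable")
    return problems


def keytab_file_problems(path, auth_uid, auth_gid):
    """Same check against a real keytab file on disk."""
    st = os.stat(path)
    return keytab_permission_problems(st.st_mode, st.st_uid, st.st_gid,
                                      auth_uid, auth_gid)


if __name__ == "__main__":
    settings = parse_doveconf(SAMPLE_DOVECONF)
    keytab = parse_keytab_listing(SAMPLE_KLIST_K)
    for p in check_gssapi_setup(settings, keytab, "oldbox.altum.de"):
        print("config:", p)
    # Constructed stat values: root-owned 0600 keytab, auth process as uid 1001.
    for p in keytab_permission_problems(0o100600, 0, 0, 1001, 1001):
        print("keytab:", p)
```

On a live server the inputs come from `doveconf -n`, `klist -k` and `host -t ptr <ip>`; keytab_file_problems() wraps os.stat() so the real file can be checked with the uid/gid the auth service is configured to run as. The permission check follows the usual owner-then-group-then-other rule, so a root-owned 0640 keytab with the group set to the auth user's group passes while a 0600 one does not.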