[Dovecot] Problems setting up dovecot 2.0.1 with kerberos auth

Dirk Heinrichs dirk.heinrichs at altum.de
Mon Sep 6 21:09:15 EEST 2010 

Am 06.09.2010 08:53, schrieb Andre:
> Il giorno 05/set/2010, alle ore 19.02, Dirk Heinrichs ha scritto:
> 
>> I've added created host/ smtp/ and imap/ service principals with
>> random key for the test machine and added them to its keytab.
> 
> As I see below the principals are for oldbox.altum.de (is this the
> FQDN of the server?)

Of the (test) mail server, yes.

>> My configuration:
>> 
>> # doveconf -n # 2.0.1 (a05834588ffb): /etc/dovecot/dovecot.conf #
>> OS: Linux 2.6.32-5-486 i586 Debian squeeze/sid auth_debug = yes 
>> auth_gssapi_hostname = rohan
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Line above should be
> “auth_gssapi_hostname = oldbox.altum.de"

Ah, ok. Thought it should be the one of the KDC.

>> Any idea what could be wrong?
>> 
> 
> Read between the lines :)
> 
> It is sufficient that you create principal
> “imap/fullyqualifieddomainname” for IMAP auth. host/ principal is
> necessary if you want to telnet/ssh to the host using KRB auth, smtp/
> is necessary if you want to send mails authenticating via KRB, but
> your SMTP server should support it.

Yes, I know.

> It is VERY VERY important that you use the FQDN (the one you obtain
> doing a reverse resolution - host -t ptr IP.of.the.server) of the
> imap server, unless you use a buggy client (read Apple Mail.app) in
> which case it should be necessary to create a principal for
> "imap/alias.of.server" and you MUST add auth_gssapi_hostname = “$ALL”
> to your configuration.

Looks like "$ALL" was the way to go, since at least I get the imap/
ticket now. However, login still fails:

% klist
Ticket cache: FILE:/tmp/krb5cc_1000_RRFLlX
Default principal: heini at ALTUM.DE

Valid starting     Expires            Service principal
09/06/10 19:48:33  09/07/10 05:48:33  krbtgt/ALTUM.DE at ALTUM.DE
        renew until 09/07/10 19:48:33
09/06/10 19:48:33  09/07/10 05:48:33  afs/altum.de at ALTUM.DE
        renew until 09/07/10 19:48:33
09/06/10 19:50:18  09/07/10 05:48:33  host/rohan.altum.de@
        renew until 09/07/10 19:48:33
09/06/10 19:50:18  09/07/10 05:48:33  host/rohan.altum.de at ALTUM.DE
        renew until 09/07/10 19:48:33
% mutt # Authentication fails
% klist
Ticket cache: FILE:/tmp/krb5cc_1000_RRFLlX
Default principal: heini at ALTUM.DE

Valid starting     Expires            Service principal
09/06/10 19:48:33  09/07/10 05:48:33  krbtgt/ALTUM.DE at ALTUM.DE
        renew until 09/07/10 19:48:33
09/06/10 19:48:33  09/07/10 05:48:33  afs/altum.de at ALTUM.DE
        renew until 09/07/10 19:48:33
09/06/10 19:50:18  09/07/10 05:48:33  host/rohan.altum.de@
        renew until 09/07/10 19:48:33
09/06/10 19:50:18  09/07/10 05:48:33  host/rohan.altum.de at ALTUM.DE
        renew until 09/07/10 19:48:33
09/06/10 19:51:45  09/07/10 05:48:33  imap/oldbox.altum.de@
        renew until 09/07/10 19:48:33
09/06/10 19:51:45  09/07/10 05:48:33  imap/oldbox.altum.de at ALTUM.DE
        renew until 09/07/10 19:48:33
% telnet oldbox 143
Trying 192.168.1.56...
Connected to oldbox.altum.de (192.168.1.56).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
AUTH=GSSAPI] Dovecot ready.
a authenticate gssapi
+
^]
telnet> Connection closed.

mail.log from oldbox:

Sep  6 19:52:38 oldbox dovecot: auth: Debug: auth client connected
(pid=28634)
Sep  6 19:52:39 oldbox dovecot: auth: Debug: client in:
AUTH#0111#011GSSAPI#011service=imap#011lip=192.168.1.56#011rip=192.168.1.172#011lport=143#011rport=47913
Sep  6 19:52:39 oldbox dovecot: auth: Debug: gssapi(?,192.168.1.172):
Using all keytab entries
Sep  6 19:52:39 oldbox dovecot: auth: Debug: client out: CONT#0111#011
Sep  6 19:52:39 oldbox dovecot: auth: Debug: client in: CONT<hidden>
Sep  6 19:52:39 oldbox dovecot: auth: gssapi(?,192.168.1.172): While
processing incoming data: Unspecified GSS failure.  Minor code may
provide more information
Sep  6 19:52:39 oldbox dovecot: auth: gssapi(?,192.168.1.172): While
processing incoming data: Permission denied
Sep  6 19:52:41 oldbox dovecot: auth: Debug: client out: FAIL#0111
Sep  6 19:52:41 oldbox dovecot: imap-login: Disconnected (auth failed, 1
attempts): method=GSSAPI, rip=192.168.1.172, lip=192.168.1.56, mpid=0

Thanks...

	Dirk

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 254 bytes
Desc: OpenPGP digital signature
Url : http://dovecot.org/pipermail/dovecot/attachments/20100906/42c9cabc/attachment.bin

More information about the dovecot mailing list