Looking for GSSAPI config [was: Looking for NTLM config example]

Mark Foley mfoley at ohprs.org
Fri Jul 1 06:42:06 UTC 2016


My keytab now has:

ktutil:  read_kt /etc/dovecot/dovecot.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1          smtp/mail.hprs.local at HPRS.LOCAL
   2    1          imap/mail.hprs.local at HPRS.LOCAL

I added these in ktutil with:

addent -password -p smtp/mail.hprs.local at HPRS.LOCAL -k 1 -e arcfour-hmac

Aki wrote:

> I think the problem still is that your keytab file has no entry
> imap/hostname at DOMAIN and IMAP/hostname at DOMAIN
> you also have no host/hostname at DOMAIN

Not sure how to interpret your template. Are you suggesting I should ...

addent -password -p IMAP/mail at HPRS.LOCAL -k 1 -e arcfour-hmac
addent -password -p imap/mail at HPRS.LOCAL -k 1 -e arcfour-hmac

(one IMAP uppercase and one lowercase?)

I don't get your distinction between host and hostname in your 3rd example: host/hostname at DOMAIN

Meanwhile ...

Tried a bunch of things.  No go so far.  In fact, I'm questioning if gssapi is enabled in my
dovecot.  I did rebuild and reinstall using `./configure --with-gssapi=yes`, but if I only
enable gssapi authentication, I get "No authenticators available" (mail client).  How can I
verify gssapi is really available? dovecot --build-options shows:

Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
SQL drivers:
Passdb: checkpassword passwd passwd-file shadow
Userdb: checkpassword nss passwd prefetch passwd-file

should I see authentication methods there?

--Mark
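A quick check for the keytab question above, added here as an example (it is not from the thread or from Dovecot): given a keytab listing, it reports which of the service principals a GSSAPI client would ask for (imap/, smtp/ and host/ for the mail host's FQDN in the realm) are absent. The sample listing is constructed from the ktutil output in the mail with "@" restored; the hostname and realm are the ones from the thread.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. With a real keytab, feed it
#   klist -kte /etc/dovecot/dovecot.keytab
# instead of the constructed listing below (ktutil/klist print one principal per line).
SAMPLE_LISTING='slot KVNO Principal
---- ---- ----------------------------------------------------------------
   1    1          smtp/mail.hprs.local@HPRS.LOCAL
   2    1          imap/mail.hprs.local@HPRS.LOCAL'

# principals_in LISTING: print only the principal column (the field containing "@"),
# so both ktutil "list" and "klist -kte" output work
principals_in() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /@/) print $i }'
}

# missing_principals HOSTNAME REALM LISTING: print expected service principals
# that are absent from LISTING, one per line (prints nothing when all are present)
missing_principals() {
    host=$1; realm=$2; listing=$3
    have=$(principals_in "$listing")
    for svc in imap smtp host; do
        want="$svc/$host@$realm"
        # exact, case-sensitive match: Kerberos principal names are case-sensitive
        if ! printf '%s\n' "$have" | grep -qxF "$want"; then
            printf '%s\n' "$want"
        fi
    done
}

# check_keytab HOSTNAME REALM LISTING: exit 0 when nothing is missing, 1 otherwise
check_keytab() {
    m=$(missing_principals "$@")
    [ -z "$m" ] || { printf 'missing: %s\n' "$m"; return 1; }
}
```

Run against the constructed listing, it reports that host/mail.hprs.local@HPRS.LOCAL is missing, which is the entry Aki pointed out.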

-----Original Message-----
Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
To: dovecot at dovecot.org
From: Aki Tuomi <aki.tuomi at dovecot.fi>
Organization: Dovecot Oy
Date: Thu, 30 Jun 2016 09:58:14 +0300

I think the problem still is that your keytab file has no entry
imap/hostname at DOMAIN and IMAP/hostname at DOMAIN

you also have no host/hostname at DOMAIN

Aki

On 29.06.2016 18:40, Mark Foley wrote:
> Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that.
> The Thunderbird message is:
>
> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark at ohprs.org. Please check
> that you are logged in to the Kerberos/GSSAPI realm."
>
> I made further comments in that message that I won't clutter the list by repeating here. Check
> out that message and see what you think could be wrong.
>
> Thanks for your help! I'm sure this is solvable!
>
> --Mark
>
> -----Original Message-----
>> Date: Wed, 29 Jun 2016 08:03:14 -0400
>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>> From: brendan kearney <bpk678 at gmail.com>
>> To: Mark Foley <mfoley at ohprs.org>
>> Cc: dovecot at dovecot.org
>>
>> The last log line shows "user=<>".  This indicates no credentials were
>> presented.  If the rip field matches the client ip you tested from, I would
>> bet the appropriate kerberos ticket (imap/host.domain.tld at REALM) was not
>> pulled for the authentication.
>> On Jun 28, 2016 11:33 PM, "Mark Foley" <mfoley at ohprs.org> wrote:
> [deleted]
