Hi,
I'm trying to set up Dovecot 2.0.1 on a Debian squeeze test box. I want to integrate it into an already working Kerberos 5 setup, but I can't get it to work.
I've created host/, smtp/ and imap/ service principals with random keys for the test machine and added them to its keytab.
I can also obtain user credentials using kinit, but when I try to telnet to port 143, I only get the following:
    # kinit heini
    Password for heini@ALTUM.DE:
    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: heini@ALTUM.DE

    Valid starting     Expires            Service principal
    09/05/10 18:56:30  09/06/10 04:56:30  krbtgt/ALTUM.DE@ALTUM.DE
            renew until 09/06/10 18:56:27
    # telnet localhost 143
    Trying 127.0.0.1...
    Connected to localhost (127.0.0.1).
    Escape character is '^]'.
    * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=GSSAPI] Dovecot ready.
    a authenticate GSSAPI
    a NO [UNAVAILABLE] Temporary authentication failure.
    ^]
    telnet> Connection closed.
This is in the logs:
    Sep 5 18:56:47 oldbox dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
    Sep 5 18:56:47 oldbox dovecot: auth: Debug: auth client connected (pid=27684)
    Sep 5 18:56:58 oldbox dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=33753
    Sep 5 18:56:58 oldbox dovecot: auth: Debug: gssapi(?,127.0.0.1): Obtaining credentials for imap@rohan
    Sep 5 18:56:58 oldbox dovecot: auth: gssapi(?,127.0.0.1): While acquiring service credentials: Unspecified GSS failure. Minor code may provide more information
    Sep 5 18:56:58 oldbox dovecot: auth: gssapi(?,127.0.0.1): While acquiring service credentials: Permission denied
    Sep 5 18:57:00 oldbox dovecot: auth: Debug: client out: FAIL#0111#011temp
    Sep 5 18:57:05 oldbox dovecot: imap-login: Disconnected (auth failed, 1 attempts): method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=0, secured
My configuration:
    # doveconf -n
    # 2.0.1 (a05834588ffb): /etc/dovecot/dovecot.conf
    # OS: Linux 2.6.32-5-486 i586 Debian squeeze/sid
    auth_debug = yes
    auth_gssapi_hostname = rohan
    auth_krb5_keytab = /etc/krb5.keytab
    auth_mechanisms = gssapi
    auth_verbose = yes
    disable_plaintext_auth = no
    listen = *
    mail_location = maildir:~/mail
    managesieve_notify_capability = mailto
    managesieve_sieve_capability = comparator-i;octet comparator-i;ascii-casemap fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
    plugin {
      sieve = ~/.dovecot.sieve
      sieve_dir = ~/sieve
    }
    protocols = imap
    ssl = no
    ssl_cert =
And here's the content of the kerberos keytab:
    # ktutil
    ktutil: rkt /etc/krb5.keytab
    ktutil: l
    slot KVNO Principal
       1    3 host/oldbox.altum.de@ALTUM.DE
       2    3 host/oldbox.altum.de@ALTUM.DE
       3    3 host/oldbox.altum.de@ALTUM.DE
       4    3 host/oldbox.altum.de@ALTUM.DE
       5    3 imap/oldbox.altum.de@ALTUM.DE
       6    3 imap/oldbox.altum.de@ALTUM.DE
       7    3 imap/oldbox.altum.de@ALTUM.DE
       8    3 imap/oldbox.altum.de@ALTUM.DE
       9    3 smtp/oldbox.altum.de@ALTUM.DE
      10    3 smtp/oldbox.altum.de@ALTUM.DE
      11    3 smtp/oldbox.altum.de@ALTUM.DE
      12    3 smtp/oldbox.altum.de@ALTUM.DE
I also don't see any connection attempt in the KDC's log file.
Any idea what could be wrong?
Thanks...
Dirk