On April 17, 2016 at 12:41 AM Braden McDaniel <braden@endoframe.com> wrote:
I'm setting up dovecot on a new box, and once again I find myself banging my head against GSSAPI authentication.
The particularly irritating thing is that I have this working on another box. I've done my best to ape the configuration of that box, but it's been some years since I set it up and somewhere along the line I have failed.
My dovecot.conf has:
auth_mechanism = plain gssapi
passdb {
  driver = pam
}
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
where /etc/dovecot/dovecot-ldap.conf.ext is:
hosts = ldap
dn = cn=Manager,dc=endoframe,dc=net
dnpass = XXXXXXXX
ldap_version = 3
base = ou=people,dc=endoframe,dc=net
deref = never
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))
I've diff'd the contents of /etc/dovecot on the working vs. non-working servers, and I can see nothing of pertinence (just a few lines about loading the sieve plug-in).
Now, logging in with the Kerberos password via PAM *is* working. /etc/pam.d/dovecot:
#%PAM-1.0
auth    sufficient pam_krb5.so
account sufficient pam_krb5.so
But GSSAPI authentication is not:
[root@hinge ~]# telnet localhost 143
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=GSSAPI] Dovecot ready.
a authenticate GSSAPI
a NO [UNAVAILABLE] Temporary authentication failure. [hinge.endoframe.net:2016-04-16 21:33:32]
^]
telnet> close
Connection closed.
Oh... The Kerberos server does have an IMAP service key for hinge, and that service key appears in hinge's /etc/krb5.keytab as well.
Any pointers on where I should be looking at this point would be very much appreciated.
-- Braden McDaniel <braden@endoframe.com>
Hi!
Did you check your setup against http://wiki2.dovecot.org/Authentication/Kerberos ?
Also can you provide klist -k on server?
Aki Tuomi
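As an added example (not part of the thread and not Dovecot's own tooling), the check below does what the reply asks for in a repeatable way: it parses `klist -k` output for the imap/FQDN service principal and, on a live host, also confirms the keytab is readable by the unprivileged dovecot user, which is what the auth process runs as. The sample klist output and the principals in it are constructed assumptions, not taken from the thread.

```shell
#!/bin/sh
# Constructed sample of `klist -k` output (assumed principals, not from the thread).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/hinge.endoframe.net@ENDOFRAME.NET
   2 imap/hinge.endoframe.net@ENDOFRAME.NET'

# keytab_has_principal KLIST_OUTPUT SERVICE FQDN
# Exit 0 when a line "<kvno> SERVICE/FQDN@<REALM>" exists, 1 otherwise.
# Only lines whose first column is a numeric KVNO are considered, so the
# header lines of klist are skipped; the realm is deliberately not checked.
keytab_has_principal() {
  printf '%s\n' "$1" | awk -v want="$2/$3@" '
    $1 ~ /^[0-9]+$/ && index($2, want) == 1 { found = 1 }
    END { exit found ? 0 : 1 }'
}

# check_imap_keytab FQDN [KEYTAB]
# Live check (run as root): reads the keytab with klist -k, verifies the
# imap/FQDN principal is present and that the dovecot user can read the file.
check_imap_keytab() {
  fqdn=$1
  keytab=${2:-/etc/krb5.keytab}
  out=$(klist -k "$keytab" 2>&1) || { printf 'klist failed: %s\n' "$out"; return 1; }
  if keytab_has_principal "$out" imap "$fqdn"; then
    printf 'imap/%s present in %s\n' "$fqdn" "$keytab"
  else
    printf 'imap/%s missing from %s\n' "$fqdn" "$keytab"
    return 1
  fi
  # The auth process runs unprivileged, so a root-only keytab cannot be used;
  # Dovecot's auth_krb5_keytab setting can point at a dovecot-readable copy.
  if su -s /bin/sh dovecot -c "test -r '$keytab'" 2>/dev/null; then
    printf '%s is readable by the dovecot user\n' "$keytab"
  else
    printf '%s is NOT readable by the dovecot user\n' "$keytab"
    return 1
  fi
}
```

Run `check_imap_keytab hinge.endoframe.net` on the server to get both answers in one go; the parser alone can be exercised against saved klist output without root.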