Hello, ALL.
I am trying to organize a transparent single sign-on concept for my Active Directory users into Dovecot via IMAP. On the user's desktop I use Thunderbird 6.0 as a mail client (MUA), Windows XP as an operating system. Domain is controlled by Windows 2008 Server SP2 with Active Directory.
I have installed on my mail server Debian GNU/Linux 6.0.2 (Squeeze) and Dovecot 2.0.13 from its official "wheezy" repositories, with all dependencies.
I ran into a problem with generating a proper "/etc/krb5.keytab" file for successful Kerberos authentication against the AD controller. I have performed all the steps described in the official Dovecot wiki here: http://wiki2.dovecot.org/Authentication/Kerberos
I have generated a service ticket with the name "imap/efim.test.local@MYORG.LAN" exactly as described in the wiki ("MYORG.LAN" is my Kerberos realm). But this does not work. I see in the debug logs something like this:
******** main service logs ********
Aug 29 16:05:14 auth: Info: gssapi(?,192.168.4.12): While processing incoming data: Unspecified GSS failure.  Minor code may provide more information
Aug 29 16:05:14 auth: Info: gssapi(?,192.168.4.12): While processing incoming data: Wrong principal in request

******** auth debug logs *********
Aug 29 16:05:14 auth: Debug: gssapi(?,192.168.4.12): Obtaining credentials for imap@efim.test.local
Aug 29 16:05:14 auth: Debug: client out: CONT 1
Aug 29 16:05:14 auth: Debug: client in: CONT<hidden>
Aug 29 16:05:16 auth: Debug: client out: FAIL 1
But (!) if I define << auth_gssapi_hostname = "$ALL" >> instead of << auth_gssapi_hostname = efim.test.local >>, then everything works fine. I decided to find out where the problem is, so I dug into the source code of the gssapi module, "mech-gssapi.c". For versions 2.0.13 and 2.0.14 of Dovecot I see there the following:
********* mech-gssapi.c *********
static OM_uint32
obtain_service_credentials(struct auth_request *request, gss_cred_id_t *ret_r)
        /* blah-blah-blah */
        principal_name = t_str_new(128);
        str_append(principal_name, service_name);
        str_append_c(principal_name, '@');
        str_append(principal_name, request->set->gssapi_hostname);

        auth_request_log_debug(request, "gssapi",
                               "Obtaining credentials for %s", str_c(principal_name));

        inbuf.length = str_len(principal_name);
        inbuf.value = str_c_modifiable(principal_name);

        major_status = gss_import_name(&minor_status, &inbuf,
                                       GSS_C_NT_HOSTBASED_SERVICE,
                                       &gss_principal);
So, according to the source code, Dovecot tries to find in krb5.keytab a principal named "imap@hostname". However, the wiki says to create the principal named "imap/hostname@REALM".
Please clarify where the error is: in the source code, in the wiki, or have I misunderstood something?
Respectfully, Stanislav Klinkov.
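[Editor's added example; this is not part of the original post and not Dovecot's code.] The two spellings in the post are the same principal in two notations: "imap@host" is the GSS-API host-based service name form (GSS_C_NT_HOSTBASED_SERVICE) that gss_import_name() takes, and the Kerberos mechanism maps it to the principal "imap/host@REALM" that kadmin/ktpass write and "klist -kt" lists. The script below shows that mapping and emulates the acceptor's keytab lookup for a concrete auth_gssapi_hostname and for "$ALL" (which lets the acceptor use any keytab entry). The hostname efim.test.local and realm MYORG.LAN are taken from the post; the klist output is a constructed sample, and all function names are the editor's own.

```python
"""Emulate Dovecot's GSSAPI acceptor lookup against a keytab listing.

Added example, not Dovecot code.  Dovecot builds "imap@<auth_gssapi_hostname>"
as a GSS host-based service name; the krb5 GSS mechanism turns that into the
principal "imap/<hostname>@<REALM>" and looks for it in /etc/krb5.keytab.
"""

# Constructed sample of `klist -kt /etc/krb5.keytab` output (not from the post).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 08/29/11 15:40:12 imap/efim.test.local@MYORG.LAN
   3 08/29/11 15:40:12 imap/efim.test.local@MYORG.LAN
   2 08/29/11 15:38:01 host/efim.test.local@MYORG.LAN
"""


def parse_klist(text):
    """Return the set of principals in `klist -kt` output.

    Data rows start with a numeric KVNO and end with the principal; taking the
    last field keeps the parser independent of the locale-specific timestamp.
    """
    principals = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0].isdigit():
            principals.add(fields[-1])
    return principals


def hostbased_to_principal(hostbased_name, realm):
    """Map a GSS host-based name "service@host" to "service/host@REALM".

    The host part is lower-cased, as krb5_sname_to_principal() does when it
    canonicalises a service principal; the realm is appended as given.
    """
    service, sep, host = hostbased_name.partition("@")
    if not sep or not service or not host:
        raise ValueError("expected service@host, got %r" % hostbased_name)
    return "%s/%s@%s" % (service, host.lower(), realm)


def _normalise(principal):
    """Lower-case the host component of service/host@REALM for comparison."""
    name, _, realm = principal.rpartition("@")
    service, slash, host = name.partition("/")
    if not slash:
        return principal
    return "%s/%s@%s" % (service, host.lower(), realm)


def acceptor_candidates(gssapi_hostname, realm, klist_output, service="imap"):
    """Return the keytab principals the acceptor could use as its credential.

    With auth_gssapi_hostname = "$ALL" every keytab entry is usable; with a
    concrete hostname exactly one principal must exist, and an empty result is
    the situation behind the post's "Obtaining credentials ... FAIL" log lines.
    """
    principals = {_normalise(p) for p in parse_klist(klist_output)}
    if gssapi_hostname == "$ALL":
        return sorted(principals)
    wanted = hostbased_to_principal("%s@%s" % (service, gssapi_hostname), realm)
    return [wanted] if wanted in principals else []


def ticket_is_accepted(ticket_server_principal, gssapi_hostname, realm,
                       klist_output, service="imap"):
    """True if the server principal named in the client's ticket (the SPN the
    mail client asked the KDC for) is one the acceptor holds a key for; a
    mismatch here surfaces in krb5 as "Wrong principal in request".
    """
    return _normalise(ticket_server_principal) in acceptor_candidates(
        gssapi_hostname, realm, klist_output, service)


if __name__ == "__main__":
    for host in ("efim.test.local", "mail.test.local", "$ALL"):
        print("auth_gssapi_hostname = %s -> %s"
              % (host, acceptor_candidates(host, "MYORG.LAN", SAMPLE_KLIST)))
```

To use it on a real server, replace SAMPLE_KLIST with the output of "klist -kt /etc/krb5.keytab" and, for the ticket check, with the server principal shown by "klist" on the workstation after a login attempt; if the SPN the client requested differs from imap/<auth_gssapi_hostname>@REALM (different host name, alias or case), that is the mismatch "$ALL" papers over.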