On 18.04.2016 14:22, Braden McDaniel wrote:
On Mon, 2016-04-18 at 08:59 +0300, aki.tuomi@dovecot.fi wrote:
On April 18, 2016 at 8:13 AM Braden McDaniel <braden@endoframe.com> wrote:
On Sun, 2016-04-17 at 21:49 +0300, aki.tuomi@dovecot.fi wrote:
Did you check your setup against
http://wiki2.dovecot.org/Authentication/Kerberos I did. Of course, it's possible I've still managed to overlook something.
Also can you provide klist -k on server? I assume you mean the kerberos server:
[ root@knock ~]#Apologies, I ment your IMAP server. [ root@hinge ~]# klist -k Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 3 host/hinge.endoframe.net@ENDOFRAME.NET 3 host/hinge.endoframe.net@ENDOFRAME.NET 4 host/hinge.endoframe.net@ENDOFRAME.NET 2 imap/hinge.endoframe.net@ENDOFRAME.NET
There was previous case where gssapi did not work with Thunderbird. It apparently has some problems with GSSAPI usage. Also, did you ensure that your client has all the requisite principals?
Can you try turning on auth_verbose=yes?
Remember that kerberos is very DNS oriented, so missing/incorrect reverse records can also cause failures.
Aki