On 10/15/2010 09:50 PM, Trever L. Adams wrote:
Thanks to Timo, I have solved all but one of my problems. For background, I am using Samba4 as an AD. I have the userdb working from LDAP just fine and kerberos authentication for dovecot's IMAP server working fine. The problem is using dovecot's SASL with postfix. I also have plain/login working in imap and smtp. Both use pam_krb5 through pam to authenticate clients that don't have kerberos, and for now smtp. When trying to do smtp kerberos, I get the following:
postfix/smtpd[6197]: warning: CLIENT_FQDN[CLIENT_IP]: request longer than 2048: AUTH GSSAPI ...
dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=smtp#011nologin#011lip=SERVER_IP#011rip=CLIENT_IP#011secured#011resp=<hidden>
dovecot: auth: Debug: gssapi(?,CLIENT_IP): Obtaining credentials for smtp@MAILSERVER_FQDN
dovecot: auth: gssapi(?,CLIENT_IP): While processing incoming data: Unspecified GSS failure. Minor code may provide more information
dovecot: auth: gssapi(?,CLIENT_IP): While processing incoming data: Invalid message type
postfix/smtpd[6197]: warning: CLIENT_FQDN[CLIENT_IP]: SASL GSSAPI authentication failed:
dovecot: auth: Debug: client out: FAIL#0111
# klist -k /etc/dovecot/krb5.keytab
Keytab name: WRFILE:/etc/dovecot/krb5.keytab
KVNO Principal
   2 imap/MAILSERVER_FQDN@DOMAIN_REALM
   2 smtp/MAILSERVER_FQDN@DOMAIN_REALM
The client is Thunderbird.
Any help would be greatly appreciated. I have made sure that the file has proper permissions. I have regenerated the smtp cert making sure the password is accurate. I have done everything I know to try. The only thing that I am guessing remains is something is broken with Thunderbird's kerberos setup for smtp.
Thank you very much, Trever
Samba4 doesn't automatically set the userPrincipalName to imap/f.q.d.n@REALM or smtp/f.q.d.n@REALM when setting up an SPN. This was the problem. For some reason it works fine for imap but not smtp.
I have reported this as a possible bug to Samba4. I am documenting it here in case someone else has problems.
Trever
"The amount of time between slipping on the peel and landing on the pavement is precisely 1 bananosecond." -- Unknown
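
The check below makes the diagnosis from the follow-up repeatable: it compares `klist -k` output with an LDIF export of the service accounts and flags keytab principals whose account carries the SPN but no matching userPrincipalName. It is an added example, not part of the original posts; the LDIF, the account names (svc-imap, svc-smtp), the choice of which account lacks the attribute, and the function names are constructed for illustration.

```python
import re

# Constructed samples; placeholders follow the redaction used in the post.
KLIST_OUTPUT = """\
Keytab name: WRFILE:/etc/dovecot/krb5.keytab
KVNO Principal
   2 imap/MAILSERVER_FQDN@DOMAIN_REALM
   2 smtp/MAILSERVER_FQDN@DOMAIN_REALM
"""
# Hypothetical service accounts; the second has an SPN but no userPrincipalName.
LDIF = """\
dn: CN=svc-imap,CN=Users,DC=example,DC=test
servicePrincipalName: imap/MAILSERVER_FQDN
userPrincipalName: imap/MAILSERVER_FQDN@DOMAIN_REALM

dn: CN=svc-smtp,CN=Users,DC=example,DC=test
servicePrincipalName: smtp/MAILSERVER_FQDN
"""

def keytab_principals(klist_text):
    """Principals from the 'KVNO Principal' rows of `klist -k` output."""
    rows = (re.match(r"\s*\d+\s+(\S+@\S+)\s*$", l) for l in klist_text.splitlines())
    return [m.group(1) for m in rows if m]

def ldif_entries(ldif_text):
    """Plain LDIF (no base64, no folded lines) -> list of {attr: [values]}, casefolded."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif_text.strip()):
        entry = {}
        for attr, value in re.findall(r"^([\w;-]+): (.*)$", block, re.M):
            entry.setdefault(attr.casefold(), []).append(value.strip().casefold())
        entries.append(entry)
    return entries

def upn_status(klist_text, ldif_text):
    """Map each keytab principal to 'ok', 'upn-missing' or 'no-account'."""
    entries, report = ldif_entries(ldif_text), {}
    for princ in keytab_principals(klist_text):
        spn = princ.rpartition("@")[0].casefold()  # SPN attribute carries no realm
        owner = next((e for e in entries if spn in e.get("serviceprincipalname", [])), None)
        if owner is None:
            report[princ] = "no-account"   # no directory entry lists this SPN
        else:
            has_upn = princ.casefold() in owner.get("userprincipalname", [])
            report[princ] = "ok" if has_upn else "upn-missing"
    return report

if __name__ == "__main__":
    print(upn_status(KLIST_OUTPUT, LDIF))
```

To use it on a real system, pass in the actual `klist -k` output and an LDIF export containing the accounts' servicePrincipalName and userPrincipalName attributes.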