On 05/Sep/2010, at 19:02, Dirk Heinrichs wrote:
Hi,
I'm trying to setup dovecot 2.0.1 on a debian squeeze test box. I want to integrate it into an already working kerberos5 setup, but I don't get it to work.
I've created host/, smtp/ and imap/ service principals with random keys for the test machine and added them to its keytab.
As I see below the principals are for oldbox.altum.de (is this the FQDN of the server?)
I can also obtain user credentials using kinit, but when I try to telnet to port 143, I only get the following:
# kinit heini
Password for heini@ALTUM.DE:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: heini@ALTUM.DE

Valid starting     Expires            Service principal
09/05/10 18:56:30  09/06/10 04:56:30  krbtgt/ALTUM.DE@ALTUM.DE
        renew until 09/06/10 18:56:27
# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=GSSAPI] Dovecot ready.
a authenticate GSSAPI
a NO [UNAVAILABLE] Temporary authentication failure.
^]
telnet> Connection closed.
This is in the logs:
Sep 5 18:56:47 oldbox dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Sep 5 18:56:47 oldbox dovecot: auth: Debug: auth client connected (pid=27684)
Sep 5 18:56:58 oldbox dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=33753
Sep 5 18:56:58 oldbox dovecot: auth: Debug: gssapi(?,127.0.0.1): Obtaining credentials for imap@rohan
Sep 5 18:56:58 oldbox dovecot: auth: gssapi(?,127.0.0.1): While acquiring service credentials: Unspecified GSS failure. Minor code may provide more information
Sep 5 18:56:58 oldbox dovecot: auth: gssapi(?,127.0.0.1): While acquiring service credentials: Permission denied
Sep 5 18:57:00 oldbox dovecot: auth: Debug: client out: FAIL#0111#011temp
Sep 5 18:57:05 oldbox dovecot: imap-login: Disconnected (auth failed, 1 attempts): method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=0, secured
My configuration:
# doveconf -n
# 2.0.1 (a05834588ffb): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-486 i586 Debian squeeze/sid
auth_debug = yes
auth_gssapi_hostname = rohan
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Line above should be "auth_gssapi_hostname = oldbox.altum.de"
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = gssapi
auth_verbose = yes
disable_plaintext_auth = no
listen = *
mail_location = maildir:~/mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = comparator-i;octet comparator-i;ascii-casemap fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = imap
ssl = no
ssl_cert =
And here's the content of the kerberos keytab:
# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
   1    3 host/oldbox.altum.de@ALTUM.DE
   2    3 host/oldbox.altum.de@ALTUM.DE
   3    3 host/oldbox.altum.de@ALTUM.DE
   4    3 host/oldbox.altum.de@ALTUM.DE
   5    3 imap/oldbox.altum.de@ALTUM.DE
   6    3 imap/oldbox.altum.de@ALTUM.DE
   7    3 imap/oldbox.altum.de@ALTUM.DE
   8    3 imap/oldbox.altum.de@ALTUM.DE
   9    3 smtp/oldbox.altum.de@ALTUM.DE
  10    3 smtp/oldbox.altum.de@ALTUM.DE
  11    3 smtp/oldbox.altum.de@ALTUM.DE
  12    3 smtp/oldbox.altum.de@ALTUM.DE
I also don't see any connection attempt in the KDC's log file.
Any idea what could be wrong?
Read between the lines :)
It is sufficient that you create the principal "imap/fullyqualifieddomainname" for IMAP auth. The host/ principal is necessary if you want to telnet/ssh to the host using KRB auth; smtp/ is necessary if you want to send mail authenticating via KRB, but your SMTP server should support it.
It is VERY VERY important that you use the FQDN (the one you obtain by doing a reverse resolution: host -t ptr IP.of.the.server) of the imap server, unless you use a buggy client (read Apple Mail.app), in which case it should be necessary to create a principal for "imap/alias.of.server" and you MUST add auth_gssapi_hostname = "$ALL" to your configuration.
A.
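An added check, not from this thread or from Dovecot, that reproduces the mismatch A. points at: it parses the "key = value" lines of doveconf -n and the rows of klist -kt and reports whether the keytab holds imap/<auth_gssapi_hostname>@REALM, the name the log shows Dovecot acquiring credentials for. The sample outputs are constructed from the values in the thread, the realm is passed in by the caller, and the "$ALL" handling follows the behaviour A. describes.

```python
import re

# Constructed sample of "doveconf -n" output, using the values from the thread.
DOVECONF_OUTPUT = """\
auth_debug = yes
auth_gssapi_hostname = rohan
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = gssapi
"""

# Constructed sample of "klist -kt /etc/krb5.keytab" output with the thread's principals.
KLIST_OUTPUT = """\
KVNO Timestamp         Principal
---- ----------------- ------------------------------
   3 09/05/10 18:40:12 host/oldbox.altum.de@ALTUM.DE
   3 09/05/10 18:40:12 imap/oldbox.altum.de@ALTUM.DE
   3 09/05/10 18:40:12 smtp/oldbox.altum.de@ALTUM.DE
"""

def parse_doveconf(text):
    """Turn the 'key = value' lines of doveconf -n into a dict (blocks such as plugin { } are ignored)."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def keytab_principals(text):
    """Collect the distinct principals from klist -kt output; data rows start with a KVNO."""
    return {line.split()[-1] for line in text.splitlines() if re.match(r"^\s*\d+\s", line)}

def check_gssapi_keytab(conf, principals, realm, service="imap"):
    """Return a list of findings; an empty list means the keytab can serve the configured name."""
    findings = []
    host = conf.get("auth_gssapi_hostname", "")
    if host == "$ALL":
        # $ALL accepts any service key present in the keytab, so there just has to be one.
        if not any(p.startswith(service + "/") for p in principals):
            findings.append("keytab holds no %s/ principal" % service)
        return findings
    if not host:
        findings.append("auth_gssapi_hostname is unset; Dovecot then uses the system hostname")
        return findings
    if "." not in host:
        findings.append("auth_gssapi_hostname=%r is not fully qualified" % host)
    wanted = "%s/%s@%s" % (service, host, realm)
    if wanted not in principals:
        findings.append("keytab lacks %s, but Dovecot will acquire credentials for %s@%s" % (wanted, service, host))
    return findings
```

The second log line, "Permission denied", is worth checking separately: the file named in auth_krb5_keytab must be readable by the user the auth process runs as.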