I'm setting up dovecot on a new box, and once again I find myself banging my head against GSSAPI authentication.
The particularly irritating thing is that I have this working on another box. I've done my best to ape the configuration of that box, but it's been some years since I set it up and somewhere along the line I have failed.
My dovecot.conf has:
auth_mechanisms = plain gssapi
passdb {
  driver = pam
}
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
where /etc/dovecot/dovecot-ldap.conf.ext is:
hosts = ldap
dn = cn=Manager,dc=endoframe,dc=net
dnpass = XXXXXXXX
ldap_version = 3
base = ou=people,dc=endoframe,dc=net
deref = never
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))
I've diffed the contents of /etc/dovecot on the working vs. non-working servers, and I can see nothing of pertinence (just a few lines about loading the sieve plug-in).
Now, logging in with the Kerberos password via PAM *is* working. /etc/pam.d/dovecot:
#%PAM-1.0
auth sufficient pam_krb5.so
account sufficient pam_krb5.so
But GSSAPI authentication is not:
[root@hinge ~]# telnet localhost 143
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=GSSAPI] Dovecot ready.
a authenticate GSSAPI
a NO [UNAVAILABLE] Temporary authentication failure. [hinge.endoframe.net:2016-04-16 21:33:32]
^]
telnet> close
Connection closed.
Oh... The Kerberos server does have an IMAP service key for hinge, and that service key appears in hinge's /etc/krb5.keytab as well.
Any pointers on where I should be looking at this point would be very much appreciated.
-- Braden McDaniel <braden@endoframe.com>
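The "Temporary authentication failure" reply above is what Dovecot returns when its auth process cannot acquire GSSAPI credentials, and the usual first thing to confirm is that the keytab holds a principal whose hostname matches the one Dovecot actually uses (`auth_gssapi_hostname`, which defaults to the value returned by gethostname()). The script below is an added diagnostic, not code from the post or from the Dovecot project. It classifies a `klist -k` listing against an expected host, distinguishing the common case where the keytab has only the short hostname (imap/hinge@REALM) from a full match or a total absence; the sample listing embedded in it is constructed, and the hostnames and realm are taken from the post purely for illustration.

```shell
#!/bin/sh
# Added example: check whether a Kerberos keytab listing contains the IMAP
# service principal Dovecot's GSSAPI mechanism will look for.

# Constructed sample of `klist -k /etc/krb5.keytab` output (not real output).
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/hinge.endoframe.net@ENDOFRAME.NET
   2 imap/hinge.endoframe.net@ENDOFRAME.NET'

# Constructed listing whose IMAP key was created for the short name only.
SAMPLE_SHORT_ONLY_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 imap/hinge@ENDOFRAME.NET'

# classify_imap_principal HOST  (listing on stdin)
# Prints one of: present, short-name-only, absent
classify_imap_principal() {
    host="$1"
    listing=$(cat)
    short=${host%%.*}
    # Escape dots so the hostname is matched literally by grep -E.
    esc_host=$(printf '%s' "$host" | sed 's/\./\\./g')
    if printf '%s\n' "$listing" | grep -Eq "^ *[0-9]+ +imap/$esc_host@"; then
        echo present
    elif printf '%s\n' "$listing" | grep -Eq "^ *[0-9]+ +imap/$short@"; then
        echo short-name-only
    else
        echo absent
    fi
}

# Live check, only when Dovecot and Kerberos tools are installed on this host.
# `doveconf -h SETTING` prints just the value of a setting; defaults are
# applied when it prints nothing.
if command -v doveconf >/dev/null 2>&1 && command -v klist >/dev/null 2>&1; then
    gss_host=$(doveconf -h auth_gssapi_hostname 2>/dev/null || true)
    [ -n "$gss_host" ] || gss_host=$(hostname)
    keytab=$(doveconf -h auth_krb5_keytab 2>/dev/null || true)
    [ -n "$keytab" ] || keytab=/etc/krb5.keytab
    echo "Dovecot will look for imap/$gss_host@REALM in $keytab"
    if [ -r "$keytab" ]; then
        klist -k "$keytab" | classify_imap_principal "$gss_host"
    else
        echo "keytab $keytab is not readable by $(id -un)"
    fi
fi
```

Run it as root on the affected server; "short-name-only" means the keytab and `auth_gssapi_hostname` disagree on the hostname, "absent" means the IMAP key never made it into the file, and a not-readable keytab means the auth process cannot open it even though the key exists. Each of those produces the same generic NO [UNAVAILABLE] reply on the IMAP side, so the listing is the quickest way to tell them apart.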