The distinction is that kerberos principals are in the form
<service>/<hostname>@<REALM>
the hostname bit *must* match to the host you are connecting to, exactly and verbatim. It can differ in case, I guess.
The service is what service you are connecting to. These have special meanings and can be case sensitive (like http won't always work, it has to be HTTP).
host/ is always needed in at least the system keytab. Not sure if it's needed now in the service tab. But I suspect that you need to have IMAP and not imap. Also make sure and double-check that the hostname is correct.
Once you've done the keytab you'll want to grab a cup of coffee and local newspaper or something and read it thru before trying, because it might take some time for it to work.
Also, your client *and* host need to be able to access the KDC (all of them) on 88/tcp.
Aki
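As an added illustration of the principal form described above (this is not code from the thread, from Aki, or from Dovecot): a small Python checker that parses the kind of "ktutil: list" output quoted further down in the thread and reports, for each service principal a Dovecot GSSAPI host is expected to carry, whether it is present, present only with a case difference, or missing entirely. The sample listing, the hostname mail.hprs.local and the realm HPRS.LOCAL are taken from the thread; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout "ktutil: list" prints (slot, KVNO, principal).
# The two principals are the ones quoted in the thread.
SAMPLE_KTUTIL_LIST = """\
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 smtp/mail.hprs.local@HPRS.LOCAL
   2    1 imap/mail.hprs.local@HPRS.LOCAL
"""

# service/hostname@REALM, none of the three parts may be empty or contain '/' or '@'
PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@\s]+)/(?P<host>[^/@\s]+)@(?P<realm>[^/@\s]+)$")


@dataclass(frozen=True)
class Principal:
    service: str  # e.g. "imap" or "host"; compared case-sensitively
    host: str     # the FQDN the client actually connects to
    realm: str    # the Kerberos realm, conventionally upper case

    def __str__(self):
        return f"{self.service}/{self.host}@{self.realm}"


def parse_principal(text):
    """Split 'service/host@REALM' into its three parts; reject anything else."""
    m = PRINCIPAL_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a service principal: {text!r}")
    return Principal(**m.groupdict())


def parse_ktutil_list(output):
    """Map each principal in 'ktutil: list' output to its KVNO.

    Only lines of the shape '<slot> <kvno> <principal>' are entries; the
    prompt, the header and the dashed rule are skipped."""
    entries = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit() or not parts[1].isdigit():
            continue
        entries[parse_principal(parts[2])] = int(parts[1])
    return entries


def check_keytab(entries, fqdn, realm, services=("imap", "host")):
    """For each wanted service return (status, nearest entry).

    status is 'ok' (exact match), 'case-mismatch' (an entry equals the wanted
    principal only when case is ignored, so the operator can see which part
    differs) or 'missing' (nothing comparable in the keytab at all)."""
    report = {}
    for svc in services:
        want = Principal(svc, fqdn, realm)
        if want in entries:
            report[str(want)] = ("ok", str(want))
            continue
        near = [p for p in entries if str(p).lower() == str(want).lower()]
        if near:
            report[str(want)] = ("case-mismatch", str(near[0]))
        else:
            report[str(want)] = ("missing", None)
    return report


if __name__ == "__main__":
    keytab = parse_ktutil_list(SAMPLE_KTUTIL_LIST)
    wanted = ("imap", "IMAP", "host")
    for want, (status, found) in check_keytab(keytab, "mail.hprs.local", "HPRS.LOCAL", wanted).items():
        extra = f" (found {found})" if status == "case-mismatch" else ""
        print(f"{want}: {status}{extra}")
```

Run against the listing from the thread, the checker reports imap/mail.hprs.local@HPRS.LOCAL as ok, IMAP/mail.hprs.local@HPRS.LOCAL as a case mismatch against the lower-case entry, and host/mail.hprs.local@HPRS.LOCAL as missing. Checking against a short name such as "mail" instead of the FQDN reports every principal as missing, which is the hostname-must-match-exactly point made above.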
On 01.07.2016 09:42, Mark Foley wrote:
My keytab now has:
ktutil: read_kt /etc/dovecot/dovecot.keytab
ktutil: list
slot KVNO Principal
   1    1 smtp/mail.hprs.local@HPRS.LOCAL
   2    1 imap/mail.hprs.local@HPRS.LOCAL
I added these in ktutil with:
addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac
Aki wrote:
I think the problem still is that your keytab file has no entry imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
you also have no host/hostname@DOMAIN

Not sure how to interpret your template. Are you suggesting I should ...

addent -password -p IMAP/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
addent -password -p imap/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
(one IMAP uppercase and one lowercase?)
I don't get your distinction between host and hostname in your 3rd example: host/hostname@DOMAIN
Meanwhile ...
Tried a bunch of things. No go so far. In fact, I'm questioning if gssapi is enabled in my dovecot. I did rebuild and reinstall using ./configure --with-gssapi=yes, but if I only enable gssapi authentication, I get "No authenticators available" (mail client). How can I verify gssapi is really available? dovecot --build-options shows:

Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
SQL drivers:
Passdb: checkpassword passwd passwd-file shadow
Userdb: checkpassword nss passwd prefetch passwd-file
should I see authentication methods there?
--Mark
-----Original Message-----
Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
To: dovecot@dovecot.org
From: Aki Tuomi aki.tuomi@dovecot.fi
Organization: Dovecot Oy
Date: Thu, 30 Jun 2016 09:58:14 +0300
I think the problem still is that your keytab file has no entry imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
you also have no host/hostname@DOMAIN
Aki
On 29.06.2016 18:40, Mark Foley wrote:
Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that. The Thunderbird message is:
"The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark@ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."
I made further comments in that message that I won't clutter the list by repeating here. Check out that message and see what you think could be wrong.
Thanks for your help! I'm sure this is solvable!
--Mark
-----Original Message-----
Date: Wed, 29 Jun 2016 08:03:14 -0400
Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
From: brendan kearney bpk678@gmail.com
To: Mark Foley mfoley@ohprs.org
Cc: dovecot@dovecot.org

The last log line shows "user=<>". This indicates no credentials were presented. If the rip field matches the client ip you tested from, I would bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not pulled for the authentication.

On Jun 28, 2016 11:33 PM, "Mark Foley" mfoley@ohprs.org wrote:
[deleted]