Phillip Macey wrote:
In the release notes for v1.2.2, Timo said:
Found and fixed several v1.2-specific bugs. Hopefully it's now stable for most people's usage.
* GSSAPI: More changes to authentication. Hopefully good now.
What were the GSSAPI changes? I am having problems with _some_ of my users using GSSAPI auth. I am using version 1.2.1. The client (thunderbird) reports that the server does not support 'secure authentication'. When I switch on auth_debug in dovecot, I see errors such as these in the logs:
Aug 3 16:45:57 fury dovecot: auth(default): client in: AUTH 1 GSSAPI service=imap lip=10.1.0.20 rip=10.8.5.72 lport=143 rport=4027
Aug 3 16:45:57 fury dovecot: auth(default): gssapi(?,10.8.5.72): Using all keytab entries
Aug 3 16:45:57 fury dovecot: auth(default): client out: CONT 1
Aug 3 16:45:57 fury dovecot: imap-login: Disconnected: Input buffer full (auth failed, 1 attempts): method=GSSAPI, rip=10.8.5.72, lip=10.1.0.20
Other users work perfectly (e.g. all of the user accounts I tested against). Would this have been a bug that was fixed in 1.2.2 or is it something else? If it is most likely something else, I will post dovecot -n.
Same here (1.2.3), it's been working fine adding all possible principals to the keytab and setting:
auth_gssapi_hostname = $ALL
There are all sorts of resolvers out there that seem to mess with principal name selection on the clients all the time. Weird thing is this particular one didn't happen with 1.1.x.
-- Angel Marin http://anmar.eu.org/