On Mon, Jun 11, 2012 at 03:16:16PM +0300, Timo Sirainen wrote:
On Fri, 2012-06-08 at 18:59 +0200, Leon Meßner wrote:
Hi list,
i noticed that when doing imap gssapi authentication with kerberos, dovecot (here 2.1.7) always searches /etc/krb5.keytab although i have auth_krb5_keytab = /etc/mail3.krb5.keytab in my etc/dovecot/dovecot.conf and doveconf -n also show this setting. If i combine the keytabs in krb5.keytab it works. Is there another location where i should put my configuration regarding gssapi/kerberos ?
Try if this works:
import_environment = TZ GDB DEBUG_SILENT KRB5_KTNAME
Then start Dovecot with:
KRB5_KTNAME=/etc/mail3.krb5.keytab dovecot
I'm wondering if the code in mech-gssapi.c that sets KRB5_KTNAME environment is being called too late.
It's still looking inside the default krb5.keytab .
/var/log/dovecot.log: Jun 11 16:26:55 master: Info: Dovecot v2.1.7 starting up Jun 11 16:26:55 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth Jun 11 16:26:55 auth: Debug: auth client connected (pid=82646) Jun 11 16:26:55 auth: Debug: auth client connected (pid=82648) Jun 11 16:26:55 auth: Debug: auth client connected (pid=82647) Jun 11 16:26:55 auth: Debug: auth client connected (pid=82649) Jun 11 16:26:55 auth: Debug: auth client connected (pid=82651) Jun 11 16:26:55 auth: Debug: auth client connected (pid=82653) Jun 11 16:26:55 auth: Debug: auth client connected (pid=82655) Jun 11 16:26:55 auth: Debug: auth client connected (pid=82652) Jun 11 16:26:55 auth: Debug: auth client connected (pid=82656) Jun 11 16:26:55 auth: Debug: auth client connected (pid=82657) Jun 11 16:26:55 auth: Debug: auth client connected (pid=82650) Jun 11 16:26:55 auth: Debug: auth client connected (pid=82654) Jun 11 16:27:05 auth: Debug: auth client connected (pid=82669) Jun 11 16:27:06 auth: Debug: client in: AUTH 1 GSSAPI service=imap secured session=DLX+JDPCLwCClTqR lip=130.149.58.164 rip=130.149.58.145 lport=993 rport=29743 Jun 11 16:27:06 auth: Debug: gssapi(?,130.149.58.145,<DLX+JDPCLwCClTqR>): Obtaining credentials for imap@mail3.physik-pool.tu-berlin.de Jun 11 16:27:06 auth: Debug: client out: CONT 1 Jun 11 16:27:06 auth: Debug: client in: CONT<hidden> Jun 11 16:27:06 auth: Info: gssapi(?,130.149.58.145,<DLX+JDPCLwCClTqR>): While processing incoming data: Miscellaneous failure (see text) Jun 11 16:27:06 auth: Info: gssapi(?,130.149.58.145,<DLX+JDPCLwCClTqR>): While processing incoming data: Failed to find imap/mail3.physik-pool.tu-berlin.de@PCPOOL.PHYSIK.TU-BERLIN.DE(kvno 1) in keytab FILE:/etc/krb5.keytab (des3-cbc-sha1) Jun 11 16:27:08 auth: Debug: client out: FAIL 1 Jun 11 16:27:18 auth: Debug: auth client connected (pid=82673) Jun 11 16:27:18 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=130.149.58.149, lip=130.149.58.164, TLS, session=<Vy6wJTPCAgCClTqV> Jun 11 16:27:22 imap-login: Info: Aborted login (auth failed, 1 attempts in 16 secs): user=<>, method=GSSAPI, rip=130.149.58.145, lip=130.149.58.164, TLS, session=<DLX+JDPCLwCClTqR> Jun 11 16:27:38 auth: Debug: auth client connected (pid=82681) Jun 11 16:27:38 pop3-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=130.149.58.149, lip=130.149.58.164, TLS, session=<lhjfJjPCWwCClTqV> Jun 11 16:27:45 master: Warning: Killed with signal 15 (by pid=82684 uid=0 code=kill)