On 06.09.2010 08:53, Andre wrote:
On 05/Sep/2010, at 19:02, Dirk Heinrichs wrote:
I've created host/, smtp/ and imap/ service principals with random keys for the test machine and added them to its keytab.
As I see below the principals are for oldbox.altum.de (is this the FQDN of the server?)
Of the (test) mail server, yes.
My configuration:
# doveconf -n
# 2.0.1 (a05834588ffb): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-486 i586 Debian squeeze/sid
auth_debug = yes
auth_gssapi_hostname = rohan
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Line above should be "auth_gssapi_hostname = oldbox.altum.de"
Ah, ok. Thought it should be the one of the KDC.
Any idea what could be wrong?
Read between the lines :)
It is sufficient that you create the principal "imap/fullyqualifieddomainname" for IMAP auth. The host/ principal is necessary if you want to telnet/ssh to the host using KRB auth; smtp/ is necessary if you want to send mail authenticating via KRB, but your SMTP server has to support it.
Yes, I know.
It is VERY VERY important that you use the FQDN (the one you obtain by doing a reverse resolution: host -t ptr IP.of.the.server) of the IMAP server, unless you use a buggy client (read: Apple Mail.app), in which case it may be necessary to create a principal for "imap/alias.of.server" and you MUST add auth_gssapi_hostname = "$ALL" to your configuration.
Looks like "$ALL" was the way to go, since at least I get the imap/ ticket now. However, login still fails:
% klist
Ticket cache: FILE:/tmp/krb5cc_1000_RRFLlX
Default principal: heini@ALTUM.DE

Valid starting     Expires            Service principal
09/06/10 19:48:33  09/07/10 05:48:33  krbtgt/ALTUM.DE@ALTUM.DE
        renew until 09/07/10 19:48:33
09/06/10 19:48:33  09/07/10 05:48:33  afs/altum.de@ALTUM.DE
        renew until 09/07/10 19:48:33
09/06/10 19:50:18  09/07/10 05:48:33  host/rohan.altum.de@
        renew until 09/07/10 19:48:33
09/06/10 19:50:18  09/07/10 05:48:33  host/rohan.altum.de@ALTUM.DE
        renew until 09/07/10 19:48:33
% mutt    # Authentication fails
% klist
Ticket cache: FILE:/tmp/krb5cc_1000_RRFLlX
Default principal: heini@ALTUM.DE

Valid starting     Expires            Service principal
09/06/10 19:48:33  09/07/10 05:48:33  krbtgt/ALTUM.DE@ALTUM.DE
        renew until 09/07/10 19:48:33
09/06/10 19:48:33  09/07/10 05:48:33  afs/altum.de@ALTUM.DE
        renew until 09/07/10 19:48:33
09/06/10 19:50:18  09/07/10 05:48:33  host/rohan.altum.de@
        renew until 09/07/10 19:48:33
09/06/10 19:50:18  09/07/10 05:48:33  host/rohan.altum.de@ALTUM.DE
        renew until 09/07/10 19:48:33
09/06/10 19:51:45  09/07/10 05:48:33  imap/oldbox.altum.de@
        renew until 09/07/10 19:48:33
09/06/10 19:51:45  09/07/10 05:48:33  imap/oldbox.altum.de@ALTUM.DE
        renew until 09/07/10 19:48:33
% telnet oldbox 143
Trying 192.168.1.56...
Connected to oldbox.altum.de (192.168.1.56).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=GSSAPI] Dovecot ready.
a authenticate gssapi
+
^]
telnet> Connection closed.
mail.log from oldbox:
Sep 6 19:52:38 oldbox dovecot: auth: Debug: auth client connected (pid=28634)
Sep 6 19:52:39 oldbox dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011lip=192.168.1.56#011rip=192.168.1.172#011lport=143#011rport=47913
Sep 6 19:52:39 oldbox dovecot: auth: Debug: gssapi(?,192.168.1.172): Using all keytab entries
Sep 6 19:52:39 oldbox dovecot: auth: Debug: client out: CONT#0111#011
Sep 6 19:52:39 oldbox dovecot: auth: Debug: client in: CONT<hidden>
Sep 6 19:52:39 oldbox dovecot: auth: gssapi(?,192.168.1.172): While processing incoming data: Unspecified GSS failure. Minor code may provide more information
Sep 6 19:52:39 oldbox dovecot: auth: gssapi(?,192.168.1.172): While processing incoming data: Permission denied
Sep 6 19:52:41 oldbox dovecot: auth: Debug: client out: FAIL#0111
Sep 6 19:52:41 oldbox dovecot: imap-login: Disconnected (auth failed, 1 attempts): method=GSSAPI, rip=192.168.1.56, mpid=0
Thanks...
Dirk
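Added example (not from this thread or from Dovecot): a small checker for the rule Andre states above, i.e. the keytab must hold imap/<reverse-resolved FQDN>@REALM, auth_gssapi_hostname must be that FQDN or "$ALL", and any client-facing alias needs its own imap/ principal plus "$ALL". It parses text in the shape `klist -k` prints; the keytab contents in SAMPLE_KLIST_K are constructed, not the poster's.

```python
# Constructed `klist -k` output for the example; not a real keytab listing.
SAMPLE_KLIST_K = """Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/oldbox.altum.de@ALTUM.DE
   3 smtp/oldbox.altum.de@ALTUM.DE
   3 imap/oldbox.altum.de@ALTUM.DE
"""


def keytab_principals(klist_output):
    """Return the set of principals listed by `klist -k` (or `klist -kt`)."""
    principals = set()
    for line in klist_output.splitlines():
        fields = line.split()
        # Entry lines start with a numeric KVNO and end with name@REALM;
        # header and separator lines do not.
        if len(fields) >= 2 and fields[0].isdigit() and "@" in fields[-1]:
            principals.add(fields[-1])
    return principals


def check_gssapi_setup(principals, ptr_fqdn, realm, configured_hostname,
                       client_aliases=()):
    """Return a list of problems; an empty list means the setup is consistent.

    ptr_fqdn            name returned by `host -t ptr <server IP>`
    configured_hostname value of auth_gssapi_hostname in dovecot.conf
    client_aliases      other names clients may connect with (e.g. for Mail.app)
    """
    problems = []
    wanted = "imap/%s@%s" % (ptr_fqdn, realm)
    if wanted not in principals:
        problems.append("keytab lacks %s" % wanted)
    # The hostname must be the reverse-resolved FQDN (not the KDC, not a
    # short name) unless "$ALL" tells Dovecot to accept any keytab entry.
    if configured_hostname not in (ptr_fqdn, "$ALL"):
        problems.append("auth_gssapi_hostname is %r, expected %r or '$ALL'"
                        % (configured_hostname, ptr_fqdn))
    for alias in client_aliases:
        alias_princ = "imap/%s@%s" % (alias, realm)
        if alias_princ not in principals:
            problems.append("keytab lacks %s needed for clients using that alias"
                            % alias_princ)
        elif configured_hostname != "$ALL":
            problems.append("alias %s present but auth_gssapi_hostname is not '$ALL'"
                            % alias)
    return problems
```

Feed it the real `klist -k` output of the Dovecot keytab and the PTR name of the server to see which of the three conditions is unmet.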