24 Jun 2009, 4:38 p.m.
Hi,
We're facing a problem where dovecot 1.2rc5 is not able to authenticate a user via gssapi. (I'm forwarding information from Red Hat's bugzilla.)
Steps to reproduce:
- Install dovecot with kerberos support, create mailboxes for the client
- Get initial credentials on client side
- Attempt to log in via dovecot using gssapi -> login failed
Client side
- Email client displays: "[AUTHENTICATIONFAILED] Authentication failed."
- klist before login shows:

    Valid starting     Expires            Service principal
    06/18/09 20:01:01  06/19/09 20:01:01  krbtgt/realm@realm

- klist after login attempt shows:

    Valid starting     Expires            Service principal
    06/18/09 20:01:01  06/19/09 20:01:01  krbtgt/realm@realm
    06/18/09 20:01:28  06/19/09 20:01:01  imap/mail.domain@realm

Server side
- /var/log/maillog:

    dovecot: auth(default): gssapi(user,192.168.0.1): authn_name not authorized
    dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<user>, method=GSSAPI, rip=192.168.0.1, lip=192.168.0.2, TLS

It is possible for the same user to log in via other mechanisms. The issue reproduced with different email clients. Evolution and a custom Java-based client were attempted.
Example of dovecot.conf:

    protocols = imap
    mail_location = maildir:/home/virtual/%u/Maildir
    protocol imap {
    }
    auth_krb5_keytab=/etc/dovecot.keytab
    auth default {
      mechanisms = gssapi
      userdb static {
        args = uid=vmail gid=vmail home=/home/virtual/%u
      }
    }

Exactly the same dovecot setup was working just fine with the dovecot 1.1 series. Authentication using kinit works just fine and the Kerberos infrastructure is functioning well, as I use Kerberos auth for other services like apache and ssh successfully.
/var/log/maillog using auth_debug=yes can be found here: https://bugzilla.redhat.com/attachment.cgi?id=348710
Regards,
Michal Hlavinka