Hi Ranbir
This is more of a postfix question, but I have done these configs before in a BETA-Lab and it's a real pain. I'll be glad to help if I can.
In my environment I had postfix directly authenticating SASL with the IPA server (FreeIPA) using Cyrus SASL libs. In IPA the service must be registered with principal smtp/HOSTNAME.

    ##
    # /etc/postfix/sasl/smtpd.conf
    ##
    pwcheck_method: saslauthd
    mech_list: GSSAPI PLAIN LOGIN

    ##
    # /etc/default/saslauthd
    ##
    START=yes
    DESC="SASL Authentication Daemon"
    NAME="saslauthd"
    MECHANISMS="kerberos5"
    MECH_OPTIONS=""
    THREADS=5
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Regards,
Manuel Delgado
*Linux User* *#520940 http://counter.li.org/*
Mag. Computación e Informática Universidad de Costa Rica Centro de Informática
On Sun, Dec 13, 2015 at 11:21 AM, Ranbir m3freak@thesandhufamily.ca wrote:
Hi Everyone,
I'm currently using dovecot SASL in postfix and passwd-file in dovecot for authenticating my users. I want to switch to using IPA instead.
I have both the postfix (mailman01) and dovecot (mailman02) servers joined to the IPA domain. I have GSSAPI working in dovecot for IMAP. But, the SASL GSSAPI authentication in postfix fails with this error:

    warning: unknown[10.200.5.100]: SASL GSSAPI authentication failed:

This is what dovecot logs:

    Dec 12 22:31:54 mailman02 dovecot: auth: Debug: auth client connected (pid=0)
    Dec 12 22:31:54 mailman02 dovecot: auth: Debug: client in: AUTH 1 GSSAPI service=smtp nologin lip=10.200.9.14 rip=10.200.5.100 secured resp=<hidden>
    Dec 12 22:31:54 mailman02 dovecot: auth: Debug: gssapi(?,10.200.5.100): Obtaining credentials for smtp@mailman02.theinside.rnr
    Dec 12 22:31:54 mailman02 dovecot: auth: gssapi(?,10.200.5.100): While processing incoming data: Unspecified GSS failure. Minor code may provide more information
    Dec 12 22:31:54 mailman02 dovecot: auth: gssapi(?,10.200.5.100): While processing incoming data: Wrong principal in request
    Dec 12 22:31:56 mailman02 dovecot: auth: Debug: client passdb out: FAIL 1

I've tried changing the "smtpd_sasl_local_domain" in postfix's main.cf file to "mailman02.theinside.rnr", but I get the same errors in dovecot and postfix. Right now the config in postfix looks like this:

    import_environment="KRB5_KTNAME=/etc/postfix/smtp.keytab"
    smtpd_sasl_local_domain = mailman01.theoutside.rnr

Does what I'm trying to do make sense? If so, how do I fix it? Do I have to stop using dovecot sasl in postfix and switch to cyrus sasl?
-- Ranbir
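
An added example, not part of either message: a small Python check that pairs each Dovecot "Obtaining credentials for ..." debug line with a following "Wrong principal in request" failure and reports the service principal Dovecot tried to accept as, next to the smtp/HOSTNAME form for the Postfix host. The function name, and the assumption that SMTP clients request a ticket for the Postfix host's name (the smtpd_sasl_local_domain value in the thread), are assumptions of this example; the log lines are the ones quoted in the thread.

```python
import re

# Log lines copied from the thread (Dovecot auth on mailman02).
SAMPLE_LOG = """\
Dec 12 22:31:54 mailman02 dovecot: auth: Debug: client in: AUTH 1 GSSAPI service=smtp nologin lip=10.200.9.14 rip=10.200.5.100 secured resp=<hidden>
Dec 12 22:31:54 mailman02 dovecot: auth: Debug: gssapi(?,10.200.5.100): Obtaining credentials for smtp@mailman02.theinside.rnr
Dec 12 22:31:54 mailman02 dovecot: auth: gssapi(?,10.200.5.100): While processing incoming data: Unspecified GSS failure. Minor code may provide more information
Dec 12 22:31:54 mailman02 dovecot: auth: gssapi(?,10.200.5.100): While processing incoming data: Wrong principal in request
Dec 12 22:31:56 mailman02 dovecot: auth: Debug: client passdb out: FAIL 1
"""

# gssapi(<user>,<remote ip>) tag plus the service@host Dovecot acquires.
ACQUIRE = re.compile(r"gssapi\(([^)]*)\): Obtaining credentials for (\S+)@(\S+)")
FAILURE = re.compile(r"gssapi\(([^)]*)\): While processing incoming data: (.+)")


def find_principal_mismatches(log_text, smtp_host):
    """Return one finding per GSSAPI attempt that ended in 'Wrong principal
    in request', flagging whether the acceptor host differs from smtp_host
    (assumed to be the name clients request a ticket for)."""
    pending = {}    # gssapi tag -> (service, host) most recently acquired
    findings = []
    for line in log_text.splitlines():
        m = ACQUIRE.search(line)
        if m:
            pending[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = FAILURE.search(line)
        if m and "Wrong principal" in m.group(2) and m.group(1) in pending:
            service, host = pending.pop(m.group(1))
            findings.append({
                "client": m.group(1).split(",")[-1],
                "acceptor": f"{service}/{host}",
                "expected": f"{service}/{smtp_host}",
                "host_mismatch": host.lower() != smtp_host.lower(),
            })
    return findings


if __name__ == "__main__":
    for finding in find_principal_mismatches(SAMPLE_LOG, "mailman01.theoutside.rnr"):
        print(finding)
```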