On April 3, 2016 at 10:57 AM Luca Bertoncello lucabert@lucabert.de wrote:
Hi list!
I'm really puzzled... I have a Mailserver with Dovecot 2.2.9 (installed from Ubuntu 14.04-Repositories) and it works well with LDAP-Authentication against the Active Directory.
Now I want to use GSSAPI to allow the clients (with Thunderbird 38.7.1) to read E-Mails without giving a password.
I configured Dovecot using these HowTos:
http://mindref.blogspot.de/2011/02/dovecot-kerberos.html
http://wiki.dovecot.org/Authentication/Kerberos
But it does not work... In mail.log I can just see:
Apr 3 09:52:26 mail dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Apr 3 09:52:26 mail dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Apr 3 09:52:26 mail dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libmech_gssapi.so
Apr 3 09:52:26 mail dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Apr 3 09:52:26 mail dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
Apr 3 09:52:26 mail dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Apr 3 09:52:26 mail dovecot: auth: Debug: auth client connected (pid=2300)
Apr 3 09:52:26 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.50.54, lip=192.168.50.3, session=<x8Sq5I8vsADAqDI2>
and Thunderbird says that the Ticket was not accepted and I have to check if I'm logged into the Kerberos/GSSAPI subsystem. I checked with tcpdump and I see that Thunderbird does NOT send at all any request.
Could someone help me?
Thanks a lot!
Luca Bertoncello (lucabert@lucabert.de)
Make sure you have a keytab entry for IMAP/hostname, and host/hostname. Kerberos is pretty name oriented so DNS names must match, also reverse entries for optimal performance.
Also make sure your client has acquired some principal such as username@YOURDOMAIN.
These are usually checked with klist command or klist -k, depending if you are looking at credentials cache or keytab file.
Also, make sure that GSSAPI is provided as mechanism by dovecot, this is easy to check with
telnet hostname 14
and see what LOGIN mechanisms are provided. If it does not list capabilities, use
a01 CAPABILITY
to list them.
Aki Tuomi
Dovecot Oy
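The three checks Aki lists (service principals in the keytab, a ticket in the client's credentials cache, AUTH=GSSAPI in the server's CAPABILITY response) as one small script. This is an added example, not code from either poster or from Dovecot; it assumes MIT or Heimdal `klist` on the path and that `klist -s` exits 0 when a valid ticket is cached.

```python
import imaplib
import subprocess

def required_principals(hostname, realm):
    # Aki's reply: the keytab needs imap/hostname and host/hostname for the realm.
    return {f"imap/{hostname}@{realm}", f"host/{hostname}@{realm}"}

def keytab_principals(klist_k_output):
    """Principals listed by `klist -k` (MIT prints 'KVNO Principal'; Heimdal adds
    an enctype column; in both the principal is the last token of a numbered row)."""
    found = set()
    for line in klist_k_output.splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit() and "@" in tokens[-1]:
            found.add(tokens[-1])
    return found

def missing_keytab_entries(klist_k_output, hostname, realm):
    """Required service principals that the keytab does not contain (names are case-sensitive)."""
    return required_principals(hostname, realm) - keytab_principals(klist_k_output)

def imap_offers_gssapi(capability_line):
    """True if an IMAP CAPABILITY response advertises AUTH=GSSAPI."""
    return "AUTH=GSSAPI" in capability_line.upper().split()

def check_live(hostname, realm, port=143):
    """Run the three checks against a real host; returns a dict of findings."""
    keytab = subprocess.run(["klist", "-k"], capture_output=True, text=True).stdout
    has_ticket = subprocess.run(["klist", "-s"]).returncode == 0  # 0 = valid ticket in cache
    conn = imaplib.IMAP4(hostname, port)
    _, data = conn.capability()  # same as typing 'a01 CAPABILITY' over telnet
    conn.logout()
    caps = data[0].decode() if data else ""
    return {"missing_keytab": missing_keytab_entries(keytab, hostname, realm),
            "client_has_ticket": has_ticket,
            "server_offers_gssapi": imap_offers_gssapi(caps)}

# Constructed sample: a keytab with only host/, and a server that does not offer GSSAPI.
SAMPLE_KLIST_K = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------
   2 host/mail.example.com@EXAMPLE.COM
"""
SAMPLE_CAPS = "* CAPABILITY IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=LOGIN"

if __name__ == "__main__":
    print("missing:", missing_keytab_entries(SAMPLE_KLIST_K, "mail.example.com", "EXAMPLE.COM"))
    print("GSSAPI offered:", imap_offers_gssapi(SAMPLE_CAPS))
```

Call `check_live("mail.example.com", "EXAMPLE.COM")` from the client machine to run the same checks for real; an empty `missing_keytab` set, `client_has_ticket` True and `server_offers_gssapi` True are the preconditions before debugging Thunderbird itself.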