On Aug 31, 2011, at 8:27 AM, Stanislav Klinkov wrote:
> Why such hostility?
I beg your pardon, sir. Nothing personal, but to a question like "My car does not move" you provide the answer "Try to wipe the screen and kick the wheels". What do you think: if one digs into the source code, has he not already tried the simpler ways? Yes, I have read the manuals and wikis before posting here. And I know what Wireshark is and how to use it.
> And I did answer your second question about how the principal should look.
The matter of my question was how the string in the form "service@host" agrees with keytab entries in the form "service/host@REALM". Now I do know the answer. It is controlled by the argument "GSS_C_NT_HOSTBASED_SERVICE" of the function "gss_import_name".
> Maybe I'm wrong, not running 2.0 yet.
You are wrong. There were some minor changes. See here, for example: http://www.dovecot.org/list/dovecot-cvs/2010-June/017143.html
> Make sure your client is requesting the correct principal in the first place.
Yes, I am sure. I examined the logs of my Mozilla Thunderbird client. They look like this:
******* Thunderbird logs **********
3712[5a9e240]: nsAuthSSPI::Init
3712[5a9e240]: InitSSPI
3712[5a9e240]: Using SPN of [imap/efim.test.local]
3712[5a9e240]: AcquireCredentialsHandle() succeeded.
3712[5a9e240]: entering nsAuthSSPI::GetNextToken()
3712[5a9e240]: InitializeSecurityContext: continue.
> I take these Thunderbird log entries to mean your workstation was able to get a Kerberos ticket for imap/efim.test.local.
> "Wrong principal in request" usually means the principal in the system keytab for your system doesn't agree with the hostname or DNS name of the system.
It does agree. My host is named "efim.test.local". Here are the contents of my krb5.keytab:
******* krb5.keytab ***********
slot KVNO Principal
   1    4 imap/efim.test.local@ROMASHKA.LAN
   2    5 pop/efim.test.local@ROMASHKA.LAN
   3    6 smtp/efim.test.local@ROMASHKA.LAN
> The fact that you have different KVNOs for multiple services on the same host seems curious. How did you generate those keys and put them into krb5.keytab? Are you using Active Directory for Kerberos? If I ran ktpass multiple times to generate a new key for imap and then smtp, I would get the "wrong principal in request" error. When I ran ktpass once for IMAP, added the SPN for smtp using LDAP/setspn, and used ktutil on the Dovecot host to add an entry to my keytab with the same key and KVNO as ktpass generated the first time, then Dovecot and smtp started working. I suppose that's weaker for security, but chances are your mail SPNs (imap/pop/smtp) are tied to a single user or machine account anyway...
I have already found out that the denial is generated somewhere inside the krb5 libraries, not in Dovecot's modules. But I see no way to trace or debug the Kerberos calls. The source code of the Kerberos libs is too complex for me to analyze.
If you are interested, you may join the parallel discussion of the topic on the iXBT forum here: http://forum.ixbt.com/topic.cgi?id=76:10089
With best regards, Stanislav Klinkov.
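Two checks from this thread, as an added example that is not part of the original mail: mapping the client's host-based name (the "service@host" form passed with GSS_C_NT_HOSTBASED_SERVICE) to the "service/host@REALM" form found in the keytab, and flagging a host whose service principals carry differing KVNOs, the symptom discussed above. The keytab listing and the SPN are re-typed from the thread as constructed sample input; the simplified name mapping (lowercase host, caller-supplied realm) is an assumption, not a reimplementation of gss_import_name.

```python
import re
from collections import defaultdict

# Constructed sample input, re-typed from the thread's keytab listing.
KEYTAB_LISTING = """\
slot KVNO Principal
1 4 imap/efim.test.local@ROMASHKA.LAN
2 5 pop/efim.test.local@ROMASHKA.LAN
3 6 smtp/efim.test.local@ROMASHKA.LAN
"""
# SPN from the Thunderbird "Using SPN of [...]" log line.
CLIENT_SPN = "imap/efim.test.local"


def parse_keytab_listing(text):
    """Parse 'slot KVNO service/host@REALM' rows into tuples."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\d+)\s+([^/\s]+)/([^@\s]+)@(\S+)", line)
        if m:
            kvno, service, host, realm = m.groups()
            entries.append((int(kvno), service, host.lower(), realm))
    return entries


def hostbased_to_principal(name, realm):
    """Map 'service@host' (or 'service/host') to 'service/host@REALM'.
    Simplified assumption: host is lowercased, realm is supplied by the caller."""
    m = re.match(r"^([^@/]+)[@/]([^@/]+)$", name)
    if not m:
        raise ValueError(f"not a host-based service name: {name!r}")
    return f"{m.group(1)}/{m.group(2).lower()}@{realm}"


def kvno_conflicts(entries):
    """Return {(host, realm): {service: kvno}} for hosts whose service
    principals do not share one KVNO. When all SPNs hang off a single AD
    account, this usually means ktpass was run more than once and only the
    key from the last run is still valid."""
    by_host = defaultdict(dict)
    for kvno, service, host, realm in entries:
        by_host[(host, realm)][service] = kvno
    return {h: s for h, s in by_host.items() if len(set(s.values())) > 1}


def check_spn(client_spn, entries, realm):
    """Report the keytab form of the client's SPN and whether it is present."""
    wanted = hostbased_to_principal(client_spn, realm)
    present = wanted in {f"{s}/{h}@{r}" for _, s, h, r in entries}
    return wanted, present
```

Run `check_spn` first to confirm the client's SPN is actually in the keytab, then `kvno_conflicts` to see whether the keys for that host are from different ktpass runs.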