[Dovecot] Problems setting up dovecot 2.0.1 with kerberos auth
Hi,
I'm trying to set up dovecot 2.0.1 on a debian squeeze test box. I want to integrate it into an already working kerberos5 setup, but I can't get it to work.
I've created host/ smtp/ and imap/ service principals with random key for the test machine and added them to its keytab.
I can also obtain user credentials using kinit, but when I try to telnet to port 143, I only get the following:
# kinit heini
Password for heini@ALTUM.DE:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: heini@ALTUM.DE

Valid starting     Expires            Service principal
09/05/10 18:56:30  09/06/10 04:56:30  krbtgt/ALTUM.DE@ALTUM.DE
        renew until 09/06/10 18:56:27
# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=GSSAPI] Dovecot ready.
a authenticate GSSAPI
a NO [UNAVAILABLE] Temporary authentication failure.
^]
telnet> Connection closed.
This is in the logs:
Sep 5 18:56:47 oldbox dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Sep 5 18:56:47 oldbox dovecot: auth: Debug: auth client connected (pid=27684)
Sep 5 18:56:58 oldbox dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=33753
Sep 5 18:56:58 oldbox dovecot: auth: Debug: gssapi(?,127.0.0.1): Obtaining credentials for imap@rohan
Sep 5 18:56:58 oldbox dovecot: auth: gssapi(?,127.0.0.1): While acquiring service credentials: Unspecified GSS failure. Minor code may provide more information
Sep 5 18:56:58 oldbox dovecot: auth: gssapi(?,127.0.0.1): While acquiring service credentials: Permission denied
Sep 5 18:57:00 oldbox dovecot: auth: Debug: client out: FAIL#0111#011temp
Sep 5 18:57:05 oldbox dovecot: imap-login: Disconnected (auth failed, 1 attempts): method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=0, secured
My configuration:
# doveconf -n
# 2.0.1 (a05834588ffb): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-486 i586 Debian squeeze/sid
auth_debug = yes
auth_gssapi_hostname = rohan
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = gssapi
auth_verbose = yes
disable_plaintext_auth = no
listen = *
mail_location = maildir:~/mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = comparator-i;octet comparator-i;ascii-casemap fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = imap
ssl = no
ssl_cert =
And here's the content of the kerberos keytab:
# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
   1    3 host/oldbox.altum.de@ALTUM.DE
   2    3 host/oldbox.altum.de@ALTUM.DE
   3    3 host/oldbox.altum.de@ALTUM.DE
   4    3 host/oldbox.altum.de@ALTUM.DE
   5    3 imap/oldbox.altum.de@ALTUM.DE
   6    3 imap/oldbox.altum.de@ALTUM.DE
   7    3 imap/oldbox.altum.de@ALTUM.DE
   8    3 imap/oldbox.altum.de@ALTUM.DE
   9    3 smtp/oldbox.altum.de@ALTUM.DE
  10    3 smtp/oldbox.altum.de@ALTUM.DE
  11    3 smtp/oldbox.altum.de@ALTUM.DE
  12    3 smtp/oldbox.altum.de@ALTUM.DE
I also don't see any connection attempt in the KDC's log file.
Any idea what could be wrong?
Thanks...
Dirk
On 05/Sep/2010, at 19:02, Dirk Heinrichs wrote:
Hi,
I'm trying to set up dovecot 2.0.1 on a debian squeeze test box. I want to integrate it into an already working kerberos5 setup, but I can't get it to work.
I've created host/ smtp/ and imap/ service principals with random key for the test machine and added them to its keytab.
As I see below the principals are for oldbox.altum.de (is this the FQDN of the server?)
I can also obtain user credentials using kinit, but when I try to telnet to port 143, I only get the following:
# kinit heini
Password for heini@ALTUM.DE:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: heini@ALTUM.DE

Valid starting     Expires            Service principal
09/05/10 18:56:30  09/06/10 04:56:30  krbtgt/ALTUM.DE@ALTUM.DE
        renew until 09/06/10 18:56:27
# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=GSSAPI] Dovecot ready.
a authenticate GSSAPI
a NO [UNAVAILABLE] Temporary authentication failure.
^]
telnet> Connection closed.
This is in the logs:
Sep 5 18:56:47 oldbox dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Sep 5 18:56:47 oldbox dovecot: auth: Debug: auth client connected (pid=27684)
Sep 5 18:56:58 oldbox dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=33753
Sep 5 18:56:58 oldbox dovecot: auth: Debug: gssapi(?,127.0.0.1): Obtaining credentials for imap@rohan
Sep 5 18:56:58 oldbox dovecot: auth: gssapi(?,127.0.0.1): While acquiring service credentials: Unspecified GSS failure. Minor code may provide more information
Sep 5 18:56:58 oldbox dovecot: auth: gssapi(?,127.0.0.1): While acquiring service credentials: Permission denied
Sep 5 18:57:00 oldbox dovecot: auth: Debug: client out: FAIL#0111#011temp
Sep 5 18:57:05 oldbox dovecot: imap-login: Disconnected (auth failed, 1 attempts): method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=0, secured
My configuration:
# doveconf -n
# 2.0.1 (a05834588ffb): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-486 i586 Debian squeeze/sid
auth_debug = yes
auth_gssapi_hostname = rohan
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Line above should be “auth_gssapi_hostname = oldbox.altum.de"
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = gssapi
auth_verbose = yes
disable_plaintext_auth = no
listen = *
mail_location = maildir:~/mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = comparator-i;octet comparator-i;ascii-casemap fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = imap
ssl = no
ssl_cert =
And here's the content of the kerberos keytab:
# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
   1    3 host/oldbox.altum.de@ALTUM.DE
   2    3 host/oldbox.altum.de@ALTUM.DE
   3    3 host/oldbox.altum.de@ALTUM.DE
   4    3 host/oldbox.altum.de@ALTUM.DE
   5    3 imap/oldbox.altum.de@ALTUM.DE
   6    3 imap/oldbox.altum.de@ALTUM.DE
   7    3 imap/oldbox.altum.de@ALTUM.DE
   8    3 imap/oldbox.altum.de@ALTUM.DE
   9    3 smtp/oldbox.altum.de@ALTUM.DE
  10    3 smtp/oldbox.altum.de@ALTUM.DE
  11    3 smtp/oldbox.altum.de@ALTUM.DE
  12    3 smtp/oldbox.altum.de@ALTUM.DE
I also don't see any connection attempt in the KDC's log file.
Any idea what could be wrong?
Read between the lines :)
It is sufficient that you create the principal “imap/fullyqualifieddomainname” for IMAP auth. The host/ principal is necessary if you want to telnet/ssh to the host using KRB auth, smtp/ is necessary if you want to send mails authenticating via KRB, but your SMTP server should support it.
It is VERY VERY important that you use the FQDN (the one you obtain doing a reverse resolution - host -t ptr IP.of.the.server) of the imap server, unless you use a buggy client (read Apple Mail.app) in which case it should be necessary to create a principal for "imap/alias.of.server" and you MUST add auth_gssapi_hostname = “$ALL” to your configuration.
A.
On 06.09.2010 08:53, Andre wrote:
On 05/Sep/2010, at 19:02, Dirk Heinrichs wrote:
I've created host/ smtp/ and imap/ service principals with random key for the test machine and added them to its keytab.
As I see below the principals are for oldbox.altum.de (is this the FQDN of the server?)
Of the (test) mail server, yes.
My configuration:
# doveconf -n
# 2.0.1 (a05834588ffb): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-486 i586 Debian squeeze/sid
auth_debug = yes
auth_gssapi_hostname = rohan
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Line above should be “auth_gssapi_hostname = oldbox.altum.de"
Ah, ok. Thought it should be the one of the KDC.
Any idea what could be wrong?
Read between the lines :)
It is sufficient that you create the principal “imap/fullyqualifieddomainname” for IMAP auth. The host/ principal is necessary if you want to telnet/ssh to the host using KRB auth, smtp/ is necessary if you want to send mails authenticating via KRB, but your SMTP server should support it.
Yes, I know.
It is VERY VERY important that you use the FQDN (the one you obtain doing a reverse resolution - host -t ptr IP.of.the.server) of the imap server, unless you use a buggy client (read Apple Mail.app) in which case it should be necessary to create a principal for "imap/alias.of.server" and you MUST add auth_gssapi_hostname = “$ALL” to your configuration.
Looks like "$ALL" was the way to go, since at least I get the imap/ ticket now. However, login still fails:
% klist
Ticket cache: FILE:/tmp/krb5cc_1000_RRFLlX
Default principal: heini@ALTUM.DE

Valid starting     Expires            Service principal
09/06/10 19:48:33  09/07/10 05:48:33  krbtgt/ALTUM.DE@ALTUM.DE
        renew until 09/07/10 19:48:33
09/06/10 19:48:33  09/07/10 05:48:33  afs/altum.de@ALTUM.DE
        renew until 09/07/10 19:48:33
09/06/10 19:50:18  09/07/10 05:48:33  host/rohan.altum.de@
        renew until 09/07/10 19:48:33
09/06/10 19:50:18  09/07/10 05:48:33  host/rohan.altum.de@ALTUM.DE
        renew until 09/07/10 19:48:33
% mutt
# Authentication fails
% klist
Ticket cache: FILE:/tmp/krb5cc_1000_RRFLlX
Default principal: heini@ALTUM.DE

Valid starting     Expires            Service principal
09/06/10 19:48:33  09/07/10 05:48:33  krbtgt/ALTUM.DE@ALTUM.DE
        renew until 09/07/10 19:48:33
09/06/10 19:48:33  09/07/10 05:48:33  afs/altum.de@ALTUM.DE
        renew until 09/07/10 19:48:33
09/06/10 19:50:18  09/07/10 05:48:33  host/rohan.altum.de@
        renew until 09/07/10 19:48:33
09/06/10 19:50:18  09/07/10 05:48:33  host/rohan.altum.de@ALTUM.DE
        renew until 09/07/10 19:48:33
09/06/10 19:51:45  09/07/10 05:48:33  imap/oldbox.altum.de@
        renew until 09/07/10 19:48:33
09/06/10 19:51:45  09/07/10 05:48:33  imap/oldbox.altum.de@ALTUM.DE
        renew until 09/07/10 19:48:33
% telnet oldbox 143
Trying 192.168.1.56...
Connected to oldbox.altum.de (192.168.1.56).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=GSSAPI] Dovecot ready.
a authenticate gssapi
+
^]
telnet> Connection closed.
mail.log from oldbox:
Sep 6 19:52:38 oldbox dovecot: auth: Debug: auth client connected (pid=28634)
Sep 6 19:52:39 oldbox dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011lip=192.168.1.56#011rip=192.168.1.172#011lport=143#011rport=47913
Sep 6 19:52:39 oldbox dovecot: auth: Debug: gssapi(?,192.168.1.172): Using all keytab entries
Sep 6 19:52:39 oldbox dovecot: auth: Debug: client out: CONT#0111#011
Sep 6 19:52:39 oldbox dovecot: auth: Debug: client in: CONT<hidden>
Sep 6 19:52:39 oldbox dovecot: auth: gssapi(?,192.168.1.172): While processing incoming data: Unspecified GSS failure. Minor code may provide more information
Sep 6 19:52:39 oldbox dovecot: auth: gssapi(?,192.168.1.172): While processing incoming data: Permission denied
Sep 6 19:52:41 oldbox dovecot: auth: Debug: client out: FAIL#0111
Sep 6 19:52:41 oldbox dovecot: imap-login: Disconnected (auth failed, 1 attempts): method=GSSAPI, rip=192.168.1.172, lip=192.168.1.56, mpid=0
Thanks...
Dirk
On 06.09.2010 21:30, Dirk Heinrichs wrote:
On 06.09.2010 20:09, Dirk Heinrichs wrote:
Looks like "$ALL" was the way to go, since at least I get the imap/ ticket now. However, login still fails:
I also get the tickets with auth_gssapi_hostname = oldbox.altum.de, but it doesn't make a difference.
But changing permissions of the kerberos keytab did. After chmod 644 /etc/krb5.keytab login succeeded.
Bye...
Dirk
On 06/Sep/2010, at 21:44, Dirk Heinrichs wrote:
On 06.09.2010 21:30, Dirk Heinrichs wrote:
On 06.09.2010 20:09, Dirk Heinrichs wrote:
Looks like "$ALL" was the way to go, since at least I get the imap/ ticket now. However, login still fails:
I also get the tickets with auth_gssapi_hostname = oldbox.altum.de, but it doesn't make a difference.
But changing permissions of the kerberos keytab did. After chmod 644 /etc/krb5.keytab login succeeded.
Bye...
Dirk
When I saw the message “Permission denied” in a previous mail I immediately thought of the permissions of krb5.keytab. Remember that, as far as security is concerned, it may not be good to chmod 644 the keytab. Instead you can create another keytab containing the principals for the imap service, put it in the dovecot directory (for example), give it correct permissions and ownership and change the “auth_krb5_keytab” value to point to the new keytab file.
Bye Andre
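Andre's separate-keytab suggestion, as an added shell example that is not from the thread or from the Dovecot project: it copies only the imap/ entries out of /etc/krb5.keytab into a new file with MIT ktutil, locks down ownership and mode, and flags the world-readable state that "chmod 644" produced. The destination path /etc/dovecot/dovecot.keytab and the "dovecot" group (the user the auth service runs as) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build a Dovecot-only keytab holding just the
# imap/ principal, so /etc/krb5.keytab can stay root-only. Assumes MIT ktutil and that
# Dovecot's auth service runs as user "dovecot" (adjust the group below if not).
set -eu

# Read a ktutil "l" listing on stdin and print the slots whose principal does NOT
# start with $1 (e.g. "imap/"), highest slot first, so deleting them in that order
# keeps the remaining slot numbers valid.
slots_to_delete() {
  awk -v keep="$1" '$1 ~ /^[0-9]+$/ && index($3, keep) != 1 { print $1 }' | sort -rn
}

# True (exit 0) if the file has the world-readable bit set: the state "chmod 644"
# left /etc/krb5.keytab in, which hands every local user the host's service keys.
keytab_world_readable() {
  [ -n "$(find "$1" -perm -004 -print)" ]
}

# Copy only the imap/ entries of $1 into $2 and lock the new file down.
make_dovecot_keytab() {
  src=${1:-/etc/krb5.keytab}
  dst=${2:-/etc/dovecot/dovecot.keytab}   # assumed path; any dovecot-readable location works
  if [ -e "$dst" ]; then
    echo "$dst already exists; ktutil wkt would append to it, refusing" >&2
    return 1
  fi
  listing=$(printf 'rkt %s\nl\n' "$src" | ktutil)
  dels=$(printf '%s\n' "$listing" | slots_to_delete imap/ | sed 's/^/delent /')
  printf 'rkt %s\n%s\nwkt %s\n' "$src" "$dels" "$dst" | ktutil
  chown root:dovecot "$dst"   # group = the user Dovecot's auth process runs as (assumed)
  chmod 640 "$dst"            # readable by root and the dovecot group only
  if keytab_world_readable "$src"; then
    echo "warning: $src is world-readable; chmod 600 it now that Dovecot no longer reads it" >&2
  fi
  echo "now set in dovecot.conf:  auth_krb5_keytab = $dst"
}

# Run as root with --run [src] [dst] to perform the copy; nothing runs when sourced.
if [ "${1:-}" = "--run" ]; then
  make_dovecot_keytab "${2:-}" "${3:-}"
fi
```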
On 07.09.2010 09:32, Andre wrote:
When I saw the message “Permission denied” in a previous mail I immediately thought of the permissions of krb5.keytab. Remember that, as far as security is concerned, it may not be good to chmod 644 the keytab. Instead you can create another keytab containing the principals for the imap service, put it in the dovecot directory (for example), give it correct permissions and ownership and change the “auth_krb5_keytab” value to point to the new keytab file.
Yes, will do this in the final setup.
Bye...
Dirk