Authentication with Samba using Kerberos fails
Hi,
I've been having some problems getting GSSAPI authentication going against a Samba (4.2) server and am hoping someone can point me in the right direction. I've searched through Google and haven't managed to find a solution yet.
I followed the config instructions at http://wiki2.dovecot.org/Authentication/Kerberos and ran through the testing. Testing from the server with telnet behaves as expected, i.e. I get the "+" after I try "a authenticate GSSAPI". However, when I test from Thunderbird while logged in on a Windows PC joined to the domain, authentication fails and I see the following in mail.log (I'm running Ubuntu 14.04.2 LTS).
Apr 8 11:49:18 server dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Apr 8 11:49:18 server dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Apr 8 11:49:18 server dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libmech_gssapi.so
Apr 8 11:49:18 server dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Apr 8 11:49:18 server dovecot: auth: Debug: auth client connected (pid=17667)
Apr 8 11:49:18 server dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured#011session=e8xMvSwTQgDAqCpl#011lip=192.168.1.1#011rip=192.168.1.101#011lport=143#011rport=49986
Apr 8 11:49:18 server dovecot: auth: Debug: gssapi(?,192.168.42.101,<e8xMvSwTQgDAqCpl>): Obtaining credentials for imap@server.corp.mydomain.com
Apr 8 11:49:18 server dovecot: auth: Debug: client passdb out: CONT#0111#011
Apr 8 11:49:18 server dovecot: auth: Debug: client in: CONT<hidden>
Apr 8 11:49:18 server dovecot: auth: Debug: gssapi(me@corp.mydomain.com,192.168.1.101,<e8xMvSwTQgDAqCpl>): security context state completed.
Apr 8 11:49:18 server dovecot: auth: Debug: client passdb out: CONT#0111#011YIGVBgkqhkiG9xIBAgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrkGiOLsky4fbzWGzpxgW4mjmpjvNsiCqH8MnsUKviP9v1oVLPXSVkqFzFUiCLAd130ldnf742o/inz9Dx6e0aETwDKnnZu9OUD2nCGg/f5zA20IXGWR1zXVJi3hEB8nmrLgaENhyX0JMiE6g=
Apr 8 11:49:18 server dovecot: auth: Debug: client in: CONT<hidden>
Apr 8 11:49:18 server dovecot: auth: Debug: gssapi(me@corp.mydomain.com,192.168.1.101,<e8xMvSwTQgDAqCpl>): Negotiated security layer
Apr 8 11:49:18 server dovecot: auth: Debug: client passdb out: CONT#0111#011BQQF/wAMAAAAAAAAIvajggH////ubQhCZGfeuWGZQ7w=
Apr 8 11:49:18 server dovecot: auth: Debug: client in: CONT<hidden>
Apr 8 11:49:18 server dovecot: auth: Panic: file auth-request.c: line 716 (auth_request_is_disabled_master_user): assertion failed: (request->requested_login_user != NULL)
Apr 8 11:49:18 server dovecot: auth: Error: Raw backtrace: /usr/lib/dovecot/libdovecot.so.0(+0x5e271) [0x7f524a7da271] -> /usr/lib/dovecot/libdovecot.so.0(+0x5e34e) [0x7f524a7da34e] -> /usr/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7f524a795a9e] -> dovecot/auth(+0x15162) [0x7f524ac7e162] -> dovecot/auth(auth_request_lookup_credentials+0x22) [0x7f524ac7f8d2] -> /usr/lib/dovecot/modules/auth/libmech_gssapi.so(+0x20d4) [0x7f52499450d4] -> dovecot/auth(auth_request_handler_auth_continue+0xd1) [0x7f524ac81391] -> dovecot/auth(+0x1052a) [0x7f524ac7952a] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_call_io+0x27) [0x7f524a7ea247] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run+0xd7) [0x7f524a7eafd7] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f524a7e9de8] -> /usr/lib/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f524a79ac93] -> dovecot/auth(main+0x38c) [0x7f524ac7750c] -> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7f5249d8dec5] -> dovecot/auth(+0xe6d9) [0x7f524ac776d9]
Apr 8 11:49:18 server dovecot: auth: Fatal: master: service(auth): child 17668 killed with signal 6 (core dumps disabled)
Apr 8 11:49:18 server dovecot: imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=17667, EOF)
Apr 8 11:49:19 server dovecot: imap-login: Disconnected (auth process communication failure): user=<>, method=GSSAPI, rip=192.168.1.101, lip=192.168.1.1, TLS, session=<e8xMvSwTQgDAqCpl>
Relevant parts of my config:
auth_anonymous_username = anonymous
auth_cache_negative_ttl = 1 hours
auth_cache_size = 0
auth_cache_ttl = 1 hours
auth_debug = yes
auth_debug_passwords = no
auth_default_realm = CORP.MYDOMAIN.COM
auth_failure_delay = 2 secs
auth_gssapi_hostname = server.corp.mydomain.com
auth_krb5_keytab = /etc/dovecot/krb5.keytab
auth_master_user_separator =
auth_mechanisms = gssapi
auth_proxy_self =
auth_realms =
auth_socket_path = auth-userdb
auth_ssl_require_client_cert = no
auth_ssl_username_from_cert = no
auth_use_winbind = no
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_username_format = %Lu
auth_username_translation =
auth_verbose = yes
auth_verbose_passwords = no
auth_winbind_helper_path = /usr/bin/ntlm_auth
auth_worker_max_count = 30
userdb {
  args = uid=dovecot gid=dovecot home=/var/vmail/%u
  default_fields =
  driver = static
  override_fields =
}
Any help greatly appreciated.
Cheers, Justin.
participants (1)
- Justin Clacherty
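Added example, not part of the original post and not Dovecot code: a small triage script for auth debug logs like the one above. It decodes the syslog-escaped `client in: AUTH` fields and ties the GSSAPI progress, the auth-process panic and the dropped login together by session id. The function names and the abridged sample are constructed for illustration.

```python
import re

# Constructed sample: five lines abridged from the log in the post above.
SAMPLE = """\
Apr 8 11:49:18 server dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured#011session=e8xMvSwTQgDAqCpl#011lip=192.168.1.1#011rip=192.168.1.101#011lport=143#011rport=49986
Apr 8 11:49:18 server dovecot: auth: Debug: gssapi(me@corp.mydomain.com,192.168.1.101,<e8xMvSwTQgDAqCpl>): security context state completed.
Apr 8 11:49:18 server dovecot: auth: Panic: file auth-request.c: line 716 (auth_request_is_disabled_master_user): assertion failed: (request->requested_login_user != NULL)
Apr 8 11:49:18 server dovecot: auth: Fatal: master: service(auth): child 17668 killed with signal 6 (core dumps disabled)
Apr 8 11:49:19 server dovecot: imap-login: Disconnected (auth process communication failure): user=<>, method=GSSAPI, rip=192.168.1.101, lip=192.168.1.1, TLS, session=<e8xMvSwTQgDAqCpl>
"""

SYSLOG_ESC = re.compile(r"#(\d{3})")  # control chars are logged as #ooo (octal); #011 is TAB
GSS = re.compile(r"gssapi\(([^,]*),[^,]*,<([^>]+)>\): (.*)")
PANIC = re.compile(r"auth: Panic: file (\S+): line (\d+) \((\w+)\): assertion failed: (.*)")
DROPPED = re.compile(r"\(auth process communication failure\).*session=<([^>]+)>")

def parse_auth_request(line):
    """Decode a 'client in: AUTH' line into request id, mechanism, flags and key=value fields."""
    raw = line.split("client in: ", 1)[1]
    parts = SYSLOG_ESC.sub(lambda m: chr(int(m.group(1), 8)), raw).split("\t")
    req = {"id": parts[1], "mech": parts[2], "flags": []}
    for field in parts[3:]:
        key, sep, value = field.partition("=")
        if sep:
            req[key] = value
        else:
            req["flags"].append(key)  # bare flags such as "secured"
    return req

def triage(log):
    """Correlate GSSAPI progress, auth-process panics and dropped logins by session id."""
    sessions, panics = {}, []
    def entry(sid):
        return sessions.setdefault(sid, {"mech": None, "rip": None, "principal": None,
                                         "gss_done": False, "auth_crashed": False})
    for line in log.splitlines():
        if "client in: AUTH" in line:
            req = parse_auth_request(line)
            if "session" in req:
                entry(req["session"]).update(mech=req["mech"], rip=req.get("rip"))
        elif m := GSS.search(line):
            s = entry(m.group(2))
            if m.group(1) != "?":  # "?" is logged before a principal is known
                s["principal"] = m.group(1)
            s["gss_done"] |= "security context state completed" in m.group(3)
        elif m := PANIC.search(line):
            panics.append({"file": m.group(1), "line": int(m.group(2)),
                           "function": m.group(3), "assertion": m.group(4)})
        elif m := DROPPED.search(line):
            entry(m.group(1))["auth_crashed"] = True
    return {"sessions": sessions, "panics": panics}
```

A session reported with `gss_done` true and `auth_crashed` true is one where the Kerberos exchange itself completed and the login was lost to the auth process aborting, as opposed to a rejected ticket.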