[Dovecot] Trouble with GSSAPI auth
Hi all. I have a trouble with GSSAPI (Dovecot 2.0.7) auth:
auth: Debug: client in: AUTH 1 GSSAPI service=imap lip=192.168.1.56 rip=192.168.1.2 lport=143
auth: Debug: gssapi(?,192.168.1.2): Obtaining credentials for imap@
auth: Info: gssapi(?,192.168.1.2): While acquiring service credentials: An invalid name was supplied
auth: Info: gssapi(?,192.168.1.2): While acquiring service credentials: Unknown code krb5 216
Kerberos key imap/hostname@REALM installed, dovecot.conf:
auth_debug = yes
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = gssapi
disable_plaintext_auth = no
first_valid_uid = 1
log_path = /var/log/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_gid = 89
mail_location = maildir:/var/spool/mail/%n
mail_privileged_group = mail
mail_uid = 89
service imap-login {
  inet_listener imap {
    address = *
    port = 143
  }
}
ssl = no
userdb {
  driver = static
}
Any ideas?
Maybe you need to set auth_gssapi_hostname?
I added auth_gssapi_hostname = servertd.td.pmz.com.ua (it's the KDC) to dovecot.conf and generated the service principals again:
slot KVNO Principal
   1   14 imap/melchior.td.pmz.com.ua@TD.PMZ.COM.UA
   2   13 host/melchior.td.pmz.com.ua@TD.PMZ.COM.UA
   3    1 imap/melchior.td.pmz.com.ua@TD.PMZ.COM.UA
   4    1 host/melchior.td.pmz.com.ua@TD.PMZ.COM.UA
Then I got:
auth: Debug: gssapi(?,192.168.1.50): Obtaining credentials for imap@servertd.td.pmz.com.ua
auth: Info: gssapi(?,192.168.1.50): While acquiring service credentials: Unspecified GSS failure. Minor code may provide more
auth: Info: gssapi(?,192.168.1.50): While acquiring service credentials: No principal in keytab matches desired name
Something wrong with service principals, but what?
Maybe auth_gssapi_hostname should = melchior.td.pmz.com.ua since that's what is in your keytab.
Yep, it helps, but I've got another error:
auth: Info: gssapi(?,192.168.1.2): While processing incoming data: Unspecified GSS failure. Minor code may provide more information
auth: Info: gssapi(?,192.168.1.2): While processing incoming data: Unknown code krb5 230
I destroyed the Kerberos cache in /tmp/krb*, but nothing changed.
It's been a while since I've really messed with Kerberos, but I did find a page [1] which talked a little about krb5 error 230.
It said: Error 230 in the krb5 table is KRB5_KT_KVNONOTFOUND, "Key version number for principal in key table is incorrect".
Maybe that will help by giving you a starting point.
Willie
[1] http://mailman.mit.edu/pipermail/kerberos/2009-February/014506.html
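Both failures in this thread come down to the keytab not agreeing with what Dovecot asks for: first the principal name (imap/<auth_gssapi_hostname>@REALM was not in the keytab), then the key version (krb5 code 230, KRB5_KT_KVNONOTFOUND). The following script is an added example, not code from the thread or from the Dovecot project. It parses the text that `ktutil list` (and `klist -k`) prints, with a constructed listing modelled on the one posted above, builds the principal Dovecot will look up from a hostname and realm, and reports whether that principal is present, whether stale key versions remain, and whether the key version the KDC currently issues (the `kdc_kvno` argument, an assumed manual input taken from `kvno imap/<host>` on a client) exists in the keytab.

```python
"""Cross-check a Dovecot GSSAPI keytab listing against auth_gssapi_hostname.

Added example (not from the thread or the Dovecot project): it diagnoses the
two keytab problems seen in the thread from a `ktutil list` / `klist -k` dump.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the `ktutil list` output in the thread:
# the current keys (KVNO 14/13) sit next to stale KVNO 1 entries.
SAMPLE_KTUTIL_LIST = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1   14 imap/melchior.td.pmz.com.ua@TD.PMZ.COM.UA
   2   13 host/melchior.td.pmz.com.ua@TD.PMZ.COM.UA
   3    1 imap/melchior.td.pmz.com.ua@TD.PMZ.COM.UA
   4    1 host/melchior.td.pmz.com.ua@TD.PMZ.COM.UA
"""

# Matches "slot KVNO service/host@REALM" (MIT ktutil list) and
# "KVNO service/host@REALM" (MIT klist -k); header/separator lines do not match.
_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(?:(\d+)\s+)?(\S+/\S+@\S+)\s*$")


def parse_keytab_listing(text):
    """Return {principal: set(kvnos)} from ktutil list / klist -k output."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        first, second, principal = m.groups()
        # With a slot column the KVNO is the second number, otherwise the first.
        kvno = int(second) if second is not None else int(first)
        entries[principal].add(kvno)
    return dict(entries)


def expected_service_principal(hostname, realm, service="imap"):
    """The name Dovecot acquires credentials for: service/<auth_gssapi_hostname>@REALM."""
    return f"{service}/{hostname}@{realm}"


def check_keytab(listing_text, hostname, realm, kdc_kvno=None, service="imap"):
    """Diagnose the keytab problems from the thread.

    kdc_kvno (optional, assumed manual input) is the key version the KDC
    currently issues service tickets with, e.g. as reported by `kvno`.
    Returns the expected principal, the KVNOs found for it, and findings.
    """
    entries = parse_keytab_listing(listing_text)
    wanted = expected_service_principal(hostname, realm, service)
    kvnos = entries.get(wanted, set())
    findings = []
    if not kvnos:
        # Dovecot's "No principal in keytab matches desired name" case.
        findings.append(f"no keytab entry for {wanted}")
        same_service = sorted(p for p in entries if p.startswith(service + "/"))
        if same_service:
            findings.append("keytab has " + ", ".join(same_service)
                            + "; auth_gssapi_hostname must be the host part of one of these")
    else:
        if len(kvnos) > 1:
            findings.append(f"{wanted} has several key versions {sorted(kvnos)}; "
                            "the older ones are leftovers of re-keying")
        if kdc_kvno is not None and kdc_kvno not in kvnos:
            # The KRB5_KT_KVNONOTFOUND (krb5 code 230) case: the ticket was
            # encrypted with a key version the keytab does not hold.
            findings.append(f"KDC issues KVNO {kdc_kvno} but keytab only has "
                            f"{sorted(kvnos)}; the keytab needs re-exporting from the KDC")
    return {"expected_principal": wanted, "kvnos": sorted(kvnos), "findings": findings}


if __name__ == "__main__":
    for host in ("servertd.td.pmz.com.ua", "melchior.td.pmz.com.ua"):
        result = check_keytab(SAMPLE_KTUTIL_LIST, host, "TD.PMZ.COM.UA", kdc_kvno=15)
        print(host, "->", result["findings"] or ["ok"])
```

Run against the sample, the KDC hostname from the first attempt produces the "no keytab entry" finding with the real principals listed as candidates, while the keytab's own hostname passes the name check and only flags the stale KVNO 1 entries, plus a version mismatch if the KDC's current KVNO is not 14.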
participants (3)
- asd dsa
- Timo Sirainen
- Willie Gillespie