GSSAPI authentication setup
I'm setting up dovecot on a new box; and once again I find myself banging my head against GSSAPI authentication.
The particularly irritating thing is that I have this working on another box. I've done my best to ape the configuration of that box; but it's been some years since I set it up and somewhere along the line I have failed.
My dovecot.conf has:
auth_mechanism = plain gssapi
passdb {
driver = pam
}
userdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
}
where /etc/dovecot/dovecot-ldap.conf.ext is:
hosts = ldap
dn = cn=Manager,dc=endoframe,dc=net
dnpass = XXXXXXXX
ldap_version = 3
base = ou=people,dc=endoframe,dc=net
deref = never
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))
I've diff'd the contents of /etc/dovecot on the working vs. non-working servers, and I can see nothing of pertinence (just a few lines about loading the sieve plug-in).
Now, logging in with the kerberos password via PAM *is* working. /etc/pam.d/dovecot:
#%PAM-1.0
auth sufficient pam_krb5.so
account sufficient pam_krb5.so
But GSSAPI authentication is not:
[ root@hinge ~]# telnet localhost 143
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=GSSAPI] Dovecot ready.
a authenticate GSSAPI
a NO [UNAVAILABLE] Temporary authentication failure. [hinge.endoframe.net:2016-04-16 21:33:32]
^]
telnet> close
Connection closed.
Oh... The kerberos server does have an IMAP service key for hinge; and that service key appears in hinge's /etc/krb5.keytab, as well.
Any pointers on where I should be looking at this point would be very much appreciated.
-- Braden McDaniel <braden@endoframe.com>
On April 17, 2016 at 12:41 AM Braden McDaniel <braden@endoframe.com> wrote:
Hi!
Did you check your setup against http://wiki2.dovecot.org/Authentication/Kerberos
Also can you provide klist -k on server?
Aki Tuomi
On Sun, 2016-04-17 at 21:49 +0300, aki.tuomi@dovecot.fi wrote:
Did you check your setup against
I did. Of course, it's possible I've still managed to overlook something.
Also can you provide klist -k on server?
I assume you mean the kerberos server:
[ root@knock ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/knock.endoframe.net@ENDOFRAME.NET
2 host/knock.endoframe.net@ENDOFRAME.NET
2 host/knock.endoframe.net@ENDOFRAME.NET
2 host/knock.endoframe.net@ENDOFRAME.NET
2 host/knock.endoframe.net@ENDOFRAME.NET
2 host/knock.endoframe.net@ENDOFRAME.NET
4 host/rail.endoframe.net@ENDOFRAME.NET
4 host/rail.endoframe.net@ENDOFRAME.NET
4 host/rail.endoframe.net@ENDOFRAME.NET
4 host/rail.endoframe.net@ENDOFRAME.NET
4 host/rail.endoframe.net@ENDOFRAME.NET
4 host/rail.endoframe.net@ENDOFRAME.NET
3 nfs/rail.endoframe.net@ENDOFRAME.NET
5 host/hinge.endoframe.net@ENDOFRAME.NET
5 host/hinge.endoframe.net@ENDOFRAME.NET
5 host/hinge.endoframe.net@ENDOFRAME.NET
5 host/hinge.endoframe.net@ENDOFRAME.NET
5 host/hinge.endoframe.net@ENDOFRAME.NET
5 host/hinge.endoframe.net@ENDOFRAME.NET
5 host/hinge.endoframe.net@ENDOFRAME.NET
5 host/hinge.endoframe.net@ENDOFRAME.NET
-- Braden McDaniel <braden@endoframe.com>
On April 18, 2016 at 8:13 AM Braden McDaniel <braden@endoframe.com> wrote:
Apologies, I meant your IMAP server.
Aki Tuomi
On Mon, 2016-04-18 at 08:59 +0300, aki.tuomi@dovecot.fi wrote:
Apologies, I meant your IMAP server.
[ root@hinge ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/hinge.endoframe.net@ENDOFRAME.NET
3 host/hinge.endoframe.net@ENDOFRAME.NET
3 host/hinge.endoframe.net@ENDOFRAME.NET
3 host/hinge.endoframe.net@ENDOFRAME.NET
3 host/hinge.endoframe.net@ENDOFRAME.NET
3 host/hinge.endoframe.net@ENDOFRAME.NET
3 host/hinge.endoframe.net@ENDOFRAME.NET
3 host/hinge.endoframe.net@ENDOFRAME.NET
3 host/hinge.endoframe.net@ENDOFRAME.NET
3 host/hinge.endoframe.net@ENDOFRAME.NET
3 host/hinge.endoframe.net@ENDOFRAME.NET
3 host/hinge.endoframe.net@ENDOFRAME.NET
3 host/hinge.endoframe.net@ENDOFRAME.NET
3 host/hinge.endoframe.net@ENDOFRAME.NET
3 host/hinge.endoframe.net@ENDOFRAME.NET
3 host/hinge.endoframe.net@ENDOFRAME.NET
4 host/hinge.endoframe.net@ENDOFRAME.NET
4 host/hinge.endoframe.net@ENDOFRAME.NET
4 host/hinge.endoframe.net@ENDOFRAME.NET
4 host/hinge.endoframe.net@ENDOFRAME.NET
4 host/hinge.endoframe.net@ENDOFRAME.NET
4 host/hinge.endoframe.net@ENDOFRAME.NET
4 host/hinge.endoframe.net@ENDOFRAME.NET
4 host/hinge.endoframe.net@ENDOFRAME.NET
2 imap/hinge.endoframe.net@ENDOFRAME.NET
2 imap/hinge.endoframe.net@ENDOFRAME.NET
2 imap/hinge.endoframe.net@ENDOFRAME.NET
2 imap/hinge.endoframe.net@ENDOFRAME.NET
2 imap/hinge.endoframe.net@ENDOFRAME.NET
2 imap/hinge.endoframe.net@ENDOFRAME.NET
2 imap/hinge.endoframe.net@ENDOFRAME.NET
2 imap/hinge.endoframe.net@ENDOFRAME.NET
-- Braden McDaniel <braden@endoframe.com>
On 18.04.2016 14:22, Braden McDaniel wrote:
There was a previous case where GSSAPI did not work with Thunderbird. It apparently has some problems with GSSAPI usage. Also, did you ensure that your client has all the requisite principals?
Can you try turning on auth_verbose=yes?
Remember that kerberos is very DNS oriented, so missing/incorrect reverse records can also cause failures.
Aki
On Mon, 2016-04-18 at 14:49 +0300, Aki Tuomi wrote:
There was previous case where gssapi did not work with Thunderbird. It apparently has some problems with GSSAPI usage.
I'm using Evolution; but note the telnet session. I'll beat mail clients into submission later.
I found the problem: I had not made the keytab file on the mail server readable by the dovecot process.
(Yes, I'm well aware the wiki mentions this; and I probably read that sentence at least a half dozen times without it really registering with me. Ahem.)
Thank you for your assistance.
-- Braden McDaniel <braden@endoframe.com>
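As an added example (not code from this thread or from Dovecot), the following Python helper performs the two checks the thread ended on: that `klist -k` on the IMAP server lists an imap/<fqdn> key, and that the keytab's mode and ownership let the Dovecot auth process, which does not run as root, read it, something root's own `klist -k` cannot tell you. The embedded `klist -k` text is constructed from the output posted above; the uid/gid values passed in are assumptions.

```python
import os
import stat
from typing import Dict, Set

# Constructed sample: the `klist -k` output the thread posted for the IMAP
# server (hinge), trimmed to one line per principal/KVNO pair.
HINGE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/hinge.endoframe.net@ENDOFRAME.NET
   4 host/hinge.endoframe.net@ENDOFRAME.NET
   2 imap/hinge.endoframe.net@ENDOFRAME.NET
"""

def parse_klist(output: str) -> Dict[str, Set[int]]:
    """Map each principal in `klist -k` output to the set of KVNOs it has."""
    keys: Dict[str, Set[int]] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # header, separator or blank line
        keys.setdefault(parts[1], set()).add(int(parts[0]))
    return keys

def keytab_has_service(output: str, service: str, fqdn: str, realm: str) -> bool:
    """True if the keytab holds a key for service/fqdn@REALM (imap/ in this thread)."""
    return f"{service}/{fqdn}@{realm}" in parse_klist(output)

def readable_by(mode: int, file_uid: int, file_gid: int, uid: int, gids: Set[int]) -> bool:
    """POSIX read check for a process (uid, gids) against st_mode/st_uid/st_gid.
    Root reads regardless of mode, so a root shell never sees this failure."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def keytab_readable(path: str, uid: int, gids: Set[int]) -> bool:
    """Live variant: stat the keytab on disk and apply readable_by() for the
    uid/gids the Dovecot auth process runs under (an assumed input here)."""
    st = os.stat(path)
    return readable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids)
```

A keytab left at the usual root:root 0600 passes the principal check and fails the readability check, which is exactly the combination reported as "Temporary authentication failure" above.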