[Dovecot] auth_krb5_keytab ignored ?
Hi list,
I noticed that when doing IMAP GSSAPI authentication with Kerberos, Dovecot (here 2.1.7) always searches /etc/krb5.keytab although I have auth_krb5_keytab = /etc/mail3.krb5.keytab in my etc/dovecot/dovecot.conf and doveconf -n also shows this setting. If I combine the keytabs in krb5.keytab it works. Is there another location where I should put my configuration regarding gssapi/kerberos?
Thanks, Leon
logs:

18:48_root@mail3:/root# cat /var/log/dovecot.log | tail -n 8
Jun 08 18:48:16 auth: Debug: client in: AUTH 1 GSSAPI service=imap secured session=gexTxPjBZACClTqR lip=130.149.58.164 rip=130.149.58.145 lport=993 rport=31076
Jun 08 18:48:16 auth: Debug: gssapi(?,130.149.58.145,<gexTxPjBZACClTqR>): Obtaining credentials for imap@mail3.physik-pool.tu-berlin.de
Jun 08 18:48:16 auth: Debug: client out: CONT 1
Jun 08 18:48:16 auth: Debug: client in: CONT<hidden>
Jun 08 18:48:16 auth: Info: gssapi(?,130.149.58.145,<gexTxPjBZACClTqR>): While processing incoming data: Miscellaneous failure (see text)
Jun 08 18:48:16 auth: Info: gssapi(?,130.149.58.145,<gexTxPjBZACClTqR>): While processing incoming data: Failed to find imap/mail3.physik-pool.tu-berlin.de@PCPOOL.PHYSIK.TU-BERLIN.DE(kvno 1) in keytab FILE:/etc/krb5.keytab (des3-cbc-sha1)
Jun 08 18:48:18 auth: Debug: client out: FAIL 1
Jun 08 18:48:23 imap-login: Info: Aborted login (auth failed, 1 attempts in 7 secs): user=<>, method=GSSAPI, rip=130.149.58.145, lip=130.149.58.164, TLS, session=<gexTxPjBZACClTqR>
# 2.1.7: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 8.2-RELEASE-p3 amd64
auth_debug = yes
auth_gssapi_hostname = mail3.physik-pool.tu-berlin.de
auth_krb5_keytab = /etc/mail3.krb5.keytab
auth_mechanisms = gssapi plain login
auth_verbose = yes
auth_worker_max_count = 120
first_valid_gid = 300
first_valid_uid = 200
lda_mailbox_autocreate = yes
listen = mail3.physik.tu-berlin.de
log_path = /var/log/dovecot.log
mail_fsync = always
mail_location = maildir:~/maildir
mail_nfs_index = yes
mail_nfs_storage = yes
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
mmap_disable = yes
namespace {
  inbox = yes
  location = 
  prefix = 
  separator = /
  type = private
}
namespace {
  location = mbox:~/mail
  prefix = mail/
  separator = /
  type = private
}
passdb {
  args = session=yes failure_show_msg=yes max_requests=100 dovecot
  driver = pam
}
plugin {
  quota = fs
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/.sieve
}
protocols = imap pop3
service auth {
  unix_listener auth-client {
    mode = 0660
  }
  unix_listener auth-master {
    mode = 0600
  }
  user = root
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  process_limit = 256
  process_min_avail = 6
}
service managesieve-login {
  process_limit = 256
  process_min_avail = 6
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  process_limit = 256
  process_min_avail = 6
}
ssl_cert = </etc/private/mail3.physik.tu-berlin.de.pem
ssl_key = </etc/private/physik.tu-berlin.de_privatekey.pem
userdb {
  args = blocking=yes
  driver = passwd
}
verbose_proctitle = yes
protocol lda {
  info_log_path = /var/log/dovecot-lda.log
  log_path = /var/log/dovecot-lda.log
  mail_plugins = " sieve quota"
}
On Fri, 2012-06-08 at 18:59 +0200, Leon Meßner wrote:
> Hi list,
> I noticed that when doing IMAP GSSAPI authentication with Kerberos, Dovecot (here 2.1.7) always searches /etc/krb5.keytab although I have auth_krb5_keytab = /etc/mail3.krb5.keytab in my etc/dovecot/dovecot.conf and doveconf -n also shows this setting. If I combine the keytabs in krb5.keytab it works. Is there another location where I should put my configuration regarding gssapi/kerberos?
Try if this works:
import_environment = TZ GDB DEBUG_SILENT KRB5_KTNAME
Then start Dovecot with:
KRB5_KTNAME=/etc/mail3.krb5.keytab dovecot
I'm wondering if the code in mech-gssapi.c that sets the KRB5_KTNAME environment variable is being called too late.
On Mon, Jun 11, 2012 at 03:16:16PM +0300, Timo Sirainen wrote:
> On Fri, 2012-06-08 at 18:59 +0200, Leon Meßner wrote:
> > Hi list,
> > I noticed that when doing IMAP GSSAPI authentication with Kerberos, Dovecot (here 2.1.7) always searches /etc/krb5.keytab although I have auth_krb5_keytab = /etc/mail3.krb5.keytab in my etc/dovecot/dovecot.conf and doveconf -n also shows this setting. If I combine the keytabs in krb5.keytab it works. Is there another location where I should put my configuration regarding gssapi/kerberos?
> 
> Try if this works:
> 
> import_environment = TZ GDB DEBUG_SILENT KRB5_KTNAME
> 
> Then start Dovecot with:
> 
> KRB5_KTNAME=/etc/mail3.krb5.keytab dovecot
> 
> I'm wondering if the code in mech-gssapi.c that sets the KRB5_KTNAME environment variable is being called too late.
It's still looking inside the default krb5.keytab.
/var/log/dovecot.log:

Jun 11 16:26:55 master: Info: Dovecot v2.1.7 starting up
Jun 11 16:26:55 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82646)
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82648)
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82647)
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82649)
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82651)
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82653)
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82655)
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82652)
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82656)
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82657)
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82650)
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82654)
Jun 11 16:27:05 auth: Debug: auth client connected (pid=82669)
Jun 11 16:27:06 auth: Debug: client in: AUTH 1 GSSAPI service=imap secured session=DLX+JDPCLwCClTqR lip=130.149.58.164 rip=130.149.58.145 lport=993 rport=29743
Jun 11 16:27:06 auth: Debug: gssapi(?,130.149.58.145,<DLX+JDPCLwCClTqR>): Obtaining credentials for imap@mail3.physik-pool.tu-berlin.de
Jun 11 16:27:06 auth: Debug: client out: CONT 1
Jun 11 16:27:06 auth: Debug: client in: CONT<hidden>
Jun 11 16:27:06 auth: Info: gssapi(?,130.149.58.145,<DLX+JDPCLwCClTqR>): While processing incoming data: Miscellaneous failure (see text)
Jun 11 16:27:06 auth: Info: gssapi(?,130.149.58.145,<DLX+JDPCLwCClTqR>): While processing incoming data: Failed to find imap/mail3.physik-pool.tu-berlin.de@PCPOOL.PHYSIK.TU-BERLIN.DE(kvno 1) in keytab FILE:/etc/krb5.keytab (des3-cbc-sha1)
Jun 11 16:27:08 auth: Debug: client out: FAIL 1
Jun 11 16:27:18 auth: Debug: auth client connected (pid=82673)
Jun 11 16:27:18 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=130.149.58.149, lip=130.149.58.164, TLS, session=<Vy6wJTPCAgCClTqV>
Jun 11 16:27:22 imap-login: Info: Aborted login (auth failed, 1 attempts in 16 secs): user=<>, method=GSSAPI, rip=130.149.58.145, lip=130.149.58.164, TLS, session=<DLX+JDPCLwCClTqR>
Jun 11 16:27:38 auth: Debug: auth client connected (pid=82681)
Jun 11 16:27:38 pop3-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=130.149.58.149, lip=130.149.58.164, TLS, session=<lhjfJjPCWwCClTqV>
Jun 11 16:27:45 master: Warning: Killed with signal 15 (by pid=82684 uid=0 code=kill)
On 11.6.2012, at 17.43, Leon Meßner wrote:
> > Try if this works:
> > 
> > import_environment = TZ GDB DEBUG_SILENT KRB5_KTNAME
> > 
> > Then start Dovecot with:
> > 
> > KRB5_KTNAME=/etc/mail3.krb5.keytab dovecot
> > 
> > I'm wondering if the code in mech-gssapi.c that sets the KRB5_KTNAME environment variable is being called too late.
> 
> It's still looking inside the default krb5.keytab.
Which Kerberos library are you using? Maybe it doesn't support this way of giving the keytab.
On Mon, Jun 11, 2012 at 06:26:57PM +0300, Timo Sirainen wrote:
> On 11.6.2012, at 17.43, Leon Meßner wrote:
> > > Try if this works:
> > > 
> > > import_environment = TZ GDB DEBUG_SILENT KRB5_KTNAME
> > > 
> > > Then start Dovecot with:
> > > 
> > > KRB5_KTNAME=/etc/mail3.krb5.keytab dovecot
> > > 
> > > I'm wondering if the code in mech-gssapi.c that sets the KRB5_KTNAME environment variable is being called too late.
> > 
> > It's still looking inside the default krb5.keytab.
> 
> Which Kerberos library are you using? Maybe it doesn't support this way of giving the keytab.
I'm using the stock FreeBSD 8.2-RELEASE one, which is heimdal-1.1.0. I will update the machine to 8.3 (which is the latest release in 8.x), recompile and report my findings tomorrow.
thanks, Leon
On Mon, Jun 11, 2012 at 05:51:24PM +0200, Leon Meßner wrote:
> On Mon, Jun 11, 2012 at 06:26:57PM +0300, Timo Sirainen wrote:
> > On 11.6.2012, at 17.43, Leon Meßner wrote:
> > > > import_environment = TZ GDB DEBUG_SILENT KRB5_KTNAME
> > > > 
> > > > KRB5_KTNAME=/etc/mail3.krb5.keytab dovecot
> > > > 
> > > > I'm wondering if the code in mech-gssapi.c that sets the KRB5_KTNAME environment variable is being called too late.
> > > 
> > > It's still looking inside the default krb5.keytab.
> > 
> > Which Kerberos library are you using? Maybe it doesn't support this way of giving the keytab.
> 
> I'm using the stock FreeBSD 8.2-RELEASE one, which is heimdal-1.1.0. I will update the machine to 8.3 (which is the latest release in 8.x),
Updating and recompiling did not help. I don't know where to look for the problem though. If I use the Kerberos utilities with KRB5_KTNAME, the environment variable is being picked up OK.
19:22_root@mail3:/usr/ports/mail/dovecot# KRB5_KTNAME=/etc/mail3.krb5.keytab ktutil list
/etc/mail3.krb5.keytab:

Vno  Type           Principal
  1  des-cbc-crc    imap/mail3.physik-pool.tu-berlin.de@PCPOOL.PHYSIK.TU-BERLIN.DE
  1  des-cbc-md4    imap/mail3.physik-pool.tu-berlin.de@PCPOOL.PHYSIK.TU-BERLIN.DE
  1  des-cbc-md5    imap/mail3.physik-pool.tu-berlin.de@PCPOOL.PHYSIK.TU-BERLIN.DE
  1  des3-cbc-sha1  imap/mail3.physik-pool.tu-berlin.de@PCPOOL.PHYSIK.TU-BERLIN.DE

19:34_root@mail3:/usr/ports/mail/dovecot# KRB5_KTNAME=/etc/mail3.krb5.keytab kinit -k imap/mail3.physik-pool.tu-berlin.de
19:39_root@mail3:/usr/ports/mail/dovecot# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: imap/mail3.physik-pool.tu-berlin.de@PCPOOL.PHYSIK.TU-BERLIN.DE

  Issued           Expires          Principal
Jun 12 19:39:11  Jun 13 05:39:11  krbtgt/PCPOOL.PHYSIK.TU-BERLIN.DE@PCPOOL.PHYSIK.TU-BERLIN.DE
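The ktutil listing above and the "Failed to find ... in keytab FILE:/etc/krb5.keytab (des3-cbc-sha1)" log line are the two pieces of evidence in this thread: the key exists, but the auth process looks for it in a file that does not hold it. The following is an added example written for this page, not code from the thread or from Dovecot. It parses the version-2 keytab file format that both Heimdal's ktutil and MIT's kadmin write (0x0502 header followed by length-prefixed entries, negative length marking a removed entry), performs the exact principal/enctype/kvno lookup the GSSAPI acceptor needs, and ties that to the path and key named in Dovecot's error line. The sample keytab is constructed in memory to mirror the four entries listed above, with filler key bytes that are not real keys; the enctype numbers are the RFC 3961/3962/4757 assignments.

```python
"""Added example: parse a Kerberos keytab and check it for the key that
Dovecot's GSSAPI error names. Assumes the version-2 keytab layout shared by
Heimdal and MIT; sample keys below are filler, not real key material."""
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENCTYPES = {  # RFC 3961/3962/4757 assignments (subset)
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5",
}

@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    name_type: int   # 1 = KRB5_NT_PRINCIPAL
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

    @property
    def enctype_name(self) -> str:
        return ENCTYPES.get(self.enctype, "etype-%d" % self.enctype)

def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """uint16 big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab (header %r)" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # removed entry: |size| bytes of dead space
            off += -size
            continue
        if size == 0:           # zero-length record marks the end
            break
        rec, off = data[off:off + size], off + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, p = _counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(rec, p)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", rec, p)
        etype, klen = struct.unpack_from(">HH", rec, p + 9)
        key = rec[p + 13:p + 13 + klen]
        p += 13 + klen
        kvno = vno8
        if len(rec) - p >= 4:   # optional 32-bit kvno trailer overrides vno8
            (vno32,) = struct.unpack_from(">I", rec, p)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, etype, key))
    return entries

def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Inverse of parse_keytab; used here only to construct sample data."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        rec = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            rec += struct.pack(">H", len(c)) + c.encode()
        rec += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        rec += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        rec += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(rec)) + rec
    return bytes(out)

def find_key(entries, principal: str, enctype_name: str, kvno: int) -> Optional[KeytabEntry]:
    """The lookup the acceptor needs: exact principal, enctype and kvno."""
    for e in entries:
        if (e.principal, e.enctype_name, e.kvno) == (principal, enctype_name, kvno):
            return e
    return None

FAIL_RE = re.compile(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab (\S+) \(([^)]+)\)")

def check_log_line(line: str, keytab_data: bytes) -> Tuple[str, bool]:
    """Pull principal/kvno/path/enctype out of Dovecot's error line and test
    the given keytab bytes for that key. Returns (path the auth process used, found)."""
    m = FAIL_RE.search(line)
    if not m:
        raise ValueError("not a 'Failed to find ... in keytab' line")
    principal, kvno, path, etype = m.group(1), int(m.group(2)), m.group(3), m.group(4)
    return path, find_key(parse_keytab(keytab_data), principal, etype, kvno) is not None

# Constructed sample mirroring the four ktutil entries above; keys are filler.
PRINCIPAL = "imap/mail3.physik-pool.tu-berlin.de@PCPOOL.PHYSIK.TU-BERLIN.DE"
SAMPLE_ENTRIES = [
    KeytabEntry(PRINCIPAL, 1, 1339167000, 1, 1, bytes(range(8))),
    KeytabEntry(PRINCIPAL, 1, 1339167000, 1, 2, bytes(range(8, 16))),
    KeytabEntry(PRINCIPAL, 1, 1339167000, 1, 3, bytes(range(16, 24))),
    KeytabEntry(PRINCIPAL, 1, 1339167000, 1, 16, bytes(range(24))),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)
# Same file with a removed-entry hole (negative size) in front of the records.
SAMPLE_KEYTAB_WITH_HOLE = SAMPLE_KEYTAB[:2] + struct.pack(">i", -3) + b"\0\0\0" + SAMPLE_KEYTAB[2:]
LOG_LINE = ("Jun 08 18:48:16 auth: Info: gssapi(?,130.149.58.145,<gexTxPjBZACClTqR>): "
            "While processing incoming data: Failed to find " + PRINCIPAL +
            "(kvno 1) in keytab FILE:/etc/krb5.keytab (des3-cbc-sha1)")

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%3d  %-15s %s" % (e.kvno, e.enctype_name, e.principal))
    print(check_log_line(LOG_LINE, SAMPLE_KEYTAB))
```

To use it against real files, feed `open(path, "rb").read()` of both /etc/krb5.keytab and /etc/mail3.krb5.keytab to `check_log_line` with the error line from the auth log: the first element of the result is the path the auth process actually opened, and the second tells you whether that file holds the key. It confirms the mismatch from file contents alone; it does not explain why the configured path was not used, which is the open question in this thread.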