Hi all, On 2/3/07, Mustafa A. Hashmi wrote:

We have 2 mail servers sitting behind linux-HA machines.The mail servers are currently running dovecot 1.0rc2.

Looking to enable GSSAPI authentication, I exported krb keytabs for imap/node01.domain@REALM and imap/node02.domain@REALM for both mail servers.

However, clients are connecting to mail.domain.com, which results in a mismatch as far as the keytab is concerned (and rightly so). Connections directly to node01 and node02 work fine for gssapi auth.

I proceeded to export a key for mail.domain.com into the same keytab for both the nodes, however, I don't think more than a single key is checked for the imap service, and authentication errors continued.

Is anybody running something similar? Could you please explain how you have this working on your end?

In response to my own query -- the confusion lay on my end. It is important to understand how Kerberos works and reading the Kerberos FAQ cleared quite a few things for me. People running dovecot in HA environments with GSSAPI based authentication are encouraged to read the following documentation: http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#kerbdns It is however noteworthy that modifying mech-gssapi.c (using rc15), in the following manner will scan all entries in the keytab: --- /usr/local/src/foobar/dovecot-1.0.rc15/src/auth/mech-gssapi.c 2006-09-22 19:55:18.000000000 +0500 +++ /usr/local/src/dovecot-1.0.rc15/src/auth/mech-gssapi.c 2007-03-19 09:27:58.000000000 +0500 @@ -178,11 +178,11 @@ gss_buffer_desc outbuf; major_status = gss_accept_sec_context ( &minor_status, &request->gss_ctx, - request->service_cred, + GSS_C_NO_CREDENTIAL, &inbuf, GSS_C_NO_CHANNEL_BINDINGS, &request->authn_name, NULL, /* mech_type */ &outbuf, Regards, -- Mustafa A. Hashmi mahashmi@gmail.com