Cannot login with method=GSSAPI
I am migrating an existing dovecot server to a new server. The existing server uses pam_krb5 and works with the plain and gssapi methods. On the new server, plain/pam_krb5 normal password authentication works. However, the gssapi (tickets) authentication is producing the following error:
=== Begin Error ====
imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.7.61, lip=192.168.7.97, TLS, session=<SPnD7NhWWtrAqAc9>
=== End Error ===
What is causing the "user=<>"? It should be "user=<erik>".
I have been using Thunderbird SSL GSSAPI from a Debian Linux testing/buster XFCE desktop to connect to the existing server for years. When I point it to the new server, I receive the above error.
ssh kerberos gssapi authentication is working fine on the new server.
Most of the doveconf settings between the existing and new servers are the same.
The existing server is 32 bit. The new server is 64 bit running in an LXC container. The existing server dovecot version is the same as the new server.
Notes:
dovecot version: 2.2.31 (65cde28) OS: Debian Linux testing/buster Arch: amd64
Client: Mozilla Thunderbird 52.2.1 (latest)
The disconnect (no auth attempts) means that the client did not see any reason to try logging in.
You can use https://wiki.mozilla.org/MailNews:Logging to enable debug logging.
Aki
On 16.08.2017 09:50, Erik Haller wrote:
I am migrating an existing dovecot server to a new server. The existing server uses pam_krb5 and works with the plain and gssapi methods. On the new server, plain/pam_krb5 normal password authentication works. However, the gssapi (tickets) authentication is producing the following error:
=== Begin Error ====
imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.7.61, lip=192.168.7.97, TLS, session=<SPnD7NhWWtrAqAc9>
=== End Error ===
What is causing the "user=<>"? It should be "user=<erik>".
I have been using Thunderbird SSL GSSAPI from a Debian Linux testing/buster XFCE desktop to connect to the existing server for years. When I point it to the new server, I receive the above error.
ssh kerberos gssapi authentication is working fine on the new server.
Most of the doveconf settings between the existing and new servers are the same.
The existing server is 32 bit. The new server is 64 bit running in an LXC container. The existing server dovecot version is the same as the new server.
Notes:
dovecot version: 2.2.31 (65cde28) OS: Debian Linux testing/buster Arch: amd64
Client: Mozilla Thunderbird 52.2.1 (latest)
I solved the problem. The dovecot auth_gssapi_hostname entry did not have a correct reverse DNS entry.
Example:
mail.example.com had an IP of 192.168.1.3 and the reverse pointer record for 192.168.1.3 was a different hostname; i.e. orange.example.com.
Kerberos gssapi is strict.
Thank you for your help.
On Tue, Aug 15, 2017 at 11:55 PM, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
The disconnect (no auth attempts) means that the client did not see any reason to try logging in.
You can use https://wiki.mozilla.org/MailNews:Logging to enable debug logging.
Aki
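The forward/reverse DNS mismatch described in the fix above can be checked before pointing clients at a new server. The following is an added example, not part of the original thread or of dovecot: it compares a hostname (the value you would put in auth_gssapi_hostname) with the PTR name of each address it resolves to. The function names, the "imap" service default and the sample records are assumptions for illustration; the reported principal assumes a client Kerberos library that canonicalizes the server name via reverse DNS (MIT krb5's rdns setting, on by default).

```python
import socket
import sys

def forward_lookup(hostname):
    """Return the set of addresses the name resolves to (A/AAAA)."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def reverse_lookup(ip):
    """Return the PTR name for an address, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def normalize(name):
    # DNS names are case-insensitive; a trailing dot is only the root label.
    return name.rstrip(".").lower()

def check_gssapi_hostname(hostname, service="imap",
                          forward=forward_lookup, reverse=reverse_lookup):
    """Return [(ip, ptr, principal)] for every address whose PTR name
    differs from hostname; an empty list means forward and reverse agree.
    principal is the service name a reverse-DNS-canonicalizing client
    would request (assumption), or None when no PTR record exists."""
    problems = []
    for ip in sorted(forward(hostname)):
        ptr = reverse(ip)
        if ptr is None or normalize(ptr) != normalize(hostname):
            principal = f"{service}/{normalize(ptr)}" if ptr else None
            problems.append((ip, ptr, principal))
    return problems

# Constructed sample records mirroring the example in the message above.
SAMPLE_A = {"mail.example.com": {"192.168.1.3"}}
SAMPLE_PTR_BROKEN = {"192.168.1.3": "orange.example.com"}
SAMPLE_PTR_FIXED = {"192.168.1.3": "mail.example.com."}

if __name__ == "__main__":
    if len(sys.argv) > 1:      # live check against real DNS
        found = check_gssapi_hostname(sys.argv[1])
    else:                      # offline demo on the constructed records
        found = check_gssapi_hostname("mail.example.com",
                                      forward=SAMPLE_A.__getitem__,
                                      reverse=SAMPLE_PTR_BROKEN.get)
    for ip, ptr, principal in found:
        print(f"MISMATCH {ip}: PTR={ptr} client would request {principal}")
    sys.exit(1 if found else 0)
```

Run with the server's hostname as the only argument from the client machine; a non-zero exit status means at least one address has a missing or different PTR name.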