Hello, I'm having a problem setting up Dovecot IMAP/POP service authentication through Kerberos.
I already read https://wiki.dovecot.org/Authentication/Kerberos.
My guess is Kerberos is working but something goes wrong after.
The keytab and ticket (for LDAP userdb lookup):
-rw------- 1 dovecot dovecot 498 ago 3 20:20 /etc/dovecot/imap.keytab
-rw------- 1 dovecot root 1503 ago 4 11:40 /etc/dovecot/imap.ticket
dovecot --version
2.3.13 (89f716dc2)
The Dovecot settings:
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.13 (cdd19fe3)
# OS: Linux 5.10.0-7-amd64 x86_64 Debian 11.0
# Hostname: postfix10.zw.local
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/imap.keytab
auth_mechanisms = gssapi
auth_username_translation = /@
import_environment = TZ KRB5CCNAME=/etc/dovecot/imap.ticket KRB5_KTNAME=/etc/dovecot/imap.keytab
mail_gid = 5000
mail_home = /var/mail/virtual/%d/%n
mail_location = maildir:~/mail
mail_privileged_group = mail
mail_uid = 5000
namespace inbox {
  disabled = no
  inbox = yes
  list = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  type = private
}
protocols = " imap lmtp pop3"
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl_cert =
When I launch Thunderbird, the mail log shows this:
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=pop3#011session=Q3GdfL7IvLmsEAAs#011lip=10.16.0.220#011rip=172.16.0.44#011lport=110#011rport=47548
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: gssapi(?,172.16.0.44,<Q3GdfL7IvLmsEAAs>): Using all keytab entries
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: client passdb out: CONT#0111#011
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: client in: CONT<hidden>
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: gssapi(user0@zw.local,172.16.0.44,<Q3GdfL7IvLmsEAAs>): security context state completed.
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: client passdb out: CONT#0111#011YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvsoco75BA/W0B9tS+UmJnunUg6vIcO5wr0fzZ7iGmCpsz0K2vL/qniGISDIwF9hDXXxs79bljbZE8Yx4dujqVuTPGMtewfhDtNfRNgYGNk/z28sDz7fs/dpIMKF2FAA1m9pFjBupQ1VkGbzMYc77U
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: client in: CONT<hidden>
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: gssapi(user0@zw.local,172.16.0.44,<Q3GdfL7IvLmsEAAs>): Negotiated security layer
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: client passdb out: CONT#0111#011BQQF/wAMAAAAAAAAAdf8bQH///86U2L5ErmqfWFYNQA=
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: client in: CONT<hidden>
Aug 4 13:42:23 postfix10 dovecot: auth: Error: gssapi(user0@domain1.zw.local,172.16.0.44,<Q3GdfL7IvLmsEAAs>): All password databases were skipped
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: auth(user0@domain1.zw.local,172.16.0.44,<Q3GdfL7IvLmsEAAs>): Auth request finished
Aug 4 13:42:25 postfix10 dovecot: auth: Debug: client passdb out: FAIL#0111#011user=user0@domain1.zw.local#011code=temp_fail#011original_user=user0@ZW.LOCAL
Aug 4 13:42:25 postfix10 dovecot: pop3-login: Debug: Ignoring unknown passdb extra field: original_user
Can someone help on this?
-- Lucas Castro
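An added example, not part of the original thread: a small Python triage over auth debug lines like the ones posted above, showing that the GSSAPI exchange completed and the login failed afterwards in the passdb stage. The function names, the verdict strings and the shortened four-line sample log are constructed for illustration.

```python
import re

TAB = "#011"  # syslog's octal escape for the tab between auth-protocol fields
# Constructed sample: four lines modelled on the debug log posted above.
SAMPLE_LOG = """\
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=pop3#011session=Q3GdfL7IvLmsEAAs#011lip=10.16.0.220
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: gssapi(user0@zw.local,172.16.0.44,<Q3GdfL7IvLmsEAAs>): security context state completed.
Aug 4 13:42:23 postfix10 dovecot: auth: Error: gssapi(user0@domain1.zw.local,172.16.0.44,<Q3GdfL7IvLmsEAAs>): All password databases were skipped
Aug 4 13:42:25 postfix10 dovecot: auth: Debug: client passdb out: FAIL#0111#011user=user0@domain1.zw.local#011code=temp_fail#011original_user=user0@ZW.LOCAL
"""

MECH = re.compile(r"auth: \w+: \w+\([^,]*,[^,]*,<([^>]+)>\): (.*)")  # mech(user,rip,<session>): msg
WIRE = re.compile(r"auth: Debug: client (?:in|passdb out): (.*)")    # raw auth-protocol lines

def triage(log):
    """Group auth debug lines by session id and record how far each login got."""
    sessions, req_to_sid = {}, {}
    def state(sid):
        return sessions.setdefault(sid, {"gssapi_done": False, "passdb_skipped": False,
                                         "result": None, "user": None, "original_user": None})
    for line in log.splitlines():
        m = MECH.search(line)
        if m:
            sid, msg = m.groups()
            if "security context state completed" in msg:
                state(sid)["gssapi_done"] = True
            elif "All password databases were skipped" in msg:
                state(sid)["passdb_skipped"] = True
            continue
        w = WIRE.search(line)
        fields = w.group(1).split(TAB) if w else []
        if len(fields) < 3:  # e.g. "CONT<hidden>" carries nothing to parse
            continue
        cmd, req = fields[0], fields[1]
        kv = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        if cmd == "AUTH" and "session" in kv:
            req_to_sid[req] = kv["session"]  # FAIL/OK lines carry only the request id
        elif cmd in ("FAIL", "OK") and req in req_to_sid:
            state(req_to_sid[req]).update(result=kv.get("code", cmd), user=kv.get("user"),
                                          original_user=kv.get("original_user"))
    return sessions

def verdict(s):
    if not s["gssapi_done"]:
        return "gssapi-incomplete"
    return "kerberos-ok/" + ("passdb-skipped" if s["passdb_skipped"] else str(s["result"]))

if __name__ == "__main__":
    print({sid: verdict(s) for sid, s in triage(SAMPLE_LOG).items()})
```

Request ids repeat across client connections, so on a busy log the AUTH-to-FAIL correlation should be limited to a short time window.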
On 04/08/2021 19:47 Lucas Castro lucas@gnuabordo.com.br wrote:
> Hello, I'm having a problem setting up Dovecot IMAP/POP service authentication through Kerberos.
> I already read https://wiki.dovecot.org/Authentication/Kerberos.
> My guess is Kerberos is working but something goes wrong after.
Hi!
This looks like a bug indeed. Do things start working if you add
passdb {
  driver = static
  args = password=pass
}
Aki
On 8/6/21 9:56 AM, Aki Tuomi wrote:
> On 04/08/2021 19:47 Lucas Castro lucas@gnuabordo.com.br wrote:
>> Hello, I'm having a problem setting up Dovecot IMAP/POP service authentication through Kerberos.
>> I already read https://wiki.dovecot.org/Authentication/Kerberos.
>> My guess is Kerberos is working but something goes wrong after.
> Hi!
> This looks like a bug indeed. Do things start working if you add
> passdb {
>   driver = static
>   args = password=pass
> }
> Aki
Thanks for the reply.
Another question: how can I map a Kerberos principal to mail users?
How can I access user0@domain1.zw.local with user0@ZW.LOCAL?
When I set the user to user0 in the mail client, it works fine, but if I set the user to user@domain1.zw.local
Dovecot returns
"User not authorized to log in as user0"
And I can't figure out how to map the Kerberos principal to the mail account.
Right now, I keep the user information in LDAP.
-- Lucas Castro