Re: Cannot Authenticate user with Kerberos/GSSAPI
mark@ohprs.org
My last message probably contained too much information. This one is more succient.
"Succint" may not be the right adjective, because I think this is the third copy I've seen.
Here is the dovecot log when user dsmith attempts to connect to dovecot from the Tbird client:
What I see is ...
Jul 11 19:29:46 imap-login: Info: Disconnected (no auth attempts in 3 secs): user=<>, rip=192.168.0.57, lip=192.168.0.2, TLS, session=<jR0sExNUTADAqAA5>
... a failed authentication with no real mention of Kerberos stuff, followed soon after with SSL/Kerberos yackety-yack, and ...
Jul 11 19:30:18 imap-login: Info: Login: user=<dsmith>, method=GSSAPI, rip=192.168.0.57, lip=192.168.0.2, mpid=3150, TLS, session=<iDUNFRNUUgDAqAA5>
... successful authentication via GSSAPI! From the log files you've shown, you were able to authenticate "dsmith". Your mail reader tells you otherwise?
Joseph Tam <jtam.home@gmail.com>
On Fri, 14 Jul 2017, Joseph Tam wrote:
... successful authentication via GSSAPI! From the log files you've shown, you were able to authenticate "dsmith". Your mail reader tells you otherwise?
Oops, I didn't see your previous comment
"The Kerberos/GSSAPI ticket was not accepted by the IMAP server ... please check that you
are logged into the Kerberos/GSSAPI realm."
I have only passing knowledge of Kerberos, but don't you have to klogin (login script or PAM) to join the Kerberos realm before getting service tickets? This appears to be what the TB message is hinting at.
Joseph Tam <jtam.home@gmail.com>
participants (1)
-
Joseph Tam