[Dovecot] gssapi problems (postfix sasl through dovecot, dovecot imap working fine)
Thanks to Timo, I have solved all but one of my problems. For background, I am using Samba4 as an AD. I have the userdb working from LDAP just fine and Kerberos authentication for dovecot's IMAP server working fine. The problem is using dovecot's SASL with postfix. I also have plain/login working in imap and smtp. Both use pam_krb5 through pam to authenticate clients that don't have Kerberos, and for now smtp. When trying to do smtp Kerberos, I get the following:
postfix/smtpd[6197]: warning: CLIENT_FQDN[CLIENT_IP]: request longer than 2048: AUTH GSSAPI ...
dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=smtp#011nologin#011lip=SERVER_IP#011rip=CLIENT_IP#011secured#011resp=<hidden>
dovecot: auth: Debug: gssapi(?,CLIENT_IP): Obtaining credentials for smtp@MAILSERVER_FQDN
dovecot: auth: gssapi(?,CLIENT_IP): While processing incoming data: Unspecified GSS failure.  Minor code may provide more information
dovecot: auth: gssapi(?,CLIENT_IP): While processing incoming data: Invalid message type
postfix/smtpd[6197]: warning: CLIENT_FQDN[CLIENT_IP]: SASL GSSAPI authentication failed:
dovecot: auth: Debug: client out: FAIL#0111

# klist -k /etc/dovecot/krb5.keytab
Keytab name: WRFILE:/etc/dovecot/krb5.keytab
KVNO Principal
   2 imap/MAILSERVER_FQDN@DOMAIN_REALM
   2 smtp/MAILSERVER_FQDN@DOMAIN_REALM
The client is Thunderbird.
Any help would be greatly appreciated. I have made sure that the file has proper permissions. I have regenerated the smtp cert, making sure the password is accurate. I have done everything I know to try. The only thing that I guess remains is that something is broken with Thunderbird's Kerberos setup for smtp.
Thank you very much, Trever
On 10/15/2010 09:50 PM, Trever L. Adams wrote:
Samba4 doesn't automatically set the userPrincipalName to imap/f.q.d.n@REALM or smtp/f.q.d.n@REALM when setting up an SPN. This was the problem. For some reason it works fine for imap but not smtp.
I have reported this as a possible bug to Samba4. I am documenting it here in case someone else has problems.
Trever
"The amount of time between slipping on the peel and landing on the pavement is precisely 1 bananosecond." -- Unknown
On 10/19/2010 06:16 AM, Trever L. Adams wrote:
Unfortunately this only fixes Linux. It seems that Windows is sending larger Kerberos tickets than Linux.
I do not know if this is a postfix, dovecot or Thunderbird bug. The fact that it works in imap makes me think it is not dovecot, but I am still trying to figure things out. For the time being, for those wishing to follow this in the other software, I just sent a message to the postfix mailing list with the subject: smtpd_chat_query, dovecot sasl, AD, Samba4.
Thanks, Trever
"I'm all in favor of keeping dangerous weapons out of the hands of fools. Let's start with typewriters." -- Solomon Short
On 10/19/2010 07:56 AM, Trever L. Adams wrote:
Ok, so it is documented for others. It appears that it is a "bug" in Thunderbird due to the windows PAC in the kerberos ticket. Assuming you have followed instructions elsewhere and userPrincipalName is set properly in the AD, make sure you have the right line_length_limit for postfix.
If you are using dovecot sasl with postfix and are using Thunderbird in Windows (part of an AD domain) and using smtp kerberos authentication, make sure you have line_length_limit = 2176 in postfix's main.cf.
Thanks to Wietse for his help.
Trever
"It is difficult to legislate morality in the absence of moral legislators." -- Unknown
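As an added illustration of the line_length_limit point (example code written for this page, not code from the thread, Postfix or Dovecot): a Kerberos AP-REQ rides on the SMTP AUTH line itself as a base64 initial response (RFC 4954), so a ticket padded with a Windows PAC grows the command line by 4/3 of the extra bytes and can cross Postfix's default 2048-character limit, which is exactly the "request longer than 2048: AUTH GSSAPI ..." warning quoted above. The AP-REQ byte strings below are constructed placeholders, not real tickets; the script assumes Postfix counts the command line without its CRLF and that its line_length_limit default is 2048.

```python
"""Why a PAC-bearing Kerberos ticket can exceed Postfix's line_length_limit.

Added example, not from the thread or from Postfix/Dovecot. The AP-REQ
payloads are constructed placeholders (zero bytes of a plausible size).
"""
import base64
import re

AUTH_PREFIX = "AUTH GSSAPI "  # RFC 4954: initial response is sent on the AUTH line
KRB5_MECH_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2
POSTFIX_DEFAULT_LIMIT = 2048  # assumption: Postfix default line_length_limit


def der_length(n: int) -> bytes:
    """DER length octets for a value of n bytes (short or long form)."""
    if n < 0x80:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets


def gssapi_initial_token(ap_req: bytes) -> bytes:
    """RFC 2743 InitialContextToken framing around a Kerberos AP-REQ:
    [APPLICATION 0] tag, DER length, mech OID, RFC 4121 TOK_ID 01 00 (AP-REQ),
    then the AP-REQ itself (a placeholder byte string in this example)."""
    body = KRB5_MECH_OID + b"\x01\x00" + ap_req
    return b"\x60" + der_length(len(body)) + body


def auth_line(ap_req: bytes) -> str:
    """The SMTP command the client sends, as Postfix reads it (without CRLF)."""
    return AUTH_PREFIX + base64.b64encode(gssapi_initial_token(ap_req)).decode("ascii")


def fits(ap_req: bytes, limit: int = POSTFIX_DEFAULT_LIMIT) -> bool:
    return len(auth_line(ap_req)) <= limit


def max_ap_req_bytes(limit: int = POSTFIX_DEFAULT_LIMIT) -> int:
    """Largest AP-REQ (in bytes) whose AUTH line stays within `limit`."""
    n = 0
    while fits(bytes(n + 1), limit):
        n += 1
    return n


def line_length_limit(main_cf: str) -> int:
    """Read line_length_limit from main.cf text; Postfix default if absent."""
    for raw in main_cf.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments
        m = re.match(r"line_length_limit\s*=\s*(\d+)$", line)
        if m:
            return int(m.group(1))
    return POSTFIX_DEFAULT_LIMIT


# Constructed sample sizes, not measured tickets: one AP-REQ without a PAC
# and one carrying a Windows PAC (the PAC is what makes the second larger).
AP_REQ_NO_PAC = bytes(1200)
AP_REQ_WITH_PAC = bytes(1560)

# Constructed main.cf fragments: the Dovecot SASL wiring as in the thread,
# first without and then with the line_length_limit the thread settled on.
MAIN_CF_BEFORE = "smtpd_sasl_type = dovecot\nsmtpd_sasl_path = private/auth\n"
MAIN_CF_AFTER = MAIN_CF_BEFORE + "line_length_limit = 2176\n"


def check(main_cf: str, ap_req: bytes) -> tuple:
    """Return (AUTH line length, configured limit, whether Postfix accepts it)."""
    limit = line_length_limit(main_cf)
    n = len(auth_line(ap_req))
    return n, limit, n <= limit


if __name__ == "__main__":
    for label, cf in (("default", MAIN_CF_BEFORE), ("line_length_limit=2176", MAIN_CF_AFTER)):
        for name, req in (("no PAC", AP_REQ_NO_PAC), ("with PAC", AP_REQ_WITH_PAC)):
            n, limit, ok = check(cf, req)
            print(f"{label:24} {name:9} AUTH line {n} chars, limit {limit}: "
                  f"{'ok' if ok else 'REJECTED'}")
    print("largest AP-REQ at 2048:", max_ap_req_bytes(2048),
          "bytes; at 2176:", max_ap_req_bytes(2176))
```

With the default limit the 1560-byte placeholder ticket produces a 2116-character AUTH line and is rejected; raising line_length_limit to 2176 as in the message above admits it, and the script also reports the largest AP-REQ each limit tolerates (1510 bytes at 2048, 1606 at 2176 under the framing assumed here), which is a quick way to judge whether 2176 leaves enough headroom for the group memberships your own PACs carry.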