[Dovecot] v 1.1.13 / GSSAPI / Timeout waiting for handshake from auth server

pod pod at herald.ox.ac.uk
Fri Apr 3 16:30:33 EEST 2009


Timo Sirainen <tss at iki.fi> writes:

> On Wed, 2009-03-25 at 15:31 +0100, Jahnke-Zumbusch, Dirk wrote:

>> 1. I am puzzled about the credentials "imap@my.host.name" being obtained;
>> shouldn't this be something like "imap/my.host.name@MY.REALM"?
>
> I don't know anything about Kerberos.

I suspect the "imap@my.host.name" refers to the subject at the GSSAPI
layer.  This is certainly the form one would use in gss_import_name() in
order to construct the "name" of the peer one might then subsequently use
in a call to gss_init_sec_context() or, as in this case,
gss_acquire_cred().  If the underlying mechanism in use by the GSSAPI
layer is Kerberos then it will be translated to an appropriately named
principal, such as "imap/my.host.name@MY.REALM", but that name will not in
general be exposed above the GSSAPI layer.

> This anyway means that dovecot-auth process is hanging for over 30
> seconds. Probably the "obtaining credentials" is taking a long time.
> But why that is, I've no idea.

Wild guess: maybe the underlying Kerberos libraries are attempting to
canonicalise the host part by doing DNS lookups which are timing out as a
result of a non-responsive DNS server?
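
An added diagnostic for the DNS guess above (not code from this thread or from Dovecot): it splits a host-based service name of the service@host form (the archive renders "@" as " at "), times a forward and a reverse lookup of the host part, and prints the principal that would result. It assumes canonicalisation is a forward lookup followed by a reverse lookup; the function names, buffer sizes and the default imap@localhost are assumptions, and MY.REALM is the thread's placeholder.

```c
#define _POSIX_C_SOURCE 200809L
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

static double now_ms(void) {
    struct timespec t;
    clock_gettime(CLOCK_MONOTONIC, &t);
    return t.tv_sec * 1000.0 + t.tv_nsec / 1e6;
}

/* Split a GSSAPI host-based service name "service@host"; 0 on success. */
int split_hostbased(const char *name, char *svc, size_t sl, char *host, size_t hl) {
    const char *at = strchr(name, '@');
    if (!at || at == name || !at[1] || strchr(at + 1, '@')) return -1;
    if ((size_t)(at - name) >= sl || strlen(at + 1) >= hl) return -1;
    snprintf(svc, sl, "%.*s", (int)(at - name), name);
    strcpy(host, at + 1);
    return 0;
}

/* Forward then reverse lookup, timing each step; 0 or the failing EAI_* code. */
int canon_host(const char *host, char *out, size_t ol, double *fwd_ms, double *rev_ms) {
    struct addrinfo hints = { .ai_flags = AI_CANONNAME }, *ai;
    double t0 = now_ms();
    int rc = getaddrinfo(host, NULL, &hints, &ai);
    *fwd_ms = now_ms() - t0; *rev_ms = 0;
    if (rc) return rc;
    t0 = now_ms();
    rc = getnameinfo(ai->ai_addr, ai->ai_addrlen, out, (socklen_t)ol, NULL, 0, NI_NAMEREQD);
    *rev_ms = now_ms() - t0; freeaddrinfo(ai);
    return rc;
}

/* Kerberos-style principal for the service on an already canonical host. */
int format_principal(const char *svc, const char *host, const char *realm, char *out, size_t ol) {
    int n = snprintf(out, ol, "%s/%s@%s", svc, host, realm);
    return (n < 0 || (size_t)n >= ol) ? -1 : 0;
}

int main(int argc, char **argv) {
    char svc[64], host[256], canon[256], princ[600];
    double f, r;   /* the default name below is a constructed sample */
    if (split_hostbased(argc > 1 ? argv[1] : "imap@localhost", svc, sizeof svc, host, sizeof host)) return 2;
    int rc = canon_host(host, canon, sizeof canon, &f, &r);
    printf("forward %.1f ms, reverse %.1f ms%s%s\n", f, r, rc ? ", failed: " : "", rc ? gai_strerror(rc) : "");
    if (!rc && !format_principal(svc, canon, "MY.REALM", princ, sizeof princ)) puts(princ);
    return rc != 0;
}
```

Run on the mail server with the service name from the log as its argument; a lookup step that takes seconds rather than milliseconds points at the resolver rather than at dovecot-auth.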

